Virus; Trojan.Gen.MBT

[MaxFun]

Norton 360 found a the virus Trojan.Gen.MBT in your download mingwInstaller.exe
I downloaded from https://github.com/niXman/mingw-builds-binaries
See Norton's report below

Filename: padlock.dll
Threat name: Trojan.Gen.MBTFull Path: C:\Users\wmcre\mingw64\opt\lib\engines-3\padlock.dll

---

---

On computers as of 
10/12/2023 at 2:31:20 AM

Last Used 
10/12/2023 at 2:31:20 AM

Startup Item 
No
Launched 
No
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

---

padlock.dllThreat name: Trojan.Gen.MBT
Locate

Few Users
Fewer than 50 users in the Norton Community have used this file.

New
This file was released 10 days  ago.

High
This file risk is high.

---

Source: External Media

---

File Actions

File: C:\Users\wmcre\mingw64\opt\lib\engines-3\padlock.dllBlocked

---

File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available

[Ragudos]

Wow. Thank you for this. It's a good thing I checked the issues. I ran the file in VirusTotal:

How come the link in the README file did not show it?

[MaxFun]

Not sure what file the link is pointing to or if the file is packed such that the scanner does not detect it. When I downloaded mingwInstaller.exe, Norton said it was OK, see below. But after I ran it, Norton detected the virus.

Filename: mingwInstaller.exe
Full Path: C:\Users\wmcre\Downloads\mingwInstaller.exe

---

---

Developers 
Not Available

Version 
Not Available

Identified 
10/13/2023 at 6:18:21 AM

Last Used 
Not Available

Startup Item 
No

---

Few Users
Hundreds of users in the Norton Community have used this file.

Mature
This file was released 10 months  ago.

Good
Norton has given this file a good rating.

---

Source File:
mingwInstaller.exe

---

Performance

---

Avg. Resource Usage: Moderate
Avg. CPU Usage: Low
Avg. Memory Usage: Moderate

---

File Thumbprint - SHA:
68214ff3d9ddd74538d7d96001173c952284b4c6b62608f6c3fcc447feca1a5d
File Thumbprint - MD5:
c777d8b09b8fe4995f8f53ca59e97604

[niXman]

guys, mingwInstaller is a separate project hosted on: https://github.com/Vuniverse0/mingwInstaller
and as I can see the executable file has not changed since Dec 11, 2022: https://github.com/Vuniverse0/mingwInstaller/releases/tag/1.2.0

so I think this is a false positive...

[niXman]

Moreover, VirusTotal says that there are no problems: https://www.virustotal.com/gui/file/68214ff3d9ddd74538d7d96001173c952284b4c6b62608f6c3fcc447feca1a5d

[MaxFun]

Norton said the same thing till I ran it. I guess the bad guy are really good at hiding their tracks

[nenin-sc]

Eset Endpoint (corporative) - no reaction
Eset Antivirus (home) - no reaction

[MaxFun]

Was Eset Endpoint & Eset Antivirus only used to check "mingwInstaller.exe" before it was run?
If so, Norton only found "Trojan.Gen.MBTFull" after I ran "mingwInstaller.exe" and not before

[nenin-sc]

I tried to run it under Endpoint.
"The “Gen” in the name indicates that it is a generic detection, meaning that the specific characteristics of the threat may not be fully identified or classified." Source: https://howtofix.guide/trojan-gen-mbt/

[matenestor]

No, it definitely does not look like a false positive! Even Windows Defender is telling me it is a trojan malware. I put it to VirusTotal as well and 23 vendors marked it as a malware (compared to 10 in the screenshot above).
@niXman The problem is that you are testing mingwInstaller.exe, but the malicious code is in the file padlock.dll.

I downloaded x86_64-13.2.0-release-win32-seh-msvcrt-rt_v11-rev0.7z.
The file is at x86_64-13.2.0-release-win32-seh-msvcrt-rt_v11-rev0\mingw64\opt\lib\engines-3\padlock.dll

Here is my result from VirusTotal.

https://www.virustotal.com/gui/file/82cff646163444ac981fbd9279f503f35f3f9068c23f57d46ea30d17f40c8bf5/details

[nenin-sc]

Hmmm...
Endpoint reacted on x86_64-13.2.0-release-win32-seh-msvcrt-rt_v11-rev0\mingw64\opt\lib\engines-3\padlock.dll as suspicious.
And x86_64-13.2.0-release-win32-seh-ucrt-rt_v11-rev0\mingw64\opt\lib\engines-3\padlock.dll is OK for him.
No comments.

[niXman]

this is definitely a false positive.
this issue can be closed.

[Bulat-Ziganshin]

@niXman The problem is that people will plain refuse to install something reported by popular antivirus software

[niXman]

@Bulat-Ziganshin

and? how can I affect this?
I'm not an antivirus software developer...

[niXman]

guys, does anyone know where this dll comes from?
what project is it part of?

[nenin-sc]

guys, does anyone know where this dll comes from? what project is it part of?

I suppose this is just beginning of the end of the "free access" to the msvcrt.

[nenin-sc]

There are no problems with ucrt.
Yes, it is false positive, but it somehow provoke a lot of AV. Simple explanation is that its interaction with msvcrt makes AV unhappy. msvcrt is an internal MS stuff, so some kinds of access to it might be considered as suspicious activity.

[starg2]

guys, does anyone know where this dll comes from? what project is it part of?

openssl

[ANauzet]

Hello,
My antivirus found a virus in the gcov.exe from the x86_64 MSVCRT and UCRT version (and also in the padlock.dll)
Impossible to use this at work :-(

[nenin-sc]

Hello, My antivirus found a virus in the gcov.exe from the x86_64 MSVCRT and UCRT version (and also in the padlock.dll) Impossible to use this at work :-(

Just checked with Virustotal: no problems with gcov, padlock marked by AI of "Bkav Pro".