ScriptCryptor Virus???

Question
-
I recently downloaded ScriptCryptor from Cnet. I loaded a VBS file to compile and then exported it. Norton came up and said that the new EXE file was some kind of virus/malicious software. Any ideas? Is this safe? Please help.
- Moved by Mike Feng Tuesday, October 4, 2011 7:15 AM off-topic (From:Visual Basic General)
Sunday, October 2, 2011 4:32 PM
All replies
-
Well, if Norton is upset over it, I would leave it alone. Use Norton to send it to quarantine, then have it deleted.
Thanks, Callum Kerr.
My Software Website
Xbox Live Gamertag: Unggoy Murderer
- Proposed as answer by Ed Price - MSFT (Microsoft employee) Friday, October 28, 2011 7:44 AM
- Marked as answer by Ed Price - MSFT (Microsoft employee) Friday, October 28, 2011 7:45 AM
Sunday, October 2, 2011 5:10 PM -
Yes, I would do that too, but I downloaded it off of Cnet. Cnet doesn't allow virus making programs. Why would this be on there?
Sunday, October 2, 2011 5:26 PM
-
Virus scanners can detect known viruses, or they can detect new viruses.
To detect new viruses they use heuristics - many small tests that can be performed to generate a number that says how likely it is for the file to be malicious.
The program you mention creates and saves exe files to the disk, which is suspicious behaviour as viruses do that - they contain some encrypted code which is decrypted and written to disk as an exe when the virus runs.
Norton's heuristic thinks the file is likely to be a virus, but you know otherwise - you've got it from a reliable source. It sounds likely to be a false positive.
You should be asking the authors of the software about it. This isn't related to VB.Net programming...
- Marked as answer by Ed Price - MSFT (Microsoft employee) Friday, October 28, 2011 7:44 AM
Sunday, October 2, 2011 6:25 PM -
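The heuristic scoring described in the reply above, as an added example that is not part of the original thread and not any antivirus vendor's logic: several small tests each add to a score, and a threshold turns the score into a verdict. The rule names, weights, threshold and sample bytes are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def max_window_entropy(data: bytes, window: int = 1024) -> float:
    """Highest entropy over fixed-size windows; encrypted blobs approach 8.0."""
    last_start = max(len(data) - window, 0)
    return max(entropy(data[i:i + window]) for i in range(0, last_start + 1, window))

# Toy rules with assumed weights: (description, weight, test on the raw file bytes).
RULES = [
    ("high-entropy region (possible encrypted payload)", 40,
     lambda d: max_window_entropy(d) > 7.5),
    ("imports file-writing APIs", 20,
     lambda d: b"CreateFile" in d and b"WriteFile" in d),
    ("looks up the temp directory", 15, lambda d: b"GetTempPath" in d),
    ("can launch another process", 25, lambda d: b"CreateProcess" in d),
]

def score(data: bytes):
    """Return (total score, names of the rules that fired)."""
    hits = [(name, weight) for name, weight, test in RULES if test(data)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def verdict(data: bytes, threshold: int = 60) -> str:
    return "suspicious" if score(data)[0] >= threshold else "clean"

def fake_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted script."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed samples: a script-to-EXE wrapper stub and an ordinary program.
API_STRINGS = b"CreateFileA\x00WriteFile\x00GetTempPathA\x00CreateProcessA\x00"
STUB = b"MZ" + b"\x00" * 2046 + API_STRINGS
WRAPPED_SCRIPT = STUB + fake_ciphertext(4096)  # benign script, stored encrypted
PLAIN_TOOL = b"MZ" + b"\x00" * 2046 + b"CreateFileA\x00WriteFile\x00" + b"hello world " * 80
```

The wrapped script trips every rule even though its payload is harmless, because the rules see only the structure of the file, not the intent of the script inside it.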
Let me understand exactly what you are saying. The new executable generated from your vbs was detected as a virus, and not the ScriptCryptor executable, correct? If this is correct (my understanding) then create a simple "hello world" vbs script and see if that too is flagged. If so, I agree with jo0ls, that you potentially have false positives. If that turns out to be the case, you may find a Norton AV board and post the questions there, or perhaps CNet has discussions on the app.
--
Mike
- Proposed as answer by Ed Price - MSFT (Microsoft employee) Friday, October 28, 2011 7:45 AM
- Marked as answer by Ed Price - MSFT (Microsoft employee) Friday, October 28, 2011 7:45 AM
Sunday, October 2, 2011 9:31 PM -
Just run it. You've got everything backed up and a restore point so the most you can lose is a few hours, but you'll have a definitive answer which you can share with the world.
Sunday, October 2, 2011 9:55 PM
-
I too agree that it is probably a false positive, but don't think for a minute that something could get past CNET, or anybody else for that matter. This is the perfect place to embed malicious code (inside the compiler), look at some of Ken Thompson's work regarding this.
http://cm.bell-labs.com/who/ken/trust.html
RE: Mr. Thompson - "Having worked at Bell Labs for most of his career, Thompson is notable for his work with the B programming language (basing it mainly on the BCPL language he had used to write Unix while in the MULTICS project), C programming language and as one of the creators and early developers of the Unix and Plan 9 operating systems." - Wikipedia.
He knows what he is talking about.......
- Proposed as answer by Ed Price - MSFT (Microsoft employee) Friday, October 28, 2011 7:45 AM
- Marked as answer by Ed Price - MSFT (Microsoft employee) Friday, October 28, 2011 7:45 AM
Sunday, October 2, 2011 11:34 PM -
That's sure not something I would ever recommend, or do, in spite of thinking myself that it's a false positive.
Sunday, October 2, 2011 11:38 PM
-
This was moved out of the VS forum. I suggest posting it on www.answers.microsoft.com if you'd like more assistance.
Ed Price a.k.a User Ed, Microsoft Experience Program Manager (Blog, Twitter, Wiki)
- Proposed as answer by Ed Price - MSFT (Microsoft employee) Friday, October 28, 2011 7:46 AM
- Marked as answer by Ed Price - MSFT (Microsoft employee) Friday, October 28, 2011 7:46 AM
Friday, October 28, 2011 7:46 AM