<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 5 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Yes, AV software, especially HitmanPro, is not gospel.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>67 other AVs came out clean. But let’s say for the sake of argument that they’re all wrong.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>“Trojan-Downloader” is a class of Trojan that downloads a payload, which means it needs to use a socket somehow.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>$ sha256sum.exe ghc-8.2.2/lib/bin/touchy.exe</p><p class=MsoNormal>5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782 *ghc-8.2.2/lib/bin/touchy.exe</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>That is the binary I’m looking at; it matches the hash on the VirusTotal link and yours.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This is the source of touchy: <a href="https://github.com/ghc/ghc/blob/ghc-8.2/utils/touchy/touchy.c">https://github.com/ghc/ghc/blob/ghc-8.2/utils/touchy/touchy.c</a></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The application does not import Winsock, so networking seems more unlikely, but it imports <span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'>GetProcAddress, so let’s say for the sake of argument it’s dynamically binding to the socket library.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'><a href="http://lpaste.net/3408264924009332736">http://lpaste.net/3408264924009332736</a> is the full string table, which contains no ASCII string starting with “WSA”. So that’s unlikely, since you need to name the function you want to call, and you need to initialize the sockets, so WSA.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'>This is the full disassembly of touchy.exe:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'><a href="http://lpaste.net/7667888088021991424">http://lpaste.net/7667888088021991424</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'>Below you’ll find an inline copy of main; it pretty much follows the source in touchy.c.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'>I’m pretty confident that HitmanPro is just throwing a false positive; I won’t be going through the CRT startup code.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'>Here’s main:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'><o:p> </o:p></span></p><p class=MsoNormal><span
style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'>00000000004015c0 <main>:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015c0: 41 57 push %r15<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015c2: 41 56 push %r14<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015c4: 41 55 push %r13<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015c6: 41 54 push %r12<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015c8: 55 push %rbp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015c9: 57 push %rdi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015ca: 56 push %rsi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015cb: 53 push %rbx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015cc: 48 83 ec 68 sub $0x68,%rsp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015d0: 89 ce mov %ecx,%esi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015d2: 48 89 d7 mov %rdx,%rdi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015d5: e8 e6 02 00 00 callq 4018c0 <__main><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015da: 
83 fe 01 cmp $0x1,%esi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015dd: 74 10 je 4015ef <main+0x2f><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015df: b8 00 00 00 00 mov $0x0,%eax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015e4: 83 fe 01 cmp $0x1,%esi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015e7: 0f 8e 4d 01 00 00 jle 40173a <main+0x17a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015ed: eb 26 jmp 401615 <main+0x55><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015ef: 48 8b 1f mov (%rdi),%rbx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015f2: ff 15 1c 6d 00 00 callq *0x6d1c(%rip) # 408314 <__imp___iob_func><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015f8: 48 8d 48 60 lea 0x60(%rax),%rcx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015fc: 49 89 d8 mov %rbx,%r8<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4015ff: 48 8d 15 2a 2a 00 00 lea 0x2a2a(%rip),%rdx # 404030 <.rdata><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401606: e8 65 17 00 00 callq 402d70 <fprintf><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40160b: b8 01 00 00 00 mov 
$0x1,%eax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401610: e9 25 01 00 00 jmpq 40173a <main+0x17a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401615: 48 8d 5f 08 lea 0x8(%rdi),%rbx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401619: 8d 46 fe lea -0x2(%rsi),%eax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40161c: 4c 8d 7c c7 10 lea 0x10(%rdi,%rax,8),%r15<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401621: 4c 8b 2d ec 6b 00 00 mov 0x6bec(%rip),%r13 # 408214 <__imp_CreateFileA><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401628: 48 8d 7c 24 50 lea 0x50(%rsp),%rdi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40162d: 4c 8b 25 30 6c 00 00 mov 0x6c30(%rip),%r12 # 408264 <__imp_GetSystemTimeAsFileTime><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401634: 48 8b 2d 71 6c 00 00 mov 0x6c71(%rip),%rbp # 4082ac <__imp_SetFileTime><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40163b: 4c 8b 35 ca 6b 00 00 mov 0x6bca(%rip),%r14 # 40820c <__IAT_start__><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401642: 48 89 5c 24 48 mov %rbx,0x48(%rsp)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401647: 48 c7 44 24 30 00 00 movq 
$0x0,0x30(%rsp)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40164e: 00 00 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401650: c7 44 24 28 80 00 00 movl $0x80,0x28(%rsp)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401657: 00 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401658: c7 44 24 20 04 00 00 movl $0x4,0x20(%rsp)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40165f: 00 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401660: 41 b9 00 00 00 00 mov $0x0,%r9d<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401666: 41 b8 00 00 00 00 mov $0x0,%r8d<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40166c: ba 00 00 00 40 mov $0x40000000,%edx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401671: 48 8b 0b mov (%rbx),%rcx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401674: 41 ff d5 callq *%r13<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401677: 48 89 c6 mov %rax,%rsi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40167a: 48 83 f8 ff cmp $0xffffffffffffffff,%rax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 
40167e: 75 2b jne 4016ab <main+0xeb><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401680: 48 8b 44 24 48 mov 0x48(%rsp),%rax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401685: 48 8b 18 mov (%rax),%rbx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401688: ff 15 86 6c 00 00 callq *0x6c86(%rip) # 408314 <__imp___iob_func><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40168e: 48 8d 48 60 lea 0x60(%rax),%rcx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401692: 49 89 d8 mov %rbx,%r8<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401695: 48 8d 15 a7 29 00 00 lea 0x29a7(%rip),%rdx # 404043 <.rdata+0x13><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40169c: e8 cf 16 00 00 callq 402d70 <fprintf><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016a1: b9 01 00 00 00 mov $0x1,%ecx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016a6: e8 cd 16 00 00 callq 402d78 <exit><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016ab: 48 89 f9 mov %rdi,%rcx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016ae: 41 ff d4 callq *%r12<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016b1: 49 89 f9 mov 
%rdi,%r9<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016b4: 41 b8 00 00 00 00 mov $0x0,%r8d<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016ba: ba 00 00 00 00 mov $0x0,%edx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016bf: 48 89 f1 mov %rsi,%rcx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016c2: ff d5 callq *%rbp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016c4: 85 c0 test %eax,%eax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016c6: 75 2b jne 4016f3 <main+0x133><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016c8: 48 8b 44 24 48 mov 0x48(%rsp),%rax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016cd: 48 8b 18 mov (%rax),%rbx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016d0: ff 15 3e 6c 00 00 callq *0x6c3e(%rip) # 408314 <__imp___iob_func><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016d6: 48 8d 48 60 lea 0x60(%rax),%rcx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016da: 49 89 d8 mov %rbx,%r8<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016dd: 48 8d 15 74 29 00 00 lea 0x2974(%rip),%rdx # 404058 <.rdata+0x28><o:p></o:p></span></p><p 
class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016e4: e8 87 16 00 00 callq 402d70 <fprintf><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016e9: b9 01 00 00 00 mov $0x1,%ecx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016ee: e8 85 16 00 00 callq 402d78 <exit><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016f3: 48 89 f1 mov %rsi,%rcx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016f6: 41 ff d6 callq *%r14<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016f9: 85 c0 test %eax,%eax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016fb: 75 2b jne 401728 <main+0x168><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 4016fd: 48 8b 44 24 48 mov 0x48(%rsp),%rax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401702: 48 8b 18 mov (%rax),%rbx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401705: ff 15 09 6c 00 00 callq *0x6c09(%rip) # 408314 <__imp___iob_func><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40170b: 48 8d 48 60 lea 0x60(%rax),%rcx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40170f: 49 89 d8 mov %rbx,%r8<o:p></o:p></span></p><p class=MsoNormal><span 
style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401712: 48 8d 15 62 29 00 00 lea 0x2962(%rip),%rdx # 40407b <.rdata+0x4b><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401719: e8 52 16 00 00 callq 402d70 <fprintf><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40171e: b9 01 00 00 00 mov $0x1,%ecx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401723: e8 50 16 00 00 callq 402d78 <exit><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401728: 48 83 c3 08 add $0x8,%rbx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40172c: 4c 39 fb cmp %r15,%rbx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40172f: 0f 85 0d ff ff ff jne 401642 <main+0x82><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401735: b8 00 00 00 00 mov $0x0,%eax<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40173a: 48 83 c4 68 add $0x68,%rsp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40173e: 5b pop %rbx<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40173f: 5e pop %rsi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401740: 5f pop %rdi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401741: 5d pop 
%rbp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401742: 41 5c pop %r12<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401744: 41 5d pop %r13<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401746: 41 5e pop %r14<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 401748: 41 5f pop %r15<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40174a: c3 retq <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40174b: 90 nop<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40174c: 90 nop<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40174d: 90 nop<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40174e: 90 nop<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica",sans-serif;color:#4F4371'> 40174f: 90 nop</span></p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:allbery.b@gmail.com">Brandon Allbery</a><br><b>Sent: </b>Thursday, December 28, 2017 21:29<br><b>To: </b><a href="mailto:matt.lamari@gmail.com">Matthew Lamari</a><br><b>Cc: </b><a href="mailto:lonetiger@gmail.com">lonetiger@gmail.com</a>; <a href="mailto:ghc-devs@haskell.org">ghc-devs@haskell.org</a><br><b>Subject: </b>Re: Haskell Platform 8.2.2 - 
virus?</p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>This wouldn't be the first time some program that uses heuristic execution patterns to detect malware decided it didn't like the STG.</p></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Dec 28, 2017 at 4:15 PM, Matthew Lamari <<a href="mailto:matt.lamari@gmail.com" target="_blank">matt.lamari@gmail.com</a>> wrote:</p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><p><o:p> </o:p></p><p>The site gave me the 5ffdaa sha256 you have below for touchy.exe.</p><p>That said, I still have the 2 builds yield different results from Hitman Pro on the clean boxes. And Bitdefender, on my machine, (albeit being obtuse) chucks a fit over it. It doesn't detect the EXE files; but detects secondary consequences of them running.</p><p><o:p> </o:p></p><p><b>I really think something is afoot here.</b></p><div><div><p><o:p> </o:p></p><p><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On 12/28/2017 3:00 PM, <a href="mailto:lonetiger@gmail.com" target="_blank">lonetiger@gmail.com</a> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Upload one of the binaries it flagged to <a href="https://www.virustotal.com/en/" target="_blank">https://www.virustotal.com/en/</a> and send the link.</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>As far as I can tell, they’re all clean</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="https://www.virustotal.com/en/file/9cc2a6032dde8d8ab572f9491041242ab4c76d2b7d36eea5283c82cf9bf9fd69/analysis/" 
target="_blank">https://www.virustotal.com/en/file/9cc2a6032dde8d8ab572f9491041242ab4c76d2b7d36eea5283c82cf9bf9fd69/analysis/</a></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="https://www.virustotal.com/en/file/5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782/analysis/" target="_blank">https://www.virustotal.com/en/file/5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782/analysis/</a></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From: </b><a href="mailto:matt.lamari@gmail.com" target="_blank">Matthew Lamari</a><br><b>Sent: </b>Thursday, December 28, 2017 20:29<br><b>To: </b><a href="mailto:ghc-devs@haskell.org" target="_blank">ghc-devs@haskell.org</a><br><b>Subject: </b>Haskell Platform 8.2.2 - virus?</p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>New Haskell install was tripping my Bitdefender like crazy and in weird</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>ways - not new as that's how bitdefender rolls. 
However, I retested in a</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>clean test, with (free) Hitman Pro</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I started from a base case with 2 clean windows 8 VMs.</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>New 8.2.2 install - has virus</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Old 8.0.2 Jan 2017 - no virus</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>According to Hitman Pro, touchy.exe, haddock-8.2.2, ghc-8.2.2.exe, and</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>unlit.exe have some problem post-install. 
I went no further on the VMs.</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>"Detection Names</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Kaspersky Trojan-Downloader.Win32.Paph.fsv</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>"</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Bitdefender didn't get it on install but would lock the whole thing down</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>on the first run of "Cabal".</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>_______________________________________________</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>ghc-devs mailing list</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="mailto:ghc-devs@haskell.org" target="_blank">ghc-devs@haskell.org</a></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs</a></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>ghc-devs mailing list<br><a href="mailto:ghc-devs@haskell.org">ghc-devs@haskell.org</a><br><a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs</a></p></blockquote></div><p 
class=MsoNormal><br><br clear=all></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- </p><div><div><div><p class=MsoNormal>brandon s allbery kf8nh sine nomine associates</p></div><div><p class=MsoNormal><a href="mailto:allbery.b@gmail.com" target="_blank">allbery.b@gmail.com</a> <a href="mailto:ballbery@sinenomine.net" target="_blank">ballbery@sinenomine.net</a></p></div></div></div></div><p class=MsoNormal>unix, openafs, kerberos, infrastructure, xmonad <a href="http://sinenomine.net" target="_blank">http://sinenomine.net</a></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
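Editor's note, added after the thread: the triage steps in the reply at the top of this page (does the binary statically import Winsock, does it import GetProcAddress, and does its string table name any Winsock entry point) as a stdlib-only Python script. This is an added example, not code from the thread, from GHC or from touchy.c: the PE import-table walker, the indicator lists and the in-memory test image are all constructed here, and the lpaste links above are not consulted. The indicator lists deliberately go beyond the WSA prefix, because a downloader can fetch its payload through urlmon's URLDownloadToFile or through WinINet/WinHTTP and never name a WSA function at all, and an import by ordinal carries no name either; so the "no WSA string" check is a good negative signal but not a proof on its own.

```python
import re
import struct

# Indicator lists constructed for this example (not from the thread); extend as needed.
NET_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}
NET_APIS = {"socket", "connect", "send", "recv", "gethostbyname", "getaddrinfo", "InternetOpenA",
            "InternetOpenUrlA", "InternetReadFile", "WinHttpOpen", "URLDownloadToFileA"}


def _cstr(data, off):
    """NUL-terminated ASCII string at file offset `off`."""
    return bytes(data[off:data.index(b"\0", off)]).decode("ascii", "replace")


def parse_imports(data):
    """Walk the import directory of a PE32/PE32+ image: {dll_lower: [func, ...]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24                                                 # optional header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory entry 1 is the import table; directories start at +96 (PE32) / +112 (PE32+).
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(nsec):                                         # section table follows the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def rva_to_off(rva):
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return raw_ptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    imports = {}
    if imp_rva == 0:
        return imports
    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    off = rva_to_off(imp_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break
        funcs, t = [], rva_to_off(oft or ft)                      # OriginalFirstThunk, else FirstThunk
        while True:
            entry = struct.unpack_from(thunk_fmt, data, t)[0]
            if entry == 0:
                break
            if entry & ord_flag:                                  # import by ordinal: no name at all
                funcs.append(f"ord#{entry & 0xFFFF}")
            else:                                                 # 2-byte hint, then the name
                funcs.append(_cstr(data, rva_to_off(entry) + 2))
            t += thunk_len
        imports[_cstr(data, rva_to_off(name_rva)).lower()] = funcs
        off += 20
    return imports


def network_strings(data, min_len=4):
    """Printable-ASCII strings naming a network DLL or API: what a GetProcAddress caller must carry."""
    strs = (m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data))
    return sorted({s for s in strs if s.startswith("WSA") or s in NET_APIS or s.lower() in NET_DLLS})


def triage(data):
    """The three checks from the thread, run over one PE image held in memory."""
    imports = parse_imports(data)
    return {
        "static_network_imports": {d: f for d, f in imports.items() if d in NET_DLLS},
        "has_getprocaddress": any("GetProcAddress" in f for f in imports.values()),
        "network_strings": network_strings(data),
    }


def build_test_pe(imports):
    """Minimal PE32+ image with the given import table; constructed input, not a real binary."""
    sec_rva, sec_off = 0x1000, 0x200
    descs, thunks, strings = bytearray(), bytearray(), bytearray()
    desc_size = 20 * (len(imports) + 1)
    str_base = sec_rva + desc_size + sum(8 * (len(f) + 1) for f in imports.values())
    for dll, funcs in imports.items():
        thunk_rva = sec_rva + desc_size + len(thunks)
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, str_base + len(strings), thunk_rva)
        strings += dll.encode() + b"\0"
        for f in funcs:
            thunks += struct.pack("<Q", str_base + len(strings))
            strings += b"\0\0" + f.encode() + b"\0"               # hint 0, then the name
        thunks += struct.pack("<Q", 0)
    descs += bytes(20)
    section = bytes(descs + thunks + strings)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<II", opt, 112 + 8, sec_rva, desc_size)     # import directory RVA/size
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva, len(section), sec_off, 0, 0, 0, 0, 0xC0000040)
    header = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return header.ljust(sec_off, b"\0") + section
```

Against a real file, run triage(open(path, "rb").read()); build_test_pe exists only so the script has something to parse offline. A clean result is three empty or false answers; GetProcAddress alone (as in touchy.exe) is not a finding, since every CRT startup resolves something dynamically, which is exactly why the string scan is the second half of the check.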