All times are UTC - 8 hours




Post subject: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Fri Mar 05, 2010 10:33 am

Joined: Mon Nov 02, 2009 7:24 am
Posts: 7
I think "Bat To Exe Converter" creates exes with Trojan.VkHost. Note, the program itself is not infected - it's exes converted from batch files with the "invisible" setting that are. This trojan randomly redirects Google search results.
http://www.portablefreeware.com/index.p ... 0#comments


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Fri Mar 05, 2010 1:28 pm

Joined: Sun Mar 01, 2009 5:48 pm
Posts: 442
Location: Charleston,SC.
Can you share one of your custom invisible exe files here for study?

_________________
"Defects are always more tolerable than the changes necessary to correct them"


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Fri Mar 05, 2010 3:58 pm

Joined: Mon Oct 06, 2008 4:32 pm
Posts: 332
The ones I made don't trigger anything from Avira.


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Fri Mar 05, 2010 5:16 pm

Joined: Mon Nov 02, 2009 7:24 am
Posts: 7
-.-
Do you convert bats to exes with the invisible setting?

Napiophelios
Here's how I reproduce the problem ...

1. download Bat To Exe Converter 1.5 and run it

2. create a batch file with 2 lines: dir, pause

3. convert it with Bat to Exe with the invisible setting

4. scan the test.exe:
Malwarebytes' Anti-Malware 1.44, Database version: 3826
Files Infected:
c:\Download\portable updates\bat_to_exe_converter\test-dir-pause.exe (Trojan.VkHost) -> No action taken.

The symptom I experienced was random web browser redirects with Google search results. Real-time, up-to-date Avast and Windows Defender don't catch this. Malwarebytes catches it though! Note, it's the exe *created* by the program, not the program itself.

I was running an invisible exe that was a 3 line batch:
xcopy D:\MyDocs\Thunderbird\contacts\abook.mab C:\Portable\ThunderbirdPortable\Data\profile /Y
C:\Portable\ThunderbirdPortable\ThunderbirdPortable.exe
move C:\Portable\ThunderbirdPortable\Data\profile\abook.mab D:\MyDocs\Thunderbird\contacts

This ensures my address book is backed up with my MyDocs folder along with my Tbird account folders. If portable Tbird allowed me to specify my address book location, this wouldn't be needed. And, I don't want to see a dos window in the task bar while I run Tbird.

Anyway, since I've stopped running ThunderbirdBatch.exe which I created with Bat To Exe Converter I've had no redirects with Google search results.

Here's the PASSWORD protected 7z file with the test batch file, test.exe, and Malwarebytes output (truncated):
http://www.megaupload.com/?d=KJXESB76

Password is:
Trojan.VkHost

I'll drop a note in the Avast forums and see what they think. (Avast is great, my fave BTW despite not catching this)

Thanks,
jxf011


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Fri Mar 05, 2010 8:10 pm

Joined: Mon Oct 06, 2008 4:32 pm
Posts: 332
Try to put in some information under version information.

I think I had this happen before since some scanners don't like nameless programs. Put in a company and description and see if it still triggers an alert.

Also, your thing didn't trigger Avira for me, so it's probably just your program settings.


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Fri Mar 05, 2010 9:30 pm

Joined: Thu Apr 17, 2008 2:36 pm
Posts: 312
[offtopic]I wish people'd use Drop.io or other free no wait service instead of either making me wait on a countdown or bust out FF with its skipscreen plugin and then hope it works[/offtopic]
my 7zipportable (latest version) didn't much care for your 7z file.

Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Sat Mar 06, 2010 2:33 am

Joined: Sun Mar 01, 2009 5:48 pm
Posts: 442
Location: Charleston,SC.
VirusTotal Results 11/42 scanners
Jotti Results 3/20 scanners

Uncompressed file:

VirusTotal Results 11/42 scanners
Jotti's Results 2/20 scanners

These scanners use heuristic settings which will almost always find something
if you use upx or write your own bat files or make silent installers.

I seriously doubt this program adds viruses to your batch files.
If you wrote the bat file yourself I wouldn't worry too much over this.

...of course I ain't gonna click that exe either :lol:


MiDojo, are you using the 7Zip 9.11beta? I have heard it doesn't always extract files properly.

Me personally, I don't like to download from MediaFire; it takes so long to load the page and the ads and popups drive me nuts... but I use it to store files cuz my files upload almost instantly.
Maybe that's why people use filehosting services that make you wait,
not so much for your convenience, but maybe their own. :lol:

_________________
"Defects are always more tolerable than the changes necessary to correct them"


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Sat Mar 06, 2010 11:42 am

Joined: Sat Mar 31, 2007 2:38 am
Posts: 902
Location: Kce,PL
- Most likely it's not a false positive
- (Most likely) It does *not* add any crapware to the batches and is 100% safe to use.

So why is it considered insecure?
Because you can write crapware in any language, including MS Batch. I guess that sb. did it and packed it with this converter.
The converter encrypted it and hid it in its own internals (as such converters usually do), and for AV it's much easier to flag all such exes than to reverse the encrypting procedures and look into the batches.
From the AV perspective, wrapping encrypted program code in a kind of stub is a flawed procedure.

AutoHotKey compiler had (has?) this issue. Both programs work mostly the same way. It doesn't mean the reason for flagging is the same, the converter's author might have his computer infected, but this is just much less likely.

_________________
Image
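
The trade-off described in the post above, as a toy model added here (not part of the thread and not the converter's real code): a fixed stub wraps an obfuscated batch file, and three scanners with different visibility look at the result. The stub bytes, the key, the XOR scheme and the scanner functions are all constructed assumptions; the two batch files reuse commands quoted elsewhere in the thread.

```python
from itertools import cycle

# Constructed stand-ins: not the real converter's stub bytes or key.
STUB = b"MZ[constructed launcher stub: decode payload, run with hidden window]"
KEY = b"constructed-key"
BAD_COMMAND = b"del /s C:\\WINDOWS"  # the destructive command quoted in the thread


def xor(data: bytes) -> bytes:
    """Toy stand-in for the converter's payload encryption (XOR is symmetric)."""
    return bytes(b ^ k for b, k in zip(data, cycle(KEY)))


def convert(batch_source: str) -> bytes:
    """Toy converter: fixed stub followed by the obfuscated batch source."""
    return STUB + xor(batch_source.encode("ascii"))


def scan_stub(exe: bytes) -> bool:
    """Flags the wrapper itself: hits every converted file, whatever it contains."""
    return exe.startswith(STUB)


def scan_raw(exe: bytes) -> bool:
    """Looks for the bad command in the file bytes without unwrapping."""
    return BAD_COMMAND in exe


def scan_unwrapped(exe: bytes) -> bool:
    """Reverses the wrapper first, then looks at the recovered batch source."""
    if not exe.startswith(STUB):
        return False
    return BAD_COMMAND in xor(exe[len(STUB):])


def verdicts(batch_source: str) -> dict:
    """Run all three toy scanners over the converted form of one batch file."""
    exe = convert(batch_source)
    return {"stub": scan_stub(exe), "raw": scan_raw(exe),
            "unwrapped": scan_unwrapped(exe)}


BENIGN = "dir\r\npause\r\n"  # the two-line test batch from the thread
DESTRUCTIVE = "@echo off\r\ndel /s C:\\WINDOWS\r\n"  # constructed sample

if __name__ == "__main__":
    print("benign     ", verdicts(BENIGN))
    print("destructive", verdicts(DESTRUCTIVE))
```

The stub scanner flags both files, the raw scanner flags neither, and only the scanner that reverses the wrapper separates them, which is the extra work the post says AV vendors tend to avoid.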


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Sun Mar 07, 2010 5:28 pm

Joined: Thu Apr 17, 2008 2:36 pm
Posts: 312
Nope, using 7Zip 4.65 wrapped in PortableApps (blech ;) wrapper). Why is Portableapps at 4.x when beta is 9.x?


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Wed Mar 10, 2010 7:29 am

Joined: Mon Nov 02, 2009 7:24 am
Posts: 7
Sorry the .7z didn't work well. Since it has a virus within the archive I encrypted the file and am not comfortable putting it on my ISP's share.

I've re-posted it at drop.io as was suggested - thanks! This site looks great for 100MB and less files. Also, I'm using 7-Zip 9.10 beta (2009-12-22), the latest.
http://drop.io/nphxgwp
password: Trojan.VkHost

The key thing I want to stress is that I was having symptoms of a Google search redirect hijack after I created and ran a bat to exe with the invisible setting. After I stopped and deleted the bat to exe I created, the Google search redirecting stopped.

Malwarebytes identifies the invisible exe I created as Trojan.VkHost (Avast 5.0 and Win7 Defender misses it) but whether that's accurate or a false positive is neither here nor there - I was having random nameserver redirects running the exe and I don't have this issue when it's not running and it's deleted.

Also, I scanned www.f2ko.de with Norton SafeWeb and they say 4 trojans reside at the Bat to Exe site ...
http://safeweb.norton.com/report/show?url=f2ko.de
Time to add my comment to SafeWeb....


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Wed Mar 10, 2010 9:39 am

Joined: Fri Aug 31, 2007 7:58 am
Posts: 152
Location: Canada's capital
I sent the Norton report to the Contact email at f2ko.de, and also asked that he/she look at invisible compiled batch files.


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Thu Mar 11, 2010 6:23 am

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 3473
Location: US, Texas
If I'm understanding this thread, some folks here are looking to get a batch-to-exe converter off of anti-virus programs' watch list because it's a false positive. The problem I see with this is that any batch file can be essentially made into a trojan. You just create a bat file with "del /s C:\WINDOWS" (a simple DOS command for deleting the contents of a folder), turn it into an EXE, and suddenly you have a trojan.

Since a batch file can easily be turned into something dangerous, if I were an anti-virus company, I'd want to err on the side of caution and list it as a trojan. Then, if the user wants to take the risk, that's up to them.

_________________
Supporting the Electronic Frontier Foundation | DuckDuckGo user | My GPG key | Projects donated to: VLC, CubicExplorer, Ditto, Greenshot, TrueCrypt


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Thu Mar 11, 2010 6:37 pm

Joined: Thu Apr 17, 2008 2:36 pm
Posts: 312
I agree with WebFork on this one


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Fri Mar 12, 2010 6:56 am

Joined: Fri Aug 31, 2007 7:58 am
Posts: 152
Location: Canada's capital
I agree that the real danger with batch files is the commands that are put into them.

There are actually two technical issues that I read here; one being the caution that scanners have towards compiled batch files, launchers, etc., because of the potential payload and the ease of adding that payload, and the other being the products of f2ko.

The Web scan report sent to f2ko (still awaiting a response) listed four products coming up, none of which was the Bat To Exe Converter. They were all mini utilities in the CmdTools section of the web site. The topic here is whether these are false positives or infected.

The original question is whether benign batch files compiled with Bat To Exe Converter in "invisible" mode introduced a trojan (because of some "value added" by the converter) or a false positive, as I understand it.

I have been using the converter for some time at 1.4.0, 1.4.1, and 1.5 version levels, and have occasionally found false positives in controlled situations. I determined that invisible AND properties data in 1.4.x very often came up with false positives. I verified to my satisfaction these were not trojans by watching process, temporary or created files, and modifications of registry entries during these tests. Of the limited tests I have done with 1.5, I found I could usually get rid of false positives by changing inconsequential lines in batch files and recompiling. My batch files are usually installer mechanisms that modify registry and config files before copying files, etc., and usually invisible.

So I don't have definitive answers to the queries, but have been able to make the Bat To Exe Converter work for me. So far.


Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
Posted: Fri Mar 12, 2010 9:56 am

Joined: Mon Nov 02, 2009 7:24 am
Posts: 7
Everyone,

I'm not suggesting for a moment this is a false positive.

I experienced ***symptoms*** after creating and running an invisible exe with this program. These symptoms were random, periodic redirects of Google search results. Maybe the top result was fine but the next 1 or 3 were re-directed. The Google web page of results would have the url printed, e.g. http://www.hitnumber7.com/blah/blah, and when I clicked on it I would be sent to an advertisement web page.

Specifically, with my invisible exe running, I searched Google for an Acronis backup issue. One of the hits (maybe the 3rd) was an Acronis.com link for the pdf manual. The Google web page results had http://www.acronis.com/... printed underneath the hyperlink in clear text. If I mouse over this link with Firefox using the add on Link Alert I don't see the Acronis link, I see some super long link for some ad web site. Clicking on the link in Firefox takes me to said link.

I started to investigate the URL of this ad page. I Googled and found some others talking about Google search result redirects specially affecting Firefox. I started to test this by doing Google searches and looking at the results and clicking on them. What do you know but I was easily able to replicate the problem: hypertext links on Google that go to an advertisement web site - these links do not match the link text associated with them on the Google search results page.

Ok, so now I know I have a problem. Avast 5.0 scan, nothing. Windows Defender scan, nothing. Malwarebytes scan, something! Trojan.VkHost is found on the process and file that I created with Bat to Exe.

I stop the process and delete the exe. No more Google search redirects!!!!

Let me repeat - this is not a false positive problem. I had Firefox redirect hijack symptoms for Google search results when my invisible exe was running. After stopping the process and deleting the exe, no more redirects.

Maybe this only affects certain versions of Windows (I run 7 x64) and/or Firefox (latest with 40+ add ons). But, I can't recall being hit with a trojan/virus before and I sure didn't like it this time! Thanks to Malwarebytes and a few other poor souls troubleshooting this on forums on line for helping me to a solution. :D

