• Ransomware detected in .zip archive

    • #2382846

    On 29 November 2020 I downloaded “Nirsoft Network Password Recovery”, just in case I would ever need it.
    Just last night I ran a full scan with Microsoft Defender Antivirus and, for a minute, got the scare of my 37-year computer life.
    Defender reported a detection of Ransom:PowerShell/Roduk in
    G:\Installers\Nirsoft Network Password Recovery\netpass-x64.zip.

    See https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Ransom%3aPowerShell%2fRoduk&threatid=2147768006

    As fortunately the alleged infection was dormant in a compressed archive and I NEVER unpacked nor ran it (I’m quite sure about that), I assume the ransomware was never activated.

    Windows Defender removed the infected archive. Well, good riddance and kudos to Windows Defender.

    All’s well that ends well! 

    1 Desktop Win 11
    1 Laptop Win 10
    Both tweaked to look, behave and feel like Windows 95
    (except for the marine blue desktop, rgb(0, 3, 98))
    • #2382847

      Hello,

      By chance, did you also check the file with another antimalware scanner? Given NirSoft’s long and unblemished reputation, there is an excellent chance that WIN Defender kicked out a false positive.

      A rather nifty free utility is the PeStudio Initial Malware Assessment Tool (updated today). A portable app, it allows one to run a file through VirusTotal (drag & drop), with additional detections for advanced users:
      https://www.softpedia.com/get/Programming/Other-Programming-Files/PeStudio.shtml

      Cheers,
      AJN

    • #2382848

      By chance, did you also check the file with another antimalware scanner?

      Couldn’t. Microsoft Defender removed it.

      1 Desktop Win 11
      1 Laptop Win 10
      Both tweaked to look, behave and feel like Windows 95
      (except for the marine blue desktop, rgb(0, 3, 98))
    • #2382852

      Most password recovery utilities, NirSoft’s included, are blocked by most antivirus progs.  To the best of my knowledge (granted that you downloaded from the source), you experienced a false-positive removal by MS Defender.  It happens to me as well using NAV.

      PS: to use the program you have to restore it and tell your antivirus that “I trust this file”. Or just forget the whole thing… probably safer anyway. In your case, note this statement on the download page: False Alert Problems: Some Antivirus programs detect this utility as infected with Trojan/Virus:

      http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/

    • #2382853

      More likely Defender doesn’t like password recovery utilities.

      Download the latest Nirsoft and scan it.
      Upload it to VirusTotal to test.

      cheers, Paul

      • #2382877

        Exactly, also some sysinternals utilities are evaluated as hacking tools (autologon.exe for example).

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

    • #2382864

      Download the latest Nirsoft and scan it. Upload it to VirusTotal to test.

      There’s actually no need.

      I studied its use more thoroughly and I had to conclude that I don’t need it. Simply because I don’t have any network passwords.

      The very many passwords I do have, I save and back up on 2 offline USB sticks, with each password in its own separate text file. Furthermore I keep monthly disk images of my system (C:) and application (D:) partitions on an external HDD. Important irreplaceable data files are copied (zipped) weekly on a separate offline USB stick. Non-important files are on external HDDs.

      But your info is appreciated, guys.

      Thank you. 

      1 Desktop Win 11
      1 Laptop Win 10
      Both tweaked to look, behave and feel like Windows 95
      (except for the marine blue desktop, rgb(0, 3, 98))
    • #2382871

      More likely Defender doesn’t like password recovery utilities. Download the latest Nirsoft and scan it. Upload it to VirusTotal to test.

      Unfortunately, uploading to VirusTotal is more likely to scare further than reassure. 🙂

      Here’s the webpage for the utility, retrieved from the WayBack Machine, dated 25 Nov 2020, i.e. 4 days before the OP downloaded what would have been v1.55 of the utility, either 32-bit or 64-bit. You’ll see the warning about false positives:

      [image: nirsoft_warning]

      It’s the same webpage, same warning and same file version – 1.55 – as it is today.

      I downloaded both the 32-bit and 64-bit ZIP files… and found they were flagged by Firefox as containing a virus or malware:

      [image: flagged_in_ff]

      I downloaded them anyway and uploaded them as is to VirusTotal. The two links below are to the results for the two *ZIP* files (OP wrote that he didn’t unzip):

      32-bit (shows 31 detections out of 63 scanning engines)

      64-bit (shows 32 detections out of 61 scanning engines)

      I unzipped both. Each ZIP archive contains 3 files – a program executable, a helpfile in CHM format and a readme text file. I uploaded the program executables to VirusTotal. The two links below are to the results for the two executable files:

      32-bit (shows 42 detections out of 70 scanning engines)

      64-bit (shows 42 detections out of 70 scanning engines)

      If you look at the last columns of each report you won’t find a single mention of ransomware. Instead you’ll see descriptions that include PUA (Potentially Unwanted Application), HEUR (Heuristics), Malware-Gen (Generic), Trojan (but no name of the supposed trojan). This just means that they are best-guesses, not definites… a surfeit of caution because the antimalware engine just doesn’t know… so it’s covering its back.

      Here’s the thing. I use a scripting tool called AutoHotkey for simple automation. I know from experience that I can compile the following one-liner AHK script into an executable and have it flagged as malware:

      MsgBox, Hello World!

      Similarly, I gave up trying to find a VBS-to-EXE tool which didn’t have its output flagged as malware… even this simple VBS script which shows the same message:

      ' VBScript: 65 = vbOKCancel + vbInformation, so this shows the same message box
      Dim answer
      answer = MsgBox("Hello World!", 65, "Example")
      ' document.write exists only inside a browser page; a standalone .vbs reports the result via WScript.Echo
      WScript.Echo answer

      The same goes for BAT-to-EXE compilers… absolutely innocuous one-liners flagged as malware.

      I can’t advise what to do about false positives because every one is different. However, I do suggest reading Nir’s blog post (from 2009) about the problem… because I suspect he just finally stopped developing this particular utility as ‘too much trouble’.

      Note: I have been using NirSoft utilities for more than a decade and have never, ever had a problem with them.

      Hope this helps…
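
      Reading the last column of a VirusTotal report the way this post does can be made mechanical. The following is an added example, not code from the post or from NirSoft: it sorts engine verdicts into generic/heuristic/PUA labels versus labels that explicitly name a ransomware family. The engine names and labels are constructed samples (only the Roduk name is taken from the OP's alert), shaped like the per-engine category/result entries of VirusTotal's v3 API `last_analysis_results` field.

```python
"""Bucket engine verdicts: generic/heuristic/PUA labels versus explicit
ransomware-family names.  Added example, not code from the forum post.
Samples are constructed; their shape mirrors VirusTotal v3's
'last_analysis_results' (engine -> {"category", "result"})."""
import re

# Constructed sample A: labels typical for a password-recovery tool.
SAMPLE_PASSWORD_TOOL = {
    "EngineA": {"category": "malicious", "result": "PUA:Win32/PasswordRecovery"},
    "EngineB": {"category": "malicious", "result": "HEUR:Trojan.Generic"},
    "EngineC": {"category": "undetected", "result": None},
    "EngineD": {"category": "malicious", "result": "Malware-Gen"},
    "EngineE": {"category": "suspicious", "result": "HackTool.PassView"},
    "EngineF": {"category": "undetected", "result": None},
}
# Constructed sample B: one engine reuses the family name from the OP's alert.
SAMPLE_RANSOM_ALERT = {
    "EngineA": {"category": "malicious", "result": "Ransom:PowerShell/Roduk"},
    "EngineB": {"category": "undetected", "result": None},
}
# Labels that only say "unwanted/suspicious/generic", naming no specific family.
GENERIC = re.compile(r"\b(PUA|PUP|HEUR|Gen|Generic|HackTool|Riskware|Unsafe|Susp\w*)\b", re.I)
# Labels that explicitly claim ransomware; extend with family names as needed.
RANSOM = re.compile(r"Ransom|Locker", re.I)

def triage(results):
    """Return counts plus the engines in each bucket (generic, ransomware, other)."""
    detected = {e: r["result"] for e, r in results.items()
                if r["category"] in ("malicious", "suspicious") and r["result"]}
    ransom = {e: l for e, l in detected.items() if RANSOM.search(l)}
    generic = {e: l for e, l in detected.items() if e not in ransom and GENERIC.search(l)}
    named = {e: l for e, l in detected.items() if e not in ransom and e not in generic}
    return {"engines": len(results), "detections": len(detected),
            "generic": generic, "ransomware": ransom, "other_named": named}

def verdict(summary):
    """Turn the buckets into the reading an analyst would give the report."""
    if summary["ransomware"]:
        return "ransomware family named: treat the file as hostile until proven clean"
    if summary["detections"] and not summary["other_named"]:
        return "only generic/heuristic/PUA labels: consistent with a false positive"
    if summary["detections"]:
        return "specific non-ransomware family named: investigate that label"
    return "no detections"

if __name__ == "__main__":
    for name, sample in (("password tool", SAMPLE_PASSWORD_TOOL), ("ransom alert", SAMPLE_RANSOM_ALERT)):
        s = triage(sample)
        print(f"{name}: {s['detections']}/{s['engines']} engines -> {verdict(s)}")
```

      A detection count alone (31 of 63, 42 of 70) says nothing about which bucket the labels fall in; the bucket is what distinguishes a heuristic hit on a password tool from a real family match.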

    • #2382954

      Personally, I have both my NirSoft and Sysinternals directories marked as Ignore in both Malwarebytes and Defender. I also only download those utilities from the “OFFICIAL” sites, not third-party sites like MajorGeeks, etc. I trust them both so I don’t worry. The only way to be completely safe is to never connect to the Internet and I ain’t gonna do that!

      😎

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs
