WannaCry in GUIEditor


Post

Teksonik wrote:
zvenx wrote:hmmm mine is dated 01-13-18 and WD still flags it.. Interesting.
I even redownloaded it an hour ago.
rsp
I think I see the difference. You have a gui editor.exe in your SM One folder but I do not. Mine is in the regular Synthmaster folder and that one is dated 1-9-18.

Do you also have Synthmaster installed ?

Have you tried uploading the file dated 1-13-18 to VirusTotal ?

https://www.virustotal.com/#/home/upload
Hi,
I have both SM1/one and SM2... only the GUI Editor in SM1 was flagged....I did follow your suggestions in the other thread and did upload it and it showed fine there.
thanks
rsp
sound sculptist

Post

zzz00m wrote:Yikes! :o :o :o

I found three versions of 'GUIEditor.exe' in my path 'C:\Program Files\KV331 Audio'.
One each in 'SynthMaster', 'SynthMaster One', and 'SynthMaster Player'.
Here is the VirusTotal results for the file located in 'SynthMaster One':
So, in total there were 22 AV engines out of 66 at VirusTotal that detected this, plus so did HitmanPro. This is not just a Microsoft false detection. I am glad I never executed this file!

Holy crap ! Did you download the Synthmaster files from the KV331 site ? Perhaps it's a Supply Chain exploit similar to what happened to CCleaner awhile back...... :o
None are so hopelessly enslaved as those who falsely believe they are free. Johann Wolfgang von Goethe

Post

The one from the 13th which was in Program Files/KV331/SynthmasterOne

https://www.virustotal.com/#/file/bd269 ... /detection

I then found one dated on the 9th in my vst folder.

https://www.virustotal.com/#/file/86bca ... /detection


The first one had been flagged earlier when I posted, I redownloaded SM1 installer and it was still flagged. I then physically dumped the first one in the trash and reinstalled SM1 from the downloader I had redownloaded today.... This one is no longer flagged and the results are above.

For completeness I also found something on the original UBK-1 that I had the installer on my harddrive. I deleted those and went on ubk site to find the legacy downloads:
https://www.mediafire.com/folder/yan2k21s5a1a1/UBK-1

One of these still tests positive for a virus (don't remember which one) (it was flagged on virustotal)

I deleted it completely since I used the UBK-1 second version.

rsp
Last edited by zvenx on Tue Jul 31, 2018 8:06 am, edited 1 time in total.
sound sculptist

Post

zvenx wrote: Hi,
I have both SM1/one and SM2... only the GUI Editor in SM1 was flagged....I did follow your suggestions in the other thread and did upload it and it showed fine there.
thanks
rsp
Cool I'm glad it's clean there. I wonder why I don't have a gui editor.exe in my SM One folder. Perhaps my AV deleted it. :?
None are so hopelessly enslaved as those who falsely believe they are free. Johann Wolfgang von Goethe

Post

Teksonik wrote:
zvenx wrote: Hi,
I have both SM1/one and SM2... only the GUI Editor in SM1 was flagged....I did follow your suggestions in the other thread and did upload it and it showed fine there.
thanks
rsp
Cool I'm glad it's clean there. I wonder why I don't have a gui editor.exe in my SM One folder. Perhaps my AV deleted it. :?
Indeed :)
rsp
sound sculptist

Post

Teksonik wrote:
zzz00m wrote:Yikes! :o :o :o

I found three versions of 'GUIEditor.exe' in my path 'C:\Program Files\KV331 Audio'.
One each in 'SynthMaster', 'SynthMaster One', and 'SynthMaster Player'.
Here is the VirusTotal results for the file located in 'SynthMaster One':
So, in total there were 22 AV engines out of 66 at VirusTotal that detected this, plus so did HitmanPro. This is not just a Microsoft false detection. I am glad I never executed this file!

Holy crap ! Did you download the Synthmaster files from the KV331 site ? Perhaps it's a Supply Chain exploit similar to what happened to CCleaner awhile back...... :o
Yes, I downloaded the SynthMaster One installer directly from KV331 in December.

I had archived that installer zip, and so I just unzipped it again to check the installer file at VirusTotal.

This is the current VirusTotal scan result for the December 13, 2017 version of the SynthMasterOneSetup.exe (3 detections).
>>> https://www.virustotal.com/en/file/a2a6 ... /analysis/
Windows 10 and too many plugins

Post

Ok that's not so bad. Better than 22 /65. Defender and a couple of AV programs that aren't in the top tier of AV programs. It passes Bitdefender, McAfee, Norton, Kaspersky, Malwarebytes etc....... :)
None are so hopelessly enslaved as those who falsely believe they are free. Johann Wolfgang von Goethe

Post

Teksonik wrote:Ok that's not so bad. Better than 22 /65. Defender and a couple of AV programs that aren't in the top tier of AV programs. It passes Bitdefender, McAfee, Norton, Kaspersky, Malwarebytes etc....... :)
Yep, but ... the difference is that the installer with 3 detections dropped an '.exe' file with 22 detections in a folder.

Something's not right here...
Windows 10 and too many plugins

Post

zzz00m wrote:
Teksonik wrote:Ok that's not so bad. Better than 22 /65. Defender and a couple of AV programs that aren't in the top tier of AV programs. It passes Bitdefender, McAfee, Norton, Kaspersky, Malwarebytes etc....... :)
Yep, but ... the difference is that the installer with 3 detections dropped an '.exe' file with 22 detections in a folder.

Something's not right here...

I would download the current build and immediately remove what you have on your computer.
rsp
sound sculptist

Post

zvenx wrote:
zzz00m wrote:
Teksonik wrote:Ok that's not so bad. Better than 22 /65. Defender and a couple of AV programs that aren't in the top tier of AV programs. It passes Bitdefender, McAfee, Norton, Kaspersky, Malwarebytes etc....... :)
Yep, but ... the difference is that the installer with 3 detections dropped an '.exe' file with 22 detections in a folder.

Something's not right here...

I would download the current build and immediately remove what you have on your computer.
rsp
The current SynthMaster One setup installer build is dated February 9, 2018, and scores '0/66' at VirusTotal.

So I uninstalled my previous build, and installed the latest. The 'GUIEditor.exe' scores '0/66' at VirusTotal now as well. :tu:

The one thing about having a potential malware executable file on your drive is that it cannot do any harm until it is executed. It is only a static file with the potential to cause harm. It's not an active infection until it runs and drops its payload etc. I have multiple leading anti-malware scanners installed, and no active infections have been detected in routine system scans.

If this was actually a false alarm, something in the code was really tripping the heuristics of many scanners. :o

But I do feel better knowing that I have a 'clean' build installed now! :D
Windows 10 and too many plugins

Post

Perhaps the December installer was compromised in some way. 22 AV programs triggering is a bit high so obviously there was something in that code those AV programs found suspicious.

With Supply-Chain exploitations a thing you can never be completely sure a download is safe even from the official site.

The lack of response from the developer doesn't do much to bolster confidence...... :?
None are so hopelessly enslaved as those who falsely believe they are free. Johann Wolfgang von Goethe

Post

Teksonik wrote:
With Supply-Chain exploitations a thing you can never be completely sure a download is safe even from the official site.
I'm a big believer in that. I run every download possible against VirusTotal these days, before executing it.

If it's only 1-3 detections, I assume a false positive for those. Clearly 0 is best, but some of these AVs are pretty obscure, so they may not clear false positives as fast as the major developers, or they just have very aggressive heuristics.

You can add a Windows right-click context menu to Windows file explorer for VirusTotal by downloading the free 'HashMyFiles' from NirSoft (no install, portable, no dlls): http://www.nirsoft.net/utils/hash_my_files.html

When you run it you can choose 'Options > Enable Explorer Context Menu - VirusTotal'.

Then when you right-click any file you have selected in a folder, such as an installer in your downloads folder, this option will send a SHA-256 file hash of the selected file to VirusTotal via your web browser. View the results there! Handy!

My firewall also generates a VirusTotal score for EVERY program on my computer that connects to the net. So I pretty much know what is running on my machine. That's why this dormant file was such a big surprise to me!
Windows 10 and too many plugins
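
Added example (not part of the original thread, and not KV331 or NirSoft code): the hash-then-look-up check described above, extended to find every copy of a file name under a folder and group the copies by SHA-256, so differing builds such as the three 'GUIEditor.exe' copies stand out. The VirusTotal URL form, the function names and the sample file contents are assumptions made for this example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Assumed VirusTotal lookup URL form; only the hash is sent, never the file.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"
# Constructed sample contents standing in for two different builds.
SAMPLE_A = b"constructed sample: build A"
SAMPLE_B = b"constructed sample: build B"

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_copies(root, filename):
    """Return every path under root whose name matches (case-insensitive)."""
    wanted = filename.lower()
    return sorted(os.path.join(d, n) for d, _, names in os.walk(root)
                  for n in names if n.lower() == wanted)

def report(root, filename):
    """Group copies by SHA-256; one (digest, url, paths) row per distinct build."""
    groups = defaultdict(list)
    for path in find_copies(root, filename):
        groups[sha256_file(path)].append(path)
    return [(h, VT_FILE_URL.format(sha256=h), paths)
            for h, paths in sorted(groups.items())]

def build_demo_tree(base):
    """Constructed layout mirroring the three folders named in the thread."""
    layout = {"SynthMaster": SAMPLE_A, "SynthMaster One": SAMPLE_B,
              "SynthMaster Player": SAMPLE_A}
    for folder, content in layout.items():
        os.makedirs(os.path.join(base, folder))
        with open(os.path.join(base, folder, "GUIEditor.exe"), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for digest, url, paths in report(tmp, "GUIEditor.exe"):
            print(f"{digest}  ({len(paths)} copies)\n  {url}")
            for p in paths:
                print(f"    {p}")
```

Pointing `report()` at a real install folder instead of the demo tree gives one lookup URL per distinct build; a hash VirusTotal has never seen returns no result, which is not the same as a clean verdict.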
