For how many new programs do you actually look for the source code to see if it is a virus or no? Seriously, 8 out of 60 is nothing and it does not matter if they are big names. Most of them mark anything new as a virus until it's proven as a false positive nowadays, and especially if it's using a scripting language. So, if you feel unsafe with the program, use it in a VM or don't use it at all, but if you want a definitive proof that this is not a virus first give me one that it is. Just to be clear, I could not care less about this fake copy of youtube DL/FFMPEG which this program wants to be, but I don't call it a virus either.
First, no need to attack me about the 4 posts because I have never posted on forums before or replied a lot and if I have replied I have replied to already posted topics.
Second, I will say for myself that as long as it doesn't harm anything and does me a good work, I use the software and I supporte whoever created it because everyone needs a support no matter what.
#28 (edited by Ethin 2018-12-30 21:41:44)
@26, and I never strictly labeled it as a virus, though I'm leaning towards that purely because the author has offered nothing other than platitudes that its perfectly safe. We have no proof that it is or isn't, other than his history, and his history indicates that it isn't safe to use. And no, antiviruses don't label anything they don't know as a virus; if that were so, then they'd label all the programs I develop and work on privately as viruses, which they don't. Hell, they'd label every open-source program that you download and build as a virus because they don't know what it is, especially if its one of those programs that's ope-source but not well-known.
As for your assertion that "8 out of 60 is nothing," it certainly is something. Just because its a small number does not mean its "nothing". Considering the accuracy of most AV programs these days, there's about an 80-85 percent or so chance they're correct that it is a virus.
@Ethin, thanks for the explanations, I due have one question though.
For testing purposes I uploaded the great toy robbery.exe up to virustotal, just because I had it laying there.
And also here, i think it was 8 out of 65 programs saw a virus in the file, including things like AVG, Avast and so on.
I suppose Liam isn't the type of person wanting to inject backdoor trojans and so on, so, what could be the cause of this?
Would be cool if you could clear that one up a bit.
#30 (edited by Ethin 2018-12-30 22:24:58)
@29, that's quite surprising, since NVDA was written in Python as well and nothing identified it. I'm downloading it now to upload it...
OK, scan just completed. I wonder of the integrity of your post; I just scanned the setup file and only got one engine (Antiy-AVL, which identified it as Trojan[Backdoor]/MSIL.SpyGate). The rest -- in particular, AVAST, AVAST Mobile Security, BitDefender, and Malwarebytes -- all showed 'clean'. Installing the file, 11 engines detected it. But if you run NvDA through it, nothing shows. The ones that detected it as supposedly 'malicious' were: Antiy-AVL (Trojan[Backdoor]/MSIL.SpyGate), Jiangmin (Trojan.Agent.bphf), K7AntiVirus (Trojan ( 0053f8c91 )), K7GW (Trojan ( 0053f8c91 )), McAfee-GW-Edition (BehavesLike.Win32.Generic.wc), Rising (Malware.Heuristic.MLite(98%) (AI-LITE:NxA9u2TGeZyAKwptw+NnHA)), SentinelOne (static engine - malicious), Sophos ML (heuristic), Trapmine (suspicious.low.ml.score), VBA32 (Trojan.Agent), and Yandex (Trojan.Agent!jKOS93FSwZw). None of the big names like AVG, AVAST, or Malwarebytes detected it as harmful, which nullifies the theory that all antivirus software claims everything is a virus until they know more about it.
But digging deeper, we find basic info:
PE32 executable for MS Windows (GUI) Intel 80386 32-bit
InstallShield setup (49%)
Win64 Executable (generic) (31.4%)
Win32 Dynamic Link Library (generic) (7.4%)
Win32 Executable (generic) (5.1%)
OS/2 Executable (generic) (2.3%)
Process And Service Actions
So, that may be one reason why it was considered a virus by some of the unknown ones. There's no way to know what truly made them suspicious. My best guess, however, would be the fact that it uses pyinstaller and "unpacks" itself and everything it needs, which is sometimes what viruses do to evade detection.
Oh so 80 or 85 percent chance, but those other 60 engines which do not detect it are all inaccurate? How interesting. If 8 detect it and 60 don't, that says something. Now you ask the developer for a proof. First, the developer never said anything on here. Second, do you expect every developer to give you their sources just to prove that it's not a virus? Well, that never happens. As for the example with your programs, you probably develop them in a popular enough language. Go make a BGT script, an autoit one, a batch to exe converter or almost any scripting language and tell me what you get.
@nidza07, I've written programs in C, C++, BGT, Python, PureBASIC, Go, and so on. The only one that makes my AV program go haywire is BGT. And I significantly doubt that Media Extra was written in BGT.
Second, did I ever say that those that didn't pick it up were 'inaccurate'? No. Stop making assumptions for once and actually learn to *read*. No, I don't expect every developer to give me their source code so I can determine for myself whether its a virus or not. But when someone like this guy posts something and he's well-known for the Blind Extra add-on for NVDA, and hacked someone using Get Extra, you can see my paranoia and understand it. Though, considering how you've been quite happy to misunderstand and misinterpret what I've posted, I doubt you would.
Man, the one who is so arrogant and tells others to read does not read. Can you find where he hacked somebody with get extra? I only saw the info for blind extra, and even that is not hacking. Also, what is your opinion on the fact that the great toy robbery, on it's arrival, was detected by that same, highly accurate AVG? And it remained so until a forum member reported it as a false positive. Trust common sense, not antiviruses. The only one I can actually highly recommend is malwarebites as it did not really have much false positives for me. Also, no, you never directly said those others are inaccurate, and I never said you said so. However, if you say that 8 out of 60 detect it and they are pretty accurate, it is a logical conclusion that compared to them those others are weak and inaccurate. Again, I personally do not have much good to say about this particular developer either, but you simply cannot say at the moment that this program is dangerous.
Yeah, I would stop trying to make excuses for this guy. To get people up to speed, here's a little history on Blind Extra's escapades.
Once upon a time, in the year 2016 a d, there was an nvda addon called Blind Extra. Blind Extra was a collection of our beloved synthesizers, Acapela and Vocalizer, distributed for free, spread far and wide, packaged in a nice downloader for everyone's...convenience?
No blind man, woman or child could resist the call of free stuf so they all flocked on mass to download the addon. The code took hold, infecting and spreading from device to device while the huskey tones of Ava whispered in their eares that everything was all right. The code gained strength, quietly waiting in the shadowy parts of cyberspace, sealing bank details, spreading further. It conquered skype, TeamTalk, teamspeak and everyone's favorite MOOs. On December 31st, 2016 at 11:59 PM the malware, evolved beyond all recognition by this point infected and took control of a prototype mech that was basically a carbon copy of metal gear rex. After powering the weapons, configuring the speakers to play an endless stream of Rick Astley songs for all to heare, The code went on a bloody rampage, murdering it's creater and installing it's self in the whitehouse where it brainwashed the U.S government with the promis of all the cocaine they could ever dream of snorting. The population of the world fell next, implanted with a number of devices that made them all believe they were living back in the 1980s where there was only one version of ghost busters, and starwars was glorious. Completely unhindered and With a population that lived to serve, the code formerally known as blind extra built and refined technology at an alarming rate. Turning it's sights to space, it spread through the universe, conquering planet after planet until the entire universe sounded like one giant 80s nightclub.
Meanwhile, in an undisclosed part of the world, a man awoke in a darkened apartment his mind completely free of the 80s. He was, however, suffering one of the most brutal hangovers ever known in the entire history of hangovers. Will he have what it takes to save the world? Find out on the next episode of... Blind. Extra! Escape. From. The. 80s!
***Before i go and explain the real problem with Blind Extra in another post in case you tldr folks didn't make it through this whole thing, credit to Exodus for that wonderfully made bit of comedy from
this thread right here
Ok, folks. So here's the scoop. For real this time, all obvious meme and jokes aside.
The developer of Media Extra, who by the way is really combining already-existing software into one for convenience sake, is known for a remote access trojen called Blind Extra. First, let's get Media Extra out of the way. What it would be, without the possible strings attached.
Downloading video content: Youtube Dl, so for that you have Pontes Media Downloader, Foobar2000 (streams) and the newer MusicDl, indeed a gui frontend to Youtube DL itself.
Combining a raw audio with still photos: www.tunestotube.com does that, and even uploads the video to Youtube for you, bypassing the drag that is Youtube's own upload page. Only restriction is there's a visual tunestotube.com watermark laced into your videos unless you donate a few bucks, which is totally fair.
Finding the media in an article? Ok, admittedly useful, but there are external sources that can do just that.
Now that we've got that out of the way, let's talk about Blind Extra.
Imagine, an addon that has two obviously cracked synthesizers, available for download out in the open, with a dedicated download wizard? Too good to be true, and there sure are strings attached.
The addon has numerous security holes which will be described, but let's get one thing straight. This whole thing does not use Nvda's core api, at all. The addon, if it can even be called that, uses urllib/urlib2/webbrowser to download some files, presumably the voice data, but not before making sure to delete the Python source for the addon. As we knew before, it has some odd compiled batch scripts and *some* readable python code. And to top it all, it does not use proper l10n methods and reads like a rough transcription from another language. Could it just be exe's that are running the voices, and it isn't going through nvda's speech module at all? Well in short, this so-called addon is nothing short of a collection of programs, not in any way communicating to nvda. How do you know it's a program? It has a whole damn gui loop! Granted some addons have dialogues, look at ntm for example, and addons like that have *one* executable to launch. But this addon? Completely unpythonic, goes way beyond an nvda addon into who knows what.
So with that said, knowing this guy's reputation, I'd steer clear of media extra.
@nidza07, first, post 22 is where the reference was made. Second, I'm now running the actually installed program (in a sandbox) through virus total. It returns... 22 out of 70. That's a 31.42 percent detection, out of a mere 16.66 or so percent for TGTR. That's an approximate 14.76 percent increase. Not much, eh? Until you look at some of these... Ad-Aware, ALYac, Antiy-AVL, Arcabit, BitDefender, CAT-QuickHeal, Cybereason, Cyren, Emsisoft, eScan, F-Prot, F-Secure, GData, Jiangmin, MAX, McAfee-GW-Edition, Rising, SentinelOne, Symantec, Trapmine, VBA32, and Yandex. Here are the good ol results:
2018-12-30 22:00:18 UTC
malware (ai score=80)
static engine - malicious
Avast Mobile Security
Palo Alto Networks
Symantec Mobile Insight
Unable to process file type
You can find all the info at https://www.virustotal.com/#/file/7c31b … 5340043f1. Also, it seems this app was written in Python, Python 3.6, to be exact. So, that's even more evidence to suggest -- with an even higher rate of confidence -- that this is malicious.
@Ethin, so, when should I get suspecious of a file which I upload.
Currently, I check if AVG, Avast, Avira, GData and Kaspersky find any results, are there any more legitimate anti virus programs out there?
And what are these unknown ones like trapmine, fProd and what not?
@37, I don't know what those are. I usually get suspicious if big names -- at least the ones I know and have worked with before -- like Sophos, Malwarebytes, AVAST, and AVG all give a true positive. I don't check if they all do, but the more that detect it the more suspicious I get.
It is kind of concerning how Windows Defender Security Center -- which claims to be the latest and the best of the best antivirus, antimalware and antispyware program from Microsoft running on the latest Windows10 build didn't detect it as malicious.
Find me on Twitter
@39, supposed to be, you know. It... definitely isn't.
@Ethin, hmm ok, makes sense though.
I am not gonna ask why every anti virus program flags BGT programs as a virus, i suppose this only would be explanable in programers terms that i wouldn't even comprehend in any shape or form.
If not, one or two sentences why these things are getting flagged or a link to a topic where this gets explained would be awesome to have.
Ok, as long as I wanted to stay cool and positive, this won't happen.
Now, tell me how many of you actually scan every program you use?
I will tell you. Most of the programs you download and use you don't scan.
I am not believing the false stories and NVDA reports because I have used all the programs of this developer.
Just because he works alone doesn't mean that you have the right to make a drama movie out of it. Thank you for the great TV series, but I already watch enough of them. Instead of saying what is a virus and how not to use it, go get a life and be real, come down to Earth.
so guys, program developer wants make happy all you, and he don't needs make virus programs, and he is making all free programs.
#44 (edited by sid512 2018-12-31 14:13:51)
I just wanted to chime in here and put my own experience. apart from self-claimed geeks and nirds going over countless reports from virustotal and momentarily disagreeing about the expected reliability of windows defender on one of the latest windows version, let me share what I found.
As a matter of fact, i've been using microsoft security essentials here on a windows 7 pc since last 4 years, and it didn't disappoint me to say the least. it has not only removed malicious trojans and roots found on rogue usb drives, but also flagged files from eurofly, other zipped games including sbyw, and other legitimate files as viruses. sometimes, I had no choice but to disable the antivirus for making a certain programme work. to say the least, microsoft security essentials would be considered as one of the most basic antivirus programmes out there, nevermind the ones with advanced security features.
so, on one such evening, I decided to turn the antivirus off and download the programme. what occured afterwards is beyond me, as an alert from mse crept up, even while it was turned off, showing the below pasted outcome.
Trojan:Win32/Occamy.B; Alert level: Severe; Status: Active; Recommended action: Remove
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Get more information about this item online.
well, surprising enough. imagine mse being turned on, it wouldn't have allowed the download at first place. also, I would like to urge you guys to research about this particular form of trojan compared to the jibberish pasted in above posts.
I wanted a similar programme with youtube downloading and converting capabilities, but coming from one of the most basic antivirus, one can't be sure anymore.
p.s. if one of you have anything contrary, please prove the same.
edit: a basic search about occamy trojan gave out the following, although i'd still urge you guys to search about this particular virus as much as possible.
Occamy is a trojan-type virus detected by most anti-virus/anti-spyware suites. It is designed to be controlled remotely - the developer decides which actions Occamy performs. Anti-virus/anti-spyware suites typically name this malware "Trojan:Win32/Occamy.B" or "Trojan:Win32/Occamy.C". Note also that Occamy's process ("nc.exe") is listed in Windows Task Manager, thus making it easier to detect.
As mentioned above, Occamy is controlled remotely by the developer. In each case, its behavior may differ. Most trojan-type viruses gather information, infiltrate other malware into the system, and connect victims' computers to various botnets. Trojan-type viruses record information such as saved logins/passwords, mouse/keyboard activity, web browsing activity, and geo-locations. This sensitive data is misused to generate revenue (via money transfers, online purchases, identity thefts, etc.) Some trojans are also capable of hijacking web cams and microphones to capture "embarrassing" moments (e.g., user masturbating, etc). Cyber criminals then use compromising photos/videos to blackmail victims. As mentioned above, trojans are also likely to proliferate other malware. In most cases, trojans proliferate ransomware - a high-risk virus that encrypts data (or corrupts the system in other ways) and demands a ransom in exchange for reverting the changes. Fortunately, most reputable anti-virus/anti-spyware suites are capable of detecting and removing Occamy malware. Therefore, if you believe that your computer is infected with Occamy, immediately perform a full system scan and eliminate all detected threats.
#45 (edited by sid512 2018-12-31 14:39:19)
Another article on this type of virus, found at this link states as follows.
Also check this link
Trojan:Win32/Occamy.C is a threat identified by Microsoft Security Software. This is a typical malware that targets the core system of Windows in order to complete its tasks. Trojan:Win32/Occamy.C was made to execute a series of commands once it gets inside the system. It will gather data like system settings, Windows version, network configuration, and so on. Collected data will be sent to remote attacker for analysis.
In general, system will get infected with Trojan:Win32/Occamy.C if malicious code is executed on the computer. Source of this trojan may vary due to the changing ways how it is deployed. Typically, spam email messages disguising as open letter from reputable institution are used to deceive recipients. Body of the message contains enticing phrases that tries to convince user into opening the attached file.
Malicious links from social media sites and instant messaging program are also seen as method used in distributing Trojan:Win32/Occamy.C. Illegally distributed software and media materials may also contain code that can lead to the infection of this malware.
In order to run itself on Windows start-up, Trojan:Win32/Occamy.C will make a copy of itself under system files. Then, registry entry is created to call the file on each Windows boot-up. Apart from that, this malware will also drop non-malicious files on various folders of the compromised PC.
Trojan:Win32/Occamy.C occasionally connects to a remote host to execute tasks like the following:
◾Notify attacker on the new infection
◾Sends gathered data from the infected computer
◾Download and execute additional files including an updated version of the trojan
◾Accept command from a remote attacker
There is not much obvious symptom from this malware. Trojan:Win32/Occamy.C operates silently in the background. However, Microsoft Security Software may alert you on the presence of this trojan.
Trojan:Win32/Occamy.C is a malware that can drop malicious files onto the computer, which tend to lock files and demand payment from users in order to regain access. Some security programs deemed this threat as a Ransomware with that causes high potential damage.
This Trojan will drop the following files:
C:\Users\Username\AppData\LocalLow\Microsoft\Cryptnet Url Cache\Content\5CEA8CFB8047B569B331D0E79D28457D
Aliases: Trojan-Ransom.Win32.Blocker.kqwj, Ransom.HiddenTear, Win32.Occamy
from second article:
Occamy.C falls under the Trojan umbrella. It’s a dreadful application. One that slithers its way into your system via trickery and finesse. Then, once it settles, corrupts it. Not long after the tool invades, it begins to wreak havoc. You face a multitude of grievances on a daily basis. Among the scariest of issues, you encounter, is the privacy risk. Yes, the Trojan threatens your private life. It follows instructions to spy on you from the moment it infiltrates. And, so it does. The tool starts its espionage upon invasion. It monitors your browsing habits, and records everything you do. It keeps track of your every online move. Then, once it determines it has collected enough data, sends it. It hands it over to the unknown people behind it. The cyber criminals with questionable intentions that published it. Those are the individuals, who get access to your sensitive details.
Trojans don’t make for good company. Neither does Occamy.C. The tool throws you into a whirlwind of troubles. After it sneaks into your system undetected, it makes its presence known. How? Well, it begins to meddle. The infection is immensely intrusive. At the very least, it ruins your online experience. Every time, you browse the web, it makes sure to interrupt. It bombards you with banner, in-text, and pop-up ads. As well as, redirects you to suspicious sites. And, nothing you see is reliable or trustworthy. So, click nothing. To press even a single pop-up, is to set yourself up for further grievances. Furthermore, don’t think the incessant interference goes unnoticed. Due to the Trojan’s presence, your PC starts to suffer frequent crashes. Your computer’s performance slows down to a crawl, too. But don’t think the Trojan’s touch is limited to your browsing, alone. Oh, no. The hazardous tool spreads its nastiness throughout. It has the ability to perform changes on your system. It reshuffles settings, even installs programs. Oh, yes. You can find your default homepage replaced. Or, discover your PC home to a plethora of malicious applications. You face a severe malware threat. Couple that with the grave security issue, and it’s given. The Occamy.C has NO place on your computer. Delete it the first chance you get. Its prompt removal earns you a peace of mind. And, the gratitude of your future self.
Let#s say that this program is a virus and gathering data about our network settings, pc settings etc. What will Ahmed Sattar do with those information? I have used this program and saw no viruses. The developer says taht his intention was not to develop viruses. If we believe what ms defender/ms security essentials say, then all of the games that are developed with bgt contain some kind of virus and they have to be removed immediately, but we all know that those game#s don`t actually contain viruses. So I think we should think again.
#47 (edited by sid512 2018-12-31 14:43:05)
your post made no sense. if you check the facts with that particular type of virus, it is one of the trojans which are likely to damage your pc. if the developer wants people to use his programmes, he could have excluded the viruses, easy enough.
plus, the filesize for this programme is 49 mb which is suspicious enough for a video downloading and converting software. moreover, it doesn't need to effect the pc immediately, it can run in the background and up to the mercy of the remote hacker at his own leisure.
if anyone wants to technically back the other side, feel free.
@Muslima, well, I usually don't scan every program I download, but if a developer is known for hacking other computers via an NVDA addon, which even has been confirmed by the NVDA comunity, you are bound to get suspicious about that guy.
#49 (edited by jack 2018-12-31 16:13:42)
Yeah, @Muslima I don't know if you were around for the Blind Extra shenanigans, but if you weren't you're really not in a position to tell us to shut up and take his software offering as it is. Just because all bgt games, for example, are flagged by antivirus, they are not suspected of containing remote access trojans. If you read the whole thing through, you would have seen that Occamy is not your average virus that screws you over right away, it is a remote-access trojan. So, it gives Ahmad STar access to your computer and he can do whatever he wants, he can keystroke-log, take control of the machine, steal logins, and who knows what else. Plus, are you guys that desperate for a youtube downloader that you are completely blind to the fact there are two, no wait three, much better ones out there that you might've probably already used before? Again, I remind you, Pontes Media Downloader, MusicDL, and Foobar2000 (just streaming but offers the ability to pick up more detail about the youtube vid. So I find it incredibly ironic how folks who are unaware are acting like the software is the first of its kind, and won't even google other more well known options. Well, thank you once again for reconfirming my faith in technological literacy...or lack thereof.
I love how a lot of you guys don't have a single bit of knowledge about cyber security, and yet you are talking about Media Extra like it's the best program in the world and the developer will do no harm. You've seen the things that Blind Extra could do, and despite this you believe the dev would never hack people based solely on the fact that he said so. What's worse? Two, three, maybe even four people are telling you that this guy is a fraud and we've shown you proof that Media Extra is a virus, and you refuse to believe the evidence we've shown you. Did you know that Ethin is actually a dev, and goes to colledge and is taking computer science and cyber security as a major? I think he knows what he's talking about. So, what have you guys studied for that gives you so much knowledge about this subject? Come to think of it, why do you guys cling to Media Extra like it's the best program the blind community has ever seen, anyway?