EasyPal Alert

Discussion in 'Amateur Radio News' started by W2JUV, Jan 26, 2010.

Thread Status:
Not open for further replies.
  1. G0IFI

    Results for the main easypal.exe executable are identical to the ones above. Uninstall.exe gets 3 out of 41 positives;

    F-Secure 9.0.15370.0 2010.01.30 Suspicious:W32/Riskware!Online
    McAfee+Artemis 5877 2010.01.30 Suspect-D!1D2356C860E1
    TrendMicro 9.120.0.1004 2010.01.30 PAK_Generic.001

    Make of this what you will, but given the noted actions of the previous version from November, erring on the side of caution might be a good idea. This really needs getting to the bottom of, because easypal is truly a great program, and a hell of a lot of hard work clearly went into it. The author, Erik, is being screwed over, and he doesn't deserve it. If the download site has been owned, the hoster should be told.
     
    Last edited: Jan 31, 2010
  2. NF9L

    Paranoia . . .

    You guys all sound like Barney Fife . . . Not sure what version everybody is talking about, but I use Webroot Spysweeper (not shareware) and it has never found any issues with any version.

    My current version came directly from Erik (the author) dated 1/28/2010 and it's perfectly clean. If there is anything going on it's happening at the alternative download sites . . .
     
  3. G0IFI

    Sorry, it doesn't matter if it's freeware or shareware, it won't detect all malware. No AV software in the world does that. There IS a trojan in some versions, I've seen it in action here today in my virtual machine, doing exactly what other people have observed. I've just downloaded the latest version from another ham's site. Interestingly, it's a different size than the one from Erik's. I'll upload it to Virustotal and see how it compares.

    I'm not taking Virustotal's results as absolute, but my caution is based on the proven infection in the earlier version and the similar detections by Virustotal in the latest easypal.
     
  4. KR2RA

    EasyPal possible problem....

    My Malwarebytes says "No malicious items were detected". I scanned the .exe twice.
     
  5. NA4IT

    ATTN KD8IOW!
    You need to download and run MalwareBytes. What you have is something totally different. You should be getting occasional porn pictures. This is highly documented on the web. Antivirus scanners DO NOT pick it up. Our church had one computer get infected, and it traveled through our network to two other machines.

    Again, this has NOTHING to do with EasyPal...

    de NA4IT
     
  6. K3YBN

    Guys Come on NOW

    You know.. you guys have not got a clue.. THERE IS NO TROJAN in this program.

    If I put a John Deere hat on and someone says I am a tractor, does that make it so?

    The problem is your virus scanner. To say it again, I have disassembled this program and there is NO Trojan.
     
  7. KC8YHW

    It seems that everyone has strong feelings about this topic. Risk assessment: if you think your machine is clean, then do your income taxes and online banking from your machine; if you are unsure, don't. The only way to never have an infection is to not put the machine online.
     
  8. G0IFI

    Again guys, the executable I got from the easypal download site in November had been triggering alerts from Avira by creating strange randomly named executables in my Temp folder, a classic Trojan 'dropper' action. Other posters above had exactly the same issue. This happened when easypal was running, and actions involving loading or editing pictures were taken.

    I replicated this in a Vbox virtual machine, with a clean install of windows XP, that hadn't accessed the internet at any time. The problem came up again.
    It's important to recognise that the actual malware isn't within the setup file; it's just the 'dropper' that retrieves it. In this case, it seems to happen whenever OLEAUT32.dll is called from within easypal by opening a picture. That's why the setup file looks ok to a lot of AV SW.
    In the virtual machine, Windows\System32\OLEAUT32.dll was found clean, no other process calling it caused the trojan dropper to fire, and the checksum tallied with the Microsoft version, so it's not the dll that's infected.

    Try this. Download the easypal installer, and submit it to the Virustotal site here http://www.virustotal.com/ and see what results you get. Then try it with the easypal executable you've installed already, in your Program Files\easypal folder. You might also want to check if you have the folders the Trojan process creates in your Temp folders as I posted above, and upload any executables found in there. Look in C:\Documents and Settings\(Your user name)\Local Settings\Temp\ for a folder something like "400000620001418f04f22\" for files named along the lines of "NiceIview.exe. tmp." or "iview.exe .tmp" etc etc.

    I rate easypal very highly. This isn't me making things up to scare you, and it's not my intention to stir up or argue. There IS an issue with some versions, and people need to know about it. There's no suggestion anyone connected with easypal knows about it. Of course they don't. What's safe and what isn't needs pinning down though, and nobody has antivirus software that's capable of settling the issue. It needs diagnostics. Unless you can disassemble and read and understand the code line by line, including any dlls called by the program, you can't say it's ok by doing that either. All I can say is that the ones I've downloaded here exhibit the same obvious action.
     
    Last edited: Jan 31, 2010
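As an added illustration (not code from the thread, from G0IFI, or from EasyPal), here is a Python check for the Temp-folder symptom described in the post above: a hex-named subfolder under Temp holding executables such as "niceiview.exe". The sample tree it builds is constructed from the names quoted in the thread so the script runs offline; pointing `scan_temp` at a real Temp path is the assumed real-world use, and the SHA-256 values it returns are what you would look up on VirusTotal.

```python
"""Check a Temp folder for the dropper-like pattern reported in the thread:
a randomly named, hex-looking subfolder containing executables.
Added example, not from the thread or EasyPal; sample names are constructed."""
import hashlib
import os
import re
import tempfile

# Long runs of hex digits, e.g. "400000620001418f04f22" as quoted in the thread.
RANDOM_DIR_RE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)
SUSPECT_EXT = {".exe", ".tmp", ".dll", ".scr"}

def sha256_of(path):
    """SHA-256 of a file, read in chunks; the digest is what you look up on VirusTotal."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_executable(name):
    """True if any extension is suspect; odd spacing like "iview.exe .tmp" is collapsed."""
    parts = name.lower().replace(" ", "").split(".")
    return any("." + p in SUSPECT_EXT for p in parts[1:])

def scan_temp(temp_dir):
    """Return dicts (name, path, sha256) for executables inside hex-named subfolders."""
    findings = []
    for entry in os.scandir(temp_dir):
        if not (entry.is_dir() and RANDOM_DIR_RE.match(entry.name)):
            continue  # ordinary Temp subfolders are ignored
        for root, _dirs, files in os.walk(entry.path):
            for fn in files:
                if looks_executable(fn):
                    p = os.path.join(root, fn)
                    findings.append({"name": fn, "path": p, "sha256": sha256_of(p)})
    return findings

def build_sample_temp():
    """Constructed sample tree mimicking the thread's report; file contents are placeholders."""
    base = tempfile.mkdtemp(prefix="temp_demo_")
    bad = os.path.join(base, "400000620001418f04f22")
    os.makedirs(bad)
    for fn in ("niceiview.exe", "iview.exe .tmp"):
        with open(os.path.join(bad, fn), "wb") as f:
            f.write(b"MZ placeholder bytes, not a real binary")
    os.makedirs(os.path.join(base, "installer_log"))  # benign folder, must not be flagged
    return base

if __name__ == "__main__":
    for hit in scan_temp(build_sample_temp()):
        print(hit["sha256"], hit["path"])
```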
  9. G0IFI

    I've submitted the setup file from Erik's site to Frisk Labs for analysis. It might take a day or two.
     
  10. KA1MDA

    It's still there...

    I just downloaded the latest version of Easypal (5/JAN/2010) and installed it. Malwarebytes still detected a trojan (trojan.downloader) in the easypal.exe file. The downloaded file itself scans OK; the trojan does not show up until the downloaded exe file is installed.

    Tom, KA1MDA
    www.ka1mda.org
     
  11. W8EI

    I have found my note scribbled when Norton 360 reported a virus (infostealer.Bancos) while running EasyPal. As scribbled:

    c/us/wrm/appdata\local\temp\400000620001418f04f22\niceiview.exe

    Is there a reason for EasyPal to include niceiview.exe? And does its presence in temp mean in any case it was not included but "dropped" in?

    As I stated before, Bancos preceded my "Antivirus Live" infection. But that is consistent with the modus operandi of a "dropper" program. Admittedly, I had never heard of a dropper before G0IFI told me about it.



    I agree with the first point. And as for diagnostics, unfortunately I don't have the skills you listed.
     
  12. G0IFI

    No, there's no reason for any legitimate process to create randomly named executables in a randomly named subdirectory of the user's hidden Temp folder; well, I'm a programmer, and I can't think of any. You get the exact same results as I get here, every time, with every version I download from any of the sites it's available, and I'd suggest anyone else would, if they looked. The dropper is doing what droppers do: sneaking past Antivirus protection in a setup file or similar, then retrieving the bad stuff from a remote host. Luckily for some of us, our Antivirus resident protection hollered when it happened. When someone's doesn't, it's either because the dropper has downloaded something unknown to its signature files, or their resident protection isn't enabled. In any event, it's 99 percent likely that if it wasn't detected, the dropper managed to run whatever it was, once it was retrieved. What effect that has, we don't yet know, although the 'Antivirus Live' fraud seems to be one of them. I'll email Frisk Labs if I don't hear from them in 24 hours, to see what they found.

    http://en.wikipedia.org/wiki/Dropper
     
    Last edited: Feb 1, 2010
  13. KJ4NOO

    Any updates about this ? I am thinking about trying SSTV but don't want to D/L a virus into my computer to do it. Thanks for the info about this software.
     
  14. VK4AES

    EasyPal Virus False Positives

    There is absolutely no virus or malware in EasyPal.
    A former message queried why EasyPal put files into hidden folders.

    There is a very good reason for this:
    It allows vital files required by EasyPal to be loaded and run from a hidden directory. The install file is thus one only exe file and contains every file needed by EasyPal.
    This protects the user who likes to fiddle, change or experiment with these vital files. Of course they may have weird names to a casual observer. This was a marvelous system that served well for many years.
    As anti-malware programs became more aggressive, they would get suspicious of this action, which is a favorite of true malware.
    Some anti-malware programs were flagging this behavior but never then analyzed the particular file concerned. This was an easy out for those programs and resulted in many false positives. Some high-profile anti-malware programs are guilty of this.
    As a result, I have rewritten EasyPal to not use embedded files. This results in 94 vital files being exposed in the various EasyPal directories. These files are exactly the same as the embedded files were in previous releases.
    Now there are no False positives, even though the files are the same.
    It would be a losing battle to insist these anti-virus programs pulled their socks up.
    It is a pity that many innovative programming techniques are now suspect to these programs.

    EasyPal is now back to the bad old days where users will play with some of these vital files and complain when things do not work as expected.

    Oh well that is life.

    On the other hand, I will shout a few beers to anyone that can identify any malware in the latest release of EasyPal. Think I might have one or two myself now.

    This site only came to my notice several days ago; no one bothered to report any of this to me. So EasyPal has been rewritten as a result.
    I am sorry that this has caused concern.


    73's de Erik VK4AES
     
  15. N3ZH

    Well,

    It appears Eric is back to his old tricks.

    AVAST antivirus deletes c32.exe as a virus/malware file.
    AVAST antivirus will not allow the downloading of the latest versions of EasyPal.

    Eric - I was paid big bucks to write software for over 20 years. Now I write software for the amateur community for fun. I have never ever had any software I write be flagged as potentially harmful.

    I consider you a combination of genius and idiot.

    Please, stop using the programming techniques that virus/malware programmers use!

    Your software is being deleted from my computers and I am going to talk with Mars management to ask them to ban the use of your software.

    Howard
     