Rufus 3.8 | Infected with malware?

RoboMan

Level 33
Verified
Content Creator
Jun 24, 2016
2,238
21,659
As a daily routine of context-scanning or analyzing with VT every executable I download, this got my attention. I was trying to create a bootable USB with Rufus.

VirusTotal threw this: GrayWare/Win32.Generic

[attached screenshot: 1571653243880.png]

Yeah, I know what you are thinking. 1/60 is definitely a false positive.

Well, in the third analysis section (relations) for Rufus 3.8, the content of the executable was sandboxed and tested, where it ended up with the parent executable Win32 EXE d9da5ddf53b891f94b0a78ed043645ea.virus.

[attached screenshot: 1571653401327.png]

After opening the parent executable contained in Rufus 3.8, a compilation of all these beauties is found.

[attached screenshot: 1571655001207.png]

Opinions?
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
7,455
68,838
I have Rufus 3.8 on my system; in fact I just used it to save the new W10 1909 to a pendrive:

[attached screenshot: 1571656379849.png]

This is clearly a false positive... but if you have a Rufus 3.8 with many other AV detections, then it is probably an infected copy of the tool...
 

EndangeredPootis

Level 10
Verified
Sep 8, 2019
456
2,317
I may be misunderstanding then. VirusTotal throws execution parents as dangerous processes, but I do not yet understand if it's actually the parent processes that spawn it, or if it just compares, world-wide, the parent processes that have ever spawned the Rufus process.
VirusTotal always shows a ton of engines detecting the parent exe on all programs; it's a glitch on their end.
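The two points argued above (a detected "execution parent" versus the file's own 1/60 ratio, and harlan4096's hash comparison against a known-clean copy) can be made concrete. The following is an added example written for this thread; it is not code from the forum, from Rufus or from VirusTotal. In VirusTotal's v3 data model the execution_parents relationship lists other files in VT's corpus that spawned this file during their own sandbox run, so a detected parent is evidence about that other sample (typically a bundle that drops a legitimate tool), not about the bytes of your download. The JSON-shaped objects below are hand-constructed in the shape of VT API responses; the only real values are the two hashes quoted in the thread, the engine counts are illustrative, and the thresholds are assumptions.

```python
"""Added example (not from the thread, Rufus or VirusTotal): separate a file's
own VT verdict from verdicts on its execution parents, then verify that the
local copy is byte-identical to the hash that was scanned."""
import hashlib
from typing import Dict, List, Tuple

# Hashes quoted in the thread: the Rufus 3.8 SHA-256 posted by BoraMurdar and
# the MD5 of the detected execution parent shown in the relations tab.
RUFUS_SHA256 = "cb641345d6c01e6b16ab18ad930eb7218f270eb319a4b7fb599ce88b5ae18159"
PARENT_MD5 = "d9da5ddf53b891f94b0a78ed043645ea"

# Constructed stand-in for GET /api/v3/files/{hash} -> data.attributes
RUFUS_ATTRIBUTES = {
    "meaningful_name": "rufus-3.8.exe",
    "sha256": RUFUS_SHA256,
    "last_analysis_stats": {"malicious": 1, "suspicious": 0,
                            "undetected": 59, "harmless": 0},
}

# Constructed stand-in for GET /api/v3/files/{hash}/execution_parents -> data[].
# Real VT object ids are SHA-256; only the parent's MD5 is known from the
# thread, so the id here is a labelled placeholder.
EXECUTION_PARENTS: List[dict] = [
    {"id": "constructed-parent-1",
     "attributes": {"md5": PARENT_MD5,
                    "last_analysis_stats": {"malicious": 48, "suspicious": 2,
                                            "undetected": 10, "harmless": 0}}},
]

# Assumption: only engines that returned a verdict count toward the "N/60"
# denominator; timeouts and unsupported types are left out.
VERDICT_KEYS = ("malicious", "suspicious", "undetected", "harmless")


def detection_ratio(stats: Dict[str, int]) -> Tuple[int, int]:
    """Return (flagged, total), the way the VT UI renders e.g. 1/60."""
    total = sum(stats.get(k, 0) for k in VERDICT_KEYS)
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return flagged, total


def own_verdict(attributes: dict, fp_threshold: float = 0.05) -> str:
    """Judge the file on its own engines only (threshold is an assumption)."""
    flagged, total = detection_ratio(attributes["last_analysis_stats"])
    if total == 0:
        return "no_verdicts"
    return "likely_false_positive" if flagged / total <= fp_threshold else "suspicious"


def triage(attributes: dict, parents: List[dict],
           fp_threshold: float = 0.05, parent_threshold: float = 0.5) -> dict:
    """Report the file's own ratio next to, but separate from, its parents.

    Parents are other corpus samples observed spawning this hash; their
    detections never feed back into this file's own ratio."""
    flagged, total = detection_ratio(attributes["last_analysis_stats"])
    bad_parents = []
    for p in parents:
        pf, pt = detection_ratio(p["attributes"]["last_analysis_stats"])
        if pt and pf / pt >= parent_threshold:
            bad_parents.append(p["attributes"].get("md5", p["id"]))
    return {
        "file": attributes["sha256"],
        "own_ratio": f"{flagged}/{total}",
        "own_verdict": own_verdict(attributes, fp_threshold),
        "detected_execution_parents": bad_parents,
        "parents_change_own_verdict": False,
        "next_step": "compare the local copy's SHA-256 with the scanned hash",
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same_file(local_bytes: bytes, expected_sha256: str) -> bool:
    """harlan4096's check: an identical hash means the same bytes VT scanned;
    a different hash means the local copy is not the file in that report."""
    return sha256_hex(local_bytes) == expected_sha256.lower()


if __name__ == "__main__":
    print(triage(RUFUS_ATTRIBUTES, EXECUTION_PARENTS))
    # For a real download: same_file(open("rufus-3.8.exe", "rb").read(), RUFUS_SHA256)
```

The constructed parent scores 50/60 and is listed under detected_execution_parents, while the Rufus object itself stays at 1/60 and is judged on that alone; the flag parents_change_own_verdict is hard-coded False to make the data-model point explicit. A copy whose SHA-256 differs from the scanned one has to be treated as a different file, which is the case harlan4096 describes as "probably an infected copy".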
 

BoraMurdar

Community Manager
Verified
Staff member
Aug 30, 2012
6,637
28,293
cb641345d6c01e6b16ab18ad930eb7218f270eb319a4b7fb599ce88b5ae18159
Damn, I never have a VM at the hand when this stuff happens!
Either this thingy is impossible or you just found a zeroday (if all of this is true)

You can see the new experimental features of Rufus but I cannot see the connection between those and disabling WD
 