Rufus 3.8 | Infected with malware?


RoboMan (Thread author)
As a daily routine, I context-scan or analyze with VT every executable I download, and this one got my attention. I was trying to create a bootable USB with Rufus.

VirusTotal threw this: GrayWare/Win32.Generic

[attached screenshot: 1571653243880.png]

Yeah, I know what you are thinking. 1/60 is definitely a false positive.

Well, in the third analysis section (relations) for Rufus 3.8, the content of the executable was sandboxed and tested, and it ended up with the parent executable Win32 EXE d9da5ddf53b891f94b0a78ed043645ea.virus.

[attached screenshot: 1571653401327.png]

After opening the parent executable contained in Rufus 3.8, a compilation of all these beauties is found.

[attached screenshot: 1571655001207.png]

Opinions?
 
I have Rufus 3.8 on my system; in fact I just used it to save the new W10 1909 to a pendrive:

[attached screenshot: 1571656379849.png]

This is clearly a false positive... but if you have a Rufus 3.8 with many other AV detections, then it is probably an infected copy of the tool...
 
Although I understand 1/68 can be and probably will be a false positive, how can a parent process of the Rufus executable trigger 60/68?
Kaspersky, Microsoft, ESET, Symantec don't sound the alarm on these detections... It's most probably a false positive. Most detections came from Bitdefender definitions...
 
Kaspersky, Microsoft, ESET, Symantec don't sound the alarm on these detections... It's most probably a false positive. Most detections came from Bitdefender definitions...
In the last picture, Kaspersky, Microsoft and ESET detect the parent executable as malware.
 
I may be misunderstanding then. VirusTotal flags execution parents as dangerous processes, but I do not yet understand whether it's actually the parent processes that spawn it, or whether it just compares, world-wide, the parent processes that have ever spawned the Rufus process.
VirusTotal always shows a ton of engines detecting the parent exe on all programs; it's a glitch on their end.
 
cb641345d6c01e6b16ab18ad930eb7218f270eb319a4b7fb599ce88b5ae18159
Damn, I never have a VM at hand when this stuff happens!
Either this thingy is impossible or you just found a zero-day (if all of this is true).

You can see the new experimental features of Rufus but I cannot see the connection between those and disabling WD
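The thread turns on one practical question: is this a genuinely infected copy of Rufus, or a VirusTotal relations glitch? The check a practitioner makes before trusting any VT verdict is to hash the downloaded file and compare it against the SHA-256 the vendor publishes for that release. The script below is an added example and not code from the thread, from Rufus, or from VirusTotal; the sample file contents and the "published" hash it compares against are constructed here for the demo, so in real use you would paste the hash from the vendor's download page instead.

```python
import hashlib
import hmac
import os
import tempfile

# Read in 1 MiB chunks so large installers or ISOs are hashed without loading them into memory.
CHUNK_SIZE = 1 << 20


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory blob (used for the constructed sample below)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published(actual_hex: str, published_hex: str) -> bool:
    """Compare a computed digest with the vendor's published one.

    Case-insensitive (vendors publish either case) and constant-time, so the
    comparison itself cannot leak how many leading characters matched.
    """
    return hmac.compare_digest(actual_hex.strip().lower(), published_hex.strip().lower())


def check_download(path: str, published_hex: str) -> dict:
    """Return the computed hash and whether it matches the published value."""
    actual = sha256_of_file(path)
    return {"sha256": actual, "matches_published": matches_published(actual, published_hex)}


def run_demo() -> tuple:
    """Self-contained demo on constructed data: a pristine file and a tampered copy.

    The 'published' hash is computed from the constructed pristine bytes; in practice it
    comes from the vendor's release page, never from the download itself.
    """
    pristine = b"MZ" + b"\x00" * 62 + b"constructed stand-in for an installer"  # constructed, not a real PE
    tampered = pristine + b"\x90"                                               # one extra byte changes the digest
    published = sha256_of_bytes(pristine)

    results = []
    for blob in (pristine, tampered):
        fd, path = tempfile.mkstemp(suffix=".exe")
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(blob)
            results.append(check_download(path, published))
        finally:
            os.unlink(path)
    return tuple(results)


if __name__ == "__main__":
    good, bad = run_demo()
    print("pristine copy :", good)
    print("tampered copy :", bad)
```

A hash mismatch is the signal that you are holding a modified binary and that the VT detections are worth taking seriously; a match means the file is bit-for-bit the vendor's release, and a 1/60-style hit is then a scanner false positive rather than an infection of your copy. Note that the "execution parents" relation on VirusTotal is crowd-sourced from other submitters' sandboxes and does not describe what is inside your file, which is why a local hash check settles the question that relation cannot.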
 