Open NBKRedSpy opened 9 months ago
Also appears to cause a request for elevated network access on first launch of VS Code after reboot.
Drop.Win64.ML.201
C:\Users\<_USERNAME_>\.vscode\extensions\helsmy.autohotkey-debug-0.7.2\bin
Name: AutoHotKey Debug
Id: helsmy.autohotkey-debug
Description: Debug Adapter for AutoHotKey implemented by AutoHotKey.
Version: 0.7.2
Publisher: Helsmy
VS Marketplace Link: https://marketplace.visualstudio.com/items?itemName=helsmy.autohotkey-debug
Since this extension is open source software and does not even connect to the network at all, it has absolutely nothing to do with viruses. You can decompile it using tools from the AutoHotkey forums and compare the source code. But in order to reduce the size, the extension uses UPX compression, which may lead to the extension being reported as a virus. As far as I know, there are quite a few viruses that use UPX compression, so there are some antivirus programs that will treat all UPX-compressed programs as viruses. I'll try to use MPRESS for the next version of the extension. How can I know whether the extension is being treated as a virus by antivirus programs?
Windows 10's Microsoft Anti Virus detected it.
Also, the version on the marketplace is helsmy.autohotkey-debug-0.7.2.vsix
While the latest release here is autohotkey-debug-0.5.0.vsix
https://marketplace.visualstudio.com/items?itemName=helsmy.autohotkey-debug
To test, you could also try uploading to VirusTotal. It shows 20 vendors showing it as a virus of some sort.
Here is the report: https://www.virustotal.com/gui/file/ba1d4fe556e19aa553e85253fe101667bc23177b0cc3effcfbe8eac0b3fb6eca?nocache=1
Hash Info:
ba1d4fe556e19aa553e85253fe101667bc23177b0cc3effcfbe8eac0b3fb6eca
debugAdapter.exe
The VirusTotal upload page can be found here: https://www.virustotal.com/gui/home/upload
Since this extension is open source software and does not even connect to the network at all, it has absolutely nothing to do with viruses.
Is it possible that the marketplace version was taken over by hackers? Or is it really just a false positive? Just a thought.
BTW, I can't reproduce. I wonder if MS updated their AV signatures.
I used a VM with Windows 10.
Since this extension is open source software and does not even connect to the network at all, it has absolutely nothing to do with viruses.
Is it possible that the marketplace version was taken over by hackers? Or is it really just a false positive? Just a thought.
It should not be possible in the normal case, because uploading is authorized through a long enough token.
Compiled scripts will always be reported as virus/malware by some anti-virus software. Even AutoHotkey itself got 2/70.
v2 AutoHotkey may be less reported.
It seems better to use MPRESS instead of UPX. I will use MPRESS for the next version of this extension.
Win32/Wacatac.B!ml
The extension's debugAdapter.exe is shown as an AV severe threat.