Yes, AV software, especially HitmanPro are not gospel.
67 other AVs came out clean. But let’s say for the sake of argument that they’re all wrong.
“Trojan-Downloader” is a class of Trojan that downloads a payload. Which means they need to use a socket somehow.
$ sha256sum.exe ghc-8.2.2/lib/bin/touchy.exe
5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782 *ghc-8.2.2/lib/bin/touchy.exe
Is the binary I’m looking it, it matches the hash on the total virus link and yours.
This is the source of touchy https://github.com/ghc/ghc/blob/ghc-8.2/utils/touchy/touchy.c
The application does not import Winsock, so networking seems more unlikely, but it imports GetProcAddress, so let’s say for the sake of argument it’s
Dynamically binding to the socket library.
http://lpaste.net/3408264924009332736 is the full string table. Which contains no ascii string starting with “WSA”. So unlikely since you need to name the function
you want to call, and you need to initialize the sockets, so WSA.
This is the full disassembly of touchy.exe
http://lpaste.net/7667888088021991424
Below you’ll find an inline copy of main, it pretty much follows the source in touchy.c.
I’m pretty confident that HitmanPro is just throwing a false positive, I won’t be going through the CRT startup code.
Here’s main:
00000000004015c0 <main>:
4015c0: 41 57 push %r15
4015c2: 41 56 push %r14
4015c4: 41 55 push %r13
4015c6: 41 54 push %r12
4015c8: 55 push %rbp
4015c9: 57 push %rdi
4015ca: 56 push %rsi
4015cb: 53 push %rbx
4015cc: 48 83 ec 68 sub $0x68,%rsp
4015d0: 89 ce mov %ecx,%esi
4015d2: 48 89 d7 mov %rdx,%rdi
4015d5: e8 e6 02 00 00 callq 4018c0 <__main>
4015da: 83 fe 01 cmp $0x1,%esi
4015dd: 74 10 je 4015ef <main+0x2f>
4015df: b8 00 00 00 00 mov $0x0,%eax
4015e4: 83 fe 01 cmp $0x1,%esi
4015e7: 0f 8e 4d 01 00 00 jle 40173a <main+0x17a>
4015ed: eb 26 jmp 401615 <main+0x55>
4015ef: 48 8b 1f mov (%rdi),%rbx
4015f2: ff 15 1c 6d 00 00 callq *0x6d1c(%rip) # 408314 <__imp___iob_func>
4015f8: 48 8d 48 60 lea 0x60(%rax),%rcx
4015fc: 49 89 d8 mov %rbx,%r8
4015ff: 48 8d 15 2a 2a 00 00 lea 0x2a2a(%rip),%rdx # 404030 <.rdata>
401606: e8 65 17 00 00 callq 402d70 <fprintf>
40160b: b8 01 00 00 00 mov $0x1,%eax
401610: e9 25 01 00 00 jmpq 40173a <main+0x17a>
401615: 48 8d 5f 08 lea 0x8(%rdi),%rbx
401619: 8d 46 fe lea -0x2(%rsi),%eax
40161c: 4c 8d 7c c7 10 lea 0x10(%rdi,%rax,8),%r15
401621: 4c 8b 2d ec 6b 00 00 mov 0x6bec(%rip),%r13 # 408214 <__imp_CreateFileA>
401628: 48 8d 7c 24 50 lea 0x50(%rsp),%rdi
40162d: 4c 8b 25 30 6c 00 00 mov 0x6c30(%rip),%r12 # 408264 <__imp_GetSystemTimeAsFileTime>
401634: 48 8b 2d 71 6c 00 00 mov 0x6c71(%rip),%rbp # 4082ac <__imp_SetFileTime>
40163b: 4c 8b 35 ca 6b 00 00 mov 0x6bca(%rip),%r14 # 40820c <__IAT_start__>
401642: 48 89 5c 24 48 mov %rbx,0x48(%rsp)
401647: 48 c7 44 24 30 00 00 movq $0x0,0x30(%rsp)
40164e: 00 00
401650: c7 44 24 28 80 00 00 movl $0x80,0x28(%rsp)
401657: 00
401658: c7 44 24 20 04 00 00 movl $0x4,0x20(%rsp)
40165f: 00
401660: 41 b9 00 00 00 00 mov $0x0,%r9d
401666: 41 b8 00 00 00 00 mov $0x0,%r8d
40166c: ba 00 00 00 40 mov $0x40000000,%edx
401671: 48 8b 0b mov (%rbx),%rcx
401674: 41 ff d5 callq *%r13
401677: 48 89 c6 mov %rax,%rsi
40167a: 48 83 f8 ff cmp $0xffffffffffffffff,%rax
40167e: 75 2b jne 4016ab <main+0xeb>
401680: 48 8b 44 24 48 mov 0x48(%rsp),%rax
401685: 48 8b 18 mov (%rax),%rbx
401688: ff 15 86 6c 00 00 callq *0x6c86(%rip) # 408314 <__imp___iob_func>
40168e: 48 8d 48 60 lea 0x60(%rax),%rcx
401692: 49 89 d8 mov %rbx,%r8
401695: 48 8d 15 a7 29 00 00 lea 0x29a7(%rip),%rdx # 404043 <.rdata+0x13>
40169c: e8 cf 16 00 00 callq 402d70 <fprintf>
4016a1: b9 01 00 00 00 mov $0x1,%ecx
4016a6: e8 cd 16 00 00 callq 402d78 <exit>
4016ab: 48 89 f9 mov %rdi,%rcx
4016ae: 41 ff d4 callq *%r12
4016b1: 49 89 f9 mov %rdi,%r9
4016b4: 41 b8 00 00 00 00 mov $0x0,%r8d
4016ba: ba 00 00 00 00 mov $0x0,%edx
4016bf: 48 89 f1 mov %rsi,%rcx
4016c2: ff d5 callq *%rbp
4016c4: 85 c0 test %eax,%eax
4016c6: 75 2b jne 4016f3 <main+0x133>
4016c8: 48 8b 44 24 48 mov 0x48(%rsp),%rax
4016cd: 48 8b 18 mov (%rax),%rbx
4016d0: ff 15 3e 6c 00 00 callq *0x6c3e(%rip) # 408314 <__imp___iob_func>
4016d6: 48 8d 48 60 lea 0x60(%rax),%rcx
4016da: 49 89 d8 mov %rbx,%r8
4016dd: 48 8d 15 74 29 00 00 lea 0x2974(%rip),%rdx # 404058 <.rdata+0x28>
4016e4: e8 87 16 00 00 callq 402d70 <fprintf>
4016e9: b9 01 00 00 00 mov $0x1,%ecx
4016ee: e8 85 16 00 00 callq 402d78 <exit>
4016f3: 48 89 f1 mov %rsi,%rcx
4016f6: 41 ff d6 callq *%r14
4016f9: 85 c0 test %eax,%eax
4016fb: 75 2b jne 401728 <main+0x168>
4016fd: 48 8b 44 24 48 mov 0x48(%rsp),%rax
401702: 48 8b 18 mov (%rax),%rbx
401705: ff 15 09 6c 00 00 callq *0x6c09(%rip) # 408314 <__imp___iob_func>
40170b: 48 8d 48 60 lea 0x60(%rax),%rcx
40170f: 49 89 d8 mov %rbx,%r8
401712: 48 8d 15 62 29 00 00 lea 0x2962(%rip),%rdx # 40407b <.rdata+0x4b>
401719: e8 52 16 00 00 callq 402d70 <fprintf>
40171e: b9 01 00 00 00 mov $0x1,%ecx
401723: e8 50 16 00 00 callq 402d78 <exit>
401728: 48 83 c3 08 add $0x8,%rbx
40172c: 4c 39 fb cmp %r15,%rbx
40172f: 0f 85 0d ff ff ff jne 401642 <main+0x82>
401735: b8 00 00 00 00 mov $0x0,%eax
40173a: 48 83 c4 68 add $0x68,%rsp
40173e: 5b pop %rbx
40173f: 5e pop %rsi
401740: 5f pop %rdi
401741: 5d pop %rbp
401742: 41 5c pop %r12
401744: 41 5d pop %r13
401746: 41 5e pop %r14
401748: 41 5f pop %r15
40174a: c3 retq
40174b: 90 nop
40174c: 90 nop
40174d: 90 nop
40174e: 90 nop
40174f: 90 nop
From: Brandon Allbery
Sent: Thursday, December 28, 2017 21:29
To: Matthew Lamari
Cc: lonetiger@gmail.com; ghc-devs@haskell.org
Subject: Re: Haskell Platform 8.2.2 - virus?
This wouldn't be the first time some program that uses heuristic execution patterns to detect malware decided it didn't like the STG.
On Thu, Dec 28, 2017 at 4:15 PM, Matthew Lamari <matt.lamari@gmail.com> wrote: