WIC Reset Program and Chipless Firmware
VA1DER

Virus detection in WICReset and License


Both the WICReset utility and the License program show up as having malware in them.  Also, the fact that License.zip is encrypted with the password just given unencrypted is a tactic used by a lot of people who distribute malware to prevent it from being detected by malware scanners, because the scanners can't see inside the encrypted file.

Can you explain why malware is being detected?  Can you also explain why the license.zip file is encrypted with the password given unencrypted, since this makes absolutely no sense.


Good day.

According to VirusTotal, both the WICReset installer and the executable file are clean:

http://www.2manuals.com/WIC/wicreset.exe

https://www.virustotal.com/gui/file/90d424c84ab21e57b4b9e0db7410948753e110d0019c7dace8a1d9b1810a5f21/detection

https://www.virustotal.com/gui/file/6186c1698dae223af9564e4ad78bfb5a116034674ef78a844afd8931768cdc6f/detection

You can download the files and check that the SHA-256 from the scan results matches the file hash, or just rescan them yourself.

If you get different results on your local PC, please try updating the antivirus databases first and check again. If this does not help, then report what type of antivirus you are using and what message exactly it shows.

As for license.exe, I scanned the extracted executable and got 2 out of 69 detections (SecureAge Apex and DrWeb):

http://chiplesssolutions.com/download/License.zip

https://www.virustotal.com/gui/file/b034aefcf2714786cdcc43a0ef2ac8b6502b9f584b20c064103be2e762466a7a/detection

In my experience Apex produces a lot of false results, especially if the application is not signed; in the current results it shows that the application is "malicious" without listing any specific threats. Actually it does this after every single update, and this is the main reason why the activator is encrypted.

Anyway, I will send false positive reports for license.exe to both of them and I hope it will be cleared soon.

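The check suggested above (compare the SHA-256 in the VirusTotal report with the hash of the file you actually downloaded) is easy to automate. The following is an added example, not code from the forum or from the WICReset project: the VirusTotal report URL carries the file's SHA-256 as its path component, so the expected value can be pulled straight from the link, and the local file is hashed in chunks. The function names and the constructed sample file are my own. A mismatch only tells you that your copy is not the file that was scanned (the thread notes the zipped installer and the direct download have different hashes); it does not by itself say either one is malicious, so the right response is to rescan the copy you have.

```python
import hashlib
import hmac
import os
import re
import tempfile

# A VirusTotal file report URL looks like .../gui/file/<64 hex chars>/detection;
# the 64 hex characters are the SHA-256 of the scanned file.
_SHA256_RE = re.compile(r"/file/([0-9a-fA-F]{64})(?:/|$)")


def hash_from_virustotal_url(url: str) -> str:
    """Return the SHA-256 embedded in a VirusTotal report URL, lower-cased."""
    m = _SHA256_RE.search(url)
    if not m:
        raise ValueError("no SHA-256 found in URL: %r" % url)
    return m.group(1).lower()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hashes_match(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive comparison (reports print hashes in either case)."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_download(path: str, report_url: str) -> bool:
    """True if the local file is byte-for-byte the file the VirusTotal report describes."""
    return hashes_match(sha256_file(path), hash_from_virustotal_url(report_url))


def demo() -> dict:
    """Constructed sample: hash a small temporary file and compare it with a known SHA-256."""
    expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # SHA-256("abc")
    fake_report = "https://www.virustotal.com/gui/file/%s/detection" % expected  # constructed URL
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        return {"computed": sha256_file(path), "matches": verify_download(path, fake_report)}


if __name__ == "__main__":
    print(demo())
```

Usage against a real download: `verify_download("wicreset.exe", "<the VirusTotal link from the post>")`. The hash in the link is the page's own value, so any typo in the link shows up as a ValueError rather than a silent pass.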

The WICReset installer gave two hits on VirusTotal before, and it still gives one now.  I don't know what installer you are linking the results to above.  I am using the installer that extracts from a zip file and is linked to right on the 2manuals.com home page.  I get different hashes for that extracted installer and the installer you linked to above.


I understand false positives, we all have run into that, but I don't understand why you encrypted license.exe within license.zip and stuck the password unencrypted in the outer zip file.  You understand, this is almost solely a tactic that malware distributors use to fox scanners.  Of course, no one who is distributing malware is going to say, yes, I am distributing malware.  All will say "oh it's a false positive".  So we as consumers base decisions on several factors.  The nature of the product, being a grey-market item, already increases the risk level.  Add in detections on VirusTotal and the fact you are using a malware distribution technique that defies an innocent explanation, and it makes things suspect at best.


What is license.exe actually doing?  Is it communicating with the printer?  From what I have read it is just generating a hash code that you enter into the printer's modified firmware.  If this latter is the case, then why can't you generate that hash code from your web site, or email it to the purchaser?


It seems that the archive from the link you provided contains an old version of the application (5.40). This link will be fixed; the correct version (5.59) is the one I provided above:

http://www.2manuals.com/WIC/wicreset.exe

The actual activation sequence is generated remotely; license.exe only exchanges data between the printer and the server. Even if that weren't the case, the activation data must be written to the printer somehow; it would be useless if we just sent it by email.


Thank you very much for clarifying which wicreset is the current one. Thank you also for explaining the activation sequence. I would still really like an explanation of why a malware distribution technique is being used to encrypt license.exe.

You might also consider one or more of the following suggestions:

  • Make license.exe as a 32-bit binary rather than 64-bit, so it could be run from ReactOS, which unfortunately is not remotely stable in 64-bit yet
  • Make license.exe as a Linux binary, so that it can be easily run from a live CD
  • Release the source code for license.exe - if the activation sequence is remotely generated, then there is little magic in license.exe that could be harmed by releasing the source

The first two above would make it easier to run from VirtualBox in a way that is safe for the user even if there is malware in it.  The last option above is just good practice for something like this.

That being said, can you still please explain why you are using zip encryption the way you are, because from an outside perspective it is shady. The only other people who do things this way are malware distributors who are trying to hide the payload from scanners.

Thank you.

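The pattern the original poster objects to in the first and last posts (an archive whose inner member is password-protected, with the password shipped as plain text beside it) is visible from the archive structure alone, without the password: the ZIP central directory stores each member's name and size in the clear and sets general-purpose flag bit 0 for encrypted members, so only the content is opaque to a scanner. The following is an added example, not code from the thread or from the WICReset or chiplesssolutions projects, of how a download-triage script would flag that layout. It builds a constructed outer.zip / License.zip / license.exe sample by hand (Python's zipfile writer cannot set the encryption flag) and then audits it; build_stored_zip, audit_archive and the sample names are my own, and the "encrypted" inner bytes are placeholders, not a real binary.

```python
import io
import struct
import zipfile
import zlib

FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: member is password-protected
MAX_NESTING = 3           # do not descend into archives-in-archives beyond this depth


def build_stored_zip(entries):
    """Build a minimal ZIP (all members 'stored', no compression) from (name, data, flags) tuples.
    Hand-written with struct so the encryption flag can be set for the constructed sample."""
    buf = io.BytesIO()
    central = []
    for name, data, flags in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = buf.tell()
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, namelen, extralen
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                              crc, len(data), len(data), len(name_b), 0))
        buf.write(name_b)
        buf.write(data)
        # central directory record for the same member, pointing back at its local header
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                                   crc, len(data), len(data), len(name_b), 0, 0, 0, 0, 0, offset)
                       + name_b)
    cd_start = buf.tell()
    for rec in central:
        buf.write(rec)
    cd_size = buf.tell() - cd_start
    # end of central directory: sig, disk, cd disk, entries here, entries total, cd size, cd offset, comment len
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central), len(central), cd_size, cd_start, 0))
    return buf.getvalue()


def audit_archive(data, label="archive", depth=0):
    """Return findings: encrypted members, nested archives, and plaintext members that mention a password."""
    if depth > MAX_NESTING:
        return [f"{label}: nested deeper than {MAX_NESTING} levels, not descending further"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{label}/{info.filename}"
            if info.flag_bits & FLAG_ENCRYPTED:
                # Name and size are readable from the directory; the content is not.
                findings.append(f"{path}: encrypted member, contents opaque to scanners")
                continue
            member = zf.read(info.filename)       # zipfile verifies the CRC on read
            if member.startswith(b"PK\x03\x04"):  # local-file-header signature: a nested ZIP
                findings.append(f"{path}: nested archive")
                findings.extend(audit_archive(member, path, depth + 1))
            elif b"password" in member.lower():
                findings.append(f"{path}: plaintext member mentions a password")
    return findings


def build_constructed_sample():
    """Constructed outer.zip: an inner License.zip with an encrypted license.exe plus a plaintext password note."""
    inner = build_stored_zip([("license.exe", b"\x00" * 32, FLAG_ENCRYPTED)])  # placeholder bytes
    return build_stored_zip([("License.zip", inner, 0),
                             ("password.txt", b"Password for License.zip: example-only", 0)])


if __name__ == "__main__":
    for line in audit_archive(build_constructed_sample(), "outer.zip"):
        print(line)
```

Run against a real download, `audit_archive(open("License.zip", "rb").read(), "License.zip")` lists every member a scanner cannot look inside; the nesting limit is there so a hostile archive-in-archive chain cannot make the audit itself recurse without bound.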
