Jump to content

Recommended Posts

Hi guys,

Today upon rebooting my pc, I got a message from MBAM that it blocked a malicious process. Looking at the log file, I found the following:

DETECTION C:\Users\downloads\portable_mathxpert_calculus_assistant_3.02\mathxpert_by_pp\Virtual\STUBEXE\@programfiles@\helpwithmath\mathxpert\mathpert.exe Backdoor.Agent

This is a portable version of Mathxpert Calculus Assistant 3.02, which was made using Xenocode. I have been running it for quite some time now. I believe that MBAM doesn't like the Xenocode.

In the developer mode MBAM (Quick Scan), doesn't pick anything up.

Please, I would appreciate your help in determining whether this is a false positive.

Thank you in advance.

TrDo.

mathpert.rar

Link to post
Share on other sites

Hi Mieke,

Thank you very much for quick response. I know that other scanners do not like it either. Kaspersky don't like it either.

But, it would be nice to see, whether it is malicious in reality, or is just because it's something new and the scanners just react to it.

Thank you Mieke. :)

Link to post
Share on other sites

  • Staff

After comparing with the original software and your version, detection won't be removed. The file you have attached is a component used in many backdoors (for example Bifrose/PoisonIvy)

http://www.HelpWithMath.com is where you can download the original one it and it doesn't even create a mathpert.exe file. Instead it's a mathxpert.exe file which has proper version info and is signed.

I believe you are using a cracked/hacked version here.

Link to post
Share on other sites

Just a moment Mieke. The question here is whether the code is malicious or not. This is a portable version made using Xenocode.

I said that from the beginning.

If you allow me to say that, comparing it with the original (not portable) is one approach. Another would be to see whether it actually acts as aBackdoor, and eradicates or creates malicious processes.

I believe its a false positive. It's the Xenocode that you pick up.

Please have a closer look. Please.

Thank you.

Link to post
Share on other sites

  • Staff

Hi,

http://www.mathxpert.com/download.php gives the same as my other link. The files are totally different with your version. I cannot find a portable version there and your portable version looks like a modified hacked/cracked version and not the original one, because that one would be signed and have version info as well and would actually launch the program. This one doesn't.

Did you purchase this?

The file you attached is a component used in many backdoors and not the actual mathxpert file, that's why we won't remove detection as this is no false positive and we detect it correctly as "backdoor.agent'

Also, I don't think other scanners will remove this detection either. :)

Edit, I have re-uploaded the file at virustotal as above report was from the hash already present there. More scanners are detecting it in a meanwhile as well:

http://www.virustotal.com/analisis/7b4a6a9...d4ef-1273230589

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.