beck
Premium,MVM
join:2002-01-29
On The Road
kudos:1

[Trojan] Armadillo?

I have great confusion and I'm saying many bad words.

I have a file that I submitted to VirusTotal, using the link in the FAQ. So far it's 50/50 on the reports from the virus vendors. The 5 positives are claiming a trojan and giving it names such as armadillo or downloader type, and I don't know what armadillo is.

I've had the file since the beginning of June. I was only alerted once I installed BOClean, which didn't know what trojan it was but was convinced it was one.

So, what is an armadillo trojan? I can't find information on it. Or can someone point me to info on it?
--
Some days it seems like ALL my brain cells have died.


La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3


Armadillo isn't a trojan in and of itself; it's a compression utility that is often used to compress/hide malicious code in .exes. That's probably why the scans are hitting on the file as suspicious.

If the .exe hasn't executed, whatever trojan it might be, you are most likely ok. Are you experiencing any symptoms of infection on your machine?

Did you follow the steps here, just to double check?

»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
--
~~"As long as America is an infidel enemy, terrorizing it is a duty." Sayed Imam Abdul-Aziz el-Sheriff~~



beck
Premium,MVM
join:2002-01-29
On The Road
kudos:1

reply to beck
I did the online virus scans and used Ad-aware and AVG/Ewido. Nothing with them. I looked at my HijackThis log and there isn't anything in there that shouldn't be. I keep the system pretty clean, so it's only like 60 lines.

I have Avast, BOClean, Ad-Aware Plus, and Spybot. Uninstalled AVG/Ewido after the scan since I don't like it too much.

Nothing seems to be weird on the system and the firewall doesn't show any connections it shouldn't.

Yes, I use the program a lot. It's a game. I wrote the vendor and asked them to clarify for me. Until then, I won't run it.

I wish everyone would agree on whether it was a nasty or not.

Thank you for the info on armadillo.
--
Some days it seems like ALL my brain cells have died.



NanDog
The Pup Was Female, I'M Not
Premium
join:2003-12-28

reply to beck
I found a two-year-old thread over at Wilders dealing with Armadillo-packed trojans and the possibility of FPs even with legit files.

I know it's old news but perhaps this will help you a bit:
»www.wilderssecurity.com/showthre···?t=92661
--
See ya across the Rainbow Bridge, my good and faithful friend!



beck
Premium,MVM
join:2002-01-29
On The Road
kudos:1

reply to beck
Thank you. A good read. I'm still hoping that it will be resolved and just a false positive.
--
Some days it seems like ALL my brain cells have died.


Jrb2
Premium
join:2001-08-31
kudos:3

reply to beck
Hi Audrey,

Which version of BOClean are you using?

Have you set up BOClean to create a report?

Have you submitted the file and the report to Comodo-BOClean?
malwaresubmit [ at ] avlab.comodo.com

Cheers, Jan



beck
Premium,MVM
join:2002-01-29
On The Road
kudos:1

reply to beck
Hi Jan,

BOClean is the 4.24 version from Comodo. I just downloaded it last week. I submitted it to the address you specified. Haven't gotten a response back from them yet.

It's set up to create a report, but the report is always empty and zero bytes. So, I don't get one.

But I just downloaded the 7/13 update and it doesn't detect the file as a trojan anymore. So, must be a false positive from them and they fixed it.

Audrey
--
Some days it seems like ALL my brain cells have died.



Sindows 7

join:2006-09-13
Hope, BC

reply to beck
Is this something in your registry?

»forum.siliconrealms.com/index.php?act=idx

The Silicon Realms Toolworks is happy to announce that Armadillo 4.01 is now available for beta-testing! The direct download link can be found here.

This version's changes are primarily internal. We've spent the last several weeks refactoring and restructuring the source code. If we've done it right, you won't see any detrimental effects, but several small bugs and annoyances should vanish, and future changes should be far more stable.

In addition to that, there are two new features:
"Registry macros," which allow you to use a REG_SZ entry from the registry in your Armadillo-provided messages, or as part of your website/buynow URL, making several affiliate systems much easier to use (among other things).
Portable Keys, for use when you want to allow your customers to use a program on multiple systems, but you don't want to write the key to those systems.
There are also three minor bug-fixes, and a host of other minor changes.

If there are no major problems discovered, the final 4.01 version is scheduled for release on or about Monday, January tenth.



Sindows 7

join:2006-09-13
Hope, BC

reply to beck

quote:
The changes between version 4.62 and 4.64 Beta 1 consist of the following:

New features:
Enhanced the ability to maintain the expire by minutes count when the protected application kills or suspends the monitoring thread.
Added code to enable Armadillo to redirect the INI file to locations other than the executable's directory which is normally under the Program Files. This resolves the write-permission issue for the Program Files folder with non-admin users. The INI file now has a new setting "Redirect".
Added a new set of lock/unlock calls to the environment variable class, so that one UpdateEnvironment call will completely finish before another one can start.
Bugs fixed:
Tracked down a problem with custom hardware fingerprints on systems that don't have a valid MAC address.
Ignore any MAC addresses that are Windows Vista IPv6-to-IPv4 tunneling adapters.
Made a fix for the "requiring admin access" on the first run of the protected application.
Corrected an issue where an injected DLL was causing an incorrect LP5 error on Vista. This was caused by vfcompat.dll.
Fixed an issue (introduced in v4.44) where an environment variable may get set to an empty string when used in a website URL, for example.
In ArmAccess.DLL, the external ShowReminderMessage functions were not returning "void" as was stated in the help file and like the virtual DLL functions did. This was corrected and the new file version of ArmAccess.DLL is 4.20
I think this is an encrypted program that is written into programs to protect from tampering/pirating.
Rootkit?


Sindows 7

join:2006-09-13
Hope, BC

reply to beck
Is that what you're dealing with, above?



beck
Premium,MVM
join:2002-01-29
On The Road
kudos:1

reply to beck
I can't answer that because I have no idea what to search for in the registry.
--
Some days it seems like ALL my brain cells have died.


nightfishing

join:2002-06-20

reply to beck
The Armadillo key will show up as a FP in many scanners.

There are legit shareware programs that use the Armadillo software to register the programs.

If you look in the registry it should be a key with an encrypted reg code.

In my experiences you can just delete the reg entries, but they come back once you run the shareware program again.

I am not a big "fan" of this sort of thing, but it is harmless.



microserf

@cgocable.net

reply to beck
An "Armadillo trojan" is a trojan encrypted, compressed, and protected by a software product from Silicon Realms. "Cracked" copies of public builds are available and these compromised trial products are used to wrap a nasty for obfuscation and protection of the malware.

An "Armadillo protected program" is usually a shareware or custom product from an individual or smaller development house. The protection product was purchased by Digital River a while back and is now used for product fulfillment "activation" services in addition to its more traditional, stand-alone DRM features.

Many anti-virus companies have difficulty telling the different uses apart and some don't bother. The anti-virus companies reporting this FP are incompetent and usually prove it on a monthly basis. As you might surmise, I avoid them when possible.

(Before someone asks, no, I don't own a copy of Armadillo or have anything to do with it. I do have to deal with FPs and the panic they create on a fairly regular basis, though.)
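La Luna's and microserf's posts above make the same point: Armadillo is a packer/protector, and a scanner that flags it is reacting to the wrapping, not to anything the wrapped program does. The script below is an added example for this thread, not code from the original posts, from Silicon Realms, or from any scanner vendor. It uses only the Python standard library to parse a PE file's section table and report the generic signs of a packed executable (a high-entropy section, a section that is both writable and executable, and a virtual size far larger than the on-disk size). The entropy threshold, the section names and the two sample images it builds are constructed for the demo and are not Armadillo's real signatures; a hit means "packed", which, as the thread says, is exactly what a legitimately protected shareware program also looks like, so it is a reason to ask the vendor and submit the file, not proof of a trojan.

```python
import hashlib
import math
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for
    compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Decode the PE section table from a raw image; returns only the
    fields needed for packer triage."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, _va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
            "executable": bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def packer_indicators(sections: list, entropy_threshold: float = 7.0) -> list:
    """Generic signs that a packer/protector wrapped the original code.
    The 7.0 threshold and 4x size ratio are assumptions for this demo."""
    hits = []
    for s in sections:
        if s["raw_size"] and s["entropy"] >= entropy_threshold:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed/encrypted payload?)")
        if s["executable"] and s["writable"]:
            hits.append(f"{s['name']}: writable+executable (in-place unpacking stub?)")
        if s["raw_size"] and s["virtual_size"] > 4 * s["raw_size"]:
            hits.append(f"{s['name']}: virtual size {s['virtual_size']:#x} far above raw size {s['raw_size']:#x}")
    return hits


def triage_file(path: str) -> list:
    """Run the heuristics over a real file on disk."""
    with open(path, "rb") as f:
        return packer_indicators(parse_sections(f.read()))


def build_demo_pe(packed: bool) -> bytes:
    """Constructed sample input: a minimal PE image that is not loadable
    (most header fields are zero) but whose section table is laid out the
    way a compiler or a packer would write it."""
    if packed:
        # Simulated compressed payload: a deterministic SHA-256 chain, RWX, with
        # a virtual size reserving room for the unpacked image.
        blob, seed = b"", b"constructed-demo-seed"
        while len(blob) < 4096:
            seed = hashlib.sha256(seed).digest()
            blob += seed
        code, text_chars, text_vsize = blob[:4096], 0xE0000020, 0x10000
    else:
        # Plain code: repeated x86 prologue/ret bytes, low entropy, read+execute only.
        code = (b"\x55\x8b\xec\x90\x90\xc3" * 700)[:4096]
        text_chars, text_vsize = 0x60000020, 4096
    sections = [
        (b".text", text_vsize, 0x1000, code, text_chars),
        (b".data", 4096, 0x2000, bytes(4096), 0xC0000040),  # initialized data, RW
    ]
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(222)                         # PE32 magic, rest zero
    table, blobs, rawptr = b"", b"", 0x200
    for name, vsize, va, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), rawptr, 0, 0, 0, 0, chars)
        blobs += data
        rawptr += len(data)
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    return headers + blobs


if __name__ == "__main__":
    for label, packed in (("plain", False), ("packed", True)):
        hits = packer_indicators(parse_sections(build_demo_pe(packed)))
        print(f"{label}: {hits or ['no packer indicators']}")
```

Run it as-is to see the two constructed images side by side, or call `triage_file("game.exe")` on the file in question. Entropy alone is not decisive (a legitimately compressed resource section also scores high), which is why the script reports each indicator separately rather than a single verdict.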


© 1999-2012 dslreports.com.