Signature: PureBasic 4.x -> Neil Hodgson
Greetings to all,
under all 32 bit Windows compilations (haven't tested with other OSes), there is a signature line "PureBasic 4.x -> Neil Hodgson". It does not appear in the Windows 64 bit version of compiled executables.
http://imgur.com/PlqCIc7
Can anyone explain the purpose of that line in general and why it has Scintilla's (?) creator and very old PB numeration in it?
With my best,
Bruno
Re: Signature: PureBasic 4.x -> Neil Hodgson
What is this tool? There is no mention of Neil in the final PB exe, just checked with a hex viewer to be sure

Re: Signature: PureBasic 4.x -> Neil Hodgson
which program did you use? it seems like it's a PEiD signature, example, and a malware one

Sample detection rate for the malicious executable: MD5: a684feff699bb7e3b8814c32c1da8277 – detected by 38 out of 44 antivirus scanners as Worm:Win32/Cridex.E.
PEiD Signature of the sample: PureBasic 4.x -> Neil Hodgson
Re: Signature: PureBasic 4.x -> Neil Hodgson
If OSVersion() = #PB_OS_Windows_ME : End : EndIf
Re: Signature: PureBasic 4.x -> Neil Hodgson
Well, it's this program which falsely flags your exe as malware. You can send your exe to the author of this app so he can fix it.
Re: Signature: PureBasic 4.x -> Neil Hodgson
Oh, OK, I see, so that's the feature of the program, not something intrinsic to PB.
Fred wrote: Well, it's this program which falsely flags your exe as malware. You can send your exe to the author of this app so he can fix it.
It obviously detects the executable is done via PB since it reports the same signature even if you compile it with only "End" in the code.
I'll report back if I get any feedback.
Bruno
Re: Signature: PureBasic 4.x -> Neil Hodgson
They are open source PEiD signatures, that's why Google shows that some scanner websites also detect it, not just the program shown in the screenshot.
See here https://www.aldeid.com/wiki/PEiD#Signatures
a search for 'purebasic' shows just these three:
[PureBasic 4.x -> Neil Hodgson]
signature = 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3
ep_only = true
[PureBasic 4.x DLL -> Neil Hodgson]
signature = 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3
ep_only = true
[PureBasic DLL -> Neil Hodgson]
signature = 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8
ep_only = true
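How entries in this format are evaluated, as an added example that is not part of any post in the thread: a small parser and matcher for two of the entries quoted above, showing that the match depends only on the fixed opcode bytes at the entry point, which is why any executable produced by the compiler gets the same label. The function names and the `fake_startup` test buffer are hypothetical; the buffer is constructed from the signature itself, not taken from a real PureBasic executable.

```python
import re

# Two of the entries quoted in the post above (PEiD userdb.txt format).
USERDB = """\
[PureBasic 4.x -> Neil Hodgson]
signature = 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3
ep_only = true
[PureBasic DLL -> Neil Hodgson]
signature = 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8
ep_only = true
"""

def parse_userdb(text):
    """Return (name, pattern, ep_only) tuples; pattern holds ints, None = wildcard."""
    entries, name, pattern = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            name, pattern = line[1:-1], None
        elif line.lower().startswith("signature"):
            tokens = line.split("=", 1)[1].split()
            pattern = [None if t == "??" else int(t, 16) for t in tokens]
        elif line.lower().startswith("ep_only") and name and pattern:
            ep_only = line.split("=", 1)[1].strip().lower() == "true"
            entries.append((name, pattern, ep_only))
    return entries

def matches_at(data, offset, pattern):
    """True if pattern matches data at offset; wildcard positions accept any byte."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def identify(ep_bytes, entries):
    """Names of entries matching a buffer that starts at the PE entry point."""
    hits = []
    for name, pattern, ep_only in entries:
        # ep_only = true: test offset 0 only; otherwise scan every offset.
        offsets = [0] if ep_only else range(len(ep_bytes))
        if any(matches_at(ep_bytes, o, pattern) for o in offsets):
            hits.append(name)
    return hits

def fake_startup(fill):
    """Constructed entry-point bytes: fixed opcodes kept, wildcards set to `fill`."""
    pattern = parse_userdb(USERDB)[0][1]
    return bytes(fill if p is None else p for p in pattern) + b"\x90" * 8
```

Two buffers that differ in every wildcard position (the addresses and call targets) get the same label, and a buffer shifted by one byte gets none, because `ep_only = true` pins the comparison to the entry point.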
Re: Signature: PureBasic 4.x -> Neil Hodgson
@nco2k
I choked on my cheeto! I knew he was popular in Germany for a reason and I now know why.
I am using "pestudio 8.51" and depending which gadgets I used on my programs the signature changes.
( no Justin Bieber yet)
Norm.
google Translate;Makes my jokes fall flat- Fait mes blagues tombent à plat- Machte meine Witze verpuffen- Eh cumpari ci vo sunari
Re: Signature: PureBasic 4.x -> Neil Hodgson
I don't understand, why was some malware named after a sports celebrity?
Re: Signature: PureBasic 4.x -> Neil Hodgson
I just love these forums because of all the languages the users speak. I tried Google Translate in the German forum and spent most of the time trying to figure out what Google was trying to tell me. My hat is off to all who use Google Translate in this forum.
@jack
There was no malware. ( unless you were kidding then just ignore the whole explanation )
"pestudio 8.51" comes from http://www.winitor.com.
It is used to analyze exe files for text, images, dlls that are called from program, etc...
It has a feature where it looks for a file signature and what you see at the top "Malware Initial Assesment" is just their fancy way of telling you if the program you are monitoring could be a virus.
If your program checks the registry or checks a website you might get a virus rating, etc...
@nco2k
Thank you.
Norm.