Signature: PureBasic 4.x -> Neil Hodgson

Posted: Wed Feb 17, 2016 9:03 am
by bbanelli
Greetings to all,

under all 32-bit Windows compilations (haven't tested with other OSes), there is a signature line "PureBasic 4.x -> Neil Hodgson". It does not appear in Windows 64-bit versions of compiled executables.

http://imgur.com/PlqCIc7

Can anyone explain the purpose of that line in general and why it has Scintilla's (?) creator and a very old PB version number in it?

With my best,

Bruno

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Wed Feb 17, 2016 1:09 pm
by Fred
What is this tool? There is no mention of Neil in the final PB exe, just checked with a hex viewer to be sure :)

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Wed Feb 17, 2016 1:36 pm
by Keya
Which program did you use? It seems like it's a PEiD signature; here's an example, and a malware one :(
Sample detection rate for the malicious executable: MD5: a684feff699bb7e3b8814c32c1da8277 – detected by 38 out of 44 antivirus scanners as Worm:Win32/Cridex.E.
PEiD Signature of the sample: PureBasic 4.x -> Neil Hodgson

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Wed Feb 17, 2016 2:00 pm
by nco2k
weird, mine shows it correctly: http://img4host.net/upload/1713591656c46ea46079c.png

c ya,
nco2k

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Wed Feb 17, 2016 2:26 pm
by Fred
:lol:

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Wed Feb 17, 2016 5:41 pm
by bbanelli
Oops, sorry, the program is pestudio.

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Wed Feb 17, 2016 5:43 pm
by Fred
Well, it's this program which falsely flags your exe as malware. You can send your exe to the author of this app so he can fix it.

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Wed Feb 17, 2016 5:57 pm
by bbanelli
Fred wrote: Well, it's this program which falsely flags your exe as malware. You can send your exe to the author of this app so he can fix it.
Oh, OK, I see, so that's the feature of the program, not something intrinsic to PB.

It obviously detects the executable is done via PB since it reports the same signature even if you compile it with only "End" in the code.

I'll report back if I get any feedback.

Bruno

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Wed Feb 17, 2016 6:10 pm
by Keya
They are open source PEiD signatures, that's why Google shows that some scanner websites also detect it, not just the program shown in the screenshot.

See here https://www.aldeid.com/wiki/PEiD#Signatures
A search for 'purebasic' shows just these three:

[PureBasic 4.x -> Neil Hodgson]
signature = 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3
ep_only = true

[PureBasic 4.x DLL -> Neil Hodgson]
signature = 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3
ep_only = true

[PureBasic DLL -> Neil Hodgson]
signature = 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8
ep_only = true
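An added example, not from the thread or from PEiD/pestudio, showing how entries like the ones quoted above are matched: `??` is a wildcard byte and `ep_only = true` means the pattern is tested only at the PE entry point, which is why a program containing nothing but `End` still matches the compiler's startup stub. The sample bytes, the 16-byte header padding and the filler value are constructed.

```python
import re
from typing import Optional

# Constructed sample input: two of the PEiD userdb entries quoted in the post above.
PEID_DB = """
[PureBasic 4.x -> Neil Hodgson]
signature = 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3
ep_only = true

[PureBasic DLL -> Neil Hodgson]
signature = 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8
ep_only = true
"""

Pattern = list[Optional[int]]  # None stands for a "??" wildcard byte

def parse_peid_db(text: str) -> list[tuple[str, Pattern, bool]]:
    """Parse PEiD userdb.txt entries into (name, pattern, ep_only) tuples."""
    entry_re = r"\[(.+?)\]\s*signature\s*=\s*([0-9A-Fa-f? ]+?)\s*ep_only\s*=\s*(\w+)"
    entries = []
    for name, sig, ep in re.findall(entry_re, text):
        pattern = [None if tok == "??" else int(tok, 16) for tok in sig.split()]
        entries.append((name, pattern, ep.lower() == "true"))
    return entries

def matches_at(data: bytes, pattern: Pattern, offset: int) -> bool:
    """True if pattern matches data at offset; wildcards accept any byte."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def identify(data: bytes, entry_point: int, db) -> list[str]:
    """Names of matching entries. ep_only entries are tried only at the entry
    point; others are scanned over the whole buffer (PEiD's deep scan)."""
    hits = []
    for name, pattern, ep_only in db:
        offsets = [entry_point] if ep_only else range(len(data) - len(pattern) + 1)
        if any(matches_at(data, pattern, off) for off in offsets):
            hits.append(name)
    return hits

def build_sample(pattern: Pattern, filler: int = 0x41) -> bytes:
    """Constructed stub: fill each wildcard slot so the bytes satisfy pattern."""
    return bytes(filler if p is None else p for p in pattern)

DB = parse_peid_db(PEID_DB)
# Constructed "file": 16 bytes of header padding, then an entry-point stub
# satisfying the 4.x pattern, then a RET.
SAMPLE_EXE = b"\x00" * 16 + build_sample(DB[0][1]) + b"\xC3"
```

Moving the declared entry point off the stub (e.g. `identify(SAMPLE_EXE, 0, DB)`) yields no hit, which is the whole point of `ep_only`: the match is about where the code starts, not about any byte being present somewhere in the file.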

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Thu Feb 18, 2016 3:01 am
by normeus
@nco2k

I choked on my Cheeto! I knew he was popular in Germany for a reason and now I know why.

I am using "pestudio 8.51" and depending on which gadgets I used in my programs, the signature changes.

( no Justin Bieber yet)

Norm.

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Thu Feb 18, 2016 3:52 am
by jack
I don't understand, why was some malware named after a sports celebrity?

Re: Signature: PureBasic 4.x -> Neil Hodgson

Posted: Thu Feb 18, 2016 5:30 am
by normeus
I just love these forums because of all the languages the users speak. I tried google translate in the german forum and spent most of the time trying to figure out what google was trying to tell me. My hat is off to all who use google translate in this forum.

@jack

There was no malware. ( unless you were kidding then just ignore the whole explanation )

"pestudio 8.51" comes from http://www.winitor.com.
It is used to analyze exe files for text, images, DLLs that are called from the program, etc.
It has a feature where it looks for a file signature, and what you see at the top, "Malware Initial Assessment", is just their fancy way of telling you if the program you are monitoring could be a virus.
If your program checks the registry or checks a website you might get a virus rating, etc.

@nco2k :lol: :lol:

Thank you.
Norm.