DarkWave DL reports malware

captainfepa

Tom's download of Experimental Scene's DARK WAVE STUDIO (5.7.3) sounds interesting, but VirusTotal indicates 17 detections of malware (mostly related to InstallCore). That is true whether sourced from Tom's, the ES site directly, or others. In fact, all ES software listed on their site reports as covered with malware. This is a particular issue since Mozilla reports that their website is not properly configured. Advice in this forum is to 'be careful not to accept installation of bundled extras'; that is reasonable, but insufficient assurance that omitting bundled programs will yield clean software. Does anyone have substantial knowledge of this product?
 

gardenman

Hi, VirusTotal tells me it's clean: https://www.virustotal.com/#/url/c13289c0403942af627519d1bd5d0ac4e7284089177aebf75bc97c27df0ccdb7/detection
Note the address at the top to the download file.

The download page: https://downloads.tomsguide.com/DarkWave-Studio,0301-31012.html

I see no Firefox warnings on their website and can go there and download it without a warning. http://www.experimentalscene.com/software/ I downloaded the setup (with Firefox) and scanned it with Malwarebytes and found no infection. I did not install it; I use an older version of "Reaper" to create music.

Maybe you are infected or have InstallCore installed on your browser? Download the free version of Malwarebytes and do a scan. More info from Malwarebytes about InstallCore: https://blog.malwarebytes.com/detections/pup-optional-installcore/
 

captainfepa

Thank you for your information, Gardenman. You referred to a VT scan of the ExperimentalScene download URL, which does, in fact, elicit no reported error. The DL file itself, however, shows 17 VT reports of error. This is not due to local malware infection, as the same results are obtained on two machines here at home (of different O/S: one is a Chromebook(!) and the other, Windows 10, I scan nightly on schedule with one or two of six AV engines) - plus on one highly protected PC at work - and, in fact, even using the hash on the VT report to which you referred me, rather than the URL. (I have not installed the SW, only downloaded it.) I suppose there is a possibility of a collision in the SHA-256 hash... or? As you point out through the Malwarebytes link, InstallCore is a PUP and perhaps not as great a hazard as some malware - that is, perhaps simply watching for options to install any 'free extra' software will prevent problems, but I do not need the SW badly enough to take the chance.
 

gardenman

I downloaded the file, then re-scanned with VT and it did indeed [show 17 reports] as you stated. I didn't expect that, as I thought VT would scan the actual file that you download when you give VT a URL, but apparently it doesn't. Either that, or something is going on with the server (maybe it serves up a different file for VT than the one you download).

I have a test system set up (a virtual machine) and I downloaded it again and installed it. It seemed to be OK. The setup did have an option to install a Yahoo! powered version of Chrome and change your search settings to Yahoo!.

[image]
I scanned the program folder (only) with Windows Defender and it [found nothing].

The 17 results could be false positives, but I'm not going to say that for a fact because I just don't know. The program appeared to be safe, but I can't guarantee it.

[image]
Would I install it on my real system? No. It could be false positives, but why risk it? Consider alerting the author and allow them to get those problems worked out first.

Edit: After thinking it over, I think the optional install of the Yahoo! branded Chrome (pictured above) is probably the very reason it's being flagged. I probably still wouldn't install it, just because it is being flagged.
 

captainfepa

Thanks again for your attention to this issue. I suspect that the cause is, as you suggest, with the bundled additions rather than the primary SW itself, but without absolute assurance that this is so I would not touch their product. Reporting 17 false positives is unlikely, though I will consider that more likely for the vendor's other products which do report on 1 or 2 engines (as I do for most VT reports of 'WisdomEyes'). I believe that the best course is to move on, not to install it on any 'real' system. All sources I find for this offering share the apparent malware, the product is quite old I believe, and I have no confidence in ExperimentalScene's products at this time. Besides, the program was only a curiosity, not at all a need. Anyway, glad to point this out to Tom's. Thanks...
 

gardenman

I was confused as to why the two scans (URL vs EXE) would give different results considering the files had the SAME hash. I wrote VT (and gave them a link to here) and asked them and they said the scan for a URL and the scan for a FILE are different (and use different engines). He also said a URL scanner sometimes cannot download the file.

This now makes me question the results of VT. I mean it shows the hash as being the same on BOTH files; one scan shows it as infected, the other one does not. I understand they may use different engines, but still, am I supposed to keep up with which engine scans what? In my opinion, if the HASH is the same on both, then it should be detected whether it's from a URL or a FILE. I think I won't be putting much trust in VT any longer.
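The practical lesson of the exchange above is to hash the bytes you actually downloaded and look up the file report for that hash, rather than relying on a URL scan, and then to read which engines flagged it and what they called it (a PUP/bundler verdict versus a trojan verdict). The script below is an added example written for this thread, not VirusTotal's or the vendor's code; it uses VirusTotal's v3 file-report endpoint with an API key the reader supplies, and the embedded report is a constructed sample in that shape, not a real scan result.

```python
import hashlib
import json
import urllib.request

VT_FILES = "https://www.virustotal.com/api/v3/files/"  # v3 file-report endpoint, keyed by hash

# Verdict fragments that usually indicate bundleware/PUP rather than a real trojan (heuristic).
PUP_MARKERS = ("installcore", "pup", "bundl", "adware", "unwanted")


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    # Hash the file you received; this is the id VT uses for FILE reports.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_file_report(sha256, api_key):
    # Ask for the file report by hash, not the URL report (different scanners, as VT told the poster).
    req = urllib.request.Request(VT_FILES + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(report):
    # Reduce a v3 file report to: how many engines flagged it, which, and whether it looks PUP-only.
    attrs = report["data"]["attributes"]
    flagged = sorted(
        (engine, r.get("result") or "")
        for engine, r in attrs.get("last_analysis_results", {}).items()
        if r.get("category") in ("malicious", "suspicious")
    )
    pup_only = bool(flagged) and all(
        any(m in verdict.lower() for m in PUP_MARKERS) for _, verdict in flagged
    )
    return {"detections": len(flagged), "flagged": flagged, "pup_only": pup_only}


# Constructed sample in the v3 report shape (not a real VT result for any file).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 1, "undetected": 60, "harmless": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "PUP.Optional.InstallCore"},
        "EngineB": {"category": "malicious", "result": "Adware.InstallCore"},
        "EngineC": {"category": "suspicious", "result": "Suspicious.Bundler"},
        "EngineD": {"category": "undetected", "result": None},
    }}}}
```

Run `summarize(fetch_file_report(sha256_of_file("setup.exe"), api_key))` against a real download to get the same summary for that file; a `pup_only` result of True matches the thread's guess that the bundled offer, not the main program, is what trips the engines.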
 

captainfepa

I do not know enough about the workings of VT, as I almost always scan individual files and very simply. However, on the VT 'scan' of the URL (to which you originally referred me), the summary showed the URL and a hash value. However, the hash was followed by a symbol which appeared as a square with a line or arrow from it - as though indicating 'click here to send me to be evaluated.' Clicking on that small box did accurately report it as with 17 viruses. I have no idea what the URL scanner actually does (if very much).