Monday, March 15, 2010

Possible Issue With EasyPal

Some people might have noticed that the glowing review of the EasyPal software has been deleted from this blog. This is because of various strange virus detection issues that many users, myself included, have gotten since the start of 2010 while using this program.

A rather spirited discussion of this subject is on QRZ. There's another on the DigiSSTV Yahoo! group.

The areas of agreement are as follows:

1. EasyPal detects as clear of malware on all checkers when its files are scanned on first installation.

2. At some point after the first picture is viewed, various different virus checkers start to show various different Trojan loaders in EasyPal's directories. MalwareBytes seems to do this the most often. (There is no agreement on whether or not these are false positives.)

3. After this detection, EasyPal still shows as clear. The alleged virus is in a more recently created file that was not distributed with the original package.

Such a behavior is common to some types of dropper programs, which will download the malware later while not making code changes that will be detected. Sometimes anti-virus programs find the new bad stuff before it runs, and sometimes they don't.

Unfortunately, it is also typical of false positives, given the huge complexity of virus detection lists.

In my own case, running EasyPal would create a zip file named, which Norton would "quarantine" as containing a rare Trojan which logs keystrokes and steals all your passwords. I would delete the zip archive, but it would reappear on every subsequent running of EasyPal.

The suspect file inside is called loop.dll. Searches show one old (~2008) reference to a QRZ forum thread mentioning a file with this name associated with ham radio software. Perhaps it creates a local loopback so a simplex sound card can feed multiple programs.

There is no other mention of this file anywhere detectable on Google, and a full disk search of my computer (which has at least 30 ham radio programs), finds nothing.

Therefore, there are two main possibilities:

1. Norton is confusing loop.dll with loop.exe, a program dropped by many Trojan loaders to capture keystrokes.

2. Norton is finding malicious code that somehow gets into the EasyPal directory hierarchy via file transfers on the air, or an infected utility which is called on the fly when pictures are viewed. (If so, this is a good reason to transfer them to Irfan View, the way DIGTRX does.)

Everyone will have to draw their own conclusion. In my own case, I am far, far from certain that there is any problem with EasyPal. I still really like it a lot. However, I won't put any version of it back on any of my computers until the issue is resolved one way or the other.

Perhaps I'm erring on the safe side, but that's what I do.