Yes, AV software, especially HitmanPro, is not gospel.

67 other AVs came out clean. But let’s say for the sake of argument that 
they’re all wrong.

“Trojan-Downloader” is a class of Trojan that downloads a payload, which means 
it needs to use a socket somehow.

$ sha256sum.exe ghc-8.2.2/lib/bin/touchy.exe

Is the binary I’m looking at; it matches the hash on the VirusTotal link and 

This is the source of touchy

The application does not import Winsock, so networking seems more unlikely, but 
it imports GetProcAddress, so let’s say for the sake of argument it’s 
dynamically binding to the socket library. This is the full string table, which 
contains no ASCII string starting with “WSA”. So unlikely, since you need to name 
the function you want to call, and you need to initialize the sockets, so WSA.

This is the full disassembly of touchy.exe

Below you’ll find an inline copy of main; it pretty much follows the source in 

I’m pretty confident that HitmanPro is just throwing a false positive; I won’t 
be going through the CRT startup code.

Here’s main:

00000000004015c0 <main>:
  4015c0:       41 57                   push   %r15
  4015c2:       41 56                   push   %r14
  4015c4:       41 55                   push   %r13
  4015c6:       41 54                   push   %r12
  4015c8:       55                      push   %rbp
  4015c9:       57                      push   %rdi
  4015ca:       56                      push   %rsi
  4015cb:       53                      push   %rbx
  4015cc:       48 83 ec 68             sub    $0x68,%rsp
  4015d0:       89 ce                   mov    %ecx,%esi
  4015d2:       48 89 d7                mov    %rdx,%rdi
  4015d5:       e8 e6 02 00 00          callq  4018c0 <__main>
  4015da:       83 fe 01                cmp    $0x1,%esi
  4015dd:       74 10                   je     4015ef <main+0x2f>
  4015df:       b8 00 00 00 00          mov    $0x0,%eax
  4015e4:       83 fe 01                cmp    $0x1,%esi
  4015e7:       0f 8e 4d 01 00 00       jle    40173a <main+0x17a>
  4015ed:       eb 26                   jmp    401615 <main+0x55>
  4015ef:       48 8b 1f                mov    (%rdi),%rbx
  4015f2:       ff 15 1c 6d 00 00       callq  *0x6d1c(%rip)        # 408314 
  4015f8:       48 8d 48 60             lea    0x60(%rax),%rcx
  4015fc:       49 89 d8                mov    %rbx,%r8
  4015ff:       48 8d 15 2a 2a 00 00    lea    0x2a2a(%rip),%rdx        # 404030 <.rdata>
  401606:       e8 65 17 00 00          callq  402d70 <fprintf>
  40160b:       b8 01 00 00 00          mov    $0x1,%eax
  401610:       e9 25 01 00 00          jmpq   40173a <main+0x17a>
  401615:       48 8d 5f 08             lea    0x8(%rdi),%rbx
  401619:       8d 46 fe                lea    -0x2(%rsi),%eax
  40161c:       4c 8d 7c c7 10          lea    0x10(%rdi,%rax,8),%r15
  401621:       4c 8b 2d ec 6b 00 00    mov    0x6bec(%rip),%r13        # 408214 <__imp_CreateFileA>
  401628:       48 8d 7c 24 50          lea    0x50(%rsp),%rdi
  40162d:       4c 8b 25 30 6c 00 00    mov    0x6c30(%rip),%r12        # 408264 <__imp_GetSystemTimeAsFileTime>
  401634:       48 8b 2d 71 6c 00 00    mov    0x6c71(%rip),%rbp        # 4082ac <__imp_SetFileTime>
  40163b:       4c 8b 35 ca 6b 00 00    mov    0x6bca(%rip),%r14        # 40820c <__IAT_start__>
  401642:       48 89 5c 24 48          mov    %rbx,0x48(%rsp)
  401647:       48 c7 44 24 30 00 00    movq   $0x0,0x30(%rsp)
  40164e:       00 00 
  401650:       c7 44 24 28 80 00 00    movl   $0x80,0x28(%rsp)
  401657:       00 
  401658:       c7 44 24 20 04 00 00    movl   $0x4,0x20(%rsp)
  40165f:       00 
  401660:       41 b9 00 00 00 00       mov    $0x0,%r9d
  401666:       41 b8 00 00 00 00       mov    $0x0,%r8d
  40166c:       ba 00 00 00 40          mov    $0x40000000,%edx
  401671:       48 8b 0b                mov    (%rbx),%rcx
  401674:       41 ff d5                callq  *%r13
  401677:       48 89 c6                mov    %rax,%rsi
  40167a:       48 83 f8 ff             cmp    $0xffffffffffffffff,%rax
  40167e:       75 2b                   jne    4016ab <main+0xeb>
  401680:       48 8b 44 24 48          mov    0x48(%rsp),%rax
  401685:       48 8b 18                mov    (%rax),%rbx
  401688:       ff 15 86 6c 00 00       callq  *0x6c86(%rip)        # 408314 
  40168e:       48 8d 48 60             lea    0x60(%rax),%rcx
  401692:       49 89 d8                mov    %rbx,%r8
  401695:       48 8d 15 a7 29 00 00    lea    0x29a7(%rip),%rdx        # 404043 <.rdata+0x13>
  40169c:       e8 cf 16 00 00          callq  402d70 <fprintf>
  4016a1:       b9 01 00 00 00          mov    $0x1,%ecx
  4016a6:       e8 cd 16 00 00          callq  402d78 <exit>
  4016ab:       48 89 f9                mov    %rdi,%rcx
  4016ae:       41 ff d4                callq  *%r12
  4016b1:       49 89 f9                mov    %rdi,%r9
  4016b4:       41 b8 00 00 00 00       mov    $0x0,%r8d
  4016ba:       ba 00 00 00 00          mov    $0x0,%edx
  4016bf:       48 89 f1                mov    %rsi,%rcx
  4016c2:       ff d5                   callq  *%rbp
  4016c4:       85 c0                   test   %eax,%eax
  4016c6:       75 2b                   jne    4016f3 <main+0x133>
  4016c8:       48 8b 44 24 48          mov    0x48(%rsp),%rax
  4016cd:       48 8b 18                mov    (%rax),%rbx
  4016d0:       ff 15 3e 6c 00 00       callq  *0x6c3e(%rip)        # 408314 
  4016d6:       48 8d 48 60             lea    0x60(%rax),%rcx
  4016da:       49 89 d8                mov    %rbx,%r8
  4016dd:       48 8d 15 74 29 00 00    lea    0x2974(%rip),%rdx        # 404058 <.rdata+0x28>
  4016e4:       e8 87 16 00 00          callq  402d70 <fprintf>
  4016e9:       b9 01 00 00 00          mov    $0x1,%ecx
  4016ee:       e8 85 16 00 00          callq  402d78 <exit>
  4016f3:       48 89 f1                mov    %rsi,%rcx
  4016f6:       41 ff d6                callq  *%r14
  4016f9:       85 c0                   test   %eax,%eax
  4016fb:       75 2b                   jne    401728 <main+0x168>
  4016fd:       48 8b 44 24 48          mov    0x48(%rsp),%rax
  401702:       48 8b 18                mov    (%rax),%rbx
  401705:       ff 15 09 6c 00 00       callq  *0x6c09(%rip)        # 408314 
  40170b:       48 8d 48 60             lea    0x60(%rax),%rcx
  40170f:       49 89 d8                mov    %rbx,%r8
  401712:       48 8d 15 62 29 00 00    lea    0x2962(%rip),%rdx        # 40407b <.rdata+0x4b>
  401719:       e8 52 16 00 00          callq  402d70 <fprintf>
  40171e:       b9 01 00 00 00          mov    $0x1,%ecx
  401723:       e8 50 16 00 00          callq  402d78 <exit>
  401728:       48 83 c3 08             add    $0x8,%rbx
  40172c:       4c 39 fb                cmp    %r15,%rbx
  40172f:       0f 85 0d ff ff ff       jne    401642 <main+0x82>
  401735:       b8 00 00 00 00          mov    $0x0,%eax
  40173a:       48 83 c4 68             add    $0x68,%rsp
  40173e:       5b                      pop    %rbx
  40173f:       5e                      pop    %rsi
  401740:       5f                      pop    %rdi
  401741:       5d                      pop    %rbp
  401742:       41 5c                   pop    %r12
  401744:       41 5d                   pop    %r13
  401746:       41 5e                   pop    %r14
  401748:       41 5f                   pop    %r15
  40174a:       c3                      retq   
  40174b:       90                      nop
  40174c:       90                      nop
  40174d:       90                      nop
  40174e:       90                      nop
  40174f:       90                      nop
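An added example, not code from the thread or from GHC, of the check the message above does by hand: pull the ASCII string table out of a binary and look for Winsock DLL names, WSA*-style entry points, and the GetProcAddress/LoadLibrary imports that would allow late binding. The two byte blobs are constructed stand-ins for an import name table, not bytes from touchy.exe.

```python
import re

# Constructed stand-ins for the ASCII-visible part of a PE import name table;
# not bytes from touchy.exe, just the two cases the thread argues about.
SAMPLE_TOUCHY_LIKE = (
    b"\x00" * 8 + b"KERNEL32.dll\x00CreateFileA\x00GetProcAddress\x00"
    b"GetSystemTimeAsFileTime\x00SetFileTime\x00CloseHandle\x00"
    b"msvcrt.dll\x00fprintf\x00exit\x00Usage: %s <files>\x00"
)
SAMPLE_DOWNLOADER_LIKE = (
    b"\x00" * 8 + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    b"ws2_32.dll\x00WSAStartup\x00socket\x00connect\x00recv\x00"
)

# A downloader needs Winsock; WSAStartup must run before any socket call, which
# is why the thread checks the string table for names starting with "WSA".
WINSOCK_DLLS = {b"ws2_32.dll", b"wsock32.dll", b"wininet.dll", b"winhttp.dll"}
WINSOCK_APIS = {b"WSAStartup", b"socket", b"connect", b"send", b"recv",
                b"gethostbyname", b"getaddrinfo"}
# Imports that let a binary resolve Winsock at run time instead of via the IAT.
DYNAMIC_BIND = {b"GetProcAddress", b"LoadLibraryA", b"LoadLibraryW"}

def ascii_strings(blob, min_len=4):
    """Mimic `strings`: runs of printable ASCII of at least min_len bytes."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def network_indicators(blob):
    """Winsock DLLs, Winsock/WSA* APIs and dynamic-binding imports visible as
    plain strings. Packed or string-encrypted binaries hide these, so an empty
    result is evidence, not proof."""
    strs = set(ascii_strings(blob))
    lowered = {s.lower() for s in strs}
    return {
        "winsock_dlls": sorted(d.decode() for d in WINSOCK_DLLS if d in lowered),
        "winsock_apis": sorted(s.decode() for s in strs
                               if s in WINSOCK_APIS or s.startswith(b"WSA")),
        "dynamic_bind": sorted(s.decode() for s in strs if s in DYNAMIC_BIND),
    }

def classify(blob):
    """Summarise the indicators the way the thread reasons about touchy.exe."""
    ind = network_indicators(blob)
    if ind["winsock_dlls"] or ind["winsock_apis"]:
        return "winsock names present"
    if ind["dynamic_bind"]:
        return "no winsock names; dynamic binding possible but nothing to resolve"
    return "no networking indicators"
```

Run it over a real file with `network_indicators(open(path, "rb").read())`; a clean result only rules out the plain-text case the thread relies on, not a packed or string-encrypted binary.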

From: Brandon Allbery
Sent: Thursday, December 28, 2017 21:29
To: Matthew Lamari
Subject: Re: Haskell Platform 8.2.2 - virus?

This wouldn't be the first time some program that uses heuristic execution 
patterns to detect malware decided it didn't like the STG.

On Thu, Dec 28, 2017 at 4:15 PM, Matthew Lamari <> wrote:

The site gave me the 5ffdaa sha256 you have below for touchy.exe.
That said, I still have the 2 builds yielding different results from Hitman Pro on 
the clean boxes. And Bitdefender, on my machine (albeit being obtuse), chucks a 
fit over it. It doesn't detect the EXE files, but detects secondary 
consequences of them running.

I really think something is afoot here.

On 12/28/2017 3:00 PM, wrote:

Upload one of the binaries it flagged to and send the link.
As far as I can tell, they’re all clean.

From: Matthew Lamari
Sent: Thursday, December 28, 2017 20:29
Subject: Haskell Platform 8.2.2 - virus?

New Haskell install was tripping my Bitdefender like crazy and in weird
ways - not new, as that's how Bitdefender rolls. However, I retested in a
clean test, with (free) Hitman Pro.
I started from a base case with 2 clean Windows 8 VMs.
New 8.2.2 install - has virus
Old 8.0.2 Jan 2017 - no virus
According to Hitman Pro, touchy.exe, haddock-8.2.2, ghc-8.2.2.exe, and
unlit.exe have some problem post-install. I went no further on the VMs.
"Detection Names
Kaspersky           Trojan-Downloader.Win32.Paph.fsv
Bitdefender didn't get it on install but would lock the whole thing down
on the first run of "Cabal".
