Spyware, Viruses, & Security

General discussion

Unknown EXE

by GovernmentMan / September 22, 2007 6:50 PM PDT

Okay.

My mother, a novice computer user, downloaded and ran this executable from a site that is no longer in her History. (She is not aware of what "file types" are; I think that it was supposed to be an animated GIF?)

So, I'm a bit worried. I see nothing new in the Startup tab of msconfig, there's nothing new in Task Manager, nothing abnormal in her HijackThis log, and AVG is calm as can be.

So, what did this little ****** do?

Is there any way at all that I can see the effect that this file had on her system?

Thanks.

File:
http://derekdavidhoward.googlepages.com/ unknown.rar

Message was edited by: admin

It "seems" to be virus and spyware free.
by MarkFlax Forum moderator / September 22, 2007 7:21 PM PDT
In reply to: Unknown EXE

Although I can understand why you posted that link it could cause problems for others. Some people have their browsers set to Run downloads immediately rather than save to disk, and if this had been an executable, it would have run or installed without their knowledge.

As it is, being a .rar file, the Operating System would then have looked for WinRar or some other extracting software to open it, and that may have halted the process. Nevertheless, I will ask Admin to remove or edit the link, for safety reasons.

That said, I downloaded the unknown.rar file and virus and spyware checked it before extracting the unknown.exe file inside. The unknown.exe file was also virus and spyware free as far as I could tell, so it seems harmless. However, I didn't run the exe file, instead I deleted it straight away. So I don't know what it does.

There's nothing in your mother's computer's history because the page "does not exist yet". Trying http{space}://derekdavidhoward.com brings up that error message. Googling derekdavidhoward only lists 3 sites, two of which appear to be about music lyrics. I didn't try any.

I would think your mother's computer is safe, but keep an eye on it.

Could you set her browser to save downloads instead of running them? Tools > Options is normally the place, or Tools > Internet Options for IE. It won't affect normal web site downloads but may make her aware she has downloaded something like this again, then at least she has the opportunity to ask questions.

It's strange that she got this in the first place, seeing as that web site doesn't exist. But I think she will be ok. If you can search her drive for "unknown.exe", you could perhaps delete it if it is stored in a non-critical folder (e.g. somewhere other than Windows/System32).

Mark

That's my own website.
by GovernmentMan / September 23, 2007 6:36 AM PDT

DerekDavidHoward.GooglePages.com is my own website, I RAR'd and uploaded the EXE there so that I could have people examine it. Derek Howard is my own name.

I do not know where Mom got the file originally; her browser does not keep History across sessions.

Apparently, she saved the file from wherever, to her Desktop, and then ran it, thinking it was a video. Something to do with cats. I burned it to a CD, and deleted it off of her Desktop.

I then ran the EXE on a non-internet connected machine that I was already planning on formatting that night, to see what it would do. The EXE ran for about five seconds, during which the HDD activity light blinked rapidly. The process then quit. As far as I could tell, there were no changes to the system. But I'm pretty sure that something was written to the HDD. And I have no idea what.
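One way to answer the question of what the run wrote to disk, as an added example that is not from the thread: take a hash baseline of the sacrificial machine's file tree before running the file and compare it afterwards. The directory names and file contents below are constructed stand-ins; on a real machine you would point snapshot() at the drive root before and after the run.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (forward-slash relative path) to (size, sha256)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = (os.path.getsize(full), digest.hexdigest())
    return result


def diff_snapshots(before, after):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, modified


def demo():
    """Constructed sample: a throwaway tree standing in for the sacrificial
    machine's disk; the 'run' below simulates one dropped and one altered file."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = snapshot(root)           # baseline taken before running the EXE
        with open(os.path.join(sys32, "dropped.dat"), "wb") as f:
            f.write(b"\x00" * 16)         # stand-in for a file the EXE wrote
        with open(os.path.join(sys32, "hosts"), "a") as f:
            f.write("# altered\n")        # stand-in for a file the EXE changed
        after = snapshot(root)            # snapshot taken after the process quit
        return diff_snapshots(before, after)


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

The same comparison over the Startup folders, Run keys exported to a file, and the user's profile directory covers the places Mark and the OP already checked by hand, with the advantage that unchanged files drop out of the report.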

Should be ok
by MarkFlax Forum moderator / September 23, 2007 6:40 PM PDT
In reply to: That's my own website.

With Marianna's investigation I think the computer will be OK. Although Marianna's tests showed some suspicious results, these were not conclusive and the majority of the tests came up clean. That can happen with anti-malware scans where "false positives" appear.

Keep an eye on things over the next few days. If anything is going to happen it will most likely be sooner rather than later. But my feeling is your mother's computer is fine.

Mark

I uploaded the File unknown.rar
by Marianna Schmudlach / September 23, 2007 2:26 AM PDT
In reply to: Unknown EXE

to VirusTotal - result:

File unknown.rar received on 09.23.2007 18:15:26 (CET)

Result: 5/32 (15.63%)

Antivirus Version Last Update Result
AhnLab-V3 2007.9.22.0 2007.09.21 -
AntiVir 7.6.0.15 2007.09.21 -
Authentium 4.93.8 2007.09.23 -
Avast 4.7.1043.0 2007.09.22 -
AVG 7.5.0.485 2007.09.23 -
BitDefender 7.2 2007.09.23 BehavesLike:Win32.ProcessHijack
CAT-QuickHeal 9.00 2007.09.21 -
ClamAV 0.91.2 2007.09.23 -
DrWeb 4.33 2007.09.23 -
eSafe 7.0.15.0 2007.09.23 -
eTrust-Vet 31.2.5154 2007.09.21 -
Ewido 4.0 2007.09.20 -
FileAdvisor 1 2007.09.23 -
Fortinet 3.11.0.0 2007.09.23 -
F-Prot 4.3.2.48 2007.09.23 -
F-Secure 6.70.13030.0 2007.09.21 -
Ikarus T3.1.1.12 2007.09.23 MemScanBackdoor.VB.EV
Kaspersky 4.0.2.24 2007.09.23 -
McAfee 5125 2007.09.21 -
Microsoft 1.2803 2007.09.23 -
NOD32v2 2545 2007.09.23 -
Norman 5.80.02 2007.09.21 -
Panda 9.0.0.4 2007.09.23 -
Prevx1 V2 2007.09.23 -
Rising 19.41.62.00 2007.09.23 -
Sophos 4.21.0 2007.09.23 -
Sunbelt 2.2.907.0 2007.09.22 VIPRE.Suspicious
Symantec 10 2007.09.23 -
TheHacker 6.2.5.066 2007.09.22 W32/Behav-Heuristic-064
VBA32 3.12.2.4 2007.09.23 -
VirusBuster 4.3.26:9 2007.09.23 -
Webwasher-Gateway 6.0.1 2007.09.21 Win32.EPO.gen (suspicious)
Additional information
File size: 1297615 bytes
MD5: e7620aafa189b7f41041574023eee392
SHA1: 10373926b039edcc26b6b25a301eac012ee9e6eb
packers: Themida

I then uploaded the same file to:

http://scanner.virus.org/

Results from the virus scan of uploaded sample

The following represents the test results from the virus scanners used by the Virus.Org scanning service when it performed the scan on the file 'unknown.rar'.

File: unknown.rar
SHA-1 Digest: 10373926b039edcc26b6b25a301eac012ee9e6eb
Packers: Unknown
Status: Potentially Clean

Scanner Scanner Version Result Scan Time
ArcaVir 1.0.4 Clean 8.69055 secs
ClamAV 0.90/4316 Clean 2.70995 secs
F-PROT 4.6.7 Clean 6.05679 secs
Sophos Sweep 4.21.0 Clean 14.0192 secs
