A Windows XP help forum. PCbanter

Why would malware install a copy of Windows.exe?



 
 
  #1  
Old July 27th 15, 04:29 PM posted to alt.windows7.general
Yousuf Khan[_2_]

Okay, so yesterday, I was called over to a friend's house to fix up his
computer which he got infected with malware that he downloaded without
thinking (browser hijackers, PUP's, etc., a whole suite of various
malware in one package). It was a bad infection, but I finally got it
all out.

So I ran a scan on the malware package installer with his default virus
scanner, and it didn't even recognize it as a malware. He was running
Microsoft Security Essentials (which I had installed for him
originally). I knew it had to be malware so I uploaded it to the online
Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about
40% of the scanners found it to be malware, so Microsoft wasn't alone in
being braindead about it. One of the scanners that did recognize it was
Avira, so I've switched him over to Avira now.

Anyway, one puzzling aspect of this infection was that the malware had
installed a copy of Windows.exe into the Public Documents folder. I also
had it scanned by Jotti, and absolutely 100% of the scanners listed it
as legit. I looked at its properties, and it was listed as a 32-bit
Windows PE executable. What would be the purpose of installing Windows
PE on an existing Windows system? Is it to run some sort of root kits or
something?

Yousuf Khan
  #2  
Old July 27th 15, 06:17 PM posted to alt.windows7.general
Al Drake

On 7/27/2015 11:29 AM, Yousuf Khan wrote:
> Okay, so yesterday, I was called over to a friend's house to fix up his
> computer which he got infected with malware that he downloaded without
> thinking (browser hijackers, PUP's, etc., a whole suite of various
> malware in one package). It was a bad infection, but I finally got it
> all out.
>
> So I ran a scan on the malware package installer with his default virus
> scanner, and it didn't even recognize it as a malware. He was running
> Microsoft Security Essentials (which I had installed for him
> originally). I knew it had to be malware so I uploaded it to the online
> Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about
> 40% of the scanners found it to be malware, so Microsoft wasn't alone in
> being braindead about it. One of the scanners that did recognize it was
> Avira, so I've switched him over to Avira now.
>
> Anyway, one puzzling aspect of this infection was that the malware had
> installed a copy of Windows.exe into the Public Documents folder. I also
> had it scanned by Jotti, and absolutely 100% of the scanners listed it
> as legit. I looked at its properties, and it was listed as a 32-bit
> Windows PE executable. What would be the purpose of installing Windows
> PE on an existing Windows system? Is it to run some sort of root kits or
> something?
>
> Yousuf Khan


Windows PE is legit.

https://technet.microsoft.com/en-us/.../Dn621903.aspx

You might want some malware removal tool installed like Malwarebytes


https://www.malwarebytes.org/


  #3  
Old July 27th 15, 06:28 PM posted to alt.windows7.general
Ed Cryer

Yousuf Khan wrote:
> Okay, so yesterday, I was called over to a friend's house to fix up his
> computer which he got infected with malware that he downloaded without
> thinking (browser hijackers, PUP's, etc., a whole suite of various
> malware in one package). It was a bad infection, but I finally got it
> all out.
>
> So I ran a scan on the malware package installer with his default virus
> scanner, and it didn't even recognize it as a malware. He was running
> Microsoft Security Essentials (which I had installed for him
> originally). I knew it had to be malware so I uploaded it to the online
> Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about
> 40% of the scanners found it to be malware, so Microsoft wasn't alone in
> being braindead about it. One of the scanners that did recognize it was
> Avira, so I've switched him over to Avira now.
>
> Anyway, one puzzling aspect of this infection was that the malware had
> installed a copy of Windows.exe into the Public Documents folder. I also
> had it scanned by Jotti, and absolutely 100% of the scanners listed it
> as legit. I looked at its properties, and it was listed as a 32-bit
> Windows PE executable. What would be the purpose of installing Windows
> PE on an existing Windows system? Is it to run some sort of root kits or
> something?
>
> Yousuf Khan


I have a Windows.exe in my new Malwarebytes folder. It's digitally
signed and passes as legit.

Ed

  #4  
Old July 27th 15, 07:02 PM posted to alt.windows7.general
Jonas Q[_2_]

On 27-Jul-2015 13:28, Ed Cryer wrote:
> Yousuf Khan wrote:
>> Okay, so yesterday, I was called over to a friend's house to fix up his
>> computer which he got infected with malware that he downloaded without
>> thinking (browser hijackers, PUP's, etc., a whole suite of various
>> malware in one package). It was a bad infection, but I finally got it
>> all out.
>>
>> So I ran a scan on the malware package installer with his default virus
>> scanner, and it didn't even recognize it as a malware. He was running
>> Microsoft Security Essentials (which I had installed for him
>> originally). I knew it had to be malware so I uploaded it to the online
>> Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about
>> 40% of the scanners found it to be malware, so Microsoft wasn't alone in
>> being braindead about it. One of the scanners that did recognize it was
>> Avira, so I've switched him over to Avira now.
>>
>> Anyway, one puzzling aspect of this infection was that the malware had
>> installed a copy of Windows.exe into the Public Documents folder. I also
>> had it scanned by Jotti, and absolutely 100% of the scanners listed it
>> as legit. I looked at its properties, and it was listed as a 32-bit
>> Windows PE executable. What would be the purpose of installing Windows
>> PE on an existing Windows system? Is it to run some sort of root kits or
>> something?
>>
>> Yousuf Khan
>
> I have a Windows.exe in my new Malwarebytes folder. It's digitally
> signed and passes as legit.
>
> Ed


Yep. Malwarebytes/chameleon folder
  #5  
Old July 27th 15, 08:46 PM posted to alt.windows7.general
Tough Guy no. 1265

On Mon, 27 Jul 2015 16:29:58 +0100, Yousuf Khan wrote:

> Okay, so yesterday, I was called over to a friend's house to fix up his
> computer which he got infected with malware that he downloaded without
> thinking (browser hijackers, PUP's, etc., a whole suite of various
> malware in one package). It was a bad infection, but I finally got it
> all out.
>
> So I ran a scan on the malware package installer with his default virus
> scanner, and it didn't even recognize it as a malware. He was running
> Microsoft Security Essentials (which I had installed for him
> originally). I knew it had to be malware so I uploaded it to the online
> Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about
> 40% of the scanners found it to be malware, so Microsoft wasn't alone in
> being braindead about it. One of the scanners that did recognize it was
> Avira, so I've switched him over to Avira now.
>
> Anyway, one puzzling aspect of this infection was that the malware had
> installed a copy of Windows.exe into the Public Documents folder. I also
> had it scanned by Jotti, and absolutely 100% of the scanners listed it
> as legit. I looked at its properties, and it was listed as a 32-bit
> Windows PE executable. What would be the purpose of installing Windows
> PE on an existing Windows system? Is it to run some sort of root kits or
> something?
>
> Yousuf Khan


Microsoft Security Essentials is the very worst virus checker. AVG is far better. No idea about Jotti though.
  #6  
Old July 27th 15, 09:55 PM posted to alt.windows7.general
Yousuf Khan[_2_]

On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
> Microsoft Security Essentials is the very worst virus checker. AVG is
> far better. No idea about Jotti though.


MSE wasn't alone here, at least 60% of virus scanners didn't find it
either. AVG and Avira both did however, and there were a few others as
well. I've used both AVG and Avira in the past, and Avira is by far the
least offensive to have installed, next to MSE.

Yousuf Khan
  #7  
Old July 27th 15, 09:59 PM posted to alt.windows7.general
Tough Guy no. 1265

On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:

> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>> Microsoft Security Essentials is the very worst virus checker. AVG is
>> far better. No idea about Jotti though.
>
> MSE wasn't alone here, at least 60% of virus scanners didn't find it
> either. AVG and Avira both did however, and there were a few others as
> well. I've used both AVG and Avira in the past, and Avira is by far the
> least offensive to have installed, next to MSE.


I've never had a problem with AVG. I only allow the basic realtime protection and turn off all the other crap.

I read somewhere how many things AVG and MSE detect. MSE only detects HALF as many things as most others.
  #8  
Old July 27th 15, 10:12 PM posted to alt.windows7.general
Ed Cryer

Tough Guy no. 1265 wrote:
> On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:
>
>> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>>> Microsoft Security Essentials is the very worst virus checker. AVG is
>>> far better. No idea about Jotti though.
>>
>> MSE wasn't alone here, at least 60% of virus scanners didn't find it
>> either. AVG and Avira both did however, and there were a few others as
>> well. I've used both AVG and Avira in the past, and Avira is by far the
>> least offensive to have installed, next to MSE.
>
> I've never had a problem with AVG. I only allow the basic realtime
> protection and turn off all the other crap.
>
> I read somewhere how many things AVG and MSE detect. MSE only detects
> HALF as many things as most others.


http://chart.av-comparatives.org/chart1.php

Ed

  #9  
Old July 27th 15, 10:19 PM posted to alt.windows7.general
Tough Guy no. 1265

On Mon, 27 Jul 2015 22:12:22 +0100, Ed Cryer wrote:

> Tough Guy no. 1265 wrote:
>> On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:
>>
>>> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>>>> Microsoft Security Essentials is the very worst virus checker. AVG is
>>>> far better. No idea about Jotti though.
>>>
>>> MSE wasn't alone here, at least 60% of virus scanners didn't find it
>>> either. AVG and Avira both did however, and there were a few others as
>>> well. I've used both AVG and Avira in the past, and Avira is by far the
>>> least offensive to have installed, next to MSE.
>>
>> I've never had a problem with AVG. I only allow the basic realtime
>> protection and turn off all the other crap.
>>
>> I read somewhere how many things AVG and MSE detect. MSE only detects
>> HALF as many things as most others.
>
> http://chart.av-comparatives.org/chart1.php
>
> Ed


I think I'll give Panda a try if it's free.

MSE isn't on there though.
  #10  
Old July 27th 15, 10:23 PM posted to alt.windows7.general
Ed Cryer

Tough Guy no. 1265 wrote:
> On Mon, 27 Jul 2015 22:12:22 +0100, Ed Cryer wrote:
>
>> Tough Guy no. 1265 wrote:
>>> On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:
>>>
>>>> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>>>>> Microsoft Security Essentials is the very worst virus checker. AVG is
>>>>> far better. No idea about Jotti though.
>>>>
>>>> MSE wasn't alone here, at least 60% of virus scanners didn't find it
>>>> either. AVG and Avira both did however, and there were a few others as
>>>> well. I've used both AVG and Avira in the past, and Avira is by far the
>>>> least offensive to have installed, next to MSE.
>>>
>>> I've never had a problem with AVG. I only allow the basic realtime
>>> protection and turn off all the other crap.
>>>
>>> I read somewhere how many things AVG and MSE detect. MSE only detects
>>> HALF as many things as most others.
>>
>> http://chart.av-comparatives.org/chart1.php
>>
>> Ed
>
> I think I'll give Panda a try if it's free.
>
> MSE isn't on there though.


The one everybody raves about recently is Bitdefender.
If it were free I'd migrate from AVG to it.
But I have minimal problems with malware; far more problems caused by my
own meddling with things.
(:-

Ed


  #11  
Old July 27th 15, 10:36 PM posted to alt.windows7.general
Tough Guy no. 1265

On Mon, 27 Jul 2015 22:19:00 +0100, Tough Guy no. 1265 wrote:

> On Mon, 27 Jul 2015 22:12:22 +0100, Ed Cryer wrote:
>
>> Tough Guy no. 1265 wrote:
>>> On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:
>>>
>>>> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>>>>> Microsoft Security Essentials is the very worst virus checker. AVG is
>>>>> far better. No idea about Jotti though.
>>>>
>>>> MSE wasn't alone here, at least 60% of virus scanners didn't find it
>>>> either. AVG and Avira both did however, and there were a few others as
>>>> well. I've used both AVG and Avira in the past, and Avira is by far the
>>>> least offensive to have installed, next to MSE.
>>>
>>> I've never had a problem with AVG. I only allow the basic realtime
>>> protection and turn off all the other crap.
>>>
>>> I read somewhere how many things AVG and MSE detect. MSE only detects
>>> HALF as many things as most others.
>>
>> http://chart.av-comparatives.org/chart1.php
>>
>> Ed
>
> I think I'll give Panda a try if it's free.


Now installed, although I never received an account activation email, I guess it'll work without that.

But it's unclear if it's up to date, I found "automatic updates" and clicked "update now", and the circle is spinning indefinitely. Nothing is coming through the internet connection. It's reading 0kbps.
  #12  
Old July 28th 15, 12:51 AM posted to alt.windows7.general
Yousuf Khan[_2_]

On 27/07/2015 5:19 PM, Tough Guy no. 1265 wrote:
> I think I'll give Panda a try if it's free.
>
> MSE isn't on there though.


I'll probably keep using MSE on my own systems, as it is the least
intrusive AV of them all. I've always had problems with resource
utilization from other AV in the past.

Yousuf Khan
  #13  
Old July 28th 15, 12:53 AM posted to alt.windows7.general
Yousuf Khan[_2_]

On 27/07/2015 1:28 PM, Ed Cryer wrote:
> I have a Windows.exe in my new Malwarebytes folder. It's digitally
> signed and passes as legit.


Which is what's puzzling, what's malware doing installing legit
Microsoft software for?

Yousuf Khan

  #14  
Old July 28th 15, 01:02 PM posted to alt.windows7.general
Ed Cryer

Yousuf Khan wrote:
> On 27/07/2015 1:28 PM, Ed Cryer wrote:
>> I have a Windows.exe in my new Malwarebytes folder. It's digitally
>> signed and passes as legit.
>
> Which is what's puzzling, what's malware doing installing legit
> Microsoft software for?
>
> Yousuf Khan


Does MS own Malwarebytes?

Ed

  #15  
Old July 28th 15, 01:42 PM posted to alt.windows7.general
Paul

Ed Cryer wrote:
> Yousuf Khan wrote:
>> On 27/07/2015 1:28 PM, Ed Cryer wrote:
>>> I have a Windows.exe in my new Malwarebytes folder. It's digitally
>>> signed and passes as legit.
>>
>> Which is what's puzzling, what's malware doing installing legit
>> Microsoft software for?
>>
>> Yousuf Khan
>
> Does MS own Malwarebytes?
>
> Ed


Has anyone done "Properties" on this purported file?

Malwarebytes has Chameleon technology, their words for
a way to fool the malware into allowing a copy of
mbam.exe to run. They have some trick where they
rename files, or do something so that the malware
is less likely to block it.

If the file is signed, there's a good chance you'll have
proof of ownership.

Paul
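
The Properties and signature check suggested in the last post, as an added example that is not part of the original thread: the "PE" that file Properties reports is the Portable Executable file format, and this sketch reads the header fields behind "32-bit PE" and whether an Authenticode certificate table is present. The names `inspect_pe` and `build_sample` are hypothetical, the sample bytes are constructed, and a present certificate table is not the same as a verified signature.

```python
import struct

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def inspect_pe(data: bytes) -> dict:
    """Report CPU type, PE32/PE32+ and whether a certificate table exists."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("no MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        # COFF header: Machine is first, SizeOfOptionalHeader is sixth.
        machine, _, _, _, _, opt_size, _ = struct.unpack_from(
            "<HHIIIHH", data, pe_off + 4)
        opt = pe_off + 24
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional-header magic")
        # Data directories start at +96 (PE32) or +112 (PE32+).
        dirs = opt + (96 if magic == 0x10B else 112)
        (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
        cert_off = cert_size = 0
        if ndirs > 4 and dirs + 5 * 8 <= opt + opt_size:
            # Entry 4 = certificate table (file offset, size): Authenticode.
            cert_off, cert_size = struct.unpack_from("<II", data, dirs + 32)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": "PE32" if magic == 0x10B else "PE32+",
        # Presence only: validity of the signature and its certificate chain
        # must still be checked by Windows (Properties > Digital Signatures).
        "has_signature_blob": cert_size > 0 and cert_off + cert_size <= len(data),
    }

def build_sample(signed: bool) -> bytes:
    """Constructed header-only PE32 image for the demo; not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    if signed:                                 # point entry 4 past the headers
        struct.pack_into("<II", opt, 96 + 32, 0x40 + 24 + 224, 8)
    image = dos + b"PE\0\0" + coff + bytes(opt)
    return image + (b"\0" * 8 if signed else b"")   # stand-in blob, not a cert

if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_pe(build_sample(flag)))
```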
 




All times are GMT +1.

