#16
Why would malware install a copy of Windows.exe?
On Tue, 28 Jul 2015 00:51:34 +0100, Yousuf Khan wrote:
> On 27/07/2015 5:19 PM, Tough Guy no. 1265 wrote:
>> I think I'll give Panda a try if it's free. MSE isn't on there though.
>
> I'll probably keep using MSE on my own systems, as it is the least intrusive AV of them all. I've always had problems with resource utilization from other AV in the past.
>
> Yousuf Khan

I've removed MSE from other people's computers (loads of them), then taken off about 40 viruses which it didn't detect.
#17
On 28/07/2015 8:02 AM, Ed Cryer wrote:
> Yousuf Khan wrote:
>> On 27/07/2015 1:28 PM, Ed Cryer wrote:
>>> I have a Windows.exe in my new Malwarebytes folder. It's digitally signed and passes as legit.
>>
>> Which is what's puzzling, what's malware doing installing legit Microsoft software for?
>>
>> Yousuf Khan
>
> Does MS own Malwarebytes?

I'm not talking about Malwarebytes, I'm talking about actual malware! You know, the stuff that Malwarebytes is named after because it's supposed to clean it up.

Yousuf Khan
#18
On 28/07/2015 8:42 AM, Paul wrote:
> Ed Cryer wrote:
>> Does MS own Malwarebytes?
>>
>> Ed
>
> Has anyone done "Properties" on this purported file?
>
> Malwarebytes has Chameleon technology, their words for a way to fool the malware into allowing a copy of mbam.exe to run. They have some trick where they rename files, or do something so that the malware is less likely to block it.
>
> If the file is signed, there's a good chance you'll have proof of ownership.

We have to get off of this line. I'm not talking about Malwarebytes the brand name, I'm talking about malware the category of software.

Yousuf Khan
#19
Yousuf Khan wrote:
> On 28/07/2015 8:42 AM, Paul wrote:
>> Ed Cryer wrote:
>>> Does MS own Malwarebytes?
>>>
>>> Ed
>>
>> Has anyone done "Properties" on this purported file?
>>
>> Malwarebytes has Chameleon technology, their words for a way to fool the malware into allowing a copy of mbam.exe to run. They have some trick where they rename files, or do something so that the malware is less likely to block it.
>>
>> If the file is signed, there's a good chance you'll have proof of ownership.
>
> We have to get off of this line. I'm not talking about Malwarebytes the brand name, I'm talking about malware the category of software.
>
> Yousuf Khan

1) Find your sample "Windows.exe" file.
2) Upload it to virustotal.com.
3) Post a link to the results page, which shows all the scanners giving it a clean bill of health.

The Virustotal page has some other tabs, which give hints about the file. In some cases (not very often), there is behavioral information, such as what files the program tried to access, or what files the program tried to create.

That's the easiest way I know of, for people to look at some aspect of your file, without actually having the file in hand.

Even if you have an MD5SUM or a SHA1SUM of the file in question, and can post that, that would help. Legitimate files, signed files, the results for them are different and more detailed than a program I might compile in MinGW here.

When you use a modern browser to upload that file, virustotal.com sends web page code which causes the checksum to be computed. If the checksum matches a known file, the upload step is not needed. If the checksum is unknown, then the upload step will be required. On older browsers, all the files must be uploaded for an opinion.

Paul
#20
Yousuf Khan wrote:
> On 28/07/2015 8:02 AM, Ed Cryer wrote:
>> Yousuf Khan wrote:
>>> On 27/07/2015 1:28 PM, Ed Cryer wrote:
>>>> I have a Windows.exe in my new Malwarebytes folder. It's digitally signed and passes as legit.
>>>
>>> Which is what's puzzling, what's malware doing installing legit Microsoft software for?
>>>
>>> Yousuf Khan
>>
>> Does MS own Malwarebytes?
>
> I'm not talking about Malwarebytes, I'm talking about actual malware! You know, the stuff that Malwarebytes is named after because it's supposed to clean it up.
>
> Yousuf Khan

We were talking about a file named "Windows.exe". I scanned my system for it and found a file of that name in my Program Files(X86)/Malwarebytes/Chameleon folder. That file is completely legit, and if I uploaded it to a virus-scanning site it would be passed as clean.

The whole point was to let you know that not all files named "Windows.exe" are malware or created by malware.

Look at the Properties of your file (all the tabs) and see what further info you can gather about it: size, when created, digital signatures, details.

Ed
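The two posts above (Paul's hash/VirusTotal steps in #19 and Ed's "look at every Properties tab" in #20) describe one triage procedure for a file like this. Here it is as a PowerShell script, an added example that is not from the thread and not Malwarebytes' or VirusTotal's code. It prints what the Properties dialog would (size, timestamps, version resource, Authenticode status and signer), the MD5/SHA-1/SHA-256 hashes, and the VirusTotal report URL for the SHA-256 so a known file can be looked up without uploading it. It also goes a little beyond the posts by flagging two combinations worth a closer look: a signer that does not match the CompanyName claimed in the version resource, and a copy living outside Program Files. The default path is an assumption taken from Ed's description of where his copy lives (the exact folder name varies by Malwarebytes version); pass -Path to point it at your own sample. Needs PowerShell 4.0 or later for Get-FileHash.

```powershell
<#
Added example, not code from the thread or from any vendor: the Properties,
hash and VirusTotal steps from posts #19 and #20, done from PowerShell so the
output can be pasted into a reply. The default path below is an ASSUMPTION
(Ed's folder, whose exact name differs between Malwarebytes versions).
#>
param(
    [string]$Path = "${env:ProgramFiles(x86)}\Malwarebytes\Chameleon\Windows.exe"
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $ver  = $file.VersionInfo

    # General/Details tabs: size, timestamps and the version resource. These
    # strings are written by whoever built the file; they hint at origin but
    # prove nothing on their own.
    $report = [ordered]@{
        Path             = $file.FullName
        SizeBytes        = $file.Length
        Created          = $file.CreationTime
        LastWritten      = $file.LastWriteTime
        CompanyName      = $ver.CompanyName
        ProductName      = $ver.ProductName
        FileDescription  = $ver.FileDescription
        FileVersion      = $ver.FileVersion
        OriginalFilename = $ver.OriginalFilename
    }

    # MD5 and SHA-1 are what the thread mentions; SHA-256 is what VirusTotal
    # keys its reports on, so a known file can be looked up without uploading.
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $report[$alg] = (Get-FileHash -LiteralPath $file.FullName -Algorithm $alg).Hash.ToLower()
    }
    $report['VirusTotalURL'] = "https://www.virustotal.com/gui/file/$($report['SHA256'])"

    # Digital Signatures tab: Authenticode. Only 'Valid' means the signature
    # verifies AND chains to a root this machine trusts. NotSigned,
    # HashMismatch (modified after signing) and NotTrusted are the ones to act on.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $report['SignatureStatus']  = $sig.Status
    $report['Signer']           = $sig.SignerCertificate.Subject
    $report['SignerThumbprint'] = $sig.SignerCertificate.Thumbprint
    $report['Timestamper']      = $sig.TimeStamperCertificate.Subject

    # A valid signature says who signed the file, not that it belongs where it
    # is. Flag the combinations worth a second look, never the bare filename.
    $warnings = @()
    if ($sig.Status -ne 'Valid') {
        $warnings += "Signature status is $($sig.Status); treat as unverified and submit it to VirusTotal or Jotti."
    }
    elseif (-not [string]::IsNullOrEmpty($ver.CompanyName) -and
            $sig.SignerCertificate.Subject -notlike "*$($ver.CompanyName)*") {
        $warnings += "Signer '$($sig.SignerCertificate.Subject)' does not mention the CompanyName '$($ver.CompanyName)' claimed in the version resource."
    }
    # Heuristic only: a product's own helper normally sits under Program Files.
    if ($file.DirectoryName -notlike "$env:ProgramFiles*" -and
        $file.DirectoryName -notlike "${env:ProgramFiles(x86)}*") {
        $warnings += "File lives outside Program Files ($($file.DirectoryName)); check what dropped it there."
    }
    $report['Warnings'] = $warnings

    [pscustomobject]$report
}

Get-SuspectFileReport -Path $Path | Format-List
```

Run it as `.\Check-WindowsExe.ps1 -Path 'C:\wherever\Windows.exe'` (the script name is an assumption). The SHA-256 and the signer subject/thumbprint are the two values worth posting in a thread like this: the hash lets anyone else look the file up, and the thumbprint identifies the signing certificate more reliably than the display name on the Digital Signatures tab.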
#21
On 29/07/2015 6:04 AM, Paul wrote:
> 1) Find your sample "Windows.exe" file.
> 2) Upload it to virustotal.com.
> 3) Post a link to the results page, which shows all the scanners giving it a clean bill of health.
>
> The Virustotal page has some other tabs, which give hints about the file. In some cases (not very often), there is behavioral information, such as what files the program tried to access, or what files the program tried to create.

I did the same thing but instead of to Virustotal, I went to Jotti.org. It ran the file through several dozen virus scanners, and they all found it to be legit. The Windows.exe has since been removed after we removed the malware.

Yousuf Khan
#22
On 29/07/2015 7:26 AM, Ed Cryer wrote:
> We were talking about a file named "Windows.exe". I scanned my system for it and found a file of that name in my Program Files(X86)/Malwarebytes/Chameleon folder. That file is completely legit, and if I uploaded it to a virus-scanning site it would be passed as clean.
>
> The whole point was to let you know that not all files named "Windows.exe" are malware or created by malware.
>
> Look at the Properties of your file (all the tabs) and see what further info you can gather about it: size, when created, digital signatures, details.

The file has been removed since we cleaned up all of the malware. But it was puzzling why malware would want to install it. I can understand why Malwarebytes would want to install it; it creates a sandbox environment for itself.

Yousuf Khan