A Windows XP help forum. PCbanter


Why would malware install a copy of Windows.exe?



 
 
  #16  
Old July 28th 15, 02:13 PM posted to alt.windows7.general
Tough Guy no. 1265
external usenet poster
 
Posts: 364
Default Why would malware install a copy of Windows.exe?

On Tue, 28 Jul 2015 00:51:34 +0100, Yousuf Khan wrote:

> On 27/07/2015 5:19 PM, Tough Guy no. 1265 wrote:
>> I think I'll give Panda a try if it's free.
>>
>> MSE isn't on there though.
>
> I'll probably keep using MSE on my own systems, as it is the least
> intrusive AV of them all. I've always had problems with resource
> utilization from other AV in the past.
>
> Yousuf Khan


I've removed MSE from other people's computers (loads of them), then taken off about 40 viruses which it didn't detect.
  #17  
Old July 29th 15, 06:26 AM posted to alt.windows7.general
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default Why would malware install a copy of Windows.exe?

On 28/07/2015 8:02 AM, Ed Cryer wrote:
> Yousuf Khan wrote:
>> On 27/07/2015 1:28 PM, Ed Cryer wrote:
>>> I have a Windows.exe in my new Malwarebytes folder. It's digitally
>>> signed and passes as legit.
>>
>> Which is what's puzzling, what's malware doing installing legit
>> Microsoft software for?
>>
>> Yousuf Khan
>
> Does MS own Malwarebytes?


I'm not talking about Malwarebytes, I'm talking about actual malware!

You know the stuff that Malwarebytes is named after because it's
supposed to clean it up.

Yousuf Khan

  #18  
Old July 29th 15, 06:28 AM posted to alt.windows7.general
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default Why would malware install a copy of Windows.exe?

On 28/07/2015 8:42 AM, Paul wrote:
> Ed Cryer wrote:
>> Does MS own Malwarebytes?
>>
>> Ed
>
> Has anyone done "Properties" on this purported file ?
>
> Malwarebytes has Chameleon technology, their words for
> a way to fool the malware into allowing a copy of
> mbam.exe to run. They have some trick where they
> rename files, or do something so that the malware
> is less likely to block it.
>
> If the file is signed, there's a good chance you'll have
> proof of ownership.


We have to get off of this line. I'm not talking about Malwarebytes the
brand name, I'm talking about malware the category of software.


Yousuf Khan
  #19  
Old July 29th 15, 11:04 AM posted to alt.windows7.general
Paul
external usenet poster
 
Posts: 18,275
Default Why would malware install a copy of Windows.exe?

Yousuf Khan wrote:
> On 28/07/2015 8:42 AM, Paul wrote:
>> Ed Cryer wrote:
>>> Does MS own Malwarebytes?
>>>
>>> Ed
>>
>> Has anyone done "Properties" on this purported file ?
>>
>> Malwarebytes has Chameleon technology, their words for
>> a way to fool the malware into allowing a copy of
>> mbam.exe to run. They have some trick where they
>> rename files, or do something so that the malware
>> is less likely to block it.
>>
>> If the file is signed, there's a good chance you'll have
>> proof of ownership.
>
> We have to get off of this line. I'm not talking about Malwarebytes the
> brand name, I'm talking about malware the category of software.
>
> Yousuf Khan


1) Find your sample "Windows.exe" file.
2) Upload it to virustotal.com.
3) Post a link to the results page, which shows
all the scanners giving it a clean bill of health.

The Virustotal page has some other tabs, which give hints
about the file. In some cases (not very often), there
is behavioral information, such as what files the program
tried to access, or what files the program tried to create.

That's the easiest way I know of, for people to look
at some aspect of your file. Without actually having
the file in hand.

Even if you have an MD5SUM or a SHA1SUM of the
file in question, and can post that, that would
help.

Legitimate files, signed files, the results for them
are different and more detailed, than a program I
might compile in MinGW here.

When you use a modern browser to upload that
file, virustotal.com sends web page code which
causes the checksum to be computed. If the checksum
matches a known file, the upload step is not needed.
If the checksum is unknown, then, the upload step
will be required. On older browsers, all the files
must be uploaded for an opinion.

Paul
  #20  
Old July 29th 15, 12:26 PM posted to alt.windows7.general
Ed Cryer
external usenet poster
 
Posts: 2,621
Default Why would malware install a copy of Windows.exe?

Yousuf Khan wrote:
> On 28/07/2015 8:02 AM, Ed Cryer wrote:
>> Yousuf Khan wrote:
>>> On 27/07/2015 1:28 PM, Ed Cryer wrote:
>>>> I have a Windows.exe in my new Malwarebytes folder. It's digitally
>>>> signed and passes as legit.
>>>
>>> Which is what's puzzling, what's malware doing installing legit
>>> Microsoft software for?
>>>
>>> Yousuf Khan
>>
>> Does MS own Malwarebytes?
>
> I'm not talking about Malwarebytes, I'm talking about actual malware!
>
> You know the stuff that Malwarebytes is named after because it's
> supposed to clean it up.
>
> Yousuf Khan


We were talking about a file named "Windows.exe". I scanned my system
for it and found a file of that name in my Program Files(X86)/
Malwarebytes/ Chameleon folder. That file is completely legit, and if I
uploaded it to a virus-scanning site it would be passed as clean.
The whole point was to let you know that not all files named
"Windows.exe" are malware or created by malware.

Look at the Properties of your file (all the tabs) and see what further
info you can gather about it; size, when created, digital signatures,
details.

Ed
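
The checks suggested in the posts above (a checksum to look the file up by, plus size and digital-signature details), as an added example that is not code from any poster in this thread. The function names `file_hashes`, `has_embedded_signature`, `triage` and `constructed_stub` are hypothetical, and the signature check only reports whether an embedded Authenticode blob is present; it does not validate it.

```python
import hashlib
import os
import struct

def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of a file, read once in 1 MiB chunks."""
    digests = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            for d in digests:
                d.update(block)
    return {d.name: d.hexdigest() for d in digests}

def has_embedded_signature(path):
    """True if the PE certificate table (data directory 4) is populated.
    Presence only: the signature and its signer are NOT validated here."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    try:
        pe = struct.unpack_from("<I", head, 0x3C)[0]          # e_lfanew
        if head[:2] != b"MZ" or head[pe:pe + 4] != b"PE\0\0":
            return False
        opt = pe + 24                                         # past signature + COFF header
        magic = struct.unpack_from("<H", head, opt)[0]
        dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ or PE32
        count = struct.unpack_from("<I", head, dirs - 4)[0]   # NumberOfRvaAndSizes
        offset, size = struct.unpack_from("<II", head, dirs + 32)
    except struct.error:                                      # truncated header
        return False
    return count > 4 and offset != 0 and size != 0

def triage(root, name="windows.exe"):
    """Describe every file under root whose name matches, ignoring case."""
    report = []
    for folder, _, files in os.walk(root):
        for path in (os.path.join(folder, f) for f in files if f.lower() == name):
            report.append({"path": path, "size": os.path.getsize(path),
                           "signed": has_embedded_signature(path), **file_hashes(path)})
    return report

def constructed_stub(signed):
    """Constructed 512-byte PE32 header for the demo; not a real program."""
    head = bytearray(0x200)
    head[:2], head[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", head, 0x3C, 0x80)        # e_lfanew: PE header at 0x80
    struct.pack_into("<H", head, 0x98, 0x10B)       # optional header magic: PE32
    struct.pack_into("<I", head, 0xF4, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", head, 0x118, 0x200 * signed, 0x100 * signed)  # cert table
    return bytes(head)
```

A `signed` value of `False` does not prove a file is unsigned, because Windows components are often signed through a separate catalog file rather than an embedded signature; the Properties dialog remains the place to see who signed it.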




  #21  
Old July 31st 15, 10:11 PM posted to alt.windows7.general
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default Why would malware install a copy of Windows.exe?

On 29/07/2015 6:04 AM, Paul wrote:
> 1) Find your sample "Windows.exe" file.
> 2) Upload it to virustotal.com.
> 3) Post a link to the results page, which shows
> all the scanners giving it a clean bill of health.
>
> The Virustotal page has some other tabs, which give hints
> about the file. In some cases (not very often), there
> is behavioral information, such as what files the program
> tried to access, or what files the program tried to create.


I did the same thing but instead of to Virustotal, I went to Jotti.org.
It ran the file through several dozen virus scanners, and they all found
it to be legit. The Windows.exe has since been removed after we removed
the malware.

Yousuf Khan
  #22  
Old July 31st 15, 10:13 PM posted to alt.windows7.general
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default Why would malware install a copy of Windows.exe?

On 29/07/2015 7:26 AM, Ed Cryer wrote:
> We were talking about a file named "Windows.exe". I scanned my system
> for it and found a file of that name in my Program Files(X86)/
> Malwarebytes/ Chameleon folder. That file is completely legit, and if I
> uploaded it to a virus-scanning site it would be passed as clean.
> The whole point was to let you know that not all files named
> "Windows.exe" are malware or created by malware.
>
> Look at the Properties of your file (all the tabs) and see what further
> info you can gather about it; size, when created, digital signatures,
> details.


The file has been removed since we cleaned up all of the malware. But it
was puzzling why malware would want to install it. I can understand why
Malwarebytes would want to install it, it creates a sandbox environment
for itself.

Yousuf Khan

 



