Simple check of a suspicious file

A friend of mine sent me a RAR archive containing an executable and a "crack", telling me that his antivirus raised an alert when he tried to run the "crack". He had downloaded the file from a link posted on a blog; the file itself was hosted on a file-sharing site. His question was whether the antivirus alert was triggered only by the name "crack", in other words whether it was a "false positive". For those who do not know, a "crack" is a small executable that modifies an application's executable so that it behaves like a registered (licensed) program, and a "false positive" is a virus alert raised by the antivirus on a file that is actually clean.

I used the excellent program Uniextract to try to extract all the files possibly contained in or embedded in the executable. A trojan can be spread by embedding or binding it with a legitimate program, by various procedures or by using an "installer/setup maker" program; the icon and file properties of the resulting installer can then be changed to match the ones ripped from the original, clean installer. Uniextract (Universal Extractor) extracts files from almost any type of archive, whether it is a simple zip file, an installation program or even a Windows Installer package, without running the executable. Using it is very simple because the program adds a context (right-click) menu entry.

Here is a screenshot of the original files immediately after extracting the RAR archive:

[screenshot missing]

a screenshot of Uniextract being used:

[screenshot missing]

and the result:

[screenshot missing]

As you can see, a new executable file is revealed: services.exe. Now things become interesting: an executable carrying a name different from the original is clearly dubious. I submitted this executable to virustotal.com, a free file-scanning service that reports the results of scanning a file with 42 antivirus engines, together with other properties of the executable such as the compressor or packer used.

The virustotal.com scan result: 38 of the 39 antivirus engines that scanned the file flagged it as a trojan, Trojan-PWS.Win32.Dybalom!IK.
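What Uniextract did above (pull an embedded executable out of a container without running it) and what VirusTotal needs from you (the file, or just its SHA-256 hash to look up an existing report) can be reproduced with a few lines of code. The following is an added example written for this page, not Uniextract's code nor anything from the original post: it scans a byte buffer for DOS/PE header pairs, estimates each embedded PE's on-disk size from its section table, carves it out and hashes it. The sample "installer" it runs on is constructed inline from a minimal fake PE; the function names are my own.

```python
"""Carve embedded PE executables out of a container file without executing it."""
import hashlib
import struct

DOS_HEADER_SIZE = 0x40       # IMAGE_DOS_HEADER is 64 bytes; e_lfanew lives at 0x3C
PE_SIG = b"PE\0\0"
COFF_SIZE = 20               # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40     # IMAGE_SECTION_HEADER


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def _u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def find_pe_headers(data: bytes):
    """Return offsets of every 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature.

    This is the trace a binder or installer leaves when a second executable is
    embedded or appended; a bare 'MZ' match alone would produce false hits.
    """
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + DOS_HEADER_SIZE <= len(data):
            e_lfanew = _u32(data, pos + 0x3C)
            sig = pos + e_lfanew
            if DOS_HEADER_SIZE <= e_lfanew < 0x1000 and data[sig:sig + 4] == PE_SIG:
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def pe_file_size(data: bytes, base: int) -> int:
    """Estimate the on-disk size of the PE at base: max(PointerToRawData + SizeOfRawData).

    A trailing overlay (data after the last section) is not recovered; that is
    a known limit of section-table carving, so compare sizes against the
    container if the result looks too small.
    """
    coff = base + _u32(data, base + 0x3C) + 4        # skip the 4-byte PE signature
    num_sections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)                  # SizeOfOptionalHeader
    sections = coff + COFF_SIZE + opt_size
    end = sections + num_sections * SECTION_HEADER_SIZE - base   # at least the headers
    for i in range(num_sections):
        hdr = sections + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(data):
            break                                     # truncated section table
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data) - base)                 # never read past the container


def file_sha256(data: bytes) -> str:
    """SHA-256 hex digest, the identifier VirusTotal accepts for a hash lookup."""
    return hashlib.sha256(data).hexdigest()


def carve_embedded_pes(data: bytes):
    """Carve every PE found after offset 0; return (offset, size, sha256) tuples."""
    results = []
    for off in find_pe_headers(data):
        if off == 0:
            continue                                  # offset 0 is the container itself
        size = pe_file_size(data, off)
        results.append((off, size, file_sha256(data[off:off + size])))
    return results


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed sample: a minimal, non-runnable PE with one section (test data only)."""
    hdr_end = DOS_HEADER_SIZE + 4 + COFF_SIZE + SECTION_HEADER_SIZE
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", DOS_HEADER_SIZE)
    # Machine=i386, NumberOfSections=1, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
    section = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), hdr_end) + b"\0" * 16
    return dos + PE_SIG + coff + section + payload


if __name__ == "__main__":
    # Constructed container: a "legitimate" stub with a second PE bound inside it.
    inner = build_fake_pe(b"fake payload bytes!!")
    container = b"legit installer stub " * 10 + inner + b"trailer data"
    for off, size, digest in carve_embedded_pes(container):
        print(f"embedded PE at offset {off}, {size} bytes, sha256 {digest}")
```

On a real sample, read the suspicious installer with `open(path, "rb").read()`, write each carved blob to its own file and look the SHA-256 up on virustotal.com before uploading anything; a hash lookup discloses nothing about the file, whereas an upload shares the binary with every vendor on the service.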

You can always follow these simple steps to protect your computer from trojan infections and your sensitive data from being stolen.
