
Thread: Unknown .Com File?

  1. #1
    Junior Member
    Join Date
    May 2002
    Posts
    5

    Question Unknown .Com File?

    I was recently browsing around my Windows dir for fun stuff (as I am wont to do on occasion) when I came across a somewhat suspicious file.
    Well, it wasn't suspicious at first.
    I had never heard of it before - Info.Com - but was excited that I had found a new DOS program that I had yet to play with. Yet, when I opened up a prompt to run this command file (I did scan it first, mind you), it spat out an echo that read: "This program must be run under UNIX". While I consider myself rather new to security stuff, it doesn’t take much to conceptualize that I probably didn't install a UNIX program on my Win98 machine. Nevertheless, it perplexes me why a command file supposedly designed for UNIX would still run in DOS, because I have no idea if command files are even executable in UNIX. To add to my suspicion, I recently created a dual boot system on an old computer of mine that included a fresh install of 98 and there’s no Info.Com to be seen, as several of you can probably verify.
    So... I'm rather confused as to how this thing got into my windows dir and what it does, although I have my guesses (I only recently started using these wonderful pieces of software called firewalls ). The file's not big at all, only 93 Bytes, and Symantec didn't have anything special to say about it after having submitted it to them.
    So I'm kinda at a loss here about what to think or do about this file.
    Before anyone asks the million dollar questions - yes, my AV is up to date, no suspicious system activity and no suspicious port activities. And yes, I've Googled this sucker as many ways as I could think of.
    Here’s what happens when you open it in Notepad:
    ë*0.........1.........2.........3......... º7 ´ Í!´LÍ!This program must be run under UNIX
    $
    Looks harmless enough, but it could simply be calling some other program for all the sense I can make of the compiled stuff that comes before the string. If anyone wants/needs more info, then please let me know. Thanks for your time people
    [glowpurple]Fatal System Error:[/glowpurple][gloworange]User Has Crashed.[/gloworange]AX=fffffffb CS=018f EIP=5f403d60 EFLGS=00010202

  2. #2
    ehmm,
    a little bit scary, anyway why not run the program under UNIX, and see what happens?

    its me,
    Bellon"Human knowledge Belongs to the World"

  3. #3
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Rhavethstine,

    instead of Notepad download a hex viewer/editor and have a look at it there.. at 93 bytes it is rather small. What version of windaz are you running.. only being a linux noob can't help ya..
    I suspect it is a remnant of a software install... or a failed install..

    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #4
    Junior Member
    Join Date
    May 2002
    Posts
    5
    a little bit scary, anyway why not run the program under UNIX, and see what happens?
    I actually have tried that (I think), but the closest thing resembling UNIX that I have access to is an OSX machine at work and I have no idea if the Terminal app is actually UNIX or if it's just supposed to be loosely based on it. In any case, the Mac didn't recognize it as an executable inside or outside of Terminal, so I'm hoping someone else can clarify this for me.
    [glowpurple]Fatal System Error:[/glowpurple][gloworange]User Has Crashed.[/gloworange]AX=fffffffb CS=018f EIP=5f403d60 EFLGS=00010202

  5. #5
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    make a copy of the file. rename it with a .TXT extension
    and attach it to your post. I'll unassemble it with DEBUG
    and get to the bottom of it
    I came in to the world with nothing. I still have most of it.

  6. #6
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    Its most likely part of some spyware program or something along those lines...
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  7. #7
    Junior Member
    Join Date
    May 2002
    Posts
    5
    make a copy of the file. rename it with a .TXT extension
    Ok, thanks rcgreen, here it is.
    Please be warned, people who haven't read the above description of my file here... this is not a text file!

    Souleman, that's actually something I forgot to check on, but I must point out that it's not really big enough to have enough code to call home with (to my knowledge). That's half the mystery of it. However, I will make a run to Lavasoft later today to get their latest version. Good suggestion.
    [glowpurple]Fatal System Error:[/glowpurple][gloworange]User Has Crashed.[/gloworange]AX=fffffffb CS=018f EIP=5f403d60 EFLGS=00010202

  8. #8
    I just checked this out; it isn't a unix proggy. I tried it on Debian Linux, Mandrake Linux and FreeBSD, same thing: cannot execute binary file
    What do you mean you don't have a backup disk?

  9. #9
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716

    OK, here's the scoop:

    Code:
    115A:0100 EB2A          JMP     012C                ;jump to offset 12C
    115A:0102 90            NOP                         ;no operation
    115A:0103 302E2E2E      XOR     [2E2E],CH           ;garbage
    115A:0107 2E            SEG     CS (unused)         ;this area of 38 bytes
    115A:0108 2E            SEG     CS (unused)         ;seems to serve no purpose
    115A:0109 2E            SEG     CS (unused)
    115A:010A 2E            SEG     CS (unused)
    115A:010B 2E            SEG     CS (unused)
    115A:010C 2E312E2E2E    XOR     CS:[2E2E],BP
    115A:0111 2E            SEG     CS (unused)
    115A:0112 2E            SEG     CS (unused)
    115A:0113 2E            SEG     CS (unused)
    115A:0114 2E            SEG     CS (unused)
    115A:0115 2E            SEG     CS (unused)
    115A:0116 2E322E2E2E    XOR     CH,CS:[2E2E]
    115A:011B 2E            SEG     CS (unused)
    115A:011C 2E            SEG     CS (unused)
    115A:011D 2E            SEG     CS (unused)
    115A:011E 2E            SEG     CS (unused)
    115A:011F 2E            SEG     CS (unused)
    115A:0120 2E332E2E2E    XOR     BP,CS:[2E2E]
    115A:0125 2E            SEG     CS (unused)
    115A:0126 2E            SEG     CS (unused)
    115A:0127 2E            SEG     CS (unused)
    115A:0128 2E            SEG     CS (unused)
    115A:0129 2E            SEG     CS (unused)
    115A:012A 2E00          ???                    ;code begins at offset 012C
    115A:012C BA3701        MOV     DX,0137        ;put address of msg in DX
    115A:012F B409          MOV     AH,09          ;write string to stdout
    115A:0131 CD21          INT     21             ;call dos function
    115A:0133 B44C          MOV     AH,4C          ;terminate process
    115A:0135 CD21          INT     21             ;return to dos
    115A:0137 54            PUSH    SP             ;text message
    115A:0138 686973        PUSH    WORD 7369      ;this output looks like nonsense
    115A:013B 207072        AND     [BX+SI+72],DH  ;when unassembled
    115A:013E 6F            OUTSW                  ;but it is the text of the 
    115A:013F 67            DB      67             ;message 
    115A:0140 7261          JB      01A3
    115A:0142 6D            INSW
    115A:0143 206D75        AND     [DI+75],CH
    115A:0146 7374          JAE     01BC
    115A:0148 206265        AND     [BP+SI+65],AH
    115A:014B 207275        AND     [BP+SI+75],DH
    115A:014E 6E            OUTSB
    115A:014F 20756E        AND     [DI+6E],DH
    115A:0152 64            SEG     FS (unused)
    115A:0153 65            SEG     GS (unused)
    115A:0154 7220          JB      0176
    115A:0156 55            PUSH    BP
    115A:0157 4E            DEC     SI
    115A:0158 49            DEC     CX
    115A:0159 58            POP     AX
    115A:015A 0D0A24        OR      AX,240A
    115A:015D 7413          JZ      0172
    The only thing this program does is display the strange message
    Maybe it's somebody's idea of a joke
    It is definitely a plain msdos executable
    and has nothing in it resembling a unix file
    I came in to the world with nothing. I still have most of it.
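    Und3ertak3r's advice to open the file in a hex viewer (#3) and rcgreen's DEBUG unassembly (#9) come down to the same defender's check: a headerless 93-byte file that jumps over a filler area, loads DX with a string address, calls INT 21h function 09h to print a '$'-terminated string and INT 21h function 4Ch to exit is a plain MS-DOS .COM program, whatever its message claims. The Python script below is an added example, not code from this thread or from any poster; it rebuilds the 93 bytes from the listing as a constructed sample (labelled as such in the code), then performs that triage statically: a magic-number check, following the entry JMP, decoding the straight-line MOV/INT sequence, pulling the text at DX, and reproducing the `ë*0.........` view that Notepad showed in the first post. The opcode decoder covers only the handful of instructions this sample uses and says so when it stops.

```python
"""Static triage of a headerless DOS .COM file (such as the thread's Info.Com).

DOS loads a .COM file at CS:0100h with no header at all, so the useful checks
are: does the file start with another format's magic, where does the entry
jump land, which INT 21h services are called, and what string is printed.
"""
import struct

COM_LOAD_BASE = 0x100        # load address of a .COM image
COM_MAX_SIZE = 0xFF00        # 64 KiB segment minus the 256-byte PSP

# Constructed sample: the 93 bytes rebuilt from rcgreen's DEBUG listing in the
# thread. Assembled here for the example; it is not the original file itself.
SAMPLE_COM = (
    b"\xEB\x2A"                                   # JMP +2Ah -> 012Ch
    + b"\x90"                                     # NOP
    + b"".join(bytes([0x30 + i]) + b"." * 9 for i in range(4))  # "0........." .. "3........."
    + b"\x00"
    + b"\xBA\x37\x01"                             # MOV DX,0137h  (message address)
    + b"\xB4\x09\xCD\x21"                         # MOV AH,09h / INT 21h: print '$'-terminated string
    + b"\xB4\x4C\xCD\x21"                         # MOV AH,4Ch / INT 21h: terminate process
    + b"This program must be run under UNIX\r\n$"
)

# INT 21h functions worth recognising during triage (AH value -> meaning).
INT21_FUNCTIONS = {
    0x09: "write '$'-terminated string at DS:DX to stdout",
    0x3C: "create file", 0x3D: "open file", 0x40: "write to file/device",
    0x41: "delete file", 0x4B: "load/execute program", 0x4C: "terminate process",
}


def identify(data):
    """Cheap magic-number check before assuming anything is a .COM file."""
    if data[:4] == b"\x7fELF":
        return "ELF executable (UNIX/Linux), not runnable by DOS"
    if data[:2] == b"MZ":
        return "MZ executable (DOS/Windows EXE)"
    if data[:2] == b"#!":
        return "script with an interpreter line"
    if 0 < len(data) <= COM_MAX_SIZE:
        return "headerless image: candidate DOS .COM loaded at CS:0100h"
    return "unknown"


def entry_point(data):
    """Follow an initial JMP (typical for code that skips over a data area)."""
    if data[0] == 0xEB:                            # JMP rel8
        return COM_LOAD_BASE + 2 + struct.unpack_from("<b", data, 1)[0]
    if data[0] == 0xE9:                            # JMP rel16
        return COM_LOAD_BASE + 3 + struct.unpack_from("<h", data, 1)[0]
    return COM_LOAD_BASE


def decode_dos_calls(data, start):
    """Linear sweep of straight-line code from `start`, tracking AH and DX so
    each INT 21h can be attributed to a DOS function. Only the opcodes the
    sample needs are decoded; an unknown opcode ends the sweep and is recorded
    so the analyst knows where coverage stopped."""
    pos = start - COM_LOAD_BASE
    ah = dx = None
    calls = []
    while 0 <= pos < len(data):
        op = data[pos]
        if op == 0xB4 and pos + 1 < len(data):       # MOV AH, imm8
            ah, pos = data[pos + 1], pos + 2
        elif op == 0xBA and pos + 2 < len(data):     # MOV DX, imm16 (little-endian)
            dx, pos = struct.unpack_from("<H", data, pos + 1)[0], pos + 3
        elif op == 0x90:                             # NOP
            pos += 1
        elif op == 0xCD and pos + 1 < len(data) and data[pos + 1] == 0x21:  # INT 21h
            calls.append((ah, dx))
            pos += 2
            if ah == 0x4C:                           # process terminates here
                break
        else:
            calls.append(("unknown", pos + COM_LOAD_BASE))
            break
    return calls


def dollar_string(data, addr):
    """Extract the '$'-terminated text that INT 21h/AH=09h would print."""
    off = addr - COM_LOAD_BASE
    end = data.find(b"$", off) if off >= 0 else -1
    return data[off:end].decode("cp437") if end >= 0 else None


def notepad_view(data):
    """Roughly what Notepad on Win9x showed: the raw bytes read as Windows-1252,
    where undefined bytes such as 90h simply vanish."""
    return data.decode("cp1252", errors="ignore")


def describe_call(ah, arg):
    if ah == "unknown":
        return "sweep stopped: undecoded opcode at 0x%04X" % arg
    return INT21_FUNCTIONS.get(ah, "INT 21h AH=%r" % (ah,))


def triage(data):
    """Summarise everything a defender wants to know about a tiny .COM file."""
    entry = entry_point(data)
    calls = decode_dos_calls(data, entry)
    message = None
    for ah, dx in calls:
        if ah == 0x09 and dx is not None:
            message = dollar_string(data, dx)
    return {"size": len(data), "kind": identify(data), "entry": entry,
            "calls": [describe_call(ah, arg) for ah, arg in calls], "message": message}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_COM).items():
        print("%-8s %r" % (key, value))
```

    Run against the constructed sample it reports a 93-byte headerless image, an entry point of 012Ch, exactly two DOS calls (print string, terminate) and the message text, which is the same conclusion the DEBUG listing reaches; the same `triage()` call on a file beginning with `\x7fELF` or `MZ` reports that format instead of guessing .COM.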

  10. #10
    lol, kinda disappointed it wasn't something cool
