-
June 17th, 2002, 10:46 AM
#1
Junior Member
Unknown .Com File?
I was recently browsing around my Windows dir for fun stuff (as I am wont to do on occasion) when I came across a somewhat suspicious file.
Well, it wasn't suspicious at first.
I had never heard of it before - Info.Com - but was excited that I had found a new DOS program that I had yet to play with. Yet, when I opened up a prompt to run this command file (I did scan it first, mind you), it spat out an echo that read: "This program must be run under UNIX". While I consider myself rather new to security stuff, it doesn’t take much to conceptualize that I probably didn't install a UNIX program on my Win98 machine. Nevertheless, it perplexes me why a command file supposedly designed for UNIX would still run in DOS, because I have no idea if command files are even executable in UNIX. To add to my suspicion, I recently created a dual boot system on an old computer of mine that included a fresh install of 98 and there’s no Info.Com to be seen, as several of you can probably verify.
So... I'm rather confused as to how this thing got into my Windows dir and what it does, although I have my guesses (I only recently started using these wonderful pieces of software called firewalls). The file's not big at all, only 93 bytes, and Symantec didn't have anything special to say about it after I submitted it to them.
So I'm kinda at a loss here about what to think or do about this file.
Before anyone asks the million dollar questions - yes, my AV is up to date, no suspicious system activity and no suspicious port activities. And yes, I've Googled this sucker as many ways as I could think of.
Here’s what happens when you open it in Notepad:
ë*0.........1.........2.........3......... º7 ´ Í!´LÍ!This program must be run under UNIX
$
Looks harmless enough, but it could simply be calling some other program for all the sense I can make of the compiled stuff that comes before the string. If anyone wants/needs more info, then please let me know. Thanks for your time people
Fatal System Error: User Has Crashed. AX=fffffffb CS=018f EIP=5f403d60 EFLGS=00010202
-
June 17th, 2002, 10:54 AM
#2
Ehmm,
A little bit scary. Anyway, why not run the program under UNIX and see what happens?
It's me,
Bellon
"Human knowledge Belongs to the World"
-
June 17th, 2002, 11:13 AM
#3
Rhavethstine,
Instead of Notepad, download a hex viewer/editor and have a look at it there. At 93 bytes it is rather small. What version of Windows are you running? Only being a Linux noob, I can't help ya.
I suspect it is a remnant of a software install... or a failed install...
cheers
"Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
June 17th, 2002, 11:21 AM
#4
Junior Member
A little bit scary. Anyway, why not run the program under UNIX and see what happens?
I actually have tried that (I think), but the closest thing resembling UNIX that I have access to is an OSX machine at work and I have no idea if the Terminal app is actually UNIX or if it's just supposed to be loosely based on it. In any case, the Mac didn't recognize it as an executable inside or outside of Terminal, so I'm hoping someone else can clarify this for me.
-
June 17th, 2002, 12:59 PM
#5
Make a copy of the file, rename it with a .TXT extension and attach it to your post. I'll unassemble it with DEBUG and get to the bottom of it.
I came in to the world with nothing. I still have most of it.
-
June 17th, 2002, 01:37 PM
#6
It's most likely part of some spyware program or something along those lines...
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
June 17th, 2002, 07:40 PM
#7
Junior Member
Make a copy of the file, rename it with a .TXT extension
Ok, thanks rcgreen, here it is.
Please be warned, people who haven't read the above description of my file here... this is not a text file!
Souleman, that's actually something I forgot to check on, but I must point out that it's not really big enough to have enough code to call home with (to my knowledge). That's half the mystery of it. However, I will make a run to Lavasoft later today to get their latest version. Good suggestion.
-
June 17th, 2002, 09:12 PM
#8
Member
I just checked this out. It isn't a Unix proggy; I tried it on Debian Linux, Mandrake Linux and FreeBSD, same thing: cannot execute binary file.
What do you mean you don't have a backup disk?
-
June 17th, 2002, 11:42 PM
#9
OK, here's the scoop:
Code:
115A:0100 EB2A JMP 012C ;jump to offset 12C
115A:0102 90 NOP ;no operation
115A:0103 302E2E2E XOR [2E2E],CH ;garbage
115A:0107 2E SEG CS (unused) ;this area of 38 bytes
115A:0108 2E SEG CS (unused) ;seems to serve no purpose
115A:0109 2E SEG CS (unused)
115A:010A 2E SEG CS (unused)
115A:010B 2E SEG CS (unused)
115A:010C 2E312E2E2E XOR CS:[2E2E],BP
115A:0111 2E SEG CS (unused)
115A:0112 2E SEG CS (unused)
115A:0113 2E SEG CS (unused)
115A:0114 2E SEG CS (unused)
115A:0115 2E SEG CS (unused)
115A:0116 2E322E2E2E XOR CH,CS:[2E2E]
115A:011B 2E SEG CS (unused)
115A:011C 2E SEG CS (unused)
115A:011D 2E SEG CS (unused)
115A:011E 2E SEG CS (unused)
115A:011F 2E SEG CS (unused)
115A:0120 2E332E2E2E XOR BP,CS:[2E2E]
115A:0125 2E SEG CS (unused)
115A:0126 2E SEG CS (unused)
115A:0127 2E SEG CS (unused)
115A:0128 2E SEG CS (unused)
115A:0129 2E SEG CS (unused)
115A:012A 2E00 ??? ;code begins at offset 012C
115A:012C BA3701 MOV DX,0137 ;put address of msg in DX
115A:012F B409 MOV AH,09 ;write string to stdout
115A:0131 CD21 INT 21 ;call dos function
115A:0133 B44C MOV AH,4C ;terminate process
115A:0135 CD21 INT 21 ;return to dos
115A:0137 54 PUSH SP ;text message
115A:0138 686973 PUSH WORD 7369 ;this output looks like nonsense
115A:013B 207072 AND [BX+SI+72],DH ;when unassembled
115A:013E 6F OUTSW ;but it is the text of the
115A:013F 67 DB 67 ;message
115A:0140 7261 JB 01A3
115A:0142 6D INSW
115A:0143 206D75 AND [DI+75],CH
115A:0146 7374 JAE 01BC
115A:0148 206265 AND [BP+SI+65],AH
115A:014B 207275 AND [BP+SI+75],DH
115A:014E 6E OUTSB
115A:014F 20756E AND [DI+6E],DH
115A:0152 64 SEG FS (unused)
115A:0153 65 SEG GS (unused)
115A:0154 7220 JB 0176
115A:0156 55 PUSH BP
115A:0157 4E DEC SI
115A:0158 49 DEC CX
115A:0159 58 POP AX
115A:015A 0D0A24 OR AX,240A
115A:015D 7413 JZ 0172
The only thing this program does is display the strange message.
Maybe it's somebody's idea of a joke.
It is definitely a plain MS-DOS executable
and has nothing in it resembling a Unix file.
I came in to the world with nothing. I still have most of it.
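The print-and-exit sequence rcgreen unassembled above, reassembled and traced as an added example (this is not code from the thread). The 93 bytes are reconstructed from the DEBUG listing in post #9, which is this example's assumption; the decoder handles only the opcodes that listing contains and stops on anything else, so an instruction that does not belong to a "print a string, exit" stub is reported rather than silently skipped.

```python
"""
Static triage of a tiny DOS .COM file.

A .COM image is loaded at offset 0x100 of its segment and executed from
its first byte, so file offset 0 is CS:0100. This script follows the
entry JMP, decodes the handful of opcodes the stub uses, and records
every DOS INT 21h service it requests.
"""
import struct

LOAD_BASE = 0x100  # .COM programs are loaded at CS:0100

# The 93 bytes of Info.Com, reassembled from the DEBUG listing in the
# thread (constructed sample; the reassembly is this script's assumption).
INFO_COM = (
    b"\xEB\x2A"                # 0100  JMP 012C
    + b"\x90"                  # 0102  NOP
    + b"0" + b"." * 9          # 0103  41 bytes of filler, never executed
    + b"1" + b"." * 9
    + b"2" + b"." * 9
    + b"3" + b"." * 9
    + b"\x00"
    + b"\xBA\x37\x01"          # 012C  MOV DX,0137
    + b"\xB4\x09"              # 012F  MOV AH,09
    + b"\xCD\x21"              # 0131  INT 21  (write '$'-terminated string)
    + b"\xB4\x4C"              # 0133  MOV AH,4C
    + b"\xCD\x21"              # 0135  INT 21  (terminate process)
    + b"This program must be run under UNIX\r\n$"   # 0137  the message
)


def dollar_string(image, addr):
    """Return the '$'-terminated DOS string that starts at CS:addr."""
    off = addr - LOAD_BASE
    end = image.find(b"$", off) if off >= 0 else -1
    if end < 0:
        raise ValueError("no '$'-terminated string at %04X" % addr)
    return image[off:end].decode("latin-1")


def trace_com(image, max_insns=64):
    """
    Follow the entry point of a .COM image, decoding only JMP rel8,
    MOV DX,imm16, MOV AH,imm8 and INT 21h. Returns the DOS services
    requested (in order) and a readable trace of the executed path.
    """
    ip = LOAD_BASE
    ah = -1              # -1 means "not set yet"
    dx = -1
    calls = []
    trace = []
    for _ in range(max_insns):
        off = ip - LOAD_BASE
        if off >= len(image):
            trace.append("%04X  <ran off the end of the image>" % ip)
            break
        op = image[off]
        if op == 0xEB:                                  # JMP rel8
            rel = struct.unpack_from("<b", image, off + 1)[0]
            target = ip + 2 + rel                       # relative to next insn
            trace.append("%04X  JMP %04X" % (ip, target))
            ip = target
        elif op == 0xBA:                                # MOV DX,imm16
            dx = struct.unpack_from("<H", image, off + 1)[0]
            trace.append("%04X  MOV DX,%04X" % (ip, dx))
            ip += 3
        elif op == 0xB4:                                # MOV AH,imm8
            ah = image[off + 1]
            trace.append("%04X  MOV AH,%02X" % (ip, ah))
            ip += 2
        elif op == 0xCD and off + 1 < len(image) and image[off + 1] == 0x21:
            if ah == 0x09:                              # print string at DS:DX
                text = dollar_string(image, dx)
                calls.append(("print", dx, text))
                trace.append("%04X  INT 21  ; AH=09 print string at %04X" % (ip, dx))
                ip += 2
            elif ah == 0x4C:                            # terminate process
                calls.append(("exit",))
                trace.append("%04X  INT 21  ; AH=4C terminate" % ip)
                break
            else:
                calls.append(("unknown_dos_call", ah))
                trace.append("%04X  INT 21  ; AH=%02X not modelled, stopping" % (ip, ah))
                break
        else:
            calls.append(("unknown_opcode", op))
            trace.append("%04X  unknown opcode %02X, stopping" % (ip, op))
            break
    return {"size": len(image), "calls": calls, "trace": trace}


if __name__ == "__main__":
    report = trace_com(INFO_COM)
    print("size: %d bytes" % report["size"])
    print("\n".join(report["trace"]))
    print("DOS services used:", [c[0] for c in report["calls"]])
```

Two checks fall out of this that are worth keeping in mind when you triage a file this size: the only DOS services on the executed path are 09h (print) and 4Ch (exit), so there is no code path that could open a file or talk to the network, and the last line of the DEBUG listing (015D) lies past the 93-byte image, since 015D minus 0100 is 93; DEBUG simply keeps disassembling whatever was already in memory after the file.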
-
June 18th, 2002, 03:28 AM
#10
lol, kinda disappointed it wasn't something cool