mystery file

[hatebreed2000]

i went to open up IE and had multi-proxy on, and the first time i clicked on the IE icon no web page came up, so i clicked it again and then a box popped up and asked if i wanted to download a file from google. naturally i was curious sense i had not clicked on anything for a d/l so i started the d/l and 57% through the d/l it just stopped.....the little page still floated across the box showing me that the d/l had not completly froze up but i was still getting no more data, i thought maybe it had something to do with multi-proxy so shut it down and when i did the d/l was suddenly done. so now that you all have the background of my question....heres the question it self....

1)could someone please take a look at the file and tell me what they think, i think it might be just googles web page but the file was only half done and even then it is 108k...which to me seems kinda large for such a simple page?

thank you for the time you spend looking at this file to satisfy my curiosity, all replies and thoughts are appreciated.take it easy people.

[Stephenmg]

It looks like a program to me. I opened it in notepad.

This was on the first line:

€ º ´ Í!¸
LÍ!This program cannot be run in DOS mode.

When I opened Internet Explore in Notepad:

ð º ´ Í!¸
LÍ!This program cannot be run in DOS mode.

[|The|Specialist]

Stephenmg, opening it that way is like playing with a hex-editor only you can't see the hex values. "This program cannot be run in DOS mode" you'll see the same thing in hex on just about any other file except ð º ´ Í!¸
LÍ! isn't distorted and you'll see hex values instead pluse everything is more organized when being viewed through hex. I looked at it and it's properties says its from active root directory.... looks like a cookie to me.

[Zonewalker]

Specialist... greatest respect to you but I'd suggest that a file of more than 105kb is a little on the large side for a cookie... most cookies are less than 500bytes.... I'm wondering if it's some kind of dialup program or something (especially considering it was only halfway through the d/l when hatebreed cut it off)... not suggesting that you were looking at dodgy porn sites hatebreed but you know how these things spread....

seems odd to have claimed to be from google tho' .... apart from the google toolbar I don't know of many other d/l you can get from google (not that I've looked)

Z

[CyberSpyder]

I'd have to say that it's a small program or a cookie. It's definetly not just a cookie. How about a worm???

[hatebreed2000]

these are all interesting prospects....but i would most defintely agree that its not a cookie, and i agree with you zonewalker, ive never heard of a d/l'able prog from google.im really starting to get more curious as to what this is.i just got home from work so i havent had the chance to do some searching of my own as far as what it might be, but i plan to get started here shortly.any more thoughts would be more then welcome. take it easy people.

[Dominaterx]

hatebreed2000,I dont think it is a virus but I cant look at it because I do not have the software to open .php extension files.May I suggest you upload to an Anti-virus company? they will tell you if it is a virus and might hopefully tell you what it is if you ask them to.Also be sure to keep us posted .

P.S What software do I need to open .php extension files?.I did a Google search but I can only find software for installing php on servers .Also the AntiOnline newsletter opens with the .php extension and I havent read the latest versions yet.So can anyone help?

-Dominaterx

[zrekam]

I identefied the file and got this as a result:
Windows 32-bit executable DLL <Native> [intel386]

So it's a windows program of some sort, I have not found out what it is programmed with yet, but I hopefully find it out so I can decompile it, then I will know what the program does.

[hatebreed2000]

thanx for the effort in findong out what it is guys.i got a hex-editor and opend up the file and as was said before one of the first lines was "this program cannot be ran in dos mode", and from what i can see (i could be wrong?)most of its encrypted, also i have noticed that the word R.S.A. comes up quite a few times, which im sure all of you know is the bill gates of encyption software. dont know if this is of any importance i just thought i would let you people know what i found.again thanx for the effort.

[hatebreed2000]

khan was very helpful in irc and informed me that unless someone really wants to take the time to decompile it in x86 then theres really no way to find out what it is, so if some one wants to go for it, otherwise i suppose we can consider this matter closed.take it easy ppl.