a test

Test your HIPS or AV

According to your analysis,decide whether it does harm to PC?



Removed links Peter2150

 

Why do I not want to click on either of those links?

 

Yup, i'm also scared...but I'll do it anyways

 

Downloaded kd.exe
Runned it sandboxed.
It crashed.
Done.

sudo reboot, so Returnil can take care if anything else happened.

EDIT: lets see what VirusTotal has to say first---->0/33
What does this thing do?

 

Any more info on this here test?
What does it try to do?

 

The first one was stopped by my download manager so if that was the test it was not much of one .

VT says its clean so I guess its some kind of test app .

The second link did nothing , No exploit , no download , no nothing , just a regular page for me .

 

First link: It wasn't remote code execution - he wanted you to dl and run it to see what your HIPS would do.

The second link had the executable in a zip file.

Neither suitable in a forum where the general public is probably not set up to test.

About VT showing clean: I won't post since its against TOS but in the first 20 hours of the .wmf exploit from 2005, no one picked it up.

 

i just had to try it out comodo D+ stopped it

 

Exploits yes , but 0/33 exes dont happen much at all .

Even clean files get a heu or two usually .

 

Where was kd.exe when comodo D+ stopped it?

 

comodo D+ stopped it as soon as it tried to run

 

What does the message "kd.exe could not be recognized" mean? Does Comodo use a White List of executables already on the computer?

 

It is the same crash popup I got when I runned it sandboxed.

 

I see what you mean. With the unionseek.com exploit, the .wmf file was not flagged,
but the payload executable was a trojan recognized by 4/14 at Jotti.

Here is another one from about that time, where one of the executables downloaded by the dropper
was not caught by any at Jotti but flagged as suspicious (I didn't use VT at the time):

http://www.urs2.net/rsj/computing/tests/wallpapers4u

Back to this kd.exe -- Since this is a file from a non-trusted source, in normal situations, I wouldn't even bother scanning it!
I just wouldn't run it period.

----

 

No. It means it's not on the whitelist supplied by Comodo.

 

For those who are interested,

I have personally tested kd.exe against DefenseWall(DW) and can happily report that DW successfully blocks and contains it. I have posted my DW event log below in quotes.

"Attempt to read directly from the disk \Device\Harddisk0\DR0"


Peace & Gratitude,

CogitoErgoSum

 

Anyone playing with kd.exe sample be advised it is an MBR killer if it goes live

RC and fix mbr command for anyone who gets into trouble

 

I'm glad the combination of SBIE and Returnil stopped any harm.

Is this actual malware or just a PoC?

Where did you get this info?
Where can we know more about this exe?

 

I have seen it reported at a closed research forum by one of the resident experts there.Threat sample was gained c/o the following topic@ Kaspersky forums>>>
http://forum.kaspersky.com/index.php?s=&showtopic=74536&view=findpost&p=682280

Kaspersky are flagging the file as Trojan.Win32.Small.bgo
Rising = Harm.Win32.KillMBR.a

Just to make sure whether same sample>>>
Additional information
File size: 40960 bytes
MD5...: cf583f75125d50dd0cab5a7f09fa5a2c

I would flag it as malware not POC since it dose'nt self heal after doing its function.

 

Sadly I deleted the file as soon as I tested it, so I can't check the MD5