.EXE Slips through AntiExe !

Discussion in 'other anti-malware software' started by CloneRanger, Mar 19, 2013.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
I downloaded an .EXE to try out. To my surprise ProcessGuard did NOT alert or prompt me as it Always has done in the past, to Every .EXE I've wanted to run.

It turns out the actual App I wanted to test is zipped with Zip-IT, which I'd never heard of before. It's from back in the day :D

[screenshot: Zip-It.png]

    To get to the real App you have to double click the .EXE first to unzip the 2 files.

I analysed the .EXE & found the header was this

[screenshot: MZ.png] Normal .EXEs are [screenshot: mz2.png]

I also discovered it's a PKZIP file, not a Zip-IT file! Anyway I expected a prompt from PG, but didn't get one? I'm wondering if Malware "might" be able to use this "feature" somehow?

If you'd like to test your defences with it & see how they fare, PM me ;)
     
  2. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    PM sent :)

I don't know if you're using Sandboxie, but if you do can you please try to execute the file inside a sandbox with start/run restrictions? Just to see if it's able to run...

    thanks!
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ AlexC

    First off, Congrats on reaching 1000 posts :thumb:

    I'm not using SBIE.

    PM replied to ;)
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Could you PM me the exe? Btw, is it something legit that just happens to be somehow different which causes the bypass or is it something shady/malicious?
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ BoerenkoolMetWorst

    Have done ;)

    Yes

    Absolutely NOT !
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Built a self extracting exe file from Winzip. Both Online Armor and NVT's ERP stopped it cold.

ProcessGuard may be nearing the end of its useful life.

    Pete
     
  7. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Thanks! :)

    Couldn't run the exe in my x64 system...

    Good to know that Online Armor and NVT ERP can stop it :thumb:
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Please PM me.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Yes, it seems it doesn't like 64 bit:
[screenshot: Untitled.png]

There are quite a few people here who test malware, so I thought I'd better ask before I execute it on a real machine, with precautionary measures taken :p
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
Yeah PG will stop "Normal" .EXEs no prob :) If you take a look at my screenie that shows the Header, you'll see it's MZs with a v over the s. That's not a normal .EXE.

    Doubt it :p

    It's not just you.

    Yeah, it seems not to !

    You did the right thing :thumb: But i would have said if it was a nasty :D

    @ aigle

    PM'd

I "think" Zip-It probably is, as I get cmd.exe prompts from PG, but the actual App is 32 Bit.

    Good point, in PG yes, plus wowexec.exe which also gets launched with it. That's because i have a few old Apps that i Know are safe & run now & then.

    Good link :thumb:

    A safe audio www.

    *

Maybe some of you "might" be able to run it in Compatibility Mode?
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
OK, now you've piqued my interest, PM sent. :D
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ LoneWolf

    Sent ;)
     
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Thanks CR.
    I'll check this out later when I have more time and report back.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    I just tried it on a 32 bit VM with AppGuard installed, and AG does not block it either.
When looking at task manager it seems it does not have its own process; winspkse.exe and wowexec.exe are shown running under explorer.exe, and when "Show processes from all users" is ticked, they show under msdtc.exe instead of explorer.
     


  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Interesting, Thanks.

    Yes, curious ! That's why i wondered if this "could" be misused, in "some" way/s ?

    Also, wowexec.exe & ntvdm.exe & msdtc.exe will most likely be whitelisted, so won't alert either !

    Quite why it requires msdtc.exe ? http://www.neuber.com/taskmanager/process/msdtc.exe.html

    I don't see msdtc.exe running ?

    I just tried it again & get this !

[screenshot: p.png]

I allowed it & highlighted both files for unzipping, the .EXE App & a .DOC, & get an MS-DOS prompt

[screenshot: dos1.png]

    I try unzipping just one file & get this

[screenshot: dos2.png]

    Today i can't unzip either file ?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
Depending on where the file was located and the setting, AppGuard might not block it. Put the executable on the desktop, make it a guarded application, and set AppGuard to lockdown. That way for sure it should block it.

    Pete
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
Hi CloneRanger. It's the problem of 16-bit applications and ntvdm.exe. PG is old so you can get problems with ntvdm.exe, cmd.exe, .bat files, .vbs files etc.

    CIS v 5 on Win 7

[screenshots: 1.JPG, 2.jpg, 3.jpg, 4.jpg]
     
    Last edited: Mar 21, 2013
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    CIS v 6

[screenshots: a.jpg, b.jpg, c.jpg, d.jpg]
     
    Last edited: Mar 21, 2013
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GesWall

[screenshots: g1 (1).jpg, g1 (2).jpg]
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
Yes, based on the header, that's a 16-bit executable, which won't work on x64 but will still run on 32-bit OSes. It requires a different type of filtering to block because of how ntvdm is used during its execution. You may want to test your anti-executable with EICAR as well to see if they block it (as EICAR is also a 16-bit executable, albeit not using the PE format).
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It's not so much its age, just that PG and others don't filter what ntvdm executes. Similar to script blocking in that sense, but obviously different.

    CR: Process Monitor can show you what's going on a bit better.

    Does anyone know a program that easily identifies a file like on Linux with the file program?
    Code:
    $ file Winspkse.exe 
    Winspkse.exe: MS-DOS executable, NE for MS Windows 3.x Self-extracting PKZIP archive
    EDIT: forgot about TrID.
     
    Last edited: Mar 22, 2013
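A small header identifier along the lines of the `file` output above, as an added example (not code from the thread or from any of the tools discussed). It reads the MZ header, follows e_lfanew to the NE or PE signature, and looks for a PKZIP local-file header behind the stub, which is what marks a self-extractor; `needs_ntvdm` flags the images that a process filter watching only 32-bit PE loads would never see, the case PrevxHelp describes two posts up. The sample inputs are constructed byte strings with just enough header to be classified, not the Winspkse.exe from the thread.

```python
"""Header-based identification of DOS/Windows executables (added example).

Mimics the `file` description quoted above without libmagic, so it runs on any
platform. Sample inputs are constructed byte strings, not real programs.
"""
import struct

PE_MACHINES = {0x014C: "Intel 80386 (32-bit)", 0x8664: "x86-64 (64-bit)",
               0x01C0: "ARM", 0xAA64: "ARM64"}


def _ext_signature(data: bytes) -> bytes:
    """Return b'PE', b'NE', b'LE' or b'LX' for the extended header, else b''."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return b""
    # e_lfarlc (offset of the relocation table) >= 0x40 is the conventional
    # sign that e_lfanew at 0x3C points at an NE/LE/PE header.
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfarlc < 0x40 or e_lfanew + 4 > len(data):
        return b""
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return b"PE"
    return sig[:2] if sig[:2] in (b"NE", b"LE", b"LX") else b""


def identify(data: bytes) -> str:
    """Return a `file`-style one-line description of an MZ executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ executable"
    sig = _ext_signature(data)
    parts = ["MS-DOS executable"]
    if sig == b"PE":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # COFF header follows the 4-byte signature: Machine at +4; the
        # optional header magic (0x10B PE32, 0x20B PE32+) sits at +24.
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0] if e_lfanew + 6 <= len(data) else 0
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if e_lfanew + 26 <= len(data) else 0
        fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE")
        parts.append("%s executable for MS Windows, %s"
                     % (fmt, PE_MACHINES.get(machine, "machine 0x%04x" % machine)))
    elif sig == b"NE":
        parts.append("NE for MS Windows 3.x (16-bit, loaded by ntvdm.exe)")
    elif sig:
        parts.append("%s executable" % sig.decode())
    # A self-extractor carries the archive behind the stub, so a PKZIP
    # local-file header anywhere past the MZ header marks it as one.
    if data.find(b"PK\x03\x04", 0x40) != -1:
        parts.append("self-extracting PKZIP archive")
    return ", ".join(parts)


def needs_ntvdm(data: bytes) -> bool:
    """True if 32-bit Windows runs the image under ntvdm.exe (plain DOS MZ or NE).

    Such images never pass through the 32-bit PE image loader, which is why
    a filter that only watches PE loads does not prompt for them; 64-bit
    Windows has no ntvdm and simply refuses to run them.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    return _ext_signature(data) in (b"", b"NE")


# --- constructed samples: minimal headers, not runnable programs ----------
def _mz(ext: bytes, e_lfarlc: int = 0x40) -> bytes:
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, e_lfarlc)
    struct.pack_into("<I", hdr, 0x3C, 0x40 if ext else 0)
    return bytes(hdr) + ext


def _pe(machine: int, magic: int) -> bytes:
    return _mz(b"PE\0\0" + struct.pack("<H", machine) + bytes(18)
               + struct.pack("<H", magic)) + bytes(64)


SAMPLE_NE_SFX = (_mz(b"NE" + bytes(62))
                 + b"PK\x03\x04\x14\x00" + bytes(24) + b"README.TXT" + b"hello")
SAMPLE_PE32 = _pe(0x014C, 0x10B)
SAMPLE_PE32PLUS = _pe(0x8664, 0x20B)
SAMPLE_DOS = _mz(b"", e_lfarlc=0x1C) + b"\xB4\x4C\xCD\x21"   # mov ah,4Ch / int 21h
SAMPLE_ELF = b"\x7fELF" + bytes(60)

if __name__ == "__main__":
    for name in ("SAMPLE_NE_SFX", "SAMPLE_PE32", "SAMPLE_PE32PLUS", "SAMPLE_DOS", "SAMPLE_ELF"):
        blob = globals()[name]
        print("%-16s ntvdm=%-5s %s" % (name, needs_ntvdm(blob), identify(blob)))
```

Run it with no arguments to see the five samples classified; feed `identify(open(path, "rb").read())` a real self-extractor to compare against `file` or TrID. The e_lfarlc test matters: an old DOS program can have junk at offset 0x3C, and following it blindly misreads a plain DOS image as something it is not.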
  23. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Is it normal for current applications to also use some 16-bit processes, at all?

    Otherwise, Windows has a group policy that prevents access to 16-bit applications. Should this do the trick for you?

    The group policy for those having Group Policy Editor is Administrative Templates\Windows Components\Application Compatibility.

    Those not having it, can modify the Registry:

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat\

    Create a REG_DWORD entry named "VDMDisallowed" and give it a value of 1. Setting it to 0 will disable it again. (Backup first, of course.)
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    Could you PM me the Zip file? I would like to try it on VoodooShield, and see if it bypasses Appguard on my system.
     