
winexec.exe


Guest

I have a customer who was infected and they actually fell for and purchased the XP Antivirus 2008 extortionware. *shaking my head*

One of my associates thought he could remotely remove the infection with HiJackThis and Ad-aware. He said it did report it was clean. I told him it would most likely return.

They had SAV CE but it had expired and when they renewed, I installed SEP (endpoint protection) and pushed it to all the clients. His [the infected system] was off while they were on vacation. I do not know when he got infected. When I looked at the system yesterday, because they were being blocked for spamming, I found his system was part of a mass mailing bot. I removed the infections with sdfix, SEP and SAS. I then proceeded to check all other systems on the network, so far, so good.

However, he had issues connecting to his Quicken data files on the server. It would time out trying to open the 45 MB file. Looking at the server, it was running very slow. I ran a scan on the server and SEP did return one item that it IGNORED [Thank you Symantec]. The server response got so bad that it actually lost the desktop and I had to kill it. After a restart, SEP found nothing and there was nothing in the log of the item it ignored. SAS found some tracking cookies but also found this:

d:\program files\symantec\symantec endpoint protection manager\bin\winexec.exe

and claimed it was Worm.Evilbot-B

How can I determine, outside of getting a CRC from Symantec, that this file is legit [false positive] and not infected?

Def DB: Core: 3535 Trace: 1524

Program ver: Free 4.15.1000

Def Update: 08/12/2008 11:31 PM Last Scan: 08/13/2008 02:31 AM

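The question above (is a file that one scanner flags and another ignores actually the vendor's binary?) can be answered locally before any sample submission. The script below is an added example for this thread, not code from the original poster, Symantec or SUPERAntiSpyware. It takes the path and the MD5 from the thread; the verdict logic, the assumption that the SEPM binary carries a Symantec Authenticode signature, and the hypothetical helper `Get-FileHashHex` are mine. Run it in an elevated PowerShell session on the server; the .NET hashing is used instead of `Get-FileHash` so it also works on the PowerShell 1.0/2.0 releases of that era.

```powershell
# Added example, not part of the original thread. Triage a binary that one
# scanner flagged (SAS: Worm.Evilbot-B) while VirusTotal reported 0/36.
# Path and MD5 are from the thread; everything else is an assumption.

$Path        = 'D:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\winexec.exe'
$ExpectedMd5 = '5d163016cbd22d4958b5dc4c292d2398'   # MD5 VirusTotal reported for the uploaded copy

function Get-FileHashHex {
    # Hypothetical helper: hex digest via .NET, so it runs on PowerShell 1.0/2.0
    # where Get-FileHash does not exist.
    param([string]$FilePath, [string]$Algorithm = 'MD5')
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        $bytes = $algo.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    } finally {
        $stream.Close()
    }
}

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

$md5    = Get-FileHashHex -FilePath $Path -Algorithm 'MD5'
$sha256 = Get-FileHashHex -FilePath $Path -Algorithm 'SHA256'   # record this one going forward; MD5 collisions are practical

# 1. Is the copy on disk byte-for-byte the sample VirusTotal analysed?
$hashMatches = ($md5 -eq $ExpectedMd5.ToLower())

# 2. Does the vendor's Authenticode signature still verify? A binary that was
#    patched or replaced after signing shows HashMismatch or NotSigned here.
$sig      = Get-AuthenticodeSignature -FilePath $Path
$signerOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Symantec')

# 3. What does the PE version resource claim? Cheap to forge, so informational only.
$ver = (Get-Item -LiteralPath $Path).VersionInfo

"MD5:        $md5  (matches VirusTotal sample: $hashMatches)"
"SHA-256:    $sha256"
"Signature:  $($sig.Status) - $($sig.StatusMessage)"
"Signer:     $($sig.SignerCertificate.Subject)"
"Company:    $($ver.CompanyName)   Product: $($ver.ProductName) $($ver.ProductVersion)"

if ($hashMatches -and $signerOk) {
    'Verdict: vendor-signed and identical to the 0/36 sample; treat as a false positive and report it to the scanner vendor.'
} elseif ($sig.Status -eq 'HashMismatch') {
    'Verdict: the binary was modified after it was signed; treat as infected and restore it from installation media.'
} else {
    'Verdict: inconclusive; compare against a copy extracted from the SEPM installer and submit the SHA-256 to the vendor.'
}
```

Two caveats a practitioner would add. First, a valid vendor signature plus a matching hash is strong evidence of a false positive, but a clean multi-engine result alone is not proof of anything; the signature check is the part that actually ties the bytes to the vendor. Second, you are running the check on a host that was just cleaned of a mass-mailing bot, so if anything looks off, compute the hash of the same file on the SEPM installation media or a known-clean manager and compare, rather than trusting only what the suspect machine reports.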
Guest

The site needs work. I uploaded the file but it never responded with anything and didn't appear to be actually running. I went back to resend with SAS down, thinking it might have interfered with the upload. However, this is the response I received on the 2nd attempt:

File has already been analysed:

MD5:

First received:

Date:

Results:

Permalink:

That's great, but it would be nice to get a response, even if it has already been analyzed. Is it possible it's a scripting issue because I sent it from a server?

Yes, that was it. The info returned:

File has already been analysed:

MD5: 5d163016cbd22d4958b5dc4c292d2398

First received: -

Date: 08.13.2008 19:54:01 (CET) [<1D]

Results: 0/36

Permalink: http://www.virustotal.com/analisis/705c ... c565b1f296

So it must be a false positive. Send it to the email that SUPERAntiSpyware provided!
