[freespace2pilot]

this is a file i came across which was part of a homebrew email program i got from a forum i frequent. i found that the program will run without it, and it seems to add registry entries and create a file in system32, as well as access the internet. i would very much like an expert to examine this file and tell me what it does.

NOTE: for obvious security reasons, i have added a .vir to the end of this file. if you wish to run it, the .vir will have to be removed. if you dont know what you're doing, please DO NOT RUN THIS FILE, as it may well be malicious.
if you do run it by accident, you will need to
1) end the process mgs64.exe
2) remove the registry entry in the local->microsoft->windows->current version->run
which executes it.
3)delete mgs64.exe from your system root (sytem32 in XP computers, system in 9x)



File Removed - Please do not attach files which may contain malware. We have plenty of infected systems to deal with already.

Edited by ukbiker, 10 October 2005 - 09:35 AM.

[Advertisements]

Doing an online malware scan of the server.exe file came up with it was clean except for when it was scanned by NOD32, which came up with a Found probably unknown NewHeur_PE (probable variant). This could be a false positive as the website stated, but when looking up NOD32 on the internet it describes items found with this possible infection are flagged because they include common coding that is used in Internet Worms.

Just saying what the online scan found, I have no clue on the file itself lol

Fenor

[Fenor]

Doing an online malware scan of the server.exe file came up with it was clean except for when it was scanned by NOD32, which came up with a Found probably unknown NewHeur_PE (probable variant). This could be a false positive as the website stated, but when looking up NOD32 on the internet it describes items found with this possible infection are flagged because they include common coding that is used in Internet Worms.

Just saying what the online scan found, I have no clue on the file itself lol

Fenor

[ukbiker]

Hello

Posting a file which may contain malware is totally prohibited on these boards. Even though you added a warning, it is still irresponsible and a breach of our TOS. Do not do this again.

Anyone who has downloaded this file should delete it now. Do not run it.

[Thef0rce]

it was posted for educational purposes and the warning was sufficient to deter people from downloading it. He also put how to terminate the process if someone did run it. I personally don't see what the problem is. If people download this thinking its a legit file then they haven't paid attention properly to the warning.

I think the only way to figure out what this file really does is to decompile it.. using unix or linux so it wont affect the system.

[Michelle]

If someone wants to be educated about malware then join Geek U. It is irresponsible to blatently post an infected file in a open forum which can be downloaded by anyone.

I'll leave it at that.

[ukbiker]

it was posted for educational purposes and the warning was sufficient to deter people from downloading it. He also put how to terminate the process if someone did run it. I personally don't see what the problem is. If people download this thinking its a legit file then they haven't paid attention properly to the warning.

I think the only way to figure out what this file really does is to decompile it.. using unix or linux so it wont affect the system.

That may be so, however this board is not a venue for posting such files and it is a breach of our TOS. Remember, the members here range from experts who are capable of decompiling it through to newcomers who will click on anything!

We have a duty of care here, and although the file may not contain malware, i dont want another log to do from someone who found out the hard way that it did.

[ukbiker]

Upon reflection, I have decided to close this thread. The OP breached our TOS. End of Story.