Help, I ran a video exe file by accident
July 31st, 2016
What should I do?
If I never save passwords in my browser, am I safe?
Thank you,
Here is my analysis with Sandboxie:
I doubt you're safe. Anything that tries to access the internet, especially without your knowledge or permission, and especially via FTP, is trouble. I would run a complete virus scan overnight while you sleep to be on the safe side. That IP address is a dedicated server in France:
(Asked whois.ripe.net:43 about 94.23.41.37)
inetnum: 94.23.0.0 - 94.23.63.255
netname: OVH
descr: OVH SAS
descr: Dedicated Servers
descr: http://www.ovh.com
country: FR
admin-c: OK217-RIPE
tech-c: OTC2-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE Filtered

role: OVH Technical Contact
address: OVH SAS
address: 140 Quai du Sartel
address: 59100 Roubaix
address: France
admin-c: OK217-RIPE
tech-c: GM84-RIPE
nic-hdl: OTC2-RIPE
remarks: ========================================
remarks: support : support@ovh.com
remarks: 899 701 761 (france only)
remarks: ========================================
remarks: troubles:
remarks: network : abuse@ovh.net
remarks: spam : http://www.spam-rbl.com
remarks: ========================================
There shouldn’t be a problem if you didn’t run one of the containing files.
Write to the abuse email from that server and say it's being used for illegal hacking. That'll show that hacker lolz. Well, good thing your AV caught it; I would suggest you disconnect from the internet and do a full scan. Get SuperAntiSpyware and Malwarebytes, and scan with those. Make sure you deleted all the files you downloaded. Also do a web scan with Kaspersky scanner; it's free on their site.
Most of the password stealers don't just try to grab browser passwords; it can be Messenger and FTP programs and even cookies. They can hack your account using cookies, which is something that is difficult to guard against, except for blocking it with a firewall. If you did block it then you wouldn't have lost anything. The fact that it has tried to access the internet means it must have found something useful on your system; otherwise it wouldn't have attempted a connection.
They frequently do use common names such as IE to try and get people to allow them access to the internet. I have seen IE used a few times before.
It might be worth extracting the infected file and sending it to an online Sandbox for analysis, Sunbelt have a good one. That would give a better idea on what it does. They usually send the details out and then delete themselves so there is not usually any resident infection.
You can use Uniextract to extract the files. It is usually compressed twice and both have an infected file attached which runs.
http://legroom.net/software/uniextract
Also send the file to Virus Total to see how many AVs can detect it.
http://www.sunbeltsecurity.com/Submit.aspx
http://www.virustotal.com/
Finding out whether it can be detected is important; doing a scan could be useless if nothing can detect it yet.
Another thing to try is Kaspersky GSI 4
http://www.getsysteminfo.com/
Download GetSystemInfo.exe from their site and run it. It will scan your computer and generate a long, detailed, complicated log of your system. You upload that log to their site, www.getsysteminfo.com, and it analyzes it and detects incompatible software, possible known and unknown malware on your computer, and also program function errors.
It’s a pretty good tool.
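One way to turn the advice in the posts above into a check, as an added example that is not from this thread: a small Python script over constructed outbound-connection log lines (the log format, file paths and expected-location table are all assumptions) that flags outbound FTP to a public host and a browser-named process running from somewhere a browser does not normally live.

```python
# Added example, not from the thread. Detector over constructed log lines in the
# spirit of the advice above: a password stealer often tries an outbound FTP
# upload and may borrow a browser's name to get past a firewall prompt.
import ipaddress

# Constructed sample log: process name | image path | dest IP | dest port
SAMPLE_LOG = """\
iexplore.exe|C:\\Program Files\\Internet Explorer\\iexplore.exe|203.0.113.10|443
svchost.exe|C:\\Windows\\System32\\svchost.exe|192.168.1.1|53
iexplore.exe|C:\\Users\\me\\AppData\\Local\\Temp\\iexplore.exe|94.23.41.37|21
video.exe|C:\\Users\\me\\Downloads\\video.exe|94.23.41.37|21
firefox.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|203.0.113.20|80
"""

# Assumed: where a process with this name legitimately lives (prefix match).
EXPECTED_PATHS = {
    "iexplore.exe": "c:\\program files\\internet explorer\\",
    "firefox.exe": "c:\\program files\\mozilla firefox\\",
}
# Outbound FTP from a workstation to a public host is rarely legitimate.
SUSPICIOUS_PORTS = {21: "ftp"}

def parse_line(line):
    """Split one 'proc|path|ip|port' line into a dict."""
    proc, path, ip, port = line.split("|")
    return {"proc": proc, "path": path, "ip": ipaddress.ip_address(ip), "port": int(port)}

def analyse(event):
    """Return the reasons this outbound connection looks like exfiltration."""
    reasons = []
    if event["port"] in SUSPICIOUS_PORTS and not event["ip"].is_private:
        reasons.append(f"outbound {SUSPICIOUS_PORTS[event['port']]} to public host {event['ip']}")
    expected = EXPECTED_PATHS.get(event["proc"].lower())
    if expected and not event["path"].lower().startswith(expected):
        reasons.append(f"{event['proc']} running from unexpected path {event['path']}")
    return reasons

def find_suspicious(log_text):
    """Return [(process name, reasons)] for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = analyse(event)
        if reasons:
            hits.append((event["proc"], reasons))
    return hits

if __name__ == "__main__":
    for proc, reasons in find_suspicious(SAMPLE_LOG):
        print(proc, "->", "; ".join(reasons))
```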
Thanks all for your expertise. I had time to run 2 tests:
http://www.virustotal.com/analisis/eabd12d4f806bec31da064fb645df53205bbcadc1d7c9aad9796f8293e7711b3-1245900551
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9161659&cs=84B4E11808821360876635086E5FDF6B
I have already scanned clean with the latest Malwarebytes, SUPERAntiSpyware and Spybot.
Currently running Kaspersky Online Scanner. Next will be ESET NOD32 with latest defs.
Did Virus Total say it had already been scanned when you uploaded it? Did you do a rescan? If not then it must be a new form as I have already sent several with that filename to some AV companies including Kaspersky. But they are constantly changing them to avoid detection.
That is why you should NEVER run an exe just because your AV allows it or doesn’t detect anything. Turning off your AV from realtime scanning and posting a note on your forehead to remind you to be very careful might do what is needed and prevent you and other people from taking unnecessary risks. People wouldn’t take such risks if they did not have the security blanket of an AV running.
The sandbox result doesn’t look correct as it shows virtually nothing, not even what your picture above says it should. I have come across this once before where their sandbox gave little or no information and I suspect it is their system which is at fault. I have emailed them asking why that is.
Here is a test which I did quite some time back and shows what I would expect yours to have shown. Look at the network tab, where it shows an FTP access like your screen shot indicates.
[EDIT] Actually I have just remembered that sunbelt can be a bit flaky at times and does not send emails with the result url like it should. The only way I found to get access to the result was to re-upload and use the url that it gives when it says that it has already been analysed to read the full results. So try that before doing anything else, as sunbelt gives the most information when it works.
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=8886811&cs=0D3932785F77742B239CB1CD948E25F5
If re-submitting the file to sunbelt does not work then try submitting it to this site and see what it shows. I don’t like this site as much as sunbelt as the information is not as detailed.
http://anubis.iseclab.org/
Threatexpert provides a really detailed analysis most of the time.
http://www.threatexpert.com/
Yes, that is another that can be used, and the Staff do know about it and others, but as you say, “detailed analysis most of the time”. If the file has already been classified it doesn’t tell you anything but the Malware name, which won’t help him know what this one does and whether it stays resident, which is what he really needs to know.
I would say it only attempts to steal the passwords and then deletes itself, like previous versions of that file, given the fact that it attempted to connect to that server.
If the file has already been classified it doesn't tell you anything but the Malware name.
I believe you can access the details even if the threat has been classified before (i.e.
http://www.threatexpert.com/report.aspx?md5=d0066fd17bc7df5cfbe78d4ac6df5654