2 suspicious exe files

Hello! I face a problem. I have 2 suspicious exe files, one is over 250MB and the other 750MB. Now normal AV can’t find anything if I scan the exe itself. No digital signature. But once you try to install it some malware pops up, the firewall goes crazy (calling home on port 80) and it tries to install global hooks. VirusTotal can’t scan it since it’s too big. Comodo Valkyrie isn’t working for me, go figure why, and neither is Comodo Instant Malware Analysis. Also I told my CIS to check it and upload to Comodo servers but still have nothing back. Any ideas? Thank you.

Well, most services have a file size limit. Comodo Valkyrie is currently 20Mb, it says so to the right of the ‘Upload File’ button. I would presume Camas is the same, about the same size too, therefore your files are way too large to upload!

Wonder if they are like some sort of self-extracting archives; those sizes are pretty big to be normal executables, so I would imagine there’s a lot of other stuff packed in there which could be malicious 88)

Have come across these kinda files myself, and from others. Always on the site they were movies, ISOs or something else large in size, yet the file extension is .EXE, which is suspicious considering the file size; most likely they contain malware of some type that’s packed up inside.

Unless you can analyze these files yourself safely or send them to someone that can, the best policy would be to always delete them and never execute them; in fact, never download them in the first place :slight_smile:

Yeah, CIS told me as well now that the files are too big to analyze. The site where I got them from has no infection. That’s the thing, nobody can analyze them due to size. Oh well… Now if I run them I face the risk to my PC, or delete and forget. Thanks ;D

Unpack the EXEs. Using something like 7-Zip, extract the EXE to a folder (you’ll probably need to temporarily disable your AV to do this) and then scan the individual components.

What are the EXEs? Where did they come from?

update: On second thoughts, rather than disable your AV… exclude the folder that you are extracting the EXEs into. That would probably be more prudent.
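An added worked example (not from this thread, nor from 7-Zip or WinRAR): a small Python triage script that does offline what the advice above describes, checking whether an oversized EXE is really a self-extracting wrapper by parsing the PE section table to find where the image ends and looking for archive signatures in the appended overlay. The “installer” it inspects is a constructed minimal PE stub, not a real file.

```python
import struct
# Signatures of archive formats commonly wrapped by self-extracting EXEs.
ARCHIVE_MAGICS = {b"7z\xbc\xaf\x27\x1c": "7-Zip", b"Rar!\x1a\x07": "RAR", b"PK\x03\x04": "ZIP",
                  b"MSCF": "CAB", b"**ACE**": "ACE"}  # ACE magic sits at offset 7 of its header

def pe_image_end(data):
    """Offset where the last PE section's raw data ends; bytes past it are overlay."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                            # IMAGE_FILE_HEADER
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        sec = coff + 20 + opt_size                     # first IMAGE_SECTION_HEADER
        end = 0
        for i in range(num_sections):
            raw_size, raw_ptr = struct.unpack_from("<II", data, sec + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
        return end
    except struct.error:                               # truncated or garbled header
        return None

def find_archive_signatures(data):
    """Every (offset, format) at which a known archive magic occurs, in file order."""
    hits = []
    for magic, name in ARCHIVE_MAGICS.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def triage(data):
    end, hits = pe_image_end(data), find_archive_signatures(data)
    return {"is_pe": end is not None,
            "overlay_bytes": None if end is None else len(data) - end,
            "archives": hits,
            "archive_in_overlay": end is not None and any(p >= end for p, _ in hits)}

def build_sample():
    """Constructed stand-in for an 'installer' EXE: minimal PE stub plus a 7z overlay."""
    hdr = bytearray(b"MZ".ljust(0x80, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew -> PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44 + 2, 1)                 # one section, no optional header
    struct.pack_into("<II", hdr, 0x58 + 16, 0x20, 0x80)      # SizeOfRawData, PointerToRawData
    return bytes(hdr) + bytes(0x20) + b"7z\xbc\xaf\x27\x1c\x00\x04" + b"payload" * 4
```

Run `triage(open(path, "rb").read())` on the file in question; a large overlay with an archive magic at its start is what a self-extracting installer looks like, and that offset is where an extractor would need to begin.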

I have WinRAR. I already tested them in Comodo Sandbox with blocking actions. It has no individual components. They are 2 exe games. I got them from the game website.

AV doesn’t block it in any way until I run the files. This infection comes up as VirTool:Win32/DelfInject.gen!BI

A game, in a single EXE, that’s 750MB? Doesn’t it install? What’s the game? It’s very likely that running the EXE is just unpacking it prior to installation.

I’ve no idea what WinRAR is capable of (or not). Try using WinRAR to unpack (extract) the EXEs. If that fails, get 7-Zip or something like it. If it merely unpacks more EXEs, unpack those as well.

Yes. It does install, but during installing my AV finds some virus, after that the firewall goes crazy and it seems to be doing some dodgy things to my PC. So I abort the installation. The game is legitimate Counter Strike.

OK, since it’s CS the EXE will not be protected in any way… so, unpack it and scan it manually like I suggested previously.

I did what you told me. The EXE won’t allow unpacking/extraction. It fails. Looks like something prevents this, for a good reason: to infect the PC. Thank you for your help :slight_smile:

Could you expand on “it fails” a little, thanks. You unpacking the EXE would be no different to actually running it, since unpacking the EXE is the first thing that will happen.

Perhaps “something” is your AV. But, if you did what I told you… the AV would either be disabled or the EXE (and the unpacked destination) would be excluded in the AV. :slight_smile:

Well, it just says that it can’t unpack due to the files being in ACE format or something. But ACE is supported. Well, looks like it’s different. No, AV has nothing to do with it because it was disabled.

Then, as suggested above, try another archive app other than WinRAR. Unless, of course, you don’t want to investigate this further.

I tried WinRAR and Universal Extractor. Both failed. I give up. Thank you for your help once again :slight_smile:

OK, no problem.

Although I must say that an ACE installation EXE that cannot be unpacked for CS is somewhat suspicious. In addition, 750MB sounds too big for CS (1.6 I assume).

Anyway, I’ll lock this topic now. If you need it unlocked again, just ask any on-line Mod via PM.