[Bug 8178] Microsoft Dynamics GP Standard demo install fails

wine-bugs at winehq.org wine-bugs at winehq.org
Sun May 22 12:26:36 CDT 2011


http://bugs.winehq.org/show_bug.cgi?id=8178

--- Comment #26 from Anastasius Focht <focht at gmx.net> 2011-05-22 12:26:35 CDT ---
Hello,

--- quote ---
What's in that .exe?  I'm tempted to delete it, since it's not
clear what's in it, and you didn't describe it at all.
--- quote ---

That binary is a compiled (password-protected) AutoIt script.

AV scanners can't really decompile these scripts, hence some flag it
precautionarily as "trojan":

http://www.autoitscript.com/forum/topic/34658-are-my-autoit-exes-really-infected/

Raw scan (not unpacked):

http://www.virustotal.com/file-scan/report.html?id=9b47462b62f7a094fdab42b9f36ea24375874cc189c56fa5d0b71e45f9e40b93-1306080042

Interestingly, when I manually unpacked the thing (UPX) it gave fewer hits:

http://www.virustotal.com/file-scan/report.html?id=50815f7712bbbaf7dfccdca838e7522260d1033b35fc58833ff0b04350676db5-1306080198

Now to the real thing ... it looks to me like a script someone made to create
an inventory of Windows PCs.

1. if no parameters given -> do nothing -> exit

2. when given a "zone" command line parameter: map a Windows file server
network share from Universitat de Barcelona (Spain) with hard-coded credentials
(that's what I got from following DNS info)

3. run an executable from that share (from the name it looks like some kind of
inventory tool) 

4. wait for some specific process to exit (probably a sub-process spawned from
the initial agent process).

5. write a file back to a specific share location (probably inventory
list)

6. *boom* ... hehe no, just exit

Depending on the remote binaries it executes it _might_ be harmful or
legitimate.
I did not exploit the credentials to fetch the remote binaries ...

It should be deleted anyway.

Regards
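The comment above notes two things an analyst checks first on a sample like this: whether it is UPX-packed (which is why the raw and unpacked scans differ) and whether it is a compiled AutoIt script. The following is an added example, not code from the bug report or from Wine, showing a minimal static triage that walks the PE section table and looks for the documented marker strings (UPX names its sections UPX0/UPX1 and stamps "UPX!" into its header; compiled AutoIt v3 scripts carry the resource magic "AU3!EA06", or "AU3!EA05" in older builds). The two sample files are constructed inline with a small fake-PE builder; they are not the binary attached to the bug. The point it demonstrates is the one the comment makes implicitly: on the packed form only the packer is visible, and the AutoIt marker appears only after unpacking, so classification should happen on the unpacked image.

```python
import struct

# Marker strings (real, widely documented): UPX section names and header stamp,
# and the resource magic of compiled AutoIt v3 scripts.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
AUTOIT_MARKERS = (b"AU3!EA06", b"AU3!EA05")


def pe_section_names(data):
    """Walk the MZ/PE headers and return the section names, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes, name is first 8
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(data):
    """Cheap static verdict: is it a PE, is it UPX-packed, does it embed an AutoIt script?"""
    names = pe_section_names(data)
    if names is None:
        return {"is_pe": False, "upx_packed": False, "autoit_compiled": False, "sections": []}
    upx = any(n in UPX_SECTION_NAMES for n in names) or b"UPX!" in data
    autoit = any(m in data for m in AUTOIT_MARKERS)
    return {"is_pe": True, "upx_packed": upx, "autoit_compiled": autoit, "sections": names}


def build_fake_pe(section_names, payload):
    """Constructed test input: a minimal MZ/PE shell (no optional header) around payload."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + sections + payload


# Constructed samples (not the bug's binary): the "packed" one hides the AutoIt
# marker inside compressed data, the "unpacked" one exposes it in its resources.
PACKED_SAMPLE = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"UPX!" + bytes(range(256)))
UNPACKED_SAMPLE = build_fake_pe([b".text", b".rdata", b".rsrc"],
                                b"\0" * 16 + b"AU3!EA06" + b"\0" * 16)

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, triage(sample))
```

Run against a real file by passing `open(path, "rb").read()` to `triage()`. A UPX verdict with no AutoIt marker is the cue to unpack first and scan again, which is exactly the difference between the two VirusTotal reports quoted above.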
