All times are UTC - 8 hours
 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Fri Mar 12, 2010 12:21 pm 

Joined: Sat Feb 13, 2010 9:46 pm
Posts: 83
Can you get me a valid archive? That drop.io one is coming up corrupted for me too, and I suspect the problem is different versions of 7-Zip.

Do the redirects happen in Internet Explorer or Chrome, or just Firefox?
What version of Firefox do you have?
If you get Firefox 3.6 Portable, then look in the addons list, what do you see? (It's absolutely critical you get 3.6 - previous versions of Firefox allowed addons to specify a hidden tag, which was used to great advantage by malware writers. See here for a prime example of the frustration caused by this kind of thing)


 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Fri Mar 12, 2010 1:30 pm 

Joined: Mon Nov 02, 2009 7:24 am
Posts: 7
Can you get me a valid archive? That drop.io one is coming up corrupted for me too, and I suspect the problem is different versions of 7-Zip.
>> Sorry, I think I'm done posting archives. You could easily recreate the problem exe based on my 2nd post in this thread which is the 4th overall post. Or, you could use the latest 7-zip to open my archive and simultaneously update your 7-zip to latest! :)

Do the redirects happen in Internet Explorer or Chrome, or just Firefox?
>> Good question, I'm not sure. I'm completely FF focused so it had to be fixed asap. Another person troubleshooting something very similar (maybe the same) said it was only FF.

What version of Firefox do you have?
>> Like I said already, "latest" which is 3.6. I guess latest could mean a beta/alpha but that would cause a mess with add-ons.

If you get Firefox 3.6 Portable, then look in the addons list, what do you see? (It's absolutely critical you get 3.6 - previous versions of Firefox allowed addons to specify a hidden tag, which was used to great advantage by malware writers. See here for a prime example of the frustration caused by this kind of thing)
>> What do I see? I have a boat load of add-ons so I see a ... boat load of add-ons! They're all add-ons I expect to see if that's what you're asking.

Seriously, thanks for the tip about malware writers doing FF add-ons, but like I've said several times in this thread: with the invisible Bat to Exe running, random FF Google search redirect hijacks; with it stopped and deleted, all is fine. I really don't see how a malware FF add-on would be triggered by my invisi Bat to Exe program.


 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Fri Mar 12, 2010 2:23 pm 

Joined: Thu Apr 17, 2008 2:36 pm
Posts: 312
I did my own test of this method: making the bat, converting and running it.

a) Yes, some vcheckers see this as a potential dropper. This is because (as you have it set up) the file opens (invisibly, conhost) and leaves it open, yet produces no window.

b) My Google was not affected in either IE or FF (nor Safari, nor Opera, nor Chrome).

Thus again I must state that while, yes, this program can be used for malicious means, and can, yes, create a trojan from a properly made batch file, it is not injecting any code into the exe.

All this program is doing is UPXing the batch.

Code:
File size: 21504 bytes
MD5...: c7c4399bac9247380c82d9fbdfe67f63
SHA1..: ab05ea316e90638e5263531d4abe35a66f07fe42
SHA256: c4ef4bae0d990c8610920b62695dc531f4ce5b98dc062f74bbd4b45325cbec4b
ssdeep: 384:2IiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZYGYKaNJawcuf:2RGuY2P0Vo6r7SiAwyrMRjbyGYbnbcuc

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xe020
timedatestamp.....: 0x498d2b24 (Sat Feb 07 06:33:08 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xa000 0x5000 0x4c00 7.90 ac7064cc39f73b7e7c91bea855086519
.rsrc 0xf000 0x1000 0x600 4.44 cc36a02310a0922ccf25195ca428a363

( 7 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> COMCTL32.dll: InitCommonControls
> GDI32.dll: SetBkColor
> MSVCRT.dll: memset
> OLE32.dll: CoInitialize
> SHELL32.dll: ShellExecuteExA
> USER32.dll: IsChild

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

packers (Kaspersky): UPX
packers (F-Prot): UPX_LZMA

All of that said: this is not the first report of issues with this program nor with this site (the originator site)
http://www.siteadvisor.com/sites/f2ko.de
so I voted it down. We should at least hear the poster out and see if we can have somebody look into it more (with a v-machine or Sandboxie).


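The report above is the kind of VirusTotal output that makes the "it's just UPX" call: UPX0 has zero raw bytes but a 0x9000-byte virtual size (the unpack target), UPX1 has entropy 7.90 (compressed payload), and the KERNEL32 imports are exactly what the UPX decompression stub needs to rebuild the image. The same import list is quoted again later in this thread as "suspicious". As an added example that is not part of this thread or of the Bat To Exe Converter project, here is a small Python triage script that parses the pasted section table and import lines, reports the packing indicators, and separates the stub's own imports from the API surface that actually belongs to the payload. The `REPORT` text is copied from the post above; the entropy helper is included so the meaning of the `ntrpy` column can be checked on constructed data.

```python
"""Static triage of a VirusTotal-style PE report: packer indicators and payload imports."""
import math
import re

# Constructed input: the section table and import lines copied from the report above.
REPORT = """\
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xa000 0x5000 0x4c00 7.90 ac7064cc39f73b7e7c91bea855086519
.rsrc 0xf000 0x1000 0x600 4.44 cc36a02310a0922ccf25195ca428a363

( 7 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> COMCTL32.dll: InitCommonControls
> GDI32.dll: SetBkColor
> MSVCRT.dll: memset
> OLE32.dll: CoInitialize
> SHELL32.dll: ShellExecuteExA
> USER32.dll: IsChild
"""

MD5_OF_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes: a section with no raw data
# The imports the UPX loader stub needs to decompress the original image in place,
# resolve its original import table, and fix section permissions.
UPX_STUB_IMPORTS = {"LoadLibraryA", "GetProcAddress", "VirtualProtect",
                    "VirtualAlloc", "VirtualFree", "ExitProcess"}

SECTION_RE = re.compile(
    r"^(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([\d.]+)\s+([0-9a-f]{32})$")
IMPORT_RE = re.compile(r"^>\s*([^:]+):\s*(.*)$")


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed/encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(report):
    sections = []
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append({"name": m[1], "vaddr": int(m[2], 16), "vsize": int(m[3], 16),
                             "rawsize": int(m[4], 16), "entropy": float(m[5]), "md5": m[6]})
    return sections


def parse_imports(report):
    imports = {}
    for line in report.splitlines():
        m = IMPORT_RE.match(line)
        if m:
            imports[m[1].strip().upper()] = [f.strip() for f in m[2].split(",") if f.strip()]
    return imports


def packing_indicators(sections, imports):
    """Return (list of findings, sorted payload-side imports once the stub's own are removed)."""
    findings = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            findings.append(f"section {s['name']} carries a UPX section name")
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["md5"] == MD5_OF_EMPTY:
            findings.append(f"section {s['name']} has no raw data but 0x{s['vsize']:x} bytes "
                            f"of virtual size (unpack target)")
        if s["rawsize"] > 0 and s["entropy"] >= 7.0:
            findings.append(f"section {s['name']} entropy {s['entropy']:.2f} "
                            f"(compressed or encrypted content)")
    all_funcs = {f for funcs in imports.values() for f in funcs}
    if UPX_STUB_IMPORTS <= all_funcs:
        findings.append("KERNEL32 import set is the UPX loader stub "
                        "(LoadLibraryA/GetProcAddress/VirtualProtect/VirtualAlloc/VirtualFree)")
    # Whatever is left is the only API surface of the payload visible without unpacking.
    payload = sorted(all_funcs - UPX_STUB_IMPORTS)
    return findings, payload


if __name__ == "__main__":
    secs, imps = parse_sections(REPORT), parse_imports(REPORT)
    found, payload_api = packing_indicators(secs, imps)
    for f in found:
        print("indicator:", f)
    print("payload-side imports:", ", ".join(payload_api))
```

The payload-side list that comes out (`ShellExecuteExA`, `CoInitialize`, `InitCommonControls`, and a few UI calls) is consistent with a launcher that runs something via the shell, which is what a converted batch file has to do; on its own it says nothing about what the embedded batch contains, and that is why the unpacked file, not this report, is what needs reading.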
 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Fri Mar 12, 2010 5:15 pm 

Joined: Sat Feb 13, 2010 9:46 pm
Posts: 83
jxf011 wrote:
Can you get me a valid archive? That drop.io one is coming up corrupted for me too, and I suspect the problem is different versions of 7-Zip.
>> Sorry, I think I'm done posting archives. You could easily recreate the problem exe based on my 2nd post in this thread which is the 4th overall post. Or, you could use the latest 7-zip to open my archive and simultaneously update your 7-zip to latest! :)

I was hoping for the actual file triggering VT, since different batch files could have different results. I'll see what I can whip up, though.

jxf011 wrote:
Do the redirects happen in Internet Explorer or Chrome, or just Firefox?
>> Good question, I'm not sure. I'm completely FF focused so it had to be fixed asap. Another person trouble shooting something very similar (maybe the same) said it was only FF.

If I can reproduce your Fx redirects, I'll try it in IE & Chrome as well.

jxf011 wrote:
If you get Firefox 3.6 Portable, then look in the addons list, what do you see? (It's absolutely critical you get 3.6 - previous versions of Firefox allowed addons to specify a hidden tag, which was used to great advantage by malware writers. See here for a prime example of the frustration caused by this kind of thing)
>> What do I see? I have a boat load of add-ons so I see a ... boat load of add-ons! They're all add-ons I expect to see if that's what you're asking.

Yep, that's what I was asking.

jxf011 wrote:
Seriously, thanks for the tip about malware writers doing FF add-ons, but like I've said several times in this thread: with the invisible Bat to Exe running, random FF Google search redirect hijacks; with it stopped and deleted, all is fine. I really don't see how a malware FF add-on would be triggered by my invisi Bat to Exe program.

A malicious addon wouldn't necessarily be triggered by bat2exe - it could be installed instead. That seems to be what happened in that InformAction thread I linked to.

jxf011 wrote:
see if we can have somebody look into it more (with a v-machine or sandboxie)

Malware-chasing is one of the things I most enjoy doing - count me in. :)
I won't be able to try this tonight, as I've got a boatload of stuff to do, but I'll test it ASAP.


 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Sun Apr 04, 2010 12:06 pm 

Joined: Sat Feb 13, 2010 9:46 pm
Posts: 83
I just tried converting a simple batch file to an exe; of course, I ran bat2exe inside Sandboxie. For some reason, the exe was never actually generated; bat2exe generated a lot of temp files, but no exe.
For the record, here's the batch file:
Code:
dir
pause

It didn't seem to matter what settings I used, either.
I'm not sure what happened, but I'm not particularly happy about it.

Unless/until we get to see the source for bat2exe, I won't touch it with a 10-foot pole.


 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Sun Apr 04, 2010 12:12 pm 

Joined: Sat Mar 31, 2007 2:38 am
Posts: 902
Location: Kce,PL
computerfreaker wrote:
Malware-chasing is one of the things I most enjoy doing - count me in. :)
I won't be able to try this tonight, as I've got a boatload of stuff to do, but I'll test it ASAP.


computerfreaker wrote:
I just tried converting a simple batch file to an exe; of course, I ran bat2exe inside Sandboxie. For some reason, the exe was never actually generated; bat2exe generated a lot of temp files, but no exe.
For the record, here's the batch file:
Code:
dir
pause

It didn't seem to matter what settings I used, either.
I'm not sure what happened, but I'm not particularly happy about it.

Unless/until we get to see the source for bat2exe, I won't touch it with a 10-foot pole.

Is that how you usually chase malware?
Doesn't seem exhaustive.



 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Sun Apr 04, 2010 12:26 pm 

Joined: Sat Feb 13, 2010 9:46 pm
Posts: 83
m^(2) wrote:
Is that how you usually chase malware?
Doesn't seem exhaustive.

I usually have something to work with; it's hard to chase/analyze anything when you can't get a sample. ;)
I didn't want to run it live on my PC, and I don't have a second one; I'll do it anyway, though.


 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Sun Apr 04, 2010 1:12 pm 

Joined: Sat Feb 13, 2010 9:46 pm
Posts: 83
OK, I just ran bat2exe live; I hope I'm not going to be sorry for this.

I don't know what's going on in bat2exe, but I don't think it's good. I tried to use RegFromApp and ProcessActivityView to attach to bat2exe; when I tried to run bat2exe from within RegFromApp, with "Start tracing immediately" on, bat2exe just showed a blank window. I used Process Monitor instead (which is what I should have done in the first place); bat2exe itself appears to be OK. It wrote a bunch of temp files, then finally converted the batch file to an exe. I made sure the "invisible application" setting was selected.
I then ran test.exe, the compiled batch file, with ProcMon tracking it again. For the most part, the exe seems to be doing fairly standard stuff; it's doing some monkeying with the Internet security zones, though. Here's part of the ProcMon log:

Quote:
[timestamp removed] test.exe 3752 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones SUCCESS Desired Access: Read
(about 2 dozen more reads to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones and its subkeys)

Quote:
[timestamp removed] test.exe 3752 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass SUCCESS Type: REG_DWORD, Length: 4, Data: 1
[timestamp removed] test.exe 3752 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName SUCCESS Type: REG_DWORD, Length: 4, Data: 1
[timestamp removed] test.exe 3752 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet SUCCESS Type: REG_DWORD, Length: 4, Data: 1
[timestamp removed] test.exe 3752 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect SUCCESS Type: REG_DWORD, Length: 4, Data: 1

Quote:
[timestamp removed] test.exe 3752 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones SUCCESS Desired Access: Read
(a couple of dozen reads to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones and its subkeys)

It also did a bunch of reading from HKLM\Software\Microsoft\Cryptography and its subkeys; I'm somewhat inclined to dismiss that as normal behavior, though, as I've seen a lot of legit apps reading from there.

I didn't see any of my Google searches get redirected, and my AV (Microsoft Forefront Client Security) didn't pop up a warning, but I'm still not happy.
* Why wouldn't bat2exe work within Sandboxie? It could clearly create files, since it left a mess of temp files; did it detect the Sandboxie service and terminate? (That's entirely possible; there's a growing number of malware apps that detect virtualization products and shut down if one is found)
* Why wouldn't bat2exe work when I tried to use RegFromApp on it? (In fairness, bat2exe worked if I ran it, then attached RegFromApp & ProcessActivityViewer to it)
* Why is the executable reading from, and writing to, Internet Zone registry keys? (Once again, in fairness, I've seen other legit apps accessing these keys; I haven't been able to get much information about the keys, except that a lot of malware seems to write to them. If anybody knows exactly what they do, I'd appreciate the info)

I didn't see anything that clearly brands bat2exe as malware, but I still don't want to use it. Then again, most of my friends say I'm overly paranoid. :roll:


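For the question about those keys: the four values the log shows being written (`AutoDetect`, `IntranetName`, `ProxyBypass`, `UNCAsIntranet` under `Internet Settings\ZoneMap`) are the registry backing of Internet Explorer's Local Intranet zone options, which is why programs that go through WinINet/urlmon, legitimate ones included, are often seen touching them. What a ProcMon trace lets you do is separate the many reads under `Zones` and `Lockdown_Zones` from successful writes, and it is the writes by a process that has no business in browser settings that deserve a closer look. As an added example that is not part of this thread, here is a Python script that parses ProcMon lines in the form pasted above, lists the successful registry writes under the three Internet Settings subtrees with the value written, and summarises read versus write counts per subtree. The `LOG` text is constructed from the lines in the post (timestamps were already removed there); the final `HKLM\...\Cryptography\MachineGuid` line and its data are constructed for contrast and are not from the original trace.

```python
"""Flag Internet-zone registry writes in ProcMon-style log lines."""
import re
from collections import defaultdict

# Constructed sample: the ProcMon lines quoted in the post above, plus one constructed
# benign read under HKLM\Software\Microsoft\Cryptography for contrast.
LOG = r"""[timestamp removed] test.exe 3752 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones SUCCESS Desired Access: Read
[timestamp removed] test.exe 3752 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass SUCCESS Type: REG_DWORD, Length: 4, Data: 1
[timestamp removed] test.exe 3752 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName SUCCESS Type: REG_DWORD, Length: 4, Data: 1
[timestamp removed] test.exe 3752 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet SUCCESS Type: REG_DWORD, Length: 4, Data: 1
[timestamp removed] test.exe 3752 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect SUCCESS Type: REG_DWORD, Length: 4, Data: 1
[timestamp removed] test.exe 3752 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones SUCCESS Desired Access: Read
[timestamp removed] test.exe 3752 RegQueryValue HKLM\Software\Microsoft\Cryptography\MachineGuid SUCCESS Type: REG_SZ, Length: 74, Data: 00000000-0000-0000-0000-000000000000
"""

ZONE_ROOT = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONE_SUBTREES = ("Zones", "ZoneMap", "Lockdown_Zones")
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
READ_OPS = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegEnumKey", "RegEnumValue"}

# [ts] process pid operation path RESULT detail   (path may contain spaces, so it is
# matched lazily up to one of the known ProcMon result strings)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]*)\]\s+(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<op>Reg\w+)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NAME NOT FOUND|ACCESS DENIED|BUFFER OVERFLOW|REPARSE)"
    r"\s*(?P<detail>.*)$")


def parse_procmon(text):
    """Parse pasted ProcMon registry lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        d = re.search(r"Data:\s*(.+)$", ev["detail"])
        ev["data"] = d.group(1).strip() if d else None
        events.append(ev)
    return events


def zone_subtree(path):
    """Return 'Zones', 'ZoneMap' or 'Lockdown_Zones' if the path is under Internet Settings, else None."""
    if not path.upper().startswith(ZONE_ROOT.upper() + "\\"):
        return None
    head = path[len(ZONE_ROOT) + 1:].split("\\", 1)[0]
    return head if head in ZONE_SUBTREES else None


def zone_writes(events):
    """Successful writes under the zone subtrees: the events worth explaining per process."""
    hits = []
    for ev in events:
        sub = zone_subtree(ev["path"])
        if sub and ev["op"] in WRITE_OPS and ev["result"] == "SUCCESS":
            hits.append({"process": ev["proc"], "pid": int(ev["pid"]), "subtree": sub,
                         "value": ev["path"].rsplit("\\", 1)[1], "data": ev["data"]})
    return hits


def zone_access_summary(events):
    """Read/write counts per subtree, to tell a configuration lookup from a configuration change."""
    summary = defaultdict(lambda: {"read": 0, "write": 0})
    for ev in events:
        sub = zone_subtree(ev["path"])
        if sub is None:
            continue
        if ev["op"] in WRITE_OPS:
            summary[sub]["write"] += 1
        elif ev["op"] in READ_OPS:
            summary[sub]["read"] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = parse_procmon(LOG)
    for hit in zone_writes(evs):
        print(f"{hit['process']}[{hit['pid']}] wrote {hit['subtree']}\\{hit['value']} = {hit['data']}")
    print(zone_access_summary(evs))
```

Run against the pasted trace it reports four writes by `test.exe` (PID 3752), all under `ZoneMap` and all setting the value to 1, and read-only access to `Zones` and `Lockdown_Zones`; the constructed `Cryptography` line is correctly left out because it is not under the Internet Settings root. On a longer trace the same two functions give a quick per-process picture of who merely reads zone policy and who changes it.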
 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Tue Apr 06, 2010 10:27 am 

Joined: Tue Apr 06, 2010 10:11 am
Posts: 30
Location: Somewhere in Kentucky
I've found some INTERESTING things when decompiling a converted bat file with hidden set:

Quote:
KERNEL32.DLL COMCTL32.dll GDI32.dll MSVCRT.dll OLE32.dll SHELL32.dll USER32.dll LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess InitCommonControls SetBkColor memset CoInitialize ShellExecuteExA IsChild


Notice the VirtualProtect and VirtualFree? I believe that protects the program from being run in Virtual Environments.

Also, here are the decompiled Bat to Exe Converter lines that are suspicious:

Quote:
KERNEL32.DLL COMCTL32.dll COMDLG32.dll GDI32.dll MSVCRT.dll OLE32.dll SHELL32.dll SHLWAPI.dll USER32.dll LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess ImageList_Add GetSaveFileNameA LineTo free CoInitialize DragQueryFileA PathFileExistsA GetDC

_________________
Over 15 programs coded. All Free, All Portable, and All Under 2 MB


 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Tue Apr 06, 2010 10:33 am 

Joined: Sat Mar 31, 2007 2:38 am
Posts: 902
Location: Kce,PL
rcmaehl wrote:
I've found some INTERESTING things when decompiling a converted bat file with hidden set:

Quote:
KERNEL32.DLL COMCTL32.dll GDI32.dll MSVCRT.dll OLE32.dll SHELL32.dll USER32.dll LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess InitCommonControls SetBkColor memset CoInitialize ShellExecuteExA IsChild


Notice the VirtualProtect and VirtualFree? I believe that protects the program from being run in Virtual Environments.

No. These are standard Windows memory management routines.

rcmaehl wrote:
Also, here are the decompiled Bat to Exe Converter lines that are suspicious:

Quote:
KERNEL32.DLL COMCTL32.dll COMDLG32.dll GDI32.dll MSVCRT.dll OLE32.dll SHELL32.dll SHLWAPI.dll USER32.dll LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess ImageList_Add GetSaveFileNameA LineTo free CoInitialize DragQueryFileA PathFileExistsA GetDC

Nothing suspicious here either.



 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Tue Apr 06, 2010 10:41 am 

Joined: Tue Apr 06, 2010 10:11 am
Posts: 30
Location: Somewhere in Kentucky
Would you like the decompiled program? I have it and I can barely make heads or tails of it; I don't do pure programming... :(

_________________
Over 15 programs coded. All Free, All Portable, and All Under 2 MB


 Post subject: Re: Bat To Exe Converter - Trojan.VkHost creator?
PostPosted: Tue Apr 06, 2010 11:45 am 

Joined: Sat Mar 31, 2007 2:38 am
Posts: 902
Location: Kce,PL
rcmaehl wrote:
Would you like the decompiled program? I have it and I can barely make heads or tails of it; I don't do pure programming... :(

No, thanks. If I wanted, I'd get it myself.
If you don't know programming, don't waste your time; you won't be able to differentiate crapware from legit software, seriously.


