AutoIt .exe file found cleaning a PC

[LostUser]

Hi all.

I was cleaning up someones PC from virus/spyware/etc. and came across this AutoIt file in the C:\WINDOWS\SYSTEM32 directory on a WinXP machine.

mm-99-829-0000156.exe

It seems to be pretty small compared to any small AutoIt executables I have made at 118 kbs.

The file creation date is 10-10-2005, the version it reads is 3.1.1.0.

I know this person wouldn't have installed AutoIt and it doesn't seem to have even been installed on the PC.

Anyone know a way to identify what it could possibly do or how to decompile it rather than just running it?

I have been viewing the contents textually and there is some info in there but it seems to be generically the same as any other executables I've done in AutoIt.

I normally would have just deleted it but since I use AutoIt, I was curious as to what it does. I know there have been issues in the past with AutoIt files being detected as virus and don't want anything to contribute to it.

Thanks

[lod3n]

Have you tried the Decompile option found in the AutoIt Extras?

[LostUser]

Have you tried the Decompile option found in the AutoIt Extras?

I just tried and it has a passphrase. Also, before I could get it on my PC to check it out, my virus software detected is a Downloader.aj and deleted it. That copy had the AutoIt icon look to it. I copied another one I found on the other PC and the virus software doesn't pick it up as a virus and it doesn't have the AutoIt icon look to it but properties version shows it as AutoIt created.

I thought maybe it had gotten infected but then why does the non-detectable one not have the AutoIt icon look. Also, it doesn't give a message when I try to decompile it that it isn't an AutoIt compiled program.

[lod3n]

Some virus scanners incorrectly identify some compiled AutoIt scripts as viruses, so you might want to try a few different ones, like Avast, AVG, Housecall, et. all.

If you are really curious as to what it does, set up a test system. Put a fresh install of Windows on it, get process monitor open, regmon, and filemon, and run the script. (make sure it's not plugged into the network.)

That'll tell you better than anything else. Also, there's a way to crack the passphrase, but I don't know what it is. Try searching on the forum, you might find some clues.