• Welcome to Valhalla Legends Archive.
 

InstCC.exe

Started by Barabajagal, August 28, 2008, 05:02 PM

Barabajagal

Perhaps a false positive? And that's a lot of API calls for something that does nothing...

iago

#31
Well, Kaspersky detects it as a "PE_patch" format file, and most of the API calls seem to be related to file i/o and registry checks, so who knows?

<edit> From a quick look with Process Monitor, it looks at two interesting registry keys:
HKLM\SOFTWARE\Blizzard Entertainment\Internal\Protect Memory
HKLM\SOFTWARE\Blizzard Entertainment\Internal\Debug Memory

If "Protect Memory" is set to 1, the program ends right away. In all other cases I tested, it does a bunch of not-very-interesting stuff then exits. *shrug* it doesn't look malicious based on what it's doing, unless it's being clever about it.

This'll make an interesting test for broken AV:
Quote:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Newby

Exception
Please report failure as: ErrorTime= "Sep 03 11:31:12"
- Newby
