
Three Strange Files?

8 replies to this topic

#1 z3n_Force

z3n_Force

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:09 AM

Posted 15 July 2014 - 09:31 AM

Does anyone have any ideas on what the files t630, t630.1 and t630.2 might be?

 

I have absolutely no idea where they came from. I deleted them before and they appeared again, with the exact same name, btw, no change.

 

 

 

[screenshot: file listing]

 

 

They're not on my C drive, they're actually on my D drive, which I use solely for games, as an SSD.

 

 

Would they be some kind of thing for spyware or something similar? They don't appear in my C drive.

 

 

 

They also appear to have some kind of code; when opened with Notepad++ all three files have this. The first is primarily using 'nul', the other two have other commands like stx, soh, eot.

 

The third file has by far the most complicated code, or so it would appear anyway.

 

[screenshot: file contents in Notepad++]

 
 
Maybe somebody knows of a malware analysis place? Or spyware? Or they have an idea of what these files are? I tried Google but came up with nothing relevant.
 
 
 
Cheers.



#2 scotty_ncc1701

scotty_ncc1701

  • Members
  • 520 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:09 AM

Posted 15 July 2014 - 10:37 AM

1.  Where (folder) are they located?

2.  Do you have a Lexmark printer? That was the only reference I could find for T630 when relating to computers.

 

Best of luck, and have a great day!




#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,620 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 AM

Posted 15 July 2014 - 03:46 PM

Can you submit these 3 files to VirusTotal and report the links back here, so that I can have a look?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 z3n_Force

z3n_Force
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:09 AM

Posted 15 July 2014 - 06:12 PM

Each came up like this:

 

https://www.virustotal.com/en/file/a115516d0102584edc629cb65ef76d0fd5e32f010845cb681d17f21fe1240e48/analysis/1405465836/

 

 

For now I'm making all 3 jpg format. It's the only format I can think of at the moment that might make code useless.



#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,620 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 AM

Posted 16 July 2014 - 02:55 PM

The file you submitted to VirusTotal starts with bytes FF FE. This indicates that it is a UNICODE file. http://en.wikipedia.org/wiki/Byte_order_mark

 

The file doesn't contain executable code.

 

If you really want to find out which program uses these files, use Sysinternals' Process Monitor and search for the filename in the path column.

 

> For now I'm making all 3 jpg format. It's the only format I can think of at the moment that might make code useless.

 

I don't understand exactly what you mean, but it is not JPG. It doesn't contain JPEG structures.


Edited by Didier Stevens, 16 July 2014 - 02:56 PM.



#6 z3n_Force

z3n_Force
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:09 AM

Posted 19 July 2014 - 03:19 PM

I just added the extension .jpg to them all. That should probably prevent it from executing if it was going to, no?

 

And would it 'indicate' a Unicode file due to the transformation from its original extension into a txt extension, in which I viewed them in Notepad++?

 

 

Furthermore, if it is a Unicode extension, couldn't the code be located there and a different file be used to execute it? Basically like an application. I believe that's possible from what modifications to games/apps I've done before. Or do you know from looking at the picture that it's really not code?



#7 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:09:09 PM

Posted 19 July 2014 - 08:49 PM

Go to https://www.virustotal.com/en/file/a115516d0102584edc629cb65ef76d0fd5e32f010845cb681d17f21fe1240e48/analysis/1405465836/ and look at the "additional information" tab.

There you'll see "Magic literal data", implying the magic number of a file. http://en.wikipedia.org/wiki/Magic_number_(programming)#Examples

Look at http://en.wikipedia.org/wiki/List_of_file_signatures and http://en.wikipedia.org/wiki/List_of_file_formats also.

These 3 files are "data" files of some kind?

I think you should just zip the 3 files in question and delete.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 

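An added example (not from the thread, VirusTotal or Notepad++) of the check the two replies above describe: look at the first bytes for a Unicode byte order mark, then for a few public magic numbers, and fall back to the "NUL in every other byte" pattern that UTF-16 text shows in a hex viewer. The `sniff` function, its labels and the sample inputs are constructed for this example.

```python
"""Identify an unknown file from its first bytes: BOM first, then magic
numbers, then a heuristic for BOM-less UTF-16-LE text."""

# Byte order marks (public values; FF FE is what the VirusTotal report showed).
BOMS = {
    b"\xff\xfe": "utf-16-le",
    b"\xfe\xff": "utf-16-be",
    b"\xef\xbb\xbf": "utf-8-sig",
}

# A few well-known file signatures from the public lists linked above.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"MZ": "MZ executable (DOS/PE)",
    b"PK\x03\x04": "ZIP archive",
}


def sniff(data: bytes) -> dict:
    """Return {'kind': ..., 'text': ...} for the leading bytes of a file."""
    result = {"kind": "unknown data", "text": None}

    # 1. A BOM means Unicode text, not an image and not executable code.
    for bom, codec in BOMS.items():
        if data.startswith(bom):
            result["kind"] = f"Unicode text ({codec})"
            result["text"] = data[len(bom):].decode(codec, errors="replace")
            return result

    # 2. Otherwise compare against known magic numbers.
    for sig, name in SIGNATURES.items():
        if data.startswith(sig):
            result["kind"] = name
            return result

    # 3. ASCII stored as UTF-16-LE without a BOM has a NUL at every odd
    #    offset, which is the "primarily nul" look described in the thread.
    if len(data) >= 4 and all(b == 0 for b in data[1::2]):
        result["kind"] = "probable UTF-16-LE text without BOM"
        result["text"] = data.decode("utf-16-le", errors="replace")
    return result


if __name__ == "__main__":
    # Constructed sample: a UTF-16-LE text file with BOM, like the one in the thread.
    sample = b"\xff\xfe" + "t630".encode("utf-16-le")
    print(sniff(sample))
```

Renaming a file to .jpg changes none of these bytes, which is why the verdict above does not depend on the extension.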


#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,620 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 AM

Posted 20 July 2014 - 04:17 AM

> I just added the extension .jpg to them all. That should probably prevent it from executing if it was going to, no?
>
> And would it 'indicate' a Unicode file due to the transformation from its original extension into a txt extension, in which I viewed them in Notepad++?
>
> Furthermore, if it is a Unicode extension, couldn't the code be located there and a different file be used to execute it? Basically like an application. I believe that's possible from what modifications to games/apps I've done before. Or do you know from looking at the picture that it's really not code?

 

It's not necessary to change the extension. The original extensions are not associated with execution of PE files.

 

Did you save the file from notepad++?

 

It doesn't contain code, I looked at the content of the file via VirusTotal. I have a VirusTotal account that allows me to view the content of files.




#9 z3n_Force

z3n_Force
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:09 AM

Posted 20 July 2014 - 01:04 PM

Ahh, thank you both, I learnt something new today. :)
