Hello. I'm sorry if this is the wrong forum or, not to mind that, the wrong forums for this kind of query, but I have a file here that I have cause to be suspicious about. It's from an emulated World of Warcraft server (which is to say you modify one file in your client that designates what server it should connect to and make it connect to a small private machine containing a third-party program called a server core, which then emulates the software found on Blizzard Entertainment's actual company servers, sending similar messages back and forth between clients and storing information, blah blah) I play on, found here. This server recently updated from one expansion pack (Mists of Pandaria) to another (Warlords of Draenor, specifically patch 6.2.2a, if it helps) and now everyone's game clients need to be updated to continue connecting. In order to facilitate this, the staff have provided an incredibly stripped-down and minuscule 12 MB client (full-scale WoW clients are typically more than 10 GB and can be over 20 GB) which has all the essential data and streams the rest during play. That tiny client is what I am suspicious about; it comes in the form of a compressed folder and can be found in this link hosted on their site for your perusal. This is not new or alien to World of Warcraft in general. Blizzard themselves have had the functionality to stream most of the data during play since at least Cataclysm, which was the expansion before Mists of Pandaria, but that's somewhat unimportant. What's important is that I know the people who devised this modified client and I don't trust them as far as I could throw them, and can absolutely see them trying to slip some rootkit or trojan in on the back of the data stream in the hope some idiot has financially sensitive information lying around unencrypted or whatever.
Now, this is mildly irrelevant to me. I don't have any financially valuable accounts on other games to be stolen, I don't keep any important personal details like PIN numbers to be uncovered, I don't write soggy embarrassing poetry or have any compromising pictures of myself suffering through coitus with Miley Cyrus to spread all over tumblr, so in theory I could just encrypt the absolute bleep out of everything and keep it on an external and nuke all cookies and leftover trash files and the rest of that security jazz and do my thing, but it's against basic principle to just let people go through my hard drive at their whim. It's mine.
So the first instruction in the connection guide for the new Warlords of Draenor server after you've converted your existing account and then downloaded the compressed folder above is to run an .exe in that folder called RPHConnect.exe. So I did what any paranoid internet denizen does when told to run an executable and chucked it straight into VirusTotal, yielding a negative result on everything (AVG, Avast, McAfee, BitDefender, the works) except for an obscure antivirus I've never heard of before called Qihoo-360, which coughed up the result "HEUR/QVM06.1.Malware.Gen."
Full analysis page here. While I know that 1/54 is very good and this is probably just a false positive, I'm very hesitant (read: paranoid paranoid paranoid) to discount the idea that this developer, who is capable of doing the job of Blizzard's whole maintenance team and keeping things running smoothly, is also capable of meticulously testing his own special little malware baby against all the major antiviruses one by one, making sure it doesn't make their alarm bells ring, and that he just didn't pay attention to Qihoo-360 because it's too small and underused. They're quite clever and I don't trust them even a little bit.
But I don't know where to go with that. I don't have any of the expertise I would need to peel the .exe apart and see exactly what it does or where it streams from or what it is streaming (well, actually the Wow-64.exe or Wow.exe also found in the compressed folder I linked should theoretically do the streaming, so I really don't know what RPHConnect.exe does at all, and I suppose that's just one more reason to be suspicious about it), and I don't trust my own antivirus to pick up on anything devious it does because it already registers the file as clean on VirusTotal. So I'm hoping that someone around here has the programming skills to do some reverse-compiling magic stuff on the .exe and see if it does anything outside downloading World of Warcraft files to a World of Warcraft folder. I've heard things about running RPHConnect.exe making people's Windows Explorer go unresponsive, which makes me very suspicious for reasons I'm sure I don't need to explain in a place like this.
I'm not even sure what I'm asking for. I'll recognise files that are a necessary part of WoW, so if anyone here knows how to run suspect files like this in a controlled environment while logging everything they do and what traffic they send and receive, that might shed some light on it? What do you even do first to tell if an .exe makes it possible for a hacker to view the contents of your computer? If it does allow for browsing in folders where it has no business, I would certainly settle for some method to lock it down and prevent it from accessing anything but what it needs to access to function as a WoW client. If you need to know anything about World of Warcraft emulation before you can say what is and isn't safe, this site contains a significant wealth of information about the practice and will probably tell you everything important, but don't quote me on that; I'm not in the business, as it were. I don't know how much work this kind of investigation calls for, so if I'm unwittingly begging for days of your time here then I apologise profusely for presuming to ask for that much effort.
I'm sorry if I'm barking up the wrong tree and if someone has some other community more specifically dedicated to tearing out the guts of potentially dangerous programs and figuring out what they're doing to send me on to, that would be very helpful, especially if the place is full of antisocial geniuses who unwind puzzles like this in twenty minutes for the fun of it.
Lastly, please don't give me advice like "if you don't trust them don't play on their server." I recognise this is indeed wisdom, but if I hadn't already decided I was going to cautiously risk it anyway I wouldn't be here looking to make sure. Thank you in advance.
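Added example (not part of the original post, and not code from the server's staff): the "what do you even do first" step for a file like RPHConnect.exe, before anyone runs it, is static triage that never executes it. The script below reads a Windows PE file, prints the SHA-256/MD5 you can look up on VirusTotal without uploading anything, and walks the section table straight from the headers, flagging high-entropy sections (packed or encrypted payload), section names left behind by packers such as UPX, sections that are empty on disk but large in memory (an unpacking target), and sections marked both writable and executable. It uses only the Python standard library, so it runs offline; the two-section PE it builds for demonstration is a constructed stand-in, not the real RPHConnect.exe, and the 7.0 bits/byte entropy threshold is a rule of thumb, not a definition of malware.

```python
"""Offline static triage of a Windows PE executable.

Reads the DOS header, PE signature, COFF header and section table with
struct only (no third-party modules), reports hashes, and flags common
packing / self-modification indicators.  The sample PE at the bottom is
constructed for the demo and is not a real program.
"""
import hashlib
import math
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000      # section characteristic bits (PE/COFF spec)
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".nsp0", ".nsp1"}
ENTROPY_THRESHOLD = 7.0                 # assumption: above this, treat data as packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain x86 code is usually ~5-6.5, compressed/encrypted data ~7.5-8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_offset": rawptr, "entropy": shannon_entropy(raw),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "sections": sections}


def triage(data: bytes) -> dict:
    """Hashes plus human-readable flags; nothing here executes the file."""
    pe = parse_pe(data)
    flags = []
    for s in pe["sections"]:
        if s["raw_size"] and s["entropy"] > ENTROPY_THRESHOLD:
            flags.append(f"high entropy section {s['name']} ({s['entropy']:.2f} bits/byte): packed or encrypted payload")
        if s["name"] in PACKER_SECTION_NAMES:
            flags.append(f"section name {s['name']} is characteristic of a packer")
        if s["raw_size"] == 0 and s["virtual_size"]:
            flags.append(f"section {s['name']} is empty on disk but {s['virtual_size']} bytes in memory: unpacking target")
        if s["executable"] and s["writable"]:
            flags.append(f"section {s['name']} is W+X (writable and executable): code can rewrite itself at runtime")
    return {"sha256": hashlib.sha256(data).hexdigest(), "md5": hashlib.md5(data).hexdigest(), **pe, "flags": flags}


def build_sample_pe() -> bytes:
    """Constructed PE32+ image: a low-entropy .text section and a UPX-style W+X section."""
    e_lfanew, opt_size, file_align = 0x40, 240, 512
    text = bytes(range(16)) * 64                 # 1024 bytes, entropy exactly 4.0
    packed = bytes(range(256)) * 8               # 2048 bytes, entropy exactly 8.0
    specs = [(b".text", text, IMAGE_SCN_MEM_EXECUTE),
             (b"UPX1", packed, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)]
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(specs)
    raw_ptr = (hdr_end + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(specs), 1_700_000_000, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    table, body, vaddr = b"", b"", 0x1000
    for name, blob, flags in specs:
        table += struct.pack("<8sIIIIIIHHI", name, len(blob), vaddr, len(blob), raw_ptr + len(body), 0, 0, 0, 0, flags)
        body += blob
        vaddr += 0x1000
    header = dos + b"PE\0\0" + coff + opt + table
    return header + b"\0" * (raw_ptr - len(header)) + body


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(triage(blob), indent=2))
```

Run it as `python triage.py RPHConnect.exe` on the real file (with no argument it triages the constructed sample). A packed section is not proof of anything bad, since plenty of legitimate launchers ship UPX-compressed, but it does mean the strings and imports you would normally inspect are hidden until the program unpacks itself, which is exactly the point at which it belongs in a disposable VM with process and network logging rather than on the machine you care about.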