http://bugs.winehq.org/show_bug.cgi?id=8178
--- Comment #26 from Anastasius Focht focht@gmx.net 2011-05-22 12:26:35 CDT ---

Hello,
--- quote ---
What's in that .exe? I'm tempted to delete it, since it's not clear what's in it, and you didn't describe it at all.
--- quote ---
that binary is a compiled (password protected) AutoIt script.
AV scanners can't really decompile these scripts, hence some flag them as "trojan" as a precaution:
http://www.autoitscript.com/forum/topic/34658-are-my-autoit-exes-really-infe...
Raw scan (not unpacked):
http://www.virustotal.com/file-scan/report.html?id=9b47462b62f7a094fdab42b9f...
Interestingly when I manually unpacked the thing (UPX) it gave less hits:
http://www.virustotal.com/file-scan/report.html?id=50815f7712bbbaf7dfccdca83...
Now to the real thing ... it looks to me like a script someone made to create an inventory of Windows PCs.
1. if no parameters given -> do nothing -> exit
2. when given a "zone" command line parameter: map a Windows file server network share from Universitat de Barcelona (Spain) with hard-coded credentials (that's what I got from following DNS info)
3. run an executable from that share (from the name it looks like some kind of inventory tool)
4. wait for some specific process to exit (probably a sub-process spawned from the initial agent process).
5. write a file back to a specific share location (probably inventory list)
6. *boom* ... hehe no, just exit
Depending on the remote binaries it executes it _might_ be harmful or legitimate. I did not exploit the credentials to fetch the remote binaries ...
It should be deleted anyway.
Regards