Can Malware Run itself without being executed?

Andrew999
Thread author
Dec 17, 2014
Hi, I downloaded some malware samples from the MalwareHub, disabled the real-time protection of Emsisoft and left the Behavior Blocker running. It popped up with something saying "This program tried to execute itself", so I quarantined it. I was wondering: can malware execute itself without you clicking on it? Luckily I have Emsisoft, which has a good behavior blocker.
 
Hi, I downloaded some malware samples from the MalwareHub, disabled the real-time protection of Emsisoft and left the Behavior Blocker running. It popped up with something saying "This program tried to execute itself", so I quarantined it. I was wondering: can malware execute itself without you clicking on it? Luckily I have Emsisoft, which has a good behavior blocker.
Generally not!
However, it can if you visit an infected site containing a Java exploit etc.!
What file are you referring to from the MalwareHub?
 
Generally not!
However, it can if you visit an infected site containing a Java exploit etc.!
What file are you referring to from the MalwareHub?
I can't remember; it was about a week ago. Also, today I got another popup: it said it blocked a file from Temp/Svchost.exe.
 
Hi, I downloaded some malware samples from the MalwareHub, disabled the real-time protection of Emsisoft and left the Behavior Blocker running. It popped up with something saying "This program tried to execute itself", so I quarantined it. I was wondering: can malware execute itself without you clicking on it? Luckily I have Emsisoft, which has a good behavior blocker.

As a courtesy you should identify the sample yourself - and then ask an advanced user, like @Klipsh, to make an investigation of it.

I'm not giving you a hard time nor criticizing you in any way - I'm just pointing out that it is not proper etiquette to expect someone else to track down a sample.

Besides, it can be any number of things - so - it is best to have the suspected file identified and available for analysis - because that is what you are asking to be done.
 
Hi, I downloaded some malware samples from the MalwareHub, disabled the real-time protection of Emsisoft and left the Behavior Blocker running. It popped up with something saying "This program tried to execute itself", so I quarantined it. I was wondering: can malware execute itself without you clicking on it? Luckily I have Emsisoft, which has a good behavior blocker.

Asking about this after-the-fact makes this all mere speculation as to what happened, how it happened and why it happened.

Emsi detected something via behavior blocker - but knowing how it works - it could be a "false" alert or something more sinister.

Emsi behavior blocker doesn't discriminate between legitimate and malicious action - it just detects and notifies.

If you quarantined it @Andrew999, is it still in quarantine? If yes, then the file can be recovered and submitted for analysis.
 
We're talking about code here; anything is possible, therefore I wouldn't be surprised if it can be automated. All it has to do is sync up with your clock/system time or have an internal countdown function and bye bye. To say otherwise is to mistake this security forum for one about pots and plants.
That is a possibility, however the malware needs to "execute" or "autorun", such as from a USB, or from visiting an infected site, with a Java drive-by for example! Or an infected Word document or other file from an email attachment!
There is no way that a piece of malware can infect without some sort of user interaction, which includes visiting malicious sites, autorun on removable media enabled etc. etc.!!
Even Stuxnet needed autorun.inf enabled to infect Iran's computers!!
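The removable-media autorun vector discussed in the reply above is something a defender can check directly on a Windows host. The PowerShell below is an added example, not code from the thread or from any product named in it: it reads the NoDriveTypeAutoRun policy value from both the machine and user policy keys and reports, per drive type, whether AutoRun is disabled. The function names and the report layout are my own; the bit meanings and the 0x91 default are Microsoft's documented values. Note that since Microsoft's 2011 AutoRun update, autorun.inf is honored only for optical media, so on a patched system the removable-drive bit is defence in depth rather than the only barrier.

```powershell
# Added example (not from the thread): report whether AutoRun is disabled per drive type.
# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type:
#   0x01 unknown  0x04 removable  0x08 fixed  0x10 network  0x20 CD-ROM  0x40 RAM disk  0x80 reserved
# 0xFF disables AutoRun everywhere; Windows' built-in default when the value is absent is 0x91.
function Get-AutoRunPolicy {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine-wide policy
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # per-user policy
    )
    foreach ($key in $keys) {
        $value = $null
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
            if ($item) { $value = [int]$item.NoDriveTypeAutoRun }
        }
        # When the value is absent, Windows behaves as if it were 0x91.
        $effective = if ($null -eq $value) { 0x91 } else { $value }
        [pscustomobject]@{
            Hive              = $key.Split(':')[0]
            ValueSet          = ($null -ne $value)
            Effective         = ('0x{0:X2}' -f $effective)
            RemovableDisabled = (($effective -band 0x04) -ne 0)
            CdRomDisabled     = (($effective -band 0x20) -ne 0)
            AllDisabled       = (($effective -band 0xFF) -eq 0xFF)
        }
    }
}

# Print the per-hive report and return $true only if every hive disables AutoRun for all drive types.
function Test-AutoRunFullyDisabled {
    $report = Get-AutoRunPolicy
    $report | Format-Table -AutoSize | Out-String | Write-Host
    -not ($report | Where-Object { -not $_.AllDisabled })
}

Test-AutoRunFullyDisabled
```

A machine-wide policy (HKLM) takes precedence over the per-user one, so a hardened host normally shows 0xFF under HKLM; the HKCU row is reported because a user-level value is what a local script would be able to change.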
 
Asking about this after-the-fact makes this all mere speculation as to what happened, how it happened and why it happened.

Emsi detected something via behavior blocker - but knowing how it works - it could be a "false" alert or something more sinister.

Emsi behavior blocker doesn't discriminate between legitimate and malicious action - it just detects and notifies.

If you quarantined it @Andrew999, is it still in quarantine? If yes, then the file can be recovered and submitted for analysis.
I clear out my Quarantine regularly so sorry it is gone.
 
I clear out my Quarantine regularly so sorry it is gone.

For future reference, you can keep quarantined files; they cannot harm your computer. They are either encrypted and/or made inert by changing the file type extension.

Emsisoft will rescan quarantined items and will alert you if one is determined to be a false positive. Sometimes it might take weeks until a final determination is made. ;)
 
Hi, I downloaded some malware samples from the MalwareHub, disabled the real-time protection of Emsisoft and left the Behavior Blocker running. It popped up with something saying "This program tried to execute itself", so I quarantined it. I was wondering: can malware execute itself without you clicking on it? Luckily I have Emsisoft, which has a good behavior blocker.

I think a virus and a worm can be executed without being clicked.
Others, I'm not sure.
 
Most if not all malware from the MalwareHub has to be executed to damage any system; why you got a detection would probably be because you extracted the malware from a zip file and didn't totally deactivate all protection, including the BB. It is highly unlikely for malware to run itself, especially coming from a zipped folder.
 
One of the few pieces of malware that might "auto-start itself" in a real scenario is an MBR rootkit that copies its code into the boot sector.
If the infection is through a code injection using a website exploit, the human interaction is minimal, but it still must be indirectly present the first time.
 
You can try scanning with the security products which detected the samples or their payloads, e.g. the Bitdefender or ESET online scanner, just to be sure. Most likely it is a false positive. Usually, malware requires some kind of user input and later it may add autostart entries, but the first thing an external binary must encounter is the UAC, unless it is some browser script/injection.
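The reply above notes that malware which did get launched tends to add autostart entries, and an earlier post in the thread mentions a blocked "Temp/Svchost.exe"; both are things a defender can look for directly. The PowerShell below is an added example and not code from the thread or from Emsisoft: it enumerates the Run/RunOnce autostart keys for the machine and the current user, flags entries whose command resolves into a user-writable location such as %TEMP% or AppData, and lists any svchost.exe process that is not running from System32. The function names and the list of user-writable folders are my own choices, not a vendor's.

```powershell
# Added example (not from the thread): triage autostart entries and svchost.exe locations.
function Get-SuspiciousAutostarts {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Folders an unprivileged process can write to; autostarts pointing here deserve a look.
    $userWritable = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA,
                      "$env:USERPROFILE\Downloads", $env:PUBLIC)

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }      # skip PSPath/PSParentPath/... provider metadata
            $cmd      = [string]$props.$name
            $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
            $hit      = $userWritable | Where-Object { $_ -and ($expanded -like "*$_*") }
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Suspicious = [bool]$hit
            }
        }
    }
}

# The real service host lives in %SystemRoot%\System32; one started from anywhere else is a lead.
function Get-MisplacedSvchost {
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and -not $_.Path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase) } |
        Select-Object Id, Path, StartTime
}

Get-SuspiciousAutostarts | Where-Object Suspicious | Format-Table -AutoSize
Get-MisplacedSvchost | Format-Table -AutoSize
```

Run it from an elevated PowerShell, otherwise the Path of SYSTEM-owned svchost processes is unreadable and they are skipped. Flagged autostart entries are leads rather than verdicts: some legitimate updaters install themselves under AppData, so the next step is to identify the file (hash, signature, vendor) and, as earlier replies suggest, keep it in quarantine and submit it rather than deleting it.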
 