[[analysis:norman:0b258b7acee3eccbd9c5b67213c2abfb]]
 
Trace: home » analysis » norman » 0b258b7acee3eccbd9c5b67213c2abfb 
Norman Scanner Engine 5.83.  2
Sandbox 05.83, dated 15/08-2005

Your message ID (for later reference): 20050918-620

nepenthes-0b258b7acee3eccbd9c5b67213c2abfb-SUCHOST.EXE : [SANDBOX] contains a security risk - W32/Malware (Signature: W32/Spybot.GRO)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length:       309760 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\SUCHOST.EXE.
    * Deletes file 1.

 [ Changes to registry ]
    * Creates value "Automatic Microsoft Windows Updater"="SUCHOST.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "Automatic Microsoft Windows Updater"="SUCHOST.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Creates value "Automatic Microsoft Windows Updater"="SUCHOST.EXE" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "ctgbn.stellaremperor.com" on port 32440 (TCP).
    * Connects to IRC Server.

 [ Security issues ]
    * Possible backdoor functionality [Authenticate] port 113.

 [ Process/window information ]
    * Creates a mutex [CTGv5].
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 18.Sep 2005 at 16.59 - processed 18.Sep 2005 at 17.06.
 
analysis/norman/0b258b7acee3eccbd9c5b67213c2abfb.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki