analysis:norman:12272d7cd98a4b4decbdfb1f32698961 [Nepenthes - finest collection -]

Norman Scanner Engine 5.83.  7
Sandbox 05.83, dated 27/09-2005

Your message ID (for later reference): 20051028-081

nepenthes-12272d7cd98a4b4decbdfb1f32698961-sound.exe : [SANDBOX] contains a security risk - W32/Spybot.gen3 (Signature: NO_VIRUS)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * **Locates window "NULL [class mIRC]" on desktop.
    * File length:       177664 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\sound.exe.
    * Deletes file 1.

 [ Changes to registry ]
    * Creates value "sound driver"="sound.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "sound driver"="sound.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Creates value "sound driver"="sound.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "bawtz.n00bs.org" on port 6667 (TCP).
    * Connects to IRC server.
    * IRC: Uses nickname sound-|-80340.
    * IRC: Uses username ezkieya.
    * IRC: Joins channel ###@### with password 0wn3dn1qqa.
    * IRC: Sets the usermode for user sound-|-80340 to -x.

 [ Security issues ]
    * Possible backdoor functionality [Authenticate] port 113.

 [ Process/window information ]
    * Creates a mutex sound.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 28.Oct 2005 at 13.07 - processed 28.Oct 2005 at 13.43.
nepenthes

Development

Scene

Service

Misc
