[[analysis:norman:1e7ad998a68fbdb0e11916d67e9d74c0]]
 
Trace: home » analysis » norman » 1e7ad998a68fbdb0e11916d67e9d74c0 
Norman Scanner Engine 5.83.  2
Sandbox 05.83, dated 20/05-2005

Your message ID (for later reference): 20050814-494

nepenthes-1e7ad998a68fbdb0e11916d67e9d74c0-bar : [SANDBOX] contains a security risk - W32/Malware (Signature: Gobot.A)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length:        44405 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\uSGdj341.exe.

 [ Changes to registry ]
    * Creates value "CTRL"="C:\WINDOWS\uSGdj341.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "98.203.1.174" on port 3127 (IP).

 [ Security issues ]
    * Possible backdoor functionality [Authenticate] port 113.
    * Uses common backdoor to infect remote system(s).

 [ Process/window information ]
    * Creates a mutex GhostBOT0.58e.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 14.Aug 2005 at 21.03 - processed 15.Aug 2005 at 09.18.
 
analysis/norman/1e7ad998a68fbdb0e11916d67e9d74c0.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki