[[analysis:norman:2eb47bf8392d1202e824239f6de07e90]]
 
Trace: home » analysis » norman » 2eb47bf8392d1202e824239f6de07e90 
Norman Scanner Engine 5.82.  1
Sandbox 05.82, dated 29/03-2005

Your message ID (for later reference): 20050523-562

nepenthes-2eb47bf8392d1202e824239f6de07e90- : [SANDBOX] contains a security risk - W32/Backdoor (Signature: W32/Spybot.JWM)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * **Locates window "NULL [class mIRC]" on desktop.
    * File length:        94208 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\xagwxz.exe.
    * Deletes file 1.

 [ Changes to registry ]
    * Creates value "DoS 0WN3D YOU"="xagwxz.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "DoS 0WN3D YOU"="xagwxz.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Creates value "DoS 0WN3D YOU"="xagwxz.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "botnet.heyboy.org" on port 6667 (TCP).
    * Connects to IRC server.
    * IRC: Uses nickname ezkieyacag.
    * IRC: Uses username ezkieyacag.
    * IRC: Joins channel #heyboy with password heyboy.

 [ Security issues ]
    * Possible backdoor functionality [Authenticate] port 113.

 [ Process/window information ]
    * Creates a mutex asd.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 23.May 2005 at 17.56 - processed 23.May 2005 at 17.57.
 
analysis/norman/2eb47bf8392d1202e824239f6de07e90.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki