analysis:norman:444db5c5c39a72d78bc8c6156411479e [Nepenthes - finest collection -]

Norman Scanner Engine 5.83.  2
Sandbox 05.83, dated 20/05-2005

Your message ID (for later reference): 20050808-595

nepenthes-444db5c5c39a72d78bc8c6156411479e-svchose.exe : [SANDBOX] contains a security risk - W32/Backdoor (Signature: NO_VIRUS)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * **Locates window "NULL [class mIRC]" on desktop.
    * File length:        73216 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\svchose.exe.
    * Deletes file 1.

 [ Changes to registry ]
    * Creates value "Micrcoft Exploerer"="svchose.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "Micrcoft Exploerer"="svchose.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Creates key "HKCU\Software\Microsoft\OLE".
    * Sets value "Micrcoft Exploerer"="svchose.exe" in key "HKCU\Software\Microsoft\OLE".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "ircbot.dynu.com" on port 6667 (TCP).
    * Connects to IRC server.
    * IRC: Uses nickname |98530.
    * IRC: Uses username ktrsycz.
    * IRC: Joins channel #ao with password km5626.
    * IRC: Sets the usermode for user |98530 to +i+x.

 [ Process/window information ]
    * Creates a mutex Skerr.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 8.Aug 2005 at 16.26 - processed 8.Aug 2005 at 16.26.
nepenthes

Development

Scene

Service

Misc
