[[analysis:norman:46e9d85b95bd99af386f984ad675c4bf]]
 
Trace: home » analysis » norman » 46e9d85b95bd99af386f984ad675c4bf 
Norman Scanner Engine 5.83.  2
Sandbox 05.83, dated 17/07-2005

Your message ID (for later reference): 20050830-090

nepenthes-46e9d85b95bd99af386f984ad675c4bf-bot : [SANDBOX] contains a security risk - W32/Malware (Signature: W32/Gaobot_based.A)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File might be compressed.
    * File length:        89461 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\winIogin.exe.
    * Deletes file c:\sample.exe.

 [ Changes to registry ]
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows".
    * Sets value "DisableSR"="1" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows".
    * Creates key "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows".
    * Sets value "DisableSR"="1" in key "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows".
    * Creates key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU".
    * Sets value "NoAutoUpdate"="1" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU".
    * Sets value "AUOptions"="1" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU".
    * Creates key "HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU".
    * Sets value "NoAutoUpdate"="1" in key "HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU".
    * Sets value "AUOptions"="1" in key "HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU".
    * Modifies value "FirewallDisableNotify"="1" in key "HKLM\Software\Microsoft\Security Center".
    * Modifies value "UpdatesDisableNotify"="1" in key "HKLM\Software\Microsoft\Security Center".
    * Modifies value "AntiVirusDisableNotify"="1" in key "HKLM\Software\Microsoft\Security Center".
    * Creates key "HKCU\Software\Microsoft\Security Center".
    * Sets value "FirewallDisableNotify"="1" in key "HKCU\Software\Microsoft\Security Center".
    * Sets value "UpdatesDisableNotify"="1" in key "HKCU\Software\Microsoft\Security Center".
    * Sets value "AntiVirusDisableNotify"="1" in key "HKCU\Software\Microsoft\Security Center".
    * Sets value "restrictanonymous"="00000001" in key "HKLM\System\CurrentControlSet\Control\Lsa".
    * Sets value "AUOptions"="1" in key "HKLM\System\CurrentControlSet\Control\Lsa".
    * Creates value "Windows Login"="winIogin.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "Windows Login"="winIogin.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".

 [ Network services ]
    * Connects to "05.devoid.us" on port 7000 (TCP).
    * Sends data stream (10 bytes) to remote address "05.devoid.us", port 7000.
    * Connects to IRC Server.

 [ Security issues ]
    * Possible backdoor functionality [UNKNOWN] port 500.

 [ Process/window information ]
    * Enumerates running processes.
    * Attemps to open net.exe share c$ /delete /y.
    * Attemps to open net.exe share d$ /delete /y.
    * Attemps to open net.exe share ipc$ /delete /y.
    * Attemps to open net.exe share admin$ /delete /y.
    * Attemps to open net.exe user guest /ACTIVE:NO.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 30.Aug 2005 at 02.10 - processed 30.Aug 2005 at 02.10.
 
analysis/norman/46e9d85b95bd99af386f984ad675c4bf.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki