[[analysis:norman:6c27829c7db9c2c275b0c295fdd7adda]]
 
Trace: home » analysis » norman » 6c27829c7db9c2c275b0c295fdd7adda 
Norman Scanner Engine 5.82.  1
Sandbox 05.82, dated  2/05-2005

Your message ID (for later reference): 20050604-263

nepenthes-6c27829c7db9c2c275b0c295fdd7adda-venom.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: W32/Spybot.ALM)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * **Locates window "NULL [class mIRC]" on desktop.
    * File length:       124928 bytes.

 [ Changes to filesystem ]
    * Creates file C:\ftp32.log.
    * Creates file C:\WINDOWS\SYSTEM\sysmsvc.exe.
    * Deletes file 1.

 [ Changes to registry ]
    * Creates value "MsWindows SysDate"="sysmsvc.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "MsWindows SysDate"="sysmsvc.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Creates key "HKCU\Software\Microsoft\OLE".
    * Sets value "MsWindows SysDate"="sysmsvc.exe" in key "HKCU\Software\Microsoft\OLE".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "fear.godofthe.net" on port 8080 (TCP).

 [ Security issues ]
    * Possible backdoor functionality [Authenticate] port 113.

 [ Process/window information ]
    * Creates a mutex ad53.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 4.June 2005 at 08.55 - processed 4.June 2005 at 08.56.
 
analysis/norman/6c27829c7db9c2c275b0c295fdd7adda.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki