analysis:norman:7afd7cda9d053f3b8f671575de652d34 [Nepenthes - finest collection -]

Norman Scanner Engine 5.82.  1
Sandbox 05.82, dated 29/03-2005

Your message ID (for later reference): 20050519-744

nepenthes-7afd7cda9d053f3b8f671575de652d34- : [SANDBOX] contains a security risk - W32/Malware (Signature: W32/Spybot.JWG)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length:        85630 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\crssrs.exe.
    * Deletes file 1.

 [ Changes to registry ]
    * Creates value "SP2 Firewall/Internet Updater"="crssrs.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "SP2 Firewall/Internet Updater"="crssrs.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Creates value "SP2 Firewall/Internet Updater"="crssrs.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Sets value "restrictanonymous"="" in key "HKLM\System\CurrentControlSet\Control\Lsa".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "xdcc.mo-weed.com" on port 7000 (TCP).
    * Sends data stream (14 bytes) to remote address "xdcc.mo-weed.com", port 7000.
    * Connects to IRC Server.
    * Attempts to delete share named "IPC$" on local system.
    * Attempts to delete share named "ADMIN$" on local system.
    * Attempts to delete share named "C$" on local system.
    * Attempts to delete share named "D$" on local system.

 [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.
nepenthes

Development

Scene

Service

Misc
