[[analysis:norman:7ff709dcbb51ecd87446c772170b8a98]]
 
Trace: home » analysis » norman » 7ff709dcbb51ecd87446c772170b8a98 
Norman Scanner Engine 5.83.  2
Sandbox 05.83, dated 17/07-2005

Your message ID (for later reference): 20050903-637

nepenthes-7ff709dcbb51ecd87446c772170b8a98-svchose.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * **Locates window "NULL [class mIRC]" on desktop.
    * File length:        87552 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\svchose.exe.
    * Deletes file 1.

 [ Changes to registry ]
    * Creates value "WINDOWS UPDAET"="svchose.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "WINDOWS UPDAET"="svchose.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Creates key "HKCU\Software\Microsoft\OLE".
    * Sets value "WINDOWS UPDAET"="svchose.exe" in key "HKCU\Software\Microsoft\OLE".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "fuckrx.aswend.net" on port 2001 (TCP).
    * Connects to IRC Server.

 [ Process/window information ]
    * Creates a mutex AM.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 3.Sep 2005 at 15.12 - processed 3.Sep 2005 at 15.12.
 
analysis/norman/7ff709dcbb51ecd87446c772170b8a98.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki