Norman Scanner Engine 5.83. 10
Sandbox 05.83, dated 1/01-2006
Your message ID (for later reference): 20060210-433
nepenthes-8676210e6246948201aa014db471de90-mslaugh.exe : [SANDBOX] contains a security risk - W32/Blaster.A (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Decompressing UPX.
* File length: 6176 bytes.
[ Changes to registry ]
* Creates value "Windows Automation"="mslaugh.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Looks for an Internet connection.
* Connects to "31.108.63.1" on port 135 (IP).
* Connects to "31.108.63.2" on port 135 (IP).
* Connects to "31.108.63.3" on port 135 (IP).
* Connects to "31.108.63.4" on port 135 (IP).
* Connects to "31.108.63.5" on port 135 (IP).
* Connects to "31.108.63.6" on port 135 (IP).
* Connects to "31.108.63.7" on port 135 (IP).
* Connects to "31.108.63.8" on port 135 (IP).
* Connects to "31.108.63.9" on port 135 (IP).
* Connects to "31.108.63.10" on port 135 (IP).
* Connects to "31.108.63.11" on port 135 (IP).
* Connects to "31.108.63.12" on port 135 (IP).
* Connects to "31.108.63.13" on port 135 (IP).
* Connects to "31.108.63.14" on port 135 (IP).
* Connects to "31.108.63.15" on port 135 (IP).
* Connects to "31.108.63.16" on port 135 (IP).
* Connects to "31.108.63.17" on port 135 (IP).
* Connects to "31.108.63.18" on port 135 (IP).
* Connects to "31.108.63.19" on port 135 (IP).
* Connects to "31.108.63.20" on port 135 (IP).
* Connects to "119.211.28.139" on port 4444 (IP).
* Starts remote TFTP session.
[ Security issues ]
* Uses DCOM RPC vulnerability (MS03-026).
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Creates a mutex SILLY.
(C) 2004-2006 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.
Received 10.Feb 2006 at 08.36 - processed 10.Feb 2006 at 08.38.
