[[analysis:norman:ac623f3a6758ad678227b642dcf682a6]]
 
Trace: home » analysis » norman » ac623f3a6758ad678227b642dcf682a6 
Norman Scanner Engine 5.83.  2
Sandbox 05.83, dated 17/07-2005

Your message ID (for later reference): 20050829-362

nepenthes-ac623f3a6758ad678227b642dcf682a6-bling.exe : [SANDBOX] contains a security risk - W32/Backdoor (Signature: NO_VIRUS)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * **Locates window "NULL [class mIRC]" on desktop.
    * File length:        97280 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\xag.exe.
    * Deletes file 1.

 [ Changes to registry ]
    * Creates value "blah service"="xag.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "blah service"="xag.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Creates key "HKCU\Software\Microsoft\OLE".
    * Sets value "blah service"="xag.exe" in key "HKCU\Software\Microsoft\OLE".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "overbeat.no-ip.org" on port 6667 (TCP).
    * Connects to IRC server.
    * IRC: Uses nickname war80340.
    * IRC: Uses username ezkieya.
    * IRC: Joins channel #test with password pass.
    * IRC: Sets the usermode for user war80340 to +x.

 [ Process/window information ]
    * Creates a mutex urxbot.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 29.Aug 2005 at 10.15 - processed 29.Aug 2005 at 10.15.
 
analysis/norman/ac623f3a6758ad678227b642dcf682a6.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki