[[analysis:norman:b3be02eced909200df0856a7500b691c]]
 
Trace: home » analysis » norman » b3be02eced909200df0856a7500b691c 
Norman Scanner Engine 5.83.  2
Sandbox 05.83, dated 17/07-2005

Your message ID (for later reference): 20050904-234

nepenthes-b3be02eced909200df0856a7500b691c-bar : [SANDBOX] contains a security risk - W32/Malware (Signature: W32/Gobot.A)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * Display message box (Error) : Application attempted to read memory at 0xFFFFFFFFh!.
    * File length:        42970 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\xRn0gpVV.exe.

 [ Changes to registry ]
    * Creates value "FNRB32"="C:\WINDOWS\xRn0gpVV.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Modifies value "Dir1"="012345:C:\WINDOWS\Drivers" in key "HKCU\Software\Kazaa\LocalContent".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "193.159.249.35" on port 3127 (IP).

 [ Security issues ]
    * Uses common backdoor to infect remote system(s).

 [ Process/window information ]
    * Creates a mutex Ghost.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 4.Sep 2005 at 06.50 - processed 4.Sep 2005 at 06.51.
 
analysis/norman/b3be02eced909200df0856a7500b691c.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki