[[analysis:norman:c558703d0afd65e85a66670f55aab00f]]
 
Trace: home » analysis » norman » c558703d0afd65e85a66670f55aab00f 
Norman Scanner Engine 5.82.  1
Sandbox 05.82, dated  2/05-2005

Your message ID (for later reference): 20050607-247

nepenthes-c558703d0afd65e85a66670f55aab00f-bar : [SANDBOX] contains a security risk - W32/Backdoor (Signature: NO_VIRUS)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length:        37591 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\oHQwjTRF03qY.exe.

 [ Changes to registry ]
    * Creates value "MONITOR"="C:\WINDOWS\oHQwjTRF03qY.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

 [ Network services ]
    * Connects to "graz.at.eu.undernet.org" on port 6667 (IP).
    * Connects to IRC server.
    * IRC: Uses nickname NULL.
    * IRC: Uses username NULL.
    * IRC: Sets the usermode for user  to +i.
    * IRC: Joins channel #ssseee with password trojan.
    * IRC: Sets the channel mode for channel #ssseee to +nts.
    * IRC: Sets the channel mode for channel #ssseee to +k.
    * Looks for an Internet connection.
    * Connects to "212.113.203.1" on port 3127 (IP).

 [ Security issues ]
    * Uses common backdoor to infect remote system(s).

 [ Process/window information ]
    * Creates a mutex GhostBOT.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 7.June 2005 at 07.20 - processed 7.June 2005 at 07.21.
 
analysis/norman/c558703d0afd65e85a66670f55aab00f.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki