[[analysis:norman:d00dac2a8f2a604a0114dd0b5a9ecc83]]
 
Trace: home » analysis » norman » d00dac2a8f2a604a0114dd0b5a9ecc83 
Norman Scanner Engine 5.82.  1
Sandbox 05.82, dated 29/03-2005

Your message ID (for later reference): 20050518-337

nepenthes-d00dac2a8f2a604a0114dd0b5a9ecc83- : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length:        70656 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\msconfg.exe.

 [ Changes to registry ]
    * Creates value "Microsoft Update"="msconfg.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "Microsoft Update"="msconfg.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
    * Creates value "Microsoft Update"="msconfg.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Sets value "restrictanonymous"="" in key "HKLM\System\CurrentControlSet\Control\Lsa".

 [ Network services ]
    * Looks for an Internet connection.
    * Attempts to delete share named "C$" on local system.
    * Attempts to delete share named "D$" on local system.
    * Attempts to delete share named "IPC$" on local system.
    * Attempts to delete share named "ADMIN$" on local system.
    * Connects to "blue32.mtf8.biz" on port 5555 (TCP).

 [ Security issues ]
    * Possible backdoor functionality [Authenticate] port 113.

 [ Process/window information ]
    * Creates a mutex rx01.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.
 
analysis/norman/d00dac2a8f2a604a0114dd0b5a9ecc83.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki