Norman Scanner Engine 5.83. 7
Sandbox 05.83, dated 5/09-2005
Your message ID (for later reference): 20051013-923
nepenthes-d1ee9d2e39e06495aa8b457e3d2d75a4-enbiei.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: Blaster.F)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 11808 bytes.
[ Changes to registry ]
* Creates value "www.hidro.4t.com "="enbiei.exe " in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Looks for an Internet connection.
* Connects to "31.108.63.1" on port 135 (IP).
* Connects to "31.108.63.2" on port 135 (IP).
* Connects to "31.108.63.3" on port 135 (IP).
* Connects to "31.108.63.4" on port 135 (IP).
* Connects to "31.108.63.5" on port 135 (IP).
* Connects to "31.108.63.6" on port 135 (IP).
* Connects to "31.108.63.7" on port 135 (IP).
* Connects to "31.108.63.8" on port 135 (IP).
* Connects to "31.108.63.9" on port 135 (IP).
* Connects to "31.108.63.10" on port 135 (IP).
* Connects to "31.108.63.11" on port 135 (IP).
* Connects to "31.108.63.12" on port 135 (IP).
* Connects to "31.108.63.13" on port 135 (IP).
* Connects to "31.108.63.14" on port 135 (IP).
* Connects to "31.108.63.15" on port 135 (IP).
* Connects to "31.108.63.16" on port 135 (IP).
* Connects to "31.108.63.17" on port 135 (IP).
* Connects to "31.108.63.18" on port 135 (IP).
* Connects to "31.108.63.19" on port 135 (IP).
* Connects to "31.108.63.20" on port 135 (IP).
* Connects to "119.211.28.147" on port 4444 (IP).
* Starts remote TFTP session.
[ Security issues ]
* Uses DCOM RPC vulnerability (MS03-026).
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Creates a mutex muuie.
(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.
Received 13.Oct 2005 at 18.42 - processed 13.Oct 2005 at 18.42.
