[[analysis:norman:e928f3891fcf47a31a4baf899c6a9898]]
 
Trace: home » analysis » norman » e928f3891fcf47a31a4baf899c6a9898 
Norman Scanner Engine 5.82.  1
Sandbox 05.82, dated  2/05-2005

Your message ID (for later reference): 20050607-342

nepenthes-e928f3891fcf47a31a4baf899c6a9898-bar : [SANDBOX] contains a security risk - W32/Backdoor (Signature: NO_VIRUS)
 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length:        40240 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\Rn0gpVVMNSkavAh.exe.

 [ Changes to registry ]
    * Creates value "MCTOOL"="C:\WINDOWS\Rn0gpVVMNSkavAh.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Modifies value "Dir1"="012345:C:\WINDOWS\Drivers" in key "HKCU\Software\Kazaa\LocalContent".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "wormmez.hopto.org" on port 6667 (IP).
    * Connects to IRC server.
    * IRC: Uses nickname CurrentUser62.
    * IRC: Uses username CurrentUser62.
    * IRC: Sets the usermode for user CurrentUser62 to +i.

 [ Security issues ]
    * Possible backdoor functionality [Authenticate] port 113.

 [ Process/window information ]
    * Creates a mutex Lepanov.
    * Will automatically restart after boot (I'll be back...).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Sent by removed@email.com to sandbox.

Received 7.June 2005 at 10.24 - processed 7.June 2005 at 10.27.
 
analysis/norman/e928f3891fcf47a31a4baf899c6a9898.txt · Last modified: 2006/03/05 20:14
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki