Norman Scanner Engine 5.90. 7
Sandbox 05.90, dated 21/01-2006
Your message ID (for later reference): 20060303-1232
nepenthes-f8b6a4d8f577138098fe0ef84c0db643-NWA== : Not detected by sandbox (Signature: W32/Poebot.IA)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Creating several executable files on hard-drive.
* File length: 60928 bytes.
* MD5 hash: f8b6a4d8f577138098fe0ef84c0db643.
[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\lssas.exe.
* Creates file C:\WINDOWS\SYSTEM32\lssas.exe.
* Deletes file qlkpxmgr.bat.
* Creates file qlkpxmgr.bat.
* Deletes file smhahia.bat.
* Creates file smhahia.bat.
* Deletes file C:\WINDOWS\SYSTEM32\spooIsv.exe.
* Creates file C:\WINDOWS\SYSTEM32\spooIsv.exe.
* Deletes file aotvg.bat.
* Creates file aotvg.bat.
* Deletes file mmxfiq.bat.
* Creates file mmxfiq.bat.
[ Changes to registry ]
* Deletes value "Windows DLL Loader" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Creates a mutex 1AF5A9C700000000E678BD5439397B8A27F6334586E.
* Attemps to open qlkpxmgr.bat NULL.
* Attemps to open smhahia.bat NULL.
* Attemps to open aotvg.bat NULL.
* Attemps to open mmxfiq.bat NULL.
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\lssas.exe (60928 bytes) : no signature detection.
* qlkpxmgr.bat (124 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\spooIsv.exe (60928 bytes) : no signature detection.
Sent by removed@email.com to sandbox.
Received 3.Mar 2006 at 17.33 - processed 3.Mar 2006 at 20.29.