Message-ID: <78744869705CEF41A32C103C5C04F2200163A6C8@phxexc1.dswa.net>
Date: Tue Oct  4 23:04:37 2005
From: ccarpenter at dswa.net (Christopher Carpenter)
Subject: http://molecularmultimedia.com/ 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
yorn@...ernmentsecurity.org
Sent: Tuesday, October 04, 2005 10:52 AM
To: full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] http://molecularmultimedia.com/

http://molecularmultimedia.com/x.chm

x.chm contains money.exe (needs to be added to virusscanners)

I don't have time to analyze the file, but it is attached here in a zip
file. Password to extract is 'money'. Anyone want to run some analysis?


<snip>

From VirusTotal.com:

Antivirus	Version	Update	Result
AntiVir	6.32.0.6	10.04.2005	no virus found
Avast	4.6.695.0	09.30.2005	no virus found
AVG	718	10.04.2005	no virus found
Avira	6.32.0.6	10.04.2005	no virus found
BitDefender	7.2	10.04.2005	BehavesLike:Trojan.FirewallBypass
CAT-QuickHeal	8.00	10.04.2005	(Suspicious) - DNAScan
ClamAV	devel-20050917	10.04.2005	no virus found
DrWeb	4.32b	10.02.2005	no virus found
eTrust-Iris	7.1.194.0	10.04.2005	no virus found
eTrust-Vet	11.9.1.0	10.04.2005	no virus found
Fortinet	2.48.0.0	10.04.2005	BDoor.BAC-bdr
F-Prot	3.16c	10.04.2005	no virus found
Ikarus	0.2.59.0	10.04.2005	no virus found
Kaspersky	4.0.2.24	10.04.2005	Trojan-Proxy.Win32.Agent.gx
McAfee	4596	10.04.2005	BackDoor-BAC.dr
NOD32v2	1.1241	10.04.2005	no virus found
Norman	5.70.10	10.04.2005	no virus found
Panda	8.02.00	10.04.2005	no virus found
Sophos	3.98.0	10.04.2005	no virus found
Symantec	8.0	10.04.2005	Backdoor.Haxdoor.F
TheHacker	5.8.2.117	10.03.2005	no virus found
VBA32	3.10.4	10.04.2005	Trojan-Proxy.Win32.Agent.gx

From the Norman Sandbox:

Norman Scanner Engine 5.83.  7
Sandbox 05.83, dated 27/08-2005

Your message ID (for later reference): 20051005-004

money.exe : Not detected by sandbox (Signature: NO_VIRUS)

 [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@...MAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length:         8605 bytes.

 [ Changes to filesystem ]
    * Creates file sksdll.dll.
    * Creates file sksdrvr2.sys.

 [ Changes to registry ]
    * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "DllName"="sksdll.dll" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "Startup"="sksdll" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "Impersonate"=" " in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "Asynchronous"=" " in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "MaxWait"=" " in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Creates key "HKLM\System\CurrentControlSet\Services\sksdrvr2".
    * Sets value "ImagePath"="sksdrvr2.sys" in key "HKLM\System\CurrentControlSet\Services\sksdrvr2".
    * Sets value "DisplayName"="USB sksDRVR2" in key "HKLM\System\CurrentControlSet\Services\sksdrvr2".

 [ Process/window information ]
    * Creates service "sksdrvr2 (USB sksDRVR2)" as "sksdrvr2.sys".


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information
source only.

Sent by ccarpenter@...a.net to sandbox.
Received 5.Oct 2005 at 00.03 - processed 5.Oct 2005 at 00.03.
