[<prev] [next>] [day] [month] [year] [list]
Message-ID: <78744869705CEF41A32C103C5C04F2200163A6C8@phxexc1.dswa.net>
Date: Tue Oct 4 23:04:37 2005
From: ccarpenter at dswa.net (Christopher Carpenter)
Subject: http://molecularmultimedia.com/
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
yorn@...ernmentsecurity.org
Sent: Tuesday, October 04, 2005 10:52 AM
To: full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] http://molecularmultimedia.com/
http://molecularmultimedia.com/x.chm
x.chm contains money.exe (needs to be added to virusscanners)
I don't have time to analyze the file, but it is attached here in a zip
file. Password to extract is 'money'. Anyone want to run some analysis?
<snip>
>From VirusTotal.com:
Antivirus Version Update Result
AntiVir 6.32.0.6 10.04.2005 no virus found
Avast 4.6.695.0 09.30.2005 no virus found
AVG 718 10.04.2005 no virus found
Avira 6.32.0.6 10.04.2005 no virus found
BitDefender 7.2 10.04.2005
BehavesLike:Trojan.FirewallBypass
CAT-QuickHeal 8.00 10.04.2005 (Suspicious) - DNAScan
ClamAV devel-20050917 10.04.2005 no virus found
DrWeb 4.32b 10.02.2005 no virus found
eTrust-Iris 7.1.194.0 10.04.2005 no virus found
eTrust-Vet 11.9.1.0 10.04.2005 no virus found
Fortinet 2.48.0.0 10.04.2005 BDoor.BAC-bdr
F-Prot 3.16c 10.04.2005 no virus found
Ikarus 0.2.59.0 10.04.2005 no virus found
Kaspersky 4.0.2.24 10.04.2005
Trojan-Proxy.Win32.Agent.gx
McAfee 4596 10.04.2005 BackDoor-BAC.dr
NOD32v2 1.1241 10.04.2005 no virus found
Norman 5.70.10 10.04.2005 no virus found
Panda 8.02.00 10.04.2005 no virus found
Sophos 3.98.0 10.04.2005 no virus found
Symantec 8.0 10.04.2005 Backdoor.Haxdoor.F
TheHacker 5.8.2.117 10.03.2005 no virus found
VBA32 3.10.4 10.04.2005 Trojan-Proxy.Win32.Agent.gx
>From the Norman Sandbox:
Norman Scanner Engine 5.83. 7
Sandbox 05.83, dated 27/08-2005
Your message ID (for later reference): 20051005-004
money.exe : Not detected by sandbox (Signature: NO_VIRUS) [ General
information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@...MAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 8605 bytes.
[ Changes to filesystem ]
* Creates file sksdll.dll.
* Creates file sksdrvr2.sys.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
* Sets value "DllName"="sksdll.dll" in key
"HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
* Sets value "Startup"="sksdll" in key
"HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
* Sets value "Impersonate"=" " in key
"HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
* Sets value "Asynchronous"=" " in key
"HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
* Sets value "MaxWait"=" " in key "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
* Creates key "HKLM\System\CurrentControlSet\Services\sksdrvr2".
* Sets value "ImagePath"="sksdrvr2.sys" in key
"HKLM\System\CurrentControlSet\Services\sksdrvr2".
* Sets value "DisplayName"="USB sksDRVR2" in key
"HKLM\System\CurrentControlSet\Services\sksdrvr2".
[ Process/window information ]
* Creates service "sksdrvr2 (USB sksDRVR2)" as "sksdrvr2.sys".
(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information
source only.
Sent by ccarpenter@...a.net to sandbox.
Received 5.Oct 2005 at 00.03 - processed 5.Oct 2005 at 00.03.
Powered by blists - more mailing lists