lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue Oct 4 23:04:37 2005 From: ccarpenter at dswa.net (Christopher Carpenter) Subject: http://molecularmultimedia.com/ -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of yorn@...ernmentsecurity.org Sent: Tuesday, October 04, 2005 10:52 AM To: full-disclosure@...ts.grok.org.uk Subject: RE: [Full-disclosure] http://molecularmultimedia.com/ http://molecularmultimedia.com/x.chm x.chm contains money.exe (needs to be added to virusscanners) I don't have time to analyze the file, but it is attached here in a zip file. Password to extract is 'money'. Anyone want to run some analysis? <snip> >From VirusTotal.com: Antivirus Version Update Result AntiVir 6.32.0.6 10.04.2005 no virus found Avast 4.6.695.0 09.30.2005 no virus found AVG 718 10.04.2005 no virus found Avira 6.32.0.6 10.04.2005 no virus found BitDefender 7.2 10.04.2005 BehavesLike:Trojan.FirewallBypass CAT-QuickHeal 8.00 10.04.2005 (Suspicious) - DNAScan ClamAV devel-20050917 10.04.2005 no virus found DrWeb 4.32b 10.02.2005 no virus found eTrust-Iris 7.1.194.0 10.04.2005 no virus found eTrust-Vet 11.9.1.0 10.04.2005 no virus found Fortinet 2.48.0.0 10.04.2005 BDoor.BAC-bdr F-Prot 3.16c 10.04.2005 no virus found Ikarus 0.2.59.0 10.04.2005 no virus found Kaspersky 4.0.2.24 10.04.2005 Trojan-Proxy.Win32.Agent.gx McAfee 4596 10.04.2005 BackDoor-BAC.dr NOD32v2 1.1241 10.04.2005 no virus found Norman 5.70.10 10.04.2005 no virus found Panda 8.02.00 10.04.2005 no virus found Sophos 3.98.0 10.04.2005 no virus found Symantec 8.0 10.04.2005 Backdoor.Haxdoor.F TheHacker 5.8.2.117 10.03.2005 no virus found VBA32 3.10.4 10.04.2005 Trojan-Proxy.Win32.Agent.gx >From the Norman Sandbox: Norman Scanner Engine 5.83. 7 Sandbox 05.83, dated 27/08-2005 Your message ID (for later reference): 20051005-004 money.exe : Not detected by sandbox (Signature: NO_VIRUS) [ General information ] * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@...MAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**. * File length: 8605 bytes. [ Changes to filesystem ] * Creates file sksdll.dll. * Creates file sksdrvr2.sys. [ Changes to registry ] * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll". * Sets value "DllName"="sksdll.dll" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll". * Sets value "Startup"="sksdll" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll". * Sets value "Impersonate"=" " in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll". * Sets value "Asynchronous"=" " in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll". * Sets value "MaxWait"=" " in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll". * Creates key "HKLM\System\CurrentControlSet\Services\sksdrvr2". * Sets value "ImagePath"="sksdrvr2.sys" in key "HKLM\System\CurrentControlSet\Services\sksdrvr2". * Sets value "DisplayName"="USB sksDRVR2" in key "HKLM\System\CurrentControlSet\Services\sksdrvr2". [ Process/window information ] * Creates service "sksdrvr2 (USB sksDRVR2)" as "sksdrvr2.sys". (C) 2004 Norman ASA. All Rights Reserved. The material presented is distributed by Norman ASA as an information source only. Sent by ccarpenter@...a.net to sandbox. Received 5.Oct 2005 at 00.03 - processed 5.Oct 2005 at 00.03.
Powered by blists - more mailing lists