Full Disclosure mailing list archives
RE: http://molecularmultimedia.com/
From: "Christopher Carpenter" <ccarpenter () dswa net>
Date: Tue, 4 Oct 2005 15:04:27 -0700
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of yorn () governmentsecurity org
Sent: Tuesday, October 04, 2005 10:52 AM
To: full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] http://molecularmultimedia.com/

http://molecularmultimedia.com/x.chm

x.chm contains money.exe (needs to be added to virusscanners)

I don't have time to analyze the file, but it is attached here in a zip file. Password to extract is 'money'. Anyone want to run some analysis?

<snip>
From VirusTotal.com:
Antivirus      Version         Update      Result
AntiVir        6.32.0.6        10.04.2005  no virus found
Avast          4.6.695.0       09.30.2005  no virus found
AVG            718             10.04.2005  no virus found
Avira          6.32.0.6        10.04.2005  no virus found
BitDefender    7.2             10.04.2005  BehavesLike:Trojan.FirewallBypass
CAT-QuickHeal  8.00            10.04.2005  (Suspicious) - DNAScan
ClamAV         devel-20050917  10.04.2005  no virus found
DrWeb          4.32b           10.02.2005  no virus found
eTrust-Iris    7.1.194.0       10.04.2005  no virus found
eTrust-Vet     11.9.1.0        10.04.2005  no virus found
Fortinet       2.48.0.0        10.04.2005  BDoor.BAC-bdr
F-Prot         3.16c           10.04.2005  no virus found
Ikarus         0.2.59.0        10.04.2005  no virus found
Kaspersky      4.0.2.24        10.04.2005  Trojan-Proxy.Win32.Agent.gx
McAfee         4596            10.04.2005  BackDoor-BAC.dr
NOD32v2        1.1241          10.04.2005  no virus found
Norman         5.70.10         10.04.2005  no virus found
Panda          8.02.00         10.04.2005  no virus found
Sophos         3.98.0          10.04.2005  no virus found
Symantec       8.0             10.04.2005  Backdoor.Haxdoor.F
TheHacker      5.8.2.117       10.03.2005  no virus found
VBA32          3.10.4          10.04.2005  Trojan-Proxy.Win32.Agent.gx
From the Norman Sandbox:
Norman Scanner Engine 5.83. 7
Sandbox 05.83, dated 27/08-2005
Your message ID (for later reference): 20051005-004

money.exe : Not detected by sandbox (Signature: NO_VIRUS)

[ General information ]
 * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS () NORMAN NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
 * File length: 8605 bytes.

[ Changes to filesystem ]
 * Creates file sksdll.dll.
 * Creates file sksdrvr2.sys.

[ Changes to registry ]
 * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
 * Sets value "DllName"="sksdll.dll" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
 * Sets value "Startup"="sksdll" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
 * Sets value "Impersonate"=" " in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
 * Sets value "Asynchronous"=" " in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
 * Sets value "MaxWait"=" " in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll".
 * Creates key "HKLM\System\CurrentControlSet\Services\sksdrvr2".
 * Sets value "ImagePath"="sksdrvr2.sys" in key "HKLM\System\CurrentControlSet\Services\sksdrvr2".
 * Sets value "DisplayName"="USB sksDRVR2" in key "HKLM\System\CurrentControlSet\Services\sksdrvr2".

[ Process/window information ]
 * Creates service "sksdrvr2 (USB sksDRVR2)" as "sksdrvr2.sys".

(C) 2004 Norman ASA. All Rights Reserved. The material presented is distributed by Norman ASA as an information source only.

Sent by ccarpenter () dswa net to sandbox. Received 5.Oct 2005 at 00.03 - processed 5.Oct 2005 at 00.03.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/