Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: http://molecularmultimedia.com/
From: "Christopher Carpenter" <ccarpenter () dswa net>
Date: Tue, 4 Oct 2005 15:04:27 -0700

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
yorn () governmentsecurity org
Sent: Tuesday, October 04, 2005 10:52 AM
To: full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] http://molecularmultimedia.com/

http://molecularmultimedia.com/x.chm

x.chm contains money.exe (needs to be added to virusscanners)

I don't have time to analyze the file, but it is attached here in a zip
file. Password to extract is 'money'. Anyone want to run some analysis?


<snip>

From VirusTotal.com:

Antivirus       Version Update  Result
AntiVir 6.32.0.6        10.04.2005      no virus found
Avast   4.6.695.0       09.30.2005      no virus found
AVG     718     10.04.2005      no virus found
Avira   6.32.0.6        10.04.2005      no virus found
BitDefender     7.2     10.04.2005
BehavesLike:Trojan.FirewallBypass
CAT-QuickHeal   8.00    10.04.2005      (Suspicious) - DNAScan
ClamAV  devel-20050917  10.04.2005      no virus found
DrWeb   4.32b   10.02.2005      no virus found
eTrust-Iris     7.1.194.0       10.04.2005      no virus found
eTrust-Vet      11.9.1.0        10.04.2005      no virus found
Fortinet        2.48.0.0        10.04.2005      BDoor.BAC-bdr
F-Prot  3.16c   10.04.2005      no virus found
Ikarus  0.2.59.0        10.04.2005      no virus found
Kaspersky       4.0.2.24        10.04.2005
Trojan-Proxy.Win32.Agent.gx
McAfee  4596    10.04.2005      BackDoor-BAC.dr
NOD32v2 1.1241  10.04.2005      no virus found
Norman  5.70.10 10.04.2005      no virus found
Panda   8.02.00 10.04.2005      no virus found
Sophos  3.98.0  10.04.2005      no virus found
Symantec        8.0     10.04.2005      Backdoor.Haxdoor.F
TheHacker       5.8.2.117       10.03.2005      no virus found
VBA32   3.10.4  10.04.2005      Trojan-Proxy.Win32.Agent.gx

From the Norman Sandbox:

Norman Scanner Engine 5.83.  7
Sandbox 05.83, dated 27/08-2005

Your message ID (for later reference): 20051005-004

money.exe : Not detected by sandbox (Signature: NO_VIRUS)  [ General
information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS () NORMAN NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length:         8605 bytes.

 [ Changes to filesystem ]
    * Creates file sksdll.dll.
    * Creates file sksdrvr2.sys.

 [ Changes to registry ]
    * Creates key "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "DllName"="sksdll.dll" in key
"HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "Startup"="sksdll" in key
"HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "Impersonate"=" " in key
"HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "Asynchronous"=" " in key
"HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Sets value "MaxWait"=" " in key "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sksdll".
    * Creates key "HKLM\System\CurrentControlSet\Services\sksdrvr2".
    * Sets value "ImagePath"="sksdrvr2.sys" in key
"HKLM\System\CurrentControlSet\Services\sksdrvr2".
    * Sets value "DisplayName"="USB sksDRVR2" in key
"HKLM\System\CurrentControlSet\Services\sksdrvr2".

 [ Process/window information ]
    * Creates service "sksdrvr2 (USB sksDRVR2)" as "sksdrvr2.sys".


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information
source only.

Sent by ccarpenter () dswa net to sandbox.
Received 5.Oct 2005 at 00.03 - processed 5.Oct 2005 at 00.03.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]