Wilders Security Forums  
  #26  
Old February 13th, 2005, 12:47 PM
izi
Re: Norman's Sandbox

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050213-308

readme.htm .pif : [SANDBOX] infected with unknown worm - W32/P2PWorm (Signature: MyDoom.A@mm)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 22528 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\shimgapi.dll.
* Creates file C:\WINDOWS\TEMP\Message.
* Creates file C:\WINDOWS\SYSTEM\taskmon.exe.
* Deletes file C:\WINDOWS\SYSTEM\taskmon.exe.
* Creates file C:\Progra~1\Kazaa\Myshar~1\activation_crack.pif.

[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version".
* Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version".
* Creates value "TaskMon"="C:\WINDOWS\SYSTEM\taskmon.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Spreading through P2P networks ]
* P2P worm; drops files in P2P upload/download directory.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
  #27  
Old February 13th, 2005, 12:48 PM
izi
Re: Norman's Sandbox

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050213-309

topseller.doc.scr : [SANDBOX] infected with unknown worm - W32/EMailWorm (Signature: Netsky.B@mm)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Display message box (Error) : The file could not be opened!.
* File length: 22016 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\services.exe.

[ Changes to registry ]
* Creates value "service"="C:\WINDOWS\services.exe -serv" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Taskmon" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Taskmon" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Explorer" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Explorer" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "KasperskyAv" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "system." in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "system." in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".

[ Network services ]
* Looks for an Internet connection.
* Connects to "CONFIGURED_DNS" on port 53 (IP).
* Connects to "mailin-02.mx.bergen.net" on port 25 (TCP).
* **Connects SMTP server.

[ Network ]
* **Uses IPHLPAPI services.

[ Spreading through EMail ]
* To : <hanne.jensen@bergen.net>.
* From : skynet@skynet.de.
* Subject: unknown.
* Mass-mailer; spreads through SMTP.

[ Process/window information ]
* Creates a mutex AdmSkynetJklS003.
* Will automatically restart after boot (I'll be back...).
  #28  
Old February 13th, 2005, 12:51 PM
izi
Re: Norman's Sandbox

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050213-313

Surprise.exe : [SANDBOX] infected with unknown worm - W32/P2PWorm (Signature: Zafi.B@mm)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 12800 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\fxowsrwn.exe.
* Creates file C:\WINDOWS\SYSTEM\phwzrymn.dll.
* Creates file C:\WINDOWS\SYSTEM\bnydwnsh.dll.
* Creates file C:\WINDOWS\SYSTEM\eujczorl.dll.
* Creates file C:\WINDOWS\SYSTEM\voealgzk.dll.
* Creates file C:\WINDOWS\SYSTEM\yyxwgtry.dll.
* Creates file C:\WINDOWS\SYSTEM\cuppnbqb.dll.
* Creates file C:\WINDOWS\SYSTEM\tsujssht.dll.
* Creates file C:\WINDOWS\SYSTEM\kojxewhy.dll.
* Creates file C:\WINDOWS\SYSTEM\kadyefrs.dll.
* Creates file C:\WINDOWS\SYSTEM\kmvmvkpu.dll.
* Creates file C:\WINDOWS\SYSTEM\ytvlvhku.dll.
* Creates file Total Commander 7.0 full_install.exe.

[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "cD"="" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "b1"="Mr.X" in key "HKLM\Software\Microsoft\_Hazafibb".
* Reads value "SMTP Email Address"="<unreal@sandbox.com>" in key "HKCU\Software\Microsoft\Internet Account Manager\Accounts\unreal".
* Sets value "b2"="<unreal@sandbox.com>" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "cC"="SMTP.unreal.no" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "b3"="C:\WINDOWS\SYSTEM\fxowsrwn.exe" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "b4"="C:\WINDOWS\SYSTEM\phwzrymn.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "b5"="C:\WINDOWS\SYSTEM\bnydwnsh.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "b6"="C:\WINDOWS\SYSTEM\eujczorl.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "b7"="C:\WINDOWS\SYSTEM\voealgzk.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "b8"="C:\WINDOWS\SYSTEM\yyxwgtry.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "b9"="C:\WINDOWS\SYSTEM\cuppnbqb.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "bA"="C:\WINDOWS\SYSTEM\tsujssht.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "bB"="C:\WINDOWS\SYSTEM\kojxewhy.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "bC"="C:\WINDOWS\SYSTEM\kadyefrs.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "bD"="C:\WINDOWS\SYSTEM\kmvmvkpu.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Sets value "bE"="C:\WINDOWS\SYSTEM\ytvlvhku.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
* Creates value "_Hazafibb"="C:\WINDOWS\SYSTEM\fxowsrwn.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Spreading through P2P networks ]
* P2P worm; drops files in P2P upload/download directory.

[ Process/window information ]
* Creates a mutex _Hazafibb.
* Will automatically restart after boot (I'll be back...).
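The reports above share one layout, so a defender can pull the triage indicators (dropped files, Run-key persistence added or removed, mutexes, outbound connections) out of them mechanically. The parser below is an added example, not part of the thread or of Norman's tooling; the embedded report is a constructed excerpt in the same layout, and the assumption that every report uses "[ Section ]" headers followed by "* ..." bullets ending in a period is mine.

```python
import re

# Constructed excerpt in the report layout quoted in this thread (assumption:
# "[ Section ]" headers, then "* ..." bullets ending in a period).
SAMPLE_REPORT = r"""
sample.scr : [SANDBOX] infected with unknown worm - W32/EMailWorm (Signature: Netsky.B@mm)
[ Changes to filesystem ]
* Creates file C:\WINDOWS\services.exe.

[ Changes to registry ]
* Creates value "service"="C:\WINDOWS\services.exe -serv" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Taskmon" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Connects to "mailin-02.mx.bergen.net" on port 25 (TCP).

[ Process/window information ]
* Creates a mutex AdmSkynetJklS003.
"""

SECTION = re.compile(r"^\[ (.+?) \]$")
SET_VALUE = re.compile(r'^\* (?:Creates|Sets) value "([^"]+)"="([^"]*)" in key "([^"]+)"\.$')
DEL_VALUE = re.compile(r'^\* Deletes value "([^"]+)" in key "([^"]+)"\.$')
CONNECT = re.compile(r'^\* Connects to "([^"]+)" on port (\d+) \((\w+)\)\.$')
AUTORUN_KEYS = ("\\RUN", "\\RUNSERVICES")   # persistence keys worth flagging

def parse_report(text):
    """Pull triage indicators (dropped files, autoruns, mutexes, connections) out of a report."""
    out = {"verdict": "", "dropped": [], "autorun_added": [], "autorun_removed": [],
           "mutexes": [], "connections": []}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SECTION.match(line):
            section = m.group(1)
        elif section is None and "[SANDBOX]" in line:
            out["verdict"] = line.split(":", 1)[1].strip()   # text after "<file> :"
        elif section == "Changes to filesystem" and line.startswith("* Creates file "):
            out["dropped"].append(line[len("* Creates file "):].removesuffix("."))
        elif section == "Changes to registry":
            # Only values under Run/RunServices count as persistence; other keys are ignored.
            if (m := SET_VALUE.match(line)) and m.group(3).upper().endswith(AUTORUN_KEYS):
                out["autorun_added"].append((m.group(1), m.group(2)))
            elif (m := DEL_VALUE.match(line)) and m.group(2).upper().endswith(AUTORUN_KEYS):
                out["autorun_removed"].append(m.group(1))   # e.g. a worm removing a rival's autorun
        elif section == "Network services" and (m := CONNECT.match(line)):
            out["connections"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif section == "Process/window information" and line.startswith("* Creates a mutex "):
            out["mutexes"].append(line[len("* Creates a mutex "):].removesuffix("."))
    return out
```

Feeding the three reports posted above through `parse_report` gives one autorun entry per sample, which is the quickest cross-check that each one matches the "Will automatically restart after boot" verdict.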
  #29  
Old February 13th, 2005, 12:54 PM
izi
Re: Norman's Sandbox

Norman's Sandbox detects all major worms. Great work!!!
  #30  
Old February 13th, 2005, 01:44 PM
Re: Norman's Sandbox

Well ... what does this mean now?

I conclude:

1. The sandbox analyses malware but does not provide the analysis data which has been posted here (e.g., changes to filesystem, changes to registry etc.).

In principle, such detailed information may stem from the ordinary scan engine in connection with the signature database. However, such a theory would not be in line with Technodrome's Netsky.B sample, which was not properly detected.

Since the file could not be opened, it seems to me that the sandbox could not analyze it either.

Therefore, I assume that it was executed on a Norman test machine and the analysis data shows what actually happened.

2. The generic detection mechanism of the sandbox does not work with compressed malware because the sandbox is not supported by an unpacking engine or a memory scanner. (Compressed malware is only detected by the ordinary scan engine, provided a special signature was created.)

Does everybody agree? If not: why not?