Norman's Sandbox

Discussion in 'other anti-virus software' started by izi, Feb 11, 2005.

Thread Status:
Not open for further replies.
  1. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050213-308

    readme.htm .pif : [SANDBOX] infected with unknown worm - W32/P2PWorm (Signature: MyDoom.A@mm)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 22528 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\shimgapi.dll.
    * Creates file C:\WINDOWS\TEMP\Message.
    * Creates file C:\WINDOWS\SYSTEM\taskmon.exe.
    * Deletes file C:\WINDOWS\SYSTEM\taskmon.exe.
    * Creates file C:\Progra~1\Kazaa\Myshar~1\activation_crack.pif.

    [ Changes to registry ]
    * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version".
    * Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version".
    * Creates value "TaskMon"="C:\WINDOWS\SYSTEM\taskmon.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

    [ Spreading through P2P networks ]
    * P2P worm; drops files in P2P upload/download directory.

    [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
     
  2. izi

    izi Registered Member

    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050213-309

    topseller.doc.scr : [SANDBOX] infected with unknown worm - W32/EMailWorm (Signature: Netsky.B@mm)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * Display message box (Error) : The file could not be opened!.
    * File length: 22016 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\services.exe.

    [ Changes to registry ]
    * Creates value "service"="C:\WINDOWS\services.exe -serv" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Taskmon" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Taskmon" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Explorer" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Explorer" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "KasperskyAv" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "system." in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "system." in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".

    [ Network services ]
    * Looks for an Internet connection.
    * Connects to "CONFIGURED_DNS" on port 53 (IP).
    * Connects to "mailin-02.mx.bergen.net" on port 25 (TCP).
    * **Connects SMTP server.

    [ Network ]
    * **Uses IPHLPAPI services.

    [ Spreading through EMail ]
    * To : <hanne.jensen@bergen.net>.
    * From : skynet@skynet.de.
    * Subject: unknown.
    * Mass-mailer; spreads through SMTP.

    [ Process/window information ]
    * Creates a mutex AdmSkynetJklS003.
    * Will automatically restart after boot (I'll be back...).
     
  3. izi

    izi Registered Member

    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050213-313

    Surprise.exe : [SANDBOX] infected with unknown worm - W32/P2PWorm (Signature: Zafi.B@mm)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 12800 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\fxowsrwn.exe.
    * Creates file C:\WINDOWS\SYSTEM\phwzrymn.dll.
    * Creates file C:\WINDOWS\SYSTEM\bnydwnsh.dll.
    * Creates file C:\WINDOWS\SYSTEM\eujczorl.dll.
    * Creates file C:\WINDOWS\SYSTEM\voealgzk.dll.
    * Creates file C:\WINDOWS\SYSTEM\yyxwgtry.dll.
    * Creates file C:\WINDOWS\SYSTEM\cuppnbqb.dll.
    * Creates file C:\WINDOWS\SYSTEM\tsujssht.dll.
    * Creates file C:\WINDOWS\SYSTEM\kojxewhy.dll.
    * Creates file C:\WINDOWS\SYSTEM\kadyefrs.dll.
    * Creates file C:\WINDOWS\SYSTEM\kmvmvkpu.dll.
    * Creates file C:\WINDOWS\SYSTEM\ytvlvhku.dll.
    * Creates file Total Commander 7.0 full_install.exe.

    [ Changes to registry ]
    * Creates key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "cD"="" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "b1"="Mr.X" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Reads value "SMTP Email Address"="<unreal@sandbox.com>" in key "HKCU\Software\Microsoft\Internet Account Manager\Accounts\unreal".
    * Sets value "b2"="<unreal@sandbox.com>" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "cC"="SMTP.unreal.no" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "b3"="C:\WINDOWS\SYSTEM\fxowsrwn.exe" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "b4"="C:\WINDOWS\SYSTEM\phwzrymn.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "b5"="C:\WINDOWS\SYSTEM\bnydwnsh.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "b6"="C:\WINDOWS\SYSTEM\eujczorl.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "b7"="C:\WINDOWS\SYSTEM\voealgzk.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "b8"="C:\WINDOWS\SYSTEM\yyxwgtry.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "b9"="C:\WINDOWS\SYSTEM\cuppnbqb.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "bA"="C:\WINDOWS\SYSTEM\tsujssht.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "bB"="C:\WINDOWS\SYSTEM\kojxewhy.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "bC"="C:\WINDOWS\SYSTEM\kadyefrs.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "bD"="C:\WINDOWS\SYSTEM\kmvmvkpu.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Sets value "bE"="C:\WINDOWS\SYSTEM\ytvlvhku.dll" in key "HKLM\Software\Microsoft\_Hazafibb".
    * Creates value "_Hazafibb"="C:\WINDOWS\SYSTEM\fxowsrwn.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

    [ Spreading through P2P networks ]
    * P2P worm; drops files in P2P upload/download directory.

    [ Process/window information ]
    * Creates a mutex _Hazafibb.
    * Will automatically restart after boot (I'll be back...).
     
  4. izi

    izi Registered Member

    Norman's Sandbox detects all major worms. Great work!!!
     
  5. ---

    --- Guest

    Well ... what does this mean now?

    I conclude:

    1. The sandbox analyses malware but does not provide the analysis data which has been posted here (e.g., changes to filesystem, changes to registry etc.).

    In principle, such detailed information may stem from the ordinary scan engine in connection with the signature database. However, such a theory would not be in line with Technodrome's Netsky.B sample, which was not properly detected.

    Since the file could not be opened, it seems to me that the sandbox also could not analyze it.

    Therefore, I assume that it was executed on a Norman test machine and the analysis data shows what actually happened.

    2. The generic detection mechanism of the sandbox does not work with compressed malware because the sandbox is not supported by an unpacking engine or a memory scanner. (Compressed malware is only detected by the ordinary scan engine, provided a special signature was created.)

    Does everybody agree? If not: why not?
     
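Whatever the sandbox does internally, the reports pasted above are what a responder actually gets, and the useful bits (autorun values added or removed, dropped files, the mutex, outbound SMTP) are buried in free text. The parser below is an added example, not Norman's code or anything from this thread; it assumes the line layout exactly as pasted (`[ Section ]` headers, `* ` bullets, `"name"="data" in key "..."` registry entries) and runs on a constructed sample modelled on the Netsky report.

```python
import re

# Constructed sample, modelled on the Norman Sandbox reports posted in this thread.
SAMPLE_REPORT = r"""topseller.doc.scr : [SANDBOX] infected with unknown worm - W32/EMailWorm (Signature: Netsky.B@mm)
[ Changes to filesystem ]
* Creates file C:\WINDOWS\services.exe.
[ Changes to registry ]
* Creates value "service"="C:\WINDOWS\services.exe -serv" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Taskmon" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Connects to "CONFIGURED_DNS" on port 53 (IP).
* Connects to "mailin-02.mx.bergen.net" on port 25 (TCP).
[ Process/window information ]
* Creates a mutex AdmSkynetJklS003.
* Will automatically restart after boot (I'll be back...).
"""

# One pattern per indicator type, matched after "* ", "**" and the final "." are stripped.
PATTERNS = {
    "value": re.compile(r'^(?P<op>Creates|Sets|Deletes) value "(?P<name>[^"]*)"(?:="(?P<data>[^"]*)")? in key "(?P<key>[^"]+)"$'),
    "file": re.compile(r"^Creates file (?P<path>.+)$"),
    "mutex": re.compile(r"^Creates a mutex (?P<name>\S+)$"),
    "conn": re.compile(r'^Connects to "(?P<host>[^"]+)" on port (?P<port>\d+) \((?P<proto>\w+)\)$'),
}
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")

def triage(report):
    """Pull out what a responder acts on first: autorun values the sample adds or removes,
    dropped files, the mutex it creates (a cheap 'already infected' marker) and connections."""
    out = {"autorun": [], "removed_autorun": [], "files": [], "mutexes": [], "connections": []}
    for line in report.splitlines():
        line = line.strip()
        if not line.startswith("*"):
            continue  # section headers and the verdict line carry no indicator
        entry = line.lstrip("* ").rstrip(".").rstrip("*")
        for kind, rx in PATTERNS.items():
            if not (m := rx.match(entry)):
                continue
            if kind == "value" and m["key"].lower().endswith(AUTORUN_KEYS):
                bucket = "removed_autorun" if m["op"] == "Deletes" else "autorun"
                out[bucket].append((m["name"], m["data"], m["key"]))
            elif kind == "file":
                out["files"].append(m["path"])
            elif kind == "mutex":
                out["mutexes"].append(m["name"])
            elif kind == "conn":
                out["connections"].append((m["host"], int(m["port"]), m["proto"]))
            break
    return out
```

Run over the three reports above, the "removed_autorun" bucket is what shows Netsky.B deleting the TaskMon entry that MyDoom.A installs; the mutex names and Run values are the cheapest things to turn into host checks.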