sandbox let me down in my latest test!

Discussion in 'Prevx Releases' started by PC__Gamer, Apr 10, 2010.

Thread Status:
Not open for further replies.
  1. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    SO, that makes me the fool. :p

    -------
    d:\games\battlefield bad company 2\support\battlefield bad company 2_code.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\battlefield bad company 2\support\battlefield bad company 2_uninst.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\call of juarez\cojbib_autoupdater.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\f.e.a.r\config.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\f.e.a.r\fear.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\f.e.a.r\fearmp.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\f.e.a.r\fearserver.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\f.e.a.r\fpupdate.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\f.e.a.r\wmfadist.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\fifa10\support\eadm\eadm-installer.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\fifa10\support\earegister.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\fifa10\support\fifa 10_code.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\fifa10\support\fifa 10_uninst.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\need for speed shift\support\eadm\eadm-installer.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\need for speed shift\support\need for speed shift_code.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\need for speed shift\support\need for speed shift_uninst.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\sims 3\support\eadm\eadm-installer.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\sonic & sega all-stars racing\config.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\sonic & sega all-stars racing\sonic & sega all-stars racing.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\unreal tournament 3\binaries\cookersync.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    [B] d:\games\unreal tournament 3\binaries\iscopyfiles.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    [B] d:\games\unreal tournament 3\binaries\uescriptprofiler.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    [B] d:\games\unreal tournament 3\binaries\unrealconsole.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    [B] d:\games\unreal tournament 3\binaries\unrealfrontend.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    [B] d:\games\unreal tournament 3\binaries\ut3.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    [B] d:\games\unreal tournament 3\binaries\ut3oshelper.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    [B] d:\games\unreal tournament 3\binaries\windows\ue3redist.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware

    --------------

    so, now im on a mission to get my system clean without hopefully losing my saved games. *lol*

    should be fun. :rolleyes:

    [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] < i hate you. (lol)

    ive done countless tests in the past, and this was by far my biggest challenge, but lets just say - there was a nasty little bugger in there that has caused Chaos.

    weird i would use that word, as my latest game is Just Cause 2 - the whole point is Chaos.

    lol[/B][/B][/B][/B][/B][/B][/B]
     
    Last edited: Apr 10, 2010
  2. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    Sandbox isn't perfect. Do you make backup images of your system. If so, you could just "roll" back using one of those. It helps to store your user data, like your saved games on another partition though.
     
  3. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    i backup most things, including the saved games.

    i think ive located it and sorted it, however... it did damage a few .exe files of my games, so i re-installation of those affected games may be needed.

    just thought id alert people to the possibilitys of some of the newer samples.
     
  4. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    ok, take it back.

    still not found the solution.

    prevx does pop up with an infection, even on a restored C:/, but im guessing it will be back.

    obviously its now linked to my 2nd HD with the games installed.

    time to use some tools and dig further. :)

    however, i can tell you - this particular sample avaded Prevx, Hitman Pro with all its engines & even Malwarebytes too.
     
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    did you confirm it is malware and what is it? very unlucky all 3 missed it
     
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,262
    Location:
    Ontario, Canada
    Yes that's true because there are allot of scanning engines involved!

    TH
     
  7. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    there was definatly malware, its changed some .exe's in my game files.

    but figuring out how to track it is becoming troublesome!

    prevx still pops up with the little square in the bottom-right of the screen to say its blocked it,but sometime down the line, it will do the same saying its blocked it, HMP and all the rest dont detect anything?

    possible FP on this particular file?... maybe, shall see what Joe has to say, dont want to pester their support channels if its arrived from my-own-doing.
     
  8. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Download a-squared free, and scan your second drive with a deep scan. Found it and prevx to be quite good at identifying similar files.
     
  9. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    dont think i need to, think ive tracked it down to a file labelled 7433232.exe (i think it was called that) , i shall see if i notice anything from now on.

    hopefully, i shouldn't. :)

    messing with malware is a hobby of mine, sure.. i was a little stumped this time, but its all good fun trying to figure it out. ;)
     
  10. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    did you post this problem in the sandboxie forum?
     
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,262
    Location:
    Ontario, Canada
    Upload to Virus Total and give the number of scanners that detect it as? Sounds like a nasty file infecter for sure!

    TH
     
  12. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    sorry TH, deleted it as soon as i found its location.

    but i can tell you, HMP with all its engines didnt find it, nor did prevx (although prevx did keep blocking what it was trying to do, although it didnt block it creating its autorun/process), Malwarebytes was no luck either and neither did Panda's cloud either.

    sometimes, the worst are the small ones, just 100k it was.

    but, still not 100% my machine is all better, only some time will tell me, but i cant see anything in my usual searching/testing.

    for safety reasons, ive also removed the games infected, most were old ones anyway so doubt i will be rushing to install them.

    lots of games installed, was around 300gb of them, now i have just 125gb of them to play on.
     
  13. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,262
    Location:
    Ontario, Canada
    That's because the file infecter infected them in a certain way to evade detection! The reason given Malware Group: High Risk Cloaked Malware

    TH
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The file which has been copied over all of the program files you listed above is 163,840 bytes and was first seen + blocked by Prevx today. It appears to be a new Koobface variant which has an impressive dossier of behaviors in our database (had to scroll down multiple pages to get the full list of information on it :))

    I suspect we may have missed an ancillary file from the infection - could you possibly create a scan log and send it to report@prevxresearch.com to see if I can find any missed detection there?

    Thanks, and good luck! Let me know if I can help in any other way as well.
     
  15. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    aye, i know.

    Nod32 was the only engine to pick 2 games up in the HMP engines, apart from what prevx detected on my machine, but im sure these were community/age/heuristic type detections as Prevx in HMP didnt detect these, unless the signatures were only just created because of a first detection on my machine (this has happened with prevx before and the samples i play around with), either way - detection of the culprit avoided everyone!! (well, enough that i could be bothered to try) & Never really seen that before.
     
  16. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,262
    Location:
    Ontario, Canada
    Also I only play with nasties within my VM's in Shadow Mode just in case!;)

    TH
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I actually suspect it is the cached detection in HMP. Prevx first saw the infection at 10:31am today and added detection automatically at 12:01 (90 minutes later) after seeing the second user hit by it. According to our database, we have not issued any Age/Popularity detections on this particular infection as it was caught automatically before it would have been classified as such.
     
  18. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    lol, not the first time ive added new samples to your cloud Joe & it wasn't the only new Koobface sample i was playing around with ;)

    and your right - what a beast the little git is. o_O

    all the more fun i say. ;)

    sure, i'll do ya a log if you like - may be quite long, i'll email it you after i do a full scan.

    ---

    scan completed:

    Untitled.jpg

    lol, i can tell you this is load.exe and was one of the un-detected samples i was playing around with, not the main culprit of the infections, just a un-detected one that is now detected it seems. :thumb:


    edit: Log Sent to report@prevxresearch.com - although it will be a shortened one as ive reverted back to my C:/ config since the infections, but do let me know if you see anything out of the ordinary, i think all is clear - hopefully.
     
    Last edited: Apr 10, 2010
  19. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    PC__Gamer,
    I hope your system is back to 100% now.
    Do you have any idea of how this would slip through your sandbox?
    Thanks.
    Hugger
     
  20. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    no idea no, but im waiting for Joe to tell me if anything still remains on my system. :)

    hopefully, all clear, but doubt it.

    I cant see anything myself, but he's the expert. :)

    Just tried to go on Dirt2 and prevx popped up with an infection for it.
     
    Last edited: Apr 11, 2010
  21. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    prevx is detecting loads on my D:/ now,

    so im going to format it and restore that drive from a backup i have.

    -----
    d:\programs\newsdemon\nb553-64.exe [PX5: A63A6ECB8C7C31C50AFA3E6826426D0035C2A132] Malware Group: High Risk Cloaked Malware
    d:\programs\hitman pro x64\hitmanpro35_x64.exe [PX5: A63A6ECB407C31C593FA5C6826426D00448F580F] Malware Group: High Risk Cloaked Malware
    (ACTIVE) d:\programs\registry mechanic 9 2010\rminstall.exe [PX5: A63A6ECB707C31C502FA976826426D0085A83CCB] Malware Group: High Risk Cloaked Malware
    [H] c:\program files\7-zip\7zg.exe [64] [PX5: DD2EAC780003EAC88C090559F81C4C003DA3A422] Malware Group: Community.Heuristic
    c:\users\168957\appdata\roaming\system\svchost.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    (ACTIVE) d:\games\steam games\steamapps\common\just cause 2\vcredist\vcredist_x86.exe [PX5: A63A6ECBC07C31C50DFA2C6826426D00CBBF435A] Malware Group: High Risk Cloaked Malware
    (ACTIVE) d:\games\steam games\steamapps\common\just cause 2\directx\dxsetup.exe [PX5: A63A6ECB587C31C585FA0A6826426D002EBD3E50] Malware Group: High Risk Cloaked Malware
    (ACTIVE) d:\games\steam games\steamapps\common\just cause 2\justcause2.exe [PX5: A63A6ECB207C31C561FAE06826426D00AC4D5F55] Malware Group: High Risk Cloaked Malware
    c:\programdata\prevxcsi\qc.csi [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
    d:\games\dirt 2\dirt2.exe [PX5: A63A6ECB587C31C5E5FA5E6826426D00F1C465A8] Malware Group: High Risk Cloaked Malware
    d:\games\steam games\steamapps\common\fear2\support\directx9\dxsetup.exe [PX5: A63A6ECB507C31C587FA0A6826426D00DB507B43] Malware Group: High Risk Cloaked Malware
    d:\games\steam games\steamapps\common\fear2\support\vcredist_x86.exe [PX5: A63A6ECBA87C31C563FA2C6826426D00FF8B8E8F] Malware Group: High Risk Cloaked Malware
    d:\games\steam games\steamapps\common\fear2\support\wmfadist.exe [PX5: A63A6ECB907C31C5A7FA216826426D0058BA9281] Malware Group: High Risk Cloaked Malware
    d:\games\steam games\steamapps\common\fear2\fear2.exe [PX5: A63A6ECB287C31C599FA3A6826426D009AF9157D] Malware Group: High Risk Cloaked Malware
    d:\games\steam games\steamapps\common\call of duty modern warfare 2\iw4sp.exe [PX5: A63A6ECB587C31C5EEFA376826426D002414CA7E] Malware Group: High Risk Cloaked Malware
    d:\programs\sandboxie\sandboxieinstall.exe [PX5: A63A6ECBF17C31C5EFFA096826426D004F0B5669] Malware Group: High Risk Cloaked Malware
    d:\games\steam games\steamapps\common\left 4 dead\left4dead.exe [PX5: A63A6ECB007C31C500FA046826426D0043F778EE] Malware Group: High Risk Cloaked Malware
    d:\games\steam games\steamapps\common\left 4 dead\bin\addoninstaller.exe [PX5: A63A6ECB387C31C565FA046826426D00E7102076] Malware Group: High Risk Cloaked Malware
    d:\programs\intelburntest\intelburntestv2.exe [PX5: A63A6ECB007C31C5BEFA036826426D003B59B51F] Malware Group: High Risk Cloaked Malware
    d:\programs\newsdemon\new_rover.exe [PX5: A63A6ECBBD7C31C565FA5D6826426D00EBC94FE7] Malware Group: High Risk Cloaked Malware
    d:\games\steam games\steamapps\common\call of duty modern warfare 2\redist\vcredist_x86.exe [PX5: A63A6ECBC07C31C50DFA2C6826426D00CBBF435A] Malware Group: High Risk Cloaked Malware
    [B] d:\games\steam games\steamapps\common\left 4 dead\bin\vpk.exe [PX5: A63A6ECB007C31C545FA056826426D00BD1D6B78] Malware Group: High Risk Cloaked Malware
    [B] d:\programs\cyberlink powerdvd 9.1719\activation\keygen.exe [PX5: A63A6ECB007C31C5ACFA046826426D00D07B7A97] Malware Group: High Risk Cloaked Malware
    [B] d:\games\steam games\steamapps\common\call of duty modern warfare 2\redist\directx\dxsetup.exe [PX5: A63A6ECB587C31C585FA0A6826426D002EBD3E50] Malware Group: High Risk Cloaked Malware
    [B] d:\programs\ashampoo burning studio 9\ashampoo_burning_studio_9_910_sm.exe [PX5: A63A6ECB607C31C5A6FA326826426D03424D7E98] Malware Group: High Risk Cloaked Malware
    ----------

    I think we just need to admit that all security tools are not up-to-the-task of this particular infection, ive tried MBAM, HMP, Prevx, Drweb, A-Squared and Panda Cloud Antivirus, all failed.

    Prevx did keep telling me about 'new infections' & then deleting them, but then some other files would pop up infected, so the file infector itself is not being detected.

    Never in 10+ years have i seen an infection avade so many security apps, its worrying to see, even to me who likes to see things on the wild side regarding malware, but at least i have alot of backups.[/B][/B][/B][/B]
     
    Last edited: Apr 11, 2010
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,262
    Location:
    Ontario, Canada
    That's the problem with file infecters most times you will have to Format & Reinstall the OS to make sure that it is gone! :doubt: Sorry I don't have better news for you!

    TH
     
  23. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    yep, prevx could go all day and detect new files infected, something i dont have the time for.

    just disappointing that sooo many engines failed to detect this file infector.
     
  24. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,262
    Location:
    Ontario, Canada
    One other thing if I can suggest that if you are going to Play with nasties is to do it in a Virtual Environment of some kind to add to your security such as Virtual-box or VMware Player as they are free! Then add Shadow Defender so if any problems occur all you have to do is reboot and it's all gone! Just a suggestion! ;)

    TH
     
  25. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    PC_Gamer, just to be 100% clear, are you saying that you ran this malware under Sandboxie and that it escaped? You keep mentioning the generic term 'Sandbox' but it's not clear to me whether your Sandbox software is Sandboxie or something else. Could you clarify please. Thx
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.