I got a file named Foto_30.zip over MSN Messenger. I was going to cancel it, but I got curious and thought it would be fun to test it sandboxed. So I accepted it and copied the .zip from the "received files" folder to the desktop (since the desktop is not locked to sandboxed programs). After that, I extracted the only file in the zip to a folder on the desktop. The file was named "Foto30.JPEG-www.myspace.com", and the icon was a typical executable icon. So I ran it sandboxed. After 1 or 2 seconds, a popup appeared saying that it was unable to load a DLL or something like that. Nothing else happened. I deleted the sandbox. Up to then, everything was as expected.

I deleted the folder. But when I wanted to delete the .zip on the desktop, an error message appeared telling me that it was impossible to delete the file. I rebooted and the zip was no longer there. I went to the "received files" folder looking for the original file; it was still there. So I thought I would upload it to VirusTotal, but when I tried to open the zip, I got a message saying that the file was corrupt.

So I got paranoid and ran SAS (quick scan), CureIt (quick scan), and RKU. SAS and CureIt came back clean, and RKU showed nothing suspicious. HJT also came back clean. Anyway, I'm confident that Sandboxie prevented any infection, but the zip being locked against deletion and the original file being corrupt raised my concerns. Foolishly, in my hurry to see what this file would do, and trusting Sandboxie, I didn't go into session lock with Returnil (I know, very stupid, shame on me). Does anyone have any thoughts on this? Are there documented cases where a file infected a machine without being executed?
I also found out (although I don't know if it's related to this) that I can't go back to an earlier snapshot with System Restore... I tried 2 different snapshots and it was impossible. It also warned that it couldn't revert changes on the Z: partition (the Returnil virtual partition). Has anyone had this issue? Is Returnil compatible with System Restore?
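Two things in the first post can be checked without running anything: the file name "Foto30.JPEG-www.myspace.com" reads like a picture but its real extension is `.com`, which Windows treats as an executable, and the "file is corrupt" error on the original zip is something a CRC check can confirm. The Python script below is an added example, not code from this thread or from any of the tools mentioned in it. It builds a constructed sample archive in memory (the fake PE stub, the `holiday.jpg` member and the deliberate byte flip are assumptions for illustration), classifies each member by its leading bytes instead of its name, and uses the standard library's CRC check to tell a damaged archive from an unreadable one.

```python
import io
import re
import zipfile

# Well-known leading bytes (file signatures) used to classify content.
SIGNATURES = (
    (b"MZ", "pe-executable"),            # DOS/Windows executable header
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
)
IMAGE_TYPES = {"jpeg", "png", "gif"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Extensions Windows runs directly (PATHEXT-style). ".com" is one of them, which is
# what makes a name ending in "...www.myspace.com" runnable when double-clicked.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# An image extension buried anywhere in the name, e.g. "Foto30.JPEG-www..."
IMAGE_TOKEN = re.compile(r"\.(jpe?g|png|gif|bmp)(?![a-z0-9])")


def sniff(head: bytes) -> str:
    """Classify content by its first bytes; the name is never consulted."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def final_ext(name: str) -> str:
    """The extension Windows actually uses: everything after the last dot."""
    base = name.lower().rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def assess_member(name: str, head: bytes) -> dict:
    """Compare what the name claims against what the bytes say."""
    ext, kind, flags = final_ext(name), sniff(head), []
    if ext in EXEC_EXTS:
        flags.append(f"final extension {ext} is executable on Windows")
    if IMAGE_TOKEN.search(name.lower()) and ext not in IMAGE_EXTS:
        flags.append("name contains an image extension but does not end in one")
    if kind == "pe-executable" and ext not in EXEC_EXTS:
        flags.append(f"content is a PE executable but extension is {ext or 'none'}")
    if ext in IMAGE_EXTS and kind not in IMAGE_TYPES:
        flags.append(f"extension claims an image but content sniffs as {kind}")
    return {"name": name, "ext": ext, "content": kind, "flags": flags}


def analyze_zip(blob: bytes) -> dict:
    """Report an unreadable archive, the first member with a bad CRC, and per-member flags."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:          # no central directory, truncated, not a zip
        return {"readable": False, "error": str(exc), "bad_member": None, "members": []}
    with zf:
        bad = zf.testzip()                     # first member whose CRC-32 fails, else None
        members = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                with zf.open(info) as fh:
                    head = fh.read(16)         # signature sniffing needs only the first bytes
            except zipfile.BadZipFile:         # CRC failure can surface on a small read too
                head = b""
            members.append(assess_member(info.filename, head))
    return {"readable": True, "error": None, "bad_member": bad, "members": members}


def build_sample() -> bytes:
    """Constructed sample archive (not the file from the thread): a fake PE stub under
    the double-extension name, plus a member with a genuine JPEG header."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"CONSTRUCTED-PAYLOAD-STUB"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:   # stored, so bytes appear verbatim
        zf.writestr("Foto30.JPEG-www.myspace.com", fake_pe)
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    return buf.getvalue()


def corrupt_member(blob: bytes) -> bytes:
    """Flip one byte inside the stored payload so its CRC no longer matches the header."""
    i = blob.find(b"CONSTRUCTED-PAYLOAD-STUB")
    return blob[:i] + b"X" + blob[i + 1:]


if __name__ == "__main__":
    sample = build_sample()
    for label, blob in (("intact", sample),
                        ("crc-damaged", corrupt_member(sample)),
                        ("truncated", sample[: len(sample) // 2])):
        print(label, analyze_zip(blob))
```

The three cases mirror the post: an intact archive whose only flags come from the name and the `MZ` header, an archive that opens but reports a member with a bad CRC (the kind of "corrupt" a partially overwritten file shows), and a truncated one that cannot be opened at all. The name check fires on the `.com` ending and on the `.JPEG` token regardless of content, so the file would have been flagged before extraction.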
Hi HURST. You probably have a Backdoor.Win32.IRCBot.bth (and Vundo) infection. Try scanning with the latest Kaspersky AVP Tool in safe mode. thanatos