weird issue

Discussion in 'malware problems & news' started by HURST, Mar 5, 2008.

Thread Status:
Not open for further replies.
  1. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I got a file named Foto_30.zip over MSN messenger. I was going to cancel it, but I got curious, and thought that it would be fun to test it sandboxed.
    So I accepted it, and copied the .zip from "recieved files" folder to the desktop (since the desktop is not locked to sandboxed programs). After that, I extracted the only file in the zip to a folder in the desktop. The file was named "Foto30.JPEG-www.myspace.com", and the icon was a tipicall executable icon. So I runned it sandboxed. After 1 or 2 seconds, a popup appeared telling that it was unable to load dll or something like that. Nothing else happened. I deleted the sandbox.

    Up to then, everything as expected. I deleted the folder. But when I wanted to delete the .zip on the desktop, an error message appeared, telling that it was impossible to delete the file. I rebooted and the zip was no longer there.

    I went to "received folder" looking for the original file, it was still there. So I thought to upload it to virustotal, but when I tried to open the zip, I got a message saying that the file was corrupt.
    So I got paranoid and runned SAS (quick scan), CureIt (quick scan), and RKU. SAS and CureIt came clean, RKU showed nothing suspicious. HJT came also clean.

    Anyways, I'm confident that sandboxie prevented any infection, but the zip being locked for deletion and the original file being corrupt raised my concerns. Foolishly, in my hurry to se what this file would do and trusting in sandboxie, I didn't went to session lock with returnil (I know, very stupid, shame on me).

    Anyone has any thoughts on this? Are there cases documented where a file infected a machine without it being executed?
     
    HURST, Mar 5, 2008
    #1
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I also found out (although I don't know if it's related with this), that I can't go back to an earlier snapshot with system restore... tried 2 different snapshots and it was impossible. It also warned that it couldn't revert changes on Z: partition (returnil virtaul partition). Anyone had this issue? Is returnil compatible with system restore?
     
    HURST, Mar 5, 2008
    #2
  3. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    Hi HURST. You probably have a Backdoor.Win32.IRCBot.bth (and Vundo) infection. Try scanning with the latest Kaspersky AVP Tool in safe mode.

    thanatos
     
    thanatos_theos, Mar 7, 2008
    #3
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...