[unisog] New Bot variants making rounds

Justin Azoff JAzoff at uamail.albany.edu
Mon Apr 4 20:20:00 GMT 2005


On Mon, 2005-04-04 at 13:57 -0400, Michael Holstein wrote:
> > can you submit them to sandbox.norman.no and share the results?
> 
> Already did that .. they came back with little detail :
> 
> ~Mike.
> 
> #1 :
> 
> Norman Scanner Engine 5.80.  5
> Sandbox 05.80, dated 31/02-2005
> 
> Your message ID (for later reference): 20050404-309
> 
> srv32.exe : Not detected by sandbox (Signature: NO_VIRUS)
>   [ General information ]
>      * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO 
> - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
>      * File length:        47104 bytes.
> 
>   [ Changes to filesystem ]
>      * Creates file C:\WINDOWS\SYSTEM\srv32.exe.
[snip]

I saw this once; it was an UPX-compressed self-extracting RAR file...
Norman extracted the exe, but didn't run it.  In that case, I unpacked
it manually and submitted the resulting .exe and got some more useful
info.

-- 
-- Justin Azoff
-- Network Performance Analyst
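A small triage check for the situation described above (a UPX-packed dropper wrapping a self-extracting RAR, which a sandbox unpacks but never runs). This is an added example, not code from the post or from Norman; it assumes a minimal PE layout with a zero-length optional header for the constructed sample and the RAR 1.5-4.x archive signature that a 2005-era SFX would carry.

```python
import struct

RAR_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x archive signature (assumption: era-appropriate SFX)
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names left by a stock UPX packer


def pe_section_names(data: bytes) -> list:
    """Walk the COFF section table and return the section names, or [] if headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # NumberOfSections sits at +6, SizeOfOptionalHeader at +20 from the PE signature
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(data: bytes) -> dict:
    """Flag a sample that would need manual unpacking before a sandbox run gives useful output."""
    names = pe_section_names(data)
    return {
        "upx": any(n in UPX_SECTIONS for n in names),   # packed: unpack before resubmitting
        "sfx_rar_at": data.find(RAR_MAGIC),              # -1 if no embedded archive trailer
    }


def build_fake_pe(section_names: list, trailer: bytes = b"") -> bytes:
    """Constructed sample: MZ stub, PE signature, COFF header with no optional header, section table."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table + trailer


if __name__ == "__main__":
    # Constructed: UPX sections followed by an appended RAR archive, like the dropper in the thread
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 16 + RAR_MAGIC + b"\0" * 8)
    print(triage(packed))                     # {'upx': True, 'sfx_rar_at': 224}
    print(triage(build_fake_pe([b".text", b".data"])))   # {'upx': False, 'sfx_rar_at': -1}
```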


