[unisog] New Bot variants making rounds
JAzoff at uamail.albany.edu
Mon Apr 4 20:20:00 GMT 2005
On Mon, 2005-04-04 at 13:57 -0400, Michael Holstein wrote:
> > can you submit them to sandbox.norman.no and share the results?
> Already did that .. they came back with little detail :
> #1 :
> Norman Scanner Engine 5.80. 5
> Sandbox 05.80, dated 31/02-2005
> Your message ID (for later reference): 20050404-309
> srv32.exe : Not detected by sandbox (Signature: NO_VIRUS)
> [ General information ]
> * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO
> - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
> * File length: 47104 bytes.
> [ Changes to filesystem ]
> * Creates file C:\WINDOWS\SYSTEM\srv32.exe.
I saw this once, it was a UPX-compressed self-extracting RAR file...
Norman extracted the exe, but didn't run it. In that case, I unpacked
it manually and submitted the resulting .exe and got some more useful
-- Justin Azoff
-- Network Performance Analyst
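
A pre-submission triage check for the layering described in the reply above, as an added example that is not part of the original message. It assumes the RAR archive is stored as an overlay after the last PE section; the function names are hypothetical and the sample bytes are constructed for the demo.

```python
import struct

RAR_MARKER = b"Rar!\x1a\x07"  # shared prefix of the RAR 1.5-4.x and RAR 5 signatures

def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] from a PE image, or [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    out = []
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):              # truncated section table
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, raw_ptr, raw_size))
    return out

def triage(data):
    """Flag UPX section names and a RAR archive appended after the last section."""
    secs = pe_sections(data)
    upx = any(name.startswith("UPX") for name, _, _ in secs)
    end = max((ptr + size for _, ptr, size in secs), default=0)
    pos = data.find(RAR_MARKER, end) if secs else -1
    rar = pos if pos >= 0 else None
    return {"pe": bool(secs), "upx_sections": upx, "rar_overlay_at": rar,
            "unpack_first": upx or rar is not None}

def build_sample(names, overlay=b""):
    """Constructed minimal PE-like header for the demo (not a runnable executable)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    body_off = 0x40 + len(coff) + 40 * len(names)
    table = b""
    for i, n in enumerate(names):
        fields = struct.pack("<IIII", 16, 0x1000 * (i + 1), 16, body_off + 16 * i)
        table += n.encode().ljust(8, b"\0") + fields + bytes(16)
    return bytes(hdr) + coff + table + bytes(16 * len(names)) + overlay

if __name__ == "__main__":
    print(triage(build_sample(["UPX0", "UPX1", ".rsrc"], RAR_MARKER + b"\x00demo")))
```

A true `unpack_first` means the file is a candidate for manual unpacking before resubmission, as the reply describes.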