168.0.2" on port 3127 (TCP).
* Connects to "192.168.0.3" on port 3127 (TCP).
* Connects to "192.168.0.4" on port 3127 (TCP).
* Connects to "230.90.214.20" on port 3127 (TCP).
* Connects to "230.90.214.21" on port 3127 (TCP).
* Connects to "230.90.214.22" on port 3127 (TCP).
* Connects to "230.90.214.23" on port 3127 (TCP).
[ Process/window information ]
* Creates a mutex sync-Z-mtx_133.
* Will automatically restart after boot (I'll be back...).
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\intrenat.exe (36864 bytes) : Doomjuice.A.
(C) 2004-2006 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source
only.
Wow, this report has quite useful information, confirms all of our findings, and indicates
that we have captured a variant of the Doomjuice.A worm (which exploits existing
MyDoom victims). We can see the basic steps the worm performs. In fact, in many cases,
the sandbox report will suffice and save us from having to manually analyze the malware.
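To turn a report like this into indicators a SIEM or blocklist can consume, here is an added example (not from the book, Nepenthes or Norman) that parses the Norman SandBox report layout shown above; the excerpt and its "[ Network services ]" heading are constructed.

```python
import re
from collections import Counter

# Constructed excerpt in the Norman SandBox layout shown above; the first heading is assumed.
SAMPLE_REPORT = """\
[ Network services ]
 * Connects to "192.168.0.3" on port 3127 (TCP).
 * Connects to "192.168.0.4" on port 3127 (TCP).
 * Connects to "230.90.214.20" on port 3127 (TCP).
[ Process/window information ]
 * Creates a mutex sync-Z-mtx_133.
 * Will automatically restart after boot (I'll be back...).
[ Signature Scanning ]
 * C:\\WINDOWS\\SYSTEM32\\intrenat.exe (36864 bytes) : Doomjuice.A.
"""

CONNECT_RE = re.compile(r'Connects to "([\d.]+)" on port (\d+) \((TCP|UDP)\)')
MUTEX_RE = re.compile(r'Creates a mutex (\S+?)\.?$')
SIG_RE = re.compile(r'^\s*\*\s*(.+?) \((\d+) bytes\) : (.+?)\.?$')

def parse_report(text):
    """Walk the bracketed sections and collect the indicators a defender cares about."""
    result = {"connections": [], "mutexes": [], "persistence": False, "signatures": []}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[] ").lower()   # e.g. "signature scanning"
            continue
        m = CONNECT_RE.search(line)
        if m:
            result["connections"].append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = MUTEX_RE.search(line)
        if m:
            result["mutexes"].append(m.group(1))
            continue
        if "automatically restart after boot" in line:
            result["persistence"] = True
            continue
        if section == "signature scanning":
            m = SIG_RE.match(line)
            if m:
                result["signatures"].append((m.group(1), int(m.group(2)), m.group(3)))
    return result

def port_summary(parsed):
    """Count connections per proto/port so a worm's single-port scan pattern stands out."""
    ports = Counter((proto, port) for _, port, proto in parsed["connections"])
    return {f"{proto}/{port}": n for (proto, port), n in ports.items()}
```

The mutex name, the persistence flag and the per-port counts are the fields worth feeding into host and network detection rules.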
NOTE You might have noticed the Nepenthes configuration files also send a copy of the malware to the Nepenthes sandbox at luigi.informatik.uni-mannheim.de. You may remove that destination from the submit-norman.