[ DetectionInfo ]
* Filename: C:analyzerscanphoto1226.jpeg-www.myspace.com.
* Sandbox name: W32/Malware.
* Signature name: W32/Smalltroj.IBZS.
* Compressed: YES.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 19968 bytes.
* MD5 hash: 2e65abd884a33faac83805de140a7ef6.
[ Changes to filesystem ]
* Creates file C:DOCUME~1SANDBOXljui.exe.
* Creates file C:WINDOWSSYSTEM32btalxmk.exe.
* Creates file C:WINDOWSTEMPremoveMe8773.bat.
* Deletes file “c:sample.exe”>nul.
* Deletes file “%%0”.
[ Changes to registry ]
* Accesses Registry key “HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun”.
* Accesses Registry key “HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon”.
* Modifies value “UserInit”=”C:WINDOWSsystem32userinit.exe,C:DOCUME~1SANDBOXljui.exe o” in key “HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon”.
* Creates value “btalxmk”=”C:WINDOWSSYSTEM32btalxmk.exe j” in key “HKLMSoftwareMicrosoftWindowsCurrentVersionRun”.
* Accesses Registry key “HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBitBucket”.
[ Network services ]
* Connects to “78.109.16.250” on port 443 (IP).
* Sends data over port 443 (SSL).
[ Process/window information ]
* Creates a mutex _MSBLMutex_.
* Will automatically restart after boot (I’ll be back…).
* Attemps to NULL C:WINDOWSSYSTEM32btalxmk.exe b.
* Creates process “btalxmk.exe”.
* Attemps to NULL C:WINDOWSTEMPremoveMe8773.bat NULL.
* Creates process “CMD.EXE”.
* Checks if privilege “SeDebugPrivilege” is available.
* Enables privilege SeDebugPrivilege.
[ Signature Scanning ]
* C:DOCUME~1SANDBOXljui.exe (19968 bytes) : W32/Smalltroj.IBZS.
* C:WINDOWSSYSTEM32btalxmk.exe (19968 bytes) : W32/Smalltroj.IBZS.
* C:WINDOWSTEMPremoveMe8773.bat (112 bytes) : no signature detection.
here the exe file if u want to play with it 🙂
http://rapidshare.de/files/47083628/photo1226.jpeg-www.myspace.com.html
thewhizgeek - May 11, 2009 at 7:48 am
wonderful team …, great work