Got a suspicious file? Submit it here and see what it does

hevnsnt (Lifer, joined Mar 18, 2000)
Taken from Edge:
Norman SandBox Information Center - SandBox Live
The Norman SandBox Information Center (NSIC) is based on Norman's unique SandBox technology, which makes it possible to catch viruses and other malicious software before virus signatures have been released. This powerful tool gives you the opportunity to check if there is any malware (e.g. viruses, internet worms, trojans, etc.) in the file submitted to the NSIC system.

Norman SandBox protects and serves millions of users daily through the antivirus program Norman Virus Control. The issue is not to monitor and stop possibly harmful actions at runtime, as is the case for many. The issue is to figure out what the program would have done if it had been allowed to run wild on an unprotected machine in an unprotected network.

Now, I know most AV vendors allow you to submit a file and get a result back as to what it is. But when you submit it to Norman's Sandbox, not only will it try to identify it, but it will email you back exactly what the file does!

For example, I submitted a zip file (WITH A PASSWORD) and the site was able to crack the zip and then break down each file inside. Here were my results.

From: sandbox@eunet.no
To: hevnsnt
Date: Jun 16, 2005 10:08 AM
Subject: [SANDBOX] Uploaded from web [208.10.59.221]

Norman Scanner Engine 5.82.1
Sandbox 05.82, dated 2/05-2005

Your message ID (for later reference): 2005061X-XXX

dzhxgety.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 74738 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\radmen32.exe.
* Deletes file C:\SAMPLE.EXE.

[ Changes to registry ]
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 81.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Attempts to open C:\WINDOWS\SYSTEM\radmen32.exe mElTC:\SAMPLE.EXE.
* Creates a mutex radacalaoi.

dryttwbf.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 74738 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\radmen32.exe.
* Deletes file C:\SAMPLE.EXE.

[ Changes to registry ]
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 81.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Attempts to open C:\WINDOWS\SYSTEM\radmen32.exe mElTC:\SAMPLE.EXE.
* Creates a mutex radacalaoi.

radmen32.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 74738 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\radmen32.exe.
* Deletes file C:\SAMPLE.EXE.

[ Changes to registry ]
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 81.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Attempts to open C:\WINDOWS\SYSTEM\radmen32.exe mElTC:\SAMPLE.EXE.
* Creates a mutex radacalaoi.

(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

Sent by hevnsnt to sandbox.
Received 16.June 2005 at 17.07 - processed 16.June 2005 at 17.08.
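The report above is plain text with one section per scanned file, and the three sections in it carry the same findings (same 74738-byte length, same dropped file, same Run/RunOnce values, same port and mutex). The script below, added here as an example and not part of the original post or of Norman's tooling, parses that format into indicators and groups files by identical behaviour. It assumes only the section and bullet phrasings visible in the quoted report; the `dzhxgety.exe` and `radmen32.exe` sections in the sample are copied from the post, while `sample_c.exe` is a constructed section added so there is a second behaviour class to separate.

```python
"""Parse a Norman SandBox mail report (the format quoted above) into indicators.
Added example, not Norman's or the poster's code; it knows only the bullet
phrasings visible in that report and keeps anything else verbatim under "other"."""
import re
from collections import defaultdict

# Sample input: dzhxgety.exe and radmen32.exe sections copied from the post's report
# (blank lines dropped); sample_c.exe is constructed so the grouping has a second class.
SAMPLE_REPORT = r"""
dzhxgety.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
[ General information ]
* File length: 74738 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\radmen32.exe.
* Deletes file C:\SAMPLE.EXE.
[ Changes to registry ]
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 81.
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Creates a mutex radacalaoi.
radmen32.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
[ General information ]
* File length: 74738 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\radmen32.exe.
* Deletes file C:\SAMPLE.EXE.
[ Changes to registry ]
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "RadmenDriverKey"="radmen32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 81.
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Creates a mutex radacalaoi.
sample_c.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
* Possible backdoor functionality [UNKNOWN] port 8080.
"""

FILE_HEADER = re.compile(r"^(\S+) : \[SANDBOX\] (.+)$")
BULLET = re.compile(r"^\* (.+?)\.?$")  # strips the trailing period only
REG_VALUE = re.compile(r'Creates value "([^"]+)"="([^"]*)" in key "([^"]+)"')
PATTERNS = {  # bullet phrasing from the report -> indicator category
    "file_created": re.compile(r"Creates file (.+)"),
    "file_deleted": re.compile(r"Deletes file (.+)"),
    "mutex": re.compile(r"Creates a mutex (\S+)"),
    "listen_port": re.compile(r"backdoor functionality \[.*?\] port (\d+)"),
    "size": re.compile(r"File length: (\d+) bytes"),
}

def parse_report(text):
    """Split the mail body into {filename: {"verdict": str, "bullets": [str]}}."""
    files, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_HEADER.match(line):
            current = files.setdefault(m.group(1), {"verdict": m.group(2), "bullets": []})
        elif current is not None and (m := BULLET.match(line)):
            current["bullets"].append(m.group(1))  # "[ ... ]" section headers are skipped
    return files

def extract_iocs(entry):
    """Classify one file's bullets; flags Run/RunOnce persistence and self-deletion."""
    iocs = defaultdict(list)
    for bullet in entry["bullets"]:
        if m := REG_VALUE.search(bullet):
            name, data, key = m.groups()
            iocs["registry"].append((key, name, data))
            if key.rsplit("\\", 1)[-1] in ("Run", "RunOnce"):
                scope = "machine" if key.upper().startswith("HKLM") else "user"  # HKLM fires for every user
                iocs["persistence"].append((scope, key.rsplit("\\", 1)[-1]))
            continue
        for cat, pat in PATTERNS.items():
            if m := pat.search(bullet):
                value = m.group(1)
                # the sandbox runs the submitted file as C:\SAMPLE.EXE, so deleting
                # it is the dropper removing its own original, not damage to user data
                if cat == "file_deleted" and value.upper() == r"C:\SAMPLE.EXE":
                    cat = "self_delete"
                iocs[cat].append(value)
                break
        else:
            iocs["other"].append(bullet)
    return dict(iocs)

def fingerprint(iocs):
    """Hashable behaviour summary that ignores the submitted filename."""
    return tuple(sorted((cat, str(v)) for cat, vals in iocs.items() if cat != "other" for v in vals))

def group_identical(text):
    """Map each distinct behaviour fingerprint to the files that share it."""
    groups = defaultdict(list)
    for name, entry in parse_report(text).items():
        groups[fingerprint(extract_iocs(entry))].append(name)
    return dict(groups)
```

Calling `group_identical(SAMPLE_REPORT)` puts `dzhxgety.exe` and `radmen32.exe` in one group and `sample_c.exe` in another; `extract_iocs` on either of the first two yields the port, mutex, dropped path and both persistence entries (`machine`/`Run` and `user`/`RunOnce`) as data you can feed to a host check rather than re-reading the mail by eye.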