bypass v5.10 (destroy IE8, .bat file)

I double click on the .bat file.

2. The logs for Defense+

2012-06-09 22:33:41 C:\Documents and Settings\Roger\桌面\virus\88\88.bat Sandboxed As Partially Limited
2012-06-09 22:33:42 C:\WINDOWS\system32\conime.exe Sandboxed As Partially Limited
2012-06-09 22:33:42 C:\WINDOWS\system32\cmd.exe Sandboxed As Partially Limited
2012-06-09 22:33:43 C:\WINDOWS\system32\cmd.exe Sandboxed As Partially Limited
2012-06-09 22:33:43 C:\WINDOWS\system32\debug.exe Sandboxed As Partially Limited
2012-06-09 22:33:47 C:\WINDOWS\system32\chcp.com Sandboxed As Partially Limited
2012-06-09 22:33:48 C:\WINDOWS\system32\graftabl.com Sandboxed As Partially Limited
2012-06-09 22:33:49 C:\WINDOWS\system32\regsvr32.exe Sandboxed As Partially Limited
2012-06-09 22:33:49 C:\WINDOWS\system32\advpack.dll Sandboxed As Partially Limited
2012-06-09 22:33:50 C:\WINDOWS\system32\advpack.dll Sandboxed As Partially Limited
2012-06-09 22:33:50 C:\WINDOWS\system32\regsvr32.exe Sandboxed As Partially Limited
2012-06-09 22:33:51 C:\WINDOWS\system32\wininet.dll Sandboxed As Partially Limited
2012-06-09 22:33:52 C:\WINDOWS\system32\comcat.dll Sandboxed As Partially Limited
2012-06-09 22:33:52 C:\WINDOWS\system32\regsvr32.exe Sandboxed As Partially Limited
2012-06-09 22:33:52 C:\WINDOWS\system32\regsvr32.exe Sandboxed As Partially Limited
2012-06-09 22:33:52 C:\WINDOWS\system32\asctrls.ocx Sandboxed As Partially Limited
2012-06-09 22:33:53 C:\WINDOWS\system32\oleaut32.dll Sandboxed As Partially Limited
2012-06-09 22:33:54 C:\WINDOWS\system32\shdocvw.dll Sandboxed As Partially Limited
2012-06-09 22:33:55 C:\WINDOWS\system32\shdocvw.dll Sandboxed As Partially Limited
2012-06-09 22:33:55 C:\WINDOWS\system32\browseui.dll Sandboxed As Partially Limited
2012-06-09 22:33:56 C:\WINDOWS\system32\browseui.dll Sandboxed As Partially Limited
2012-06-09 22:33:56 C:\WINDOWS\system32\msrating.dll Sandboxed As Partially Limited
2012-06-09 22:33:57 C:\WINDOWS\system32\mlang.dll Sandboxed As Partially Limited
2012-06-09 22:33:57 C:\WINDOWS\system32\hlink.dll Sandboxed As Partially Limited
2012-06-09 22:33:58 C:\WINDOWS\system32\mshtml.dll Sandboxed As Partially Limited
2012-06-09 22:33:59 C:\WINDOWS\system32\mshtmled.dll Sandboxed As Partially Limited
2012-06-09 22:34:00 C:\WINDOWS\system32\urlmon.dll Sandboxed As Partially Limited
2012-06-09 22:34:00 C:\WINDOWS\system32\regsvr32.exe Sandboxed As Partially Limited
2012-06-09 22:34:00 C:\WINDOWS\system32\sendmail.dll Sandboxed As Partially Limited
2012-06-09 22:34:01 C:\WINDOWS\system32\comctl32.dll Sandboxed As Partially Limited
2012-06-09 22:34:01 C:\WINDOWS\system32\inetcpl.cpl Sandboxed As Partially Limited
2012-06-09 22:34:03 C:\WINDOWS\system32\mshtml.dll Sandboxed As Partially Limited
2012-06-09 22:34:04 C:\WINDOWS\system32\scrobj.dll Sandboxed As Partially Limited

2012-06-09 22:34:09 C:\WINDOWS\system32\asctrls.ocx Modify Key HKLM\SOFTWARE\Classes\CLSID\{6E449683-C509-11CF-AAFA-00AA00B6015C}\Control
2012-06-09 22:34:09 C:\WINDOWS\system32\shdocvw.dll Modify Key HKLM\SOFTWARE\Classes\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
2012-06-09 22:34:09 C:\WINDOWS\system32\browseui.dll Modify Key HKLM\SOFTWARE\Classes\CLSID\{30D02401-6A81-11d0-8274-00C04FD5AE38}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
2012-06-09 22:34:09 C:\WINDOWS\system32\mlang.dll Modify Key HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
2012-06-09 22:34:09 C:\WINDOWS\system32\hlink.dll Modify Key HKLM\SOFTWARE\Classes\CLSID\{79eac9d1-baf9-11ce-8c82-00aa004ba90b}\InprocServer32
2012-06-09 22:34:09 C:\WINDOWS\system32\mshtmled.dll Modify Key HKLM\SOFTWARE\Classes\CLSID\{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}\ProgID
2012-06-09 22:34:09 C:\WINDOWS\system32\urlmon.dll Modify Key HKLM\SOFTWARE\Classes\CLSID\{c733e4af-576e-11d0-b28c-00c04fd7cd22}\InprocServer32
2012-06-09 22:34:09 C:\WINDOWS\system32\sendmail.dll Modify Key HKLM\SOFTWARE\Classes\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}\shellex\DropHandler
2012-06-09 22:34:09 C:\WINDOWS\system32\sendmail.dll Modify File C:\Documents and Settings\Roger\SendTo\郵件收件者.MAPIMail
2012-06-09 22:34:09 C:\WINDOWS\system32\sendmail.dll Modify Key HKLM\SOFTWARE\Classes\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\shellex\DropHandler
2012-06-09 22:34:09 C:\WINDOWS\system32\sendmail.dll Modify File C:\Documents and Settings\Roger\SendTo\桌面當作捷徑.DeskLink
2012-06-09 22:34:09 C:\WINDOWS\system32\scrobj.dll Modify Key HKLM\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

https://valkyrie.comodo.com/Result.html?sha1=a1be7d68dce5d8a589f44a84555cece9b1d4df03&&query=0&&filename=88.bat

4. Environment:
Windows XP SP3 32-bit

IE8

5. Problems:
(1) My IE8 is broken.

(2) Comodo does not protect the files by default:

?:\Documents and Settings\user\SendTo*

No response from COMODO for a256886572008's bypass series???

IE8 can be protected after the user manually sandboxes the .bat file.
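As an added detection example (not code from this thread or from Comodo), the script below parses Defense+ log lines in the format quoted above and flags the chain the log shows from a defender's side: a batch script auto-sandboxed at a low restriction level, the signed system binaries it drives (regsvr32.exe, debug.exe), machine-wide COM registration changes under HKLM\SOFTWARE\Classes\CLSID, and writes into the user's SendTo folder that the post says is unprotected by default. The line format is inferred from the posted log, the sample lines are constructed (paths simplified to ASCII), and the second run at the Limited level is invented to show that the chain rule keys on the restriction level, which is what the thread's later tests turn on.

```python
"""Parse Comodo Defense+ sandbox log lines (format inferred from the thread)
and flag the low-restriction script -> regsvr32/debug -> HKLM CLSID / SendTo
pattern. Sample log is constructed; this is not Comodo's own tooling."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# "<date> <time> <process path> <action> <target>". Process paths can contain
# spaces, so the path is matched non-greedily up to a known extension that is
# immediately followed by one of the three action phrases seen in the log.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[A-Za-z]:\\.*?\.(?:bat|cmd|exe|com|dll|ocx|cpl)) "
    r"(?P<action>Sandboxed As|Modify Key|Modify File) "
    r"(?P<target>.+)$",
    re.IGNORECASE,
)
LOW_RESTRICTION_LEVELS = {"partially limited"}          # the level that failed
SCRIPT_DRIVEN_BINARIES = {"regsvr32.exe", "debug.exe"}  # binaries the .bat drove
SCRIPT_EXTENSIONS = (".bat", ".cmd")


@dataclass
class Event:
    ts: datetime
    process: str
    action: str
    target: str

    @property
    def basename(self) -> str:
        return self.process.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Event]:
    """One log line -> Event, or None when the line does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                 process=m["proc"], action=m["action"].title(),
                 target=m["target"].strip())


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def script_chains(events: List[Event],
                  window: timedelta = timedelta(seconds=30)) -> List[Tuple[str, str, int]]:
    """Script sandboxed at a low restriction level followed, within `window`,
    by a script-driven system binary. Returns (script, binary, seconds after)."""
    findings = []
    for s in events:
        if (s.action != "Sandboxed As" or s.target.lower() not in LOW_RESTRICTION_LEVELS
                or not s.basename.endswith(SCRIPT_EXTENSIONS)):
            continue
        for e in events:
            if (e.action == "Sandboxed As" and e.basename in SCRIPT_DRIVEN_BINARIES
                    and s.ts <= e.ts <= s.ts + window):
                findings.append((s.basename, e.basename,
                                 int((e.ts - s.ts).total_seconds())))
    return findings


def hklm_clsid_changes(events: List[Event]) -> List[str]:
    """Machine-wide COM class registration changes (HKLM, not the user's hive)."""
    prefix = "hklm\\software\\classes\\clsid\\"
    return [e.target for e in events
            if e.action == "Modify Key" and e.target.lower().startswith(prefix)]


def sendto_writes(events: List[Event]) -> List[str]:
    """Files written under a SendTo folder (unprotected by default per the post)."""
    return [e.target for e in events
            if e.action == "Modify File" and "\\sendto\\" in e.target.lower()]


def analyze(text: str) -> Dict[str, list]:
    events = parse_log(text)
    return {"script_chains": script_chains(events),
            "hklm_clsid_changes": hklm_clsid_changes(events),
            "sendto_writes": sendto_writes(events)}


# Constructed sample: the first six lines follow the posted log (ASCII paths);
# the last two are an invented second run at the Limited level.
SAMPLE_LOG = r"""
2012-06-09 22:33:41 C:\Documents and Settings\Roger\Desktop\virus\88\88.bat Sandboxed As Partially Limited
2012-06-09 22:33:42 C:\WINDOWS\system32\cmd.exe Sandboxed As Partially Limited
2012-06-09 22:33:43 C:\WINDOWS\system32\debug.exe Sandboxed As Partially Limited
2012-06-09 22:33:49 C:\WINDOWS\system32\regsvr32.exe Sandboxed As Partially Limited
2012-06-09 22:34:09 C:\WINDOWS\system32\asctrls.ocx Modify Key HKLM\SOFTWARE\Classes\CLSID\{6E449683-C509-11CF-AAFA-00AA00B6015C}\Control
2012-06-09 22:34:09 C:\WINDOWS\system32\sendmail.dll Modify File C:\Documents and Settings\Roger\SendTo\Mail Recipient.MAPIMail
2012-06-09 22:40:00 C:\Documents and Settings\Roger\Desktop\virus\88\88.bat Sandboxed As Limited
2012-06-09 22:40:05 C:\WINDOWS\system32\regsvr32.exe Sandboxed As Limited
"""

if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On the sample, the chain rule reports 88.bat followed by debug.exe (2 s) and regsvr32.exe (8 s) from the Partially Limited run only; the Limited run triggers nothing, matching the thread's result that the higher level passes. The other two rules each return the one HKLM CLSID key and the one SendTo file from the sample, which is the kind of change a "Partially Limited" process should not be able to make to the real system.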

Try increasing the sandbox to limited and test, then restricted and test again, and let us know if any of that works. I bet it has to do with the partially limited setting.

1. auto sandbox:
   partially limited → fail
   limited → pass
   restricted → pass
   untrusted → pass

2. manually sandbox:
   all levels → pass

There you go, basically not a true bypass, just an issue with a low-restriction sandbox. Which is technically not an issue.

The default setting for the auto sandbox is partially limited right ?

Yup, I recommend cranking it up at least to limited.

Enabling the two functions for auto sandboxed processes would be better.

Erm, this is enabled by default… why did you have it disabled?

He is saying those functions should work for the auto sandbox. Currently they apply to only the manual sandbox.

For the latter we’ll have to wait for v6.

I’m hoping that V6 will fix nearly all of these problems. I guess we’ll just have to wait and see.