Bypass V6 partially limited, limited, restricted and HIPS (New Method)

  1. I double clicked on the malware.

  2. I chose “Run Isolated”.

  3. The FlashPlayer_11_4_update_for_Win.exe was sandboxed as “partially limited”, but the svchost.exe executed by the explorer.exe was not sandboxed.

  4. I checked the autorun entries.

Windows XP Pro SP3 32bit

  5. process tree:
    malware → nothing
    explorer.exe → svchost.exe

[attachment deleted by admin]

Hmmm good one. Thanks for the report. Can you quickly send me the sample link?

What does this malware do? Is it able to harm the system, I mean any changes or sending data? What happens if you set up the sandbox to fully virtualized?

I found a copy of this but avast blocks it. I know where to get it. But if you run it you will never really know what was done to your system…

Only “untrusted” and “fully virtualized” can block the malware.

Thank you for that info. Is it able to run in the virtualized sandbox and not harm the system, or does it not run?

It can be run in the virtualized sandbox but the explorer.exe can not execute the svchost.exe.

Thank you for that info again. That is a really nice one, interesting! :slight_smile:

Those are the examples where I ask myself: is it better to make the software more usability friendly or more protective!?

I would choose the second one :slight_smile: … even though the virtualized sandbox is not user-friendly at all with the default settings, it seems you get more protection.

  1. There is one problem in COMODO Autorun Analyser.

It can not detect the autorun file, skype.dat

  2. The rating scan can not detect it.

  3. I tested the malware with Malware Defender.

2013/1/25 15:50:59 Create new process Permitted Process: c:\windows\explorer.exe Target: c:\virus\flashplayer_11_4_update_for_win\flashplayer_11_4_update_for_win.exe Cmd line: "C:\virus\FlashPlayer_11_4_update_for_Win\FlashPlayer_11_4_update_for_Win.exe" Rule: [App]*

2013/1/25 15:51:10 Access memory of another process Denied
Process: c:\virus\flashplayer_11_4_update_for_win\flashplayer_11_4_update_for_win.exe
Target: c:\windows\explorer.exe
Rule: [App]*

  4. DefenseWall HIPS can block it.

DefenseWall log file

01.25.2013 20:26:13, module C:\virus\FlashPlayer119\FlashPlayer119.exe, Attempt to open process C:\WINDOWS\explorer.exe (Process)

01.25.2013 20:26:13, module C:\virus\FlashPlayer119\FlashPlayer119.exe, Open process memory allocation error (Memory)

  5. Private firewall V7

  6. Online Armor

  7. Outpost Firewall Pro V8

  8. KIS 2013

  9. Maybe the bug is the “interprocess memory accesses”
  1. A new sample

  2. It was not detected by CAV 15039

  3. It does not request unlimited access to the PC

Valkyrie is offline… again… :frowning:
Is it a safe file?

CIMA can not analyse PE 64 File (malware).

Good to see Fully Virtual blocks this malware.

  1. New malware

  2. The svchost.exe executed by explorer.exe was not sandboxed.

  3. The situation existed in a very short period.
    (Maybe the autorun entry also appear in a very short period.)

  4. The event logs did not indicate the malware accessed memory of the explorer.exe

2013-01-27 00:30:44 C:\virus\xbldnpkeg3g6sesakuzhue\xbldnpkeg3g6sesakuzhue.exe Sandboxed As Partially Limited

2013-01-27 00:30:53 C:\virus\xbldnpkeg3g6sesakuzhue\xbldnpkeg3g6sesakuzhue.exe Sandboxed As Partially Limited

Windows XP Pro SP3 32bit

[attachment deleted by admin]

  1. I enabled the HIPS and the safe mode.

  2. In the Monitoring Settings, I checked the Protected Registry Keys only.

  3. Then I added a rule for the svchost.exe.

  4. I double clicked on the malware.

  5. event logs:

2013-01-27 18:23:45 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited

2013-01-27 18:23:54 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited

2013-01-27 18:24:06 C:\WINDOWS\system32\svchost.exe Modify Key HKUS\S-1-5-21-448539723-261903793-1801674531-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

[attachment deleted by admin]
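As an added example (not code from this thread or from Comodo), a small checker that parses event-log lines in the format quoted in this post, flags writes to the Winlogon Shell or Userinit values (the logon autostart location the svchost.exe entry above modifies), and correlates each write with the sandboxed launch that preceded it. The log lines are constructed after the ones in this post; the helper names are mine.

```python
import re
from datetime import datetime

# Constructed sample in the format of the CIS event log lines quoted in this thread.
# The last line is a benign registry write added so the filter has something to ignore.
SAMPLE_LOG = """\
2013-01-27 18:23:45 C:\\virus\\mpneeamp66r1acnt037iq7\\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited
2013-01-27 18:23:54 C:\\virus\\mpneeamp66r1acnt037iq7\\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited
2013-01-27 18:24:06 C:\\WINDOWS\\system32\\svchost.exe Modify Key HKUS\\S-1-5-21-448539723-261903793-1801674531-1003\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\shell
2013-01-27 18:25:00 C:\\WINDOWS\\system32\\svchost.exe Modify Key HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters
"""

# <timestamp> <process path without spaces> <action> <detail>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (Sandboxed As|Modify Key) (.+)$")

# Winlogon values that Windows executes at logon; a write here is a persistence indicator.
WINLOGON_AUTOSTART = re.compile(r"\\Winlogon\\(shell|userinit)$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one event-log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, path, action, detail = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "process": path, "action": action, "detail": detail}


def find_persistence(log_text, window_seconds=60):
    """Flag Winlogon autostart writes and tie each to a sandboxed launch within the window.

    A write performed by a trusted system binary (svchost.exe here) shortly after an
    untrusted file was sandboxed is the pattern this thread describes: the sandboxed
    process reaches a non-sandboxed one, which then does the persistence work.
    """
    findings, last_sandboxed = [], None
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] == "Sandboxed As":
            last_sandboxed = ev
        elif WINLOGON_AUTOSTART.search(ev["detail"]):
            f = {"time": ev["time"], "process": ev["process"], "key": ev["detail"],
                 "sandboxed_origin": None, "seconds_since_sandbox": None}
            if last_sandboxed is not None:
                delta = (ev["time"] - last_sandboxed["time"]).total_seconds()
                if delta <= window_seconds:
                    f["sandboxed_origin"] = last_sandboxed["process"]
                    f["seconds_since_sandbox"] = delta
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_LOG):
        print(f)
```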