1. I double clicked on the malware.
2. I chose “Run Isolated”.
3. The FlashPlayer_11_4_update_for_Win.exe was sandboxed as “partially limited”, but the svchost.exe executed by the explorer.exe was not sandboxed.
4. I checked the autorun entries.
5. environment:
Windows XP Pro SP3 32bit
http://valkyrie.comodo.com/Result.html?sha1=25cfd9454c7b77027a278856d539f6f88222d099&&query=0&&filename=FlashPlayer_11_4_update_for_Win.exe
http://camas.comodo.com/cgi-bin/submit?file=9f1db11106b46925bb964f35719e4362b4309dbe69653fbab2a9b8481cc485d7
process tree:
malware → nothing
explorer.exe → svchost.exe
[attachment deleted by admin]
egemen
January 24, 2013, 8:40pm
#2
Hmmm good one. Thanks for the report. Can you quickly send me the sample link?
What does this malware do? Is it able to harm the system, I mean make any changes or send data? What happens if you set up the sandbox to fully virtualized?
DrHaze
January 25, 2013, 1:05am
#4
I found a copy of this but Avast blocks it. I know where to get it. But if you run it you will never really know what was done to your system…
Only “untrusted” and “fully virtualized” can block the malware.
Thank you for that info. Is it able to run in the virtualized sandbox and not harm the system, or does it not run?
It can be run in the virtualized sandbox but the explorer.exe cannot execute the svchost.exe.
Thank you for that info again. That is a really nice one, interesting!
Those are the examples where I ask myself: is it better to make the software more user-friendly or more protective!?
I would choose the second one … even though the virtualized sandbox is not user-friendly at all as the default setting, it seems you get more protection.
There is one problem in COMODO Autorun Analyser.
It cannot detect the autorun file, skype.dat.
The rating scan cannot detect it.
siketa
January 25, 2013, 9:08am
#12
Valkyrie is offline…again…
Is it a safe file?
Good to see Fully Virtual blocks this malware.
New malware
1. The svchost.exe executed by explorer.exe was not sandboxed.
2. The situation existed for a very short period.
(Maybe the autorun entry also appeared for a very short period.)
3. The event logs did not indicate the malware accessed memory of the explorer.exe:
2013-01-27 00:30:44 C:\virus\xbldnpkeg3g6sesakuzhue\xbldnpkeg3g6sesakuzhue.exe Sandboxed As Partially Limited
2013-01-27 00:30:53 C:\virus\xbldnpkeg3g6sesakuzhue\xbldnpkeg3g6sesakuzhue.exe Sandboxed As Partially Limited
4. environment:
Windows XP Pro SP3 32bit
http://camas.comodo.com/cgi-bin/submit?file=7a827d336c0fae31a751fbca444f86c54db1fc57cf2fc7cd9441e841dbf8f620
http://valkyrie.comodo.com/Result.html?sha1=32bf4c24121eb01a2b940b5525f991e57b8ca70d&&query=0&&filename=xbldnpkeg3g6sesakuzhue.exe
[attachment deleted by admin]
1. I enabled the HIPS and the safe mode.
2. In the Monitoring Settings, I checked the Protected Registry Keys only.
3. Then I added a rule for the svchost.exe.
4. I double clicked on the malware.
5. event logs:
2013-01-27 18:23:45 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited
2013-01-27 18:23:54 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited
2013-01-27 18:24:06 C:\WINDOWS\system32\svchost.exe Modify Key HKUS\S-1-5-21-448539723-261903793-1801674531-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
[attachment deleted by admin]
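The chain the last two reports describe (a dropper sandboxed as Partially Limited, then an unsandboxed svchost.exe writing the Winlogon\shell value a few seconds later) can be picked out of the event log lines quoted above. The following is an added Python example, not part of the thread or of COMODO's software: the log format is inferred from the three posted lines, and the fourth log line is a constructed benign registry change that should not be flagged.

```python
import re
from datetime import datetime, timedelta

# First three lines are the ones posted in the thread; the fourth is constructed
# (a registry write outside any logon-persistence location) to show a non-alert.
SAMPLE_LOG = r"""
2013-01-27 18:23:45 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited
2013-01-27 18:23:54 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited
2013-01-27 18:24:06 C:\WINDOWS\system32\svchost.exe Modify Key HKUS\S-1-5-21-448539723-261903793-1801674531-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
2013-01-27 18:30:00 C:\WINDOWS\system32\svchost.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Example
"""

# "<timestamp> <process path> <action> <detail>"; the process path is matched
# non-greedily so paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>.+?) "
    r"(?P<action>Sandboxed As|Modify Key) (?P<detail>.+)$"
)

# Registry locations that launch code at logon; Winlogon\shell is the one abused here.
PERSISTENCE_KEYS = (r"\Winlogon\shell", r"\Winlogon\userinit", r"\CurrentVersion\Run")

def parse(log_text):
    """Return one dict per well-formed log line, with the timestamp parsed."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def find_unsandboxed_persistence(log_text, window=timedelta(minutes=5)):
    """Flag persistence-key writes by a process that was never sandboxed itself,
    when some other process was placed in the sandbox within `window` before it."""
    sandboxed = {}  # lower-cased process path -> time it was last sandboxed
    findings = []
    for ev in parse(log_text):
        if ev["action"] == "Sandboxed As":
            sandboxed[ev["proc"].lower()] = ev["ts"]
            continue
        key = ev["detail"]
        if not any(p.lower() in key.lower() for p in PERSISTENCE_KEYS):
            continue  # not a logon-persistence location
        if ev["proc"].lower() in sandboxed:
            continue  # the writer itself was contained; lower priority
        recent = [p for p, t in sandboxed.items() if timedelta(0) <= ev["ts"] - t <= window]
        if recent:
            findings.append({"time": ev["ts"], "writer": ev["proc"],
                             "key": key, "sandboxed_before": recent})
    return findings
```

Run against the posted lines, the one finding is the 18:24:06 svchost.exe write to Winlogon\shell, 12 seconds after the dropper was sandboxed.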