FBI Virus took over computer even though in sandbox.

A friend of mine that has Comodo CIS on her computer just today got the FBI Virus malware.

She was on a website and Comodo popped up and said 2832901.dll had been auto-sandboxed as Partially Limited. Then a bunch of 7b4w.dat entries were sandboxed.
It instantly took over her computer. She ended up having to boot into safe mode and download Malwarebytes to remove the virus.

First off, this malware has been out for some time and should have easily been detected. Secondly, how did it take over her computer even though it was running in the sandbox?

She uses Comodo CIS default settings.
Windows 7 64-bit.

Edit: Removed link to picture, ■■■■ upload site was hacked…
Edit2: Site back up, link repaired.

Did the malware start with Windows after the system reboot?

Yes it started with windows after a reboot.

That should not be possible. I don’t suppose you have a copy of the malware you could send to me, do you?

Also, sadly, Limited or above is necessary in order to prevent Crypters from encrypting information. Did she lose any files due to this?

No she didn’t lose anything thankfully.

And that’s what I thought too, Chiron, that after a reboot the malware should have been inactive.
She’s sleeping at the moment since she works third shift. When she wakes I’ll message her and see if I can find more info about the malware, aka what site she was on and such.

Also she mentioned that the Comodo log was filled with tons of stuff that happened all in just a couple seconds, literally like a hundred entries in the log.
I’ll get a copy of her log too.

Oh, I should have mentioned that Partially Limited can block some crypters, but not all. Limited should be able to block all.

However, luckily it looks like Partially Limited was able to protect her computer from any real harm. What worries me at this point is why it was able to start with the computer. If you do get a link to potentially dangerous material please do not post it in the forum. Just send me a PM with the link.

Thank you.

Chiron, I don’t think Partially Limited protected her at all. The malware fully infected her system. It was unusable.

Here is some info on this type of ransomware:

Thankfully she could boot into safe mode and dl MB to fix her system.

Odd thing is, a few months ago I had her CIS set up according to your article. But I asked her to check it and she was under default settings. Don’t know why it changed.

Sorry, what I had really meant is that it protected the files from being encrypted. That would have been much much more difficult to recover from.

Strange, perhaps one of the updates reverted it back to default settings. It shouldn’t have, but perhaps that’s what happened.

I too think it’s not possible. I know there is malware which can bypass the auto-sandbox at default, i.e. Partially Limited, but about this I think it’s not possible for some reasons. It would be good if we got the malware to test.

Please, don’t think that I am doubting anyone. If I hurt anyone in any way, I’m extremely sorry.

It’s just that I have tested many FBI viruses posted on malwaretips and other forums I found or stumbled upon against CIS 6, and other ransomware too. None of the FBI viruses were active after reboot. Other ransomware were also not active after reboot. But yes, with some ransomware I noticed HitmanPro finding ransomware in recycler (I noticed a recent thread about this in the forum here).

No worries Naren. :slight_smile:

I agree with you and it’s why I even made this thread. No way the malware should have been active after reboot.

She should be waking up soon and I’ll ask more questions.

  1. I ran the .dll malware with the following command line:
    regsvr32.exe "C:\6472289.dll"

http://valkyrie.comodo.com/Result.html?sha1=89b690c568bc758be89d1fdb3f37f0a4b5710d43&&query=0&&filename=6472289.dll

  2. Logs:
2013-06-09 08:44:54 C:\6472289.dll Sandboxed As Partially Limited

2013-06-09 08:44:57 C:\Documents and Settings\All Users\Application Data\19cojm.dat Sandboxed As Partially Limited

2013-06-09 08:45:13 C:\Documents and Settings\All Users\Application Data\19cojm.dat Modify File C:\Documents and Settings\Roger\「開始」功能表\程式集\啟動\regmonstd.lnk

2013-06-09 08:45:13 C:\Documents and Settings\All Users\Application Data\19cojm.dat Modify Key HKUS\S-1-5-21-1390067357-492894223-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon32.exe

2013-06-09 08:45:15 C:\Program Files\Internet Explorer\IEXPLORE.EXE Sandboxed As Partially Limited

2013-06-09 08:45:18 C:\Documents and Settings\All Users\Application Data\19cojm.dat Modify Key HKUS\S-1-5-21-1390067357-492894223-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609

2013-06-09 08:45:21 C:\WINDOWS\system32\ctfmon.exe Sandboxed As Partially Limited

2013-06-09 08:45:33 C:\Program Files\Internet Explorer\iexplore.exe Modify Key HKU\Software\Classes\CLSID{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA}\InprocServer32

2013-06-09 08:45:33 C:\Program Files\Internet Explorer\iexplore.exe Modify Key HKUS\S-1-5-21-1390067357-492894223-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

2013-06-09 08:45:33 C:\WINDOWS\system32\ctfmon.exe Modify Key HKUS\S-1-5-21-1390067357-492894223-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe

2013-06-09 08:45:33 C:\Program Files\Internet Explorer\iexplore.exe Modify Key HKUS\S-1-5-21-1390067357-492894223-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

2013-06-09 08:45:44 C:\PROGRA~1\WINDOW~2\wmplayer.exe Sandboxed As Partially Limited

2013-06-09 08:46:16 C:\Documents and Settings\All Users\Application Data\19cojm.dat Modify Key HKLM\SYSTEM\ControlSet001\Services\winmgmt\Parameters\ServiceDll

2013-06-09 08:46:44 C:\Program Files\Internet Explorer\iexplore.exe Access COM Interface C:\Program Files\Internet Explorer\iexplore.exe

  3. There are four autorun entries made by the malware.

  4. In XP SP3 32-bit, the malware did not bypass Comodo.

Please PM me with the malware so I can test under windows 8 64 bit.
Thank you.

Thank you a256886572008.

I tested the malware under Windows 8 Enterprise 64-bit, with CIS set to default settings.

Ran the malware and got the Partially Limited pop up.

2013-06-08 22:31:17 	C:\Windows\regedit.exe 	Modify Key 	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell 
2013-06-08 22:31:17 	C:\Windows\SysWOW64\ctfmon.exe 	Modify Key 	HKUS\S-1-5-21-4128840840-774333148-3622101397-1001\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe 
2013-06-08 22:31:17 	C:\ProgramData\fo7azd.dat 	Modify Key 	HKLM\SYSTEM\ControlSet001\Control\MediaResources 
2013-06-08 22:31:17 	C:\ProgramData\fo7azd.dat 	Access Memory 	System 
2013-06-08 22:31:17 	C:\ProgramData\fo7azd.dat 	Access Memory 	System 
2013-06-08 22:31:14 	C:\Windows\SysWOW64\ctfmon.exe 	Sandboxed As 	Partially Limited 
2013-06-08 22:31:13 	C:\ProgramData\fo7azd.dat 	Sandboxed As 	Partially Limited 
2013-06-08 22:31:12 	C:\ProgramData\fo7azd.dat 	Sandboxed As 	Partially Limited 
2013-06-08 22:31:02 	C:\Windows\SysWOW64\regsvr32.exe 	Scanned and Found Safe 	 
2013-06-08 22:30:26 	C:\ProgramData\fo7azd.dat 	Modify File 	C:\Users\Terry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk 
2013-06-08 22:30:26 	C:\ProgramData\fo7azd.dat 	Modify Key 	HKUS\S-1-5-21-4128840840-774333148-3622101397-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 
2013-06-08 22:30:26 	C:\ProgramData\fo7azd.dat 	Modify Key 	HKUS\S-1-5-21-4128840840-774333148-3622101397-1001\Software\Microsoft\Windows\CurrentVersion\Run 
2013-06-08 22:30:26 	C:\Program Files\Internet Explorer\iexplore.exe 	Modify Key 	HKUS\S-1-5-21-4128840840-774333148-3622101397-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
2013-06-08 22:30:26 	C:\Program Files\Internet Explorer\iexplore.exe 	Access COM Interface 	C:\Windows\System32\SearchIndexer.exe 
2013-06-08 22:30:26 	C:\Program Files\Internet Explorer\iexplore.exe 	Modify Key 	HKUS\S-1-5-21-4128840840-774333148-3622101397-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
2013-06-08 22:30:26 	C:\Windows\System32\ctfmon.exe 	Modify Key 	HKUS\S-1-5-21-4128840840-774333148-3622101397-1001\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe 
2013-06-08 22:30:16 	C:\Windows\system32\ctfmon.exe 	Sandboxed As 	Partially Limited 
2013-06-08 22:30:15 	C:\Program Files\Internet Explorer\iexplore.exe 	Sandboxed As 	Partially Limited 
2013-06-08 22:30:13 	C:\ProgramData\fo7azd.dat 	Sandboxed As 	Partially Limited 
2013-06-08 22:30:13 	C:\ProgramData\fo7azd.dat 	Sandboxed As 	Partially Limited 
2013-06-08 22:30:13 	C:\ProgramData\fo7azd.dat 	Sandboxed As 	Partially Limited 
2013-06-08 22:30:13 	C:\ProgramData\fo7azd.dat 	Sandboxed As 	Partially Limited 
2013-06-08 22:30:13 	C:\ProgramData\fo7azd.dat 	Sandboxed As 	Partially Limited 
2013-06-08 22:30:11 	C:\ProgramData\fo7azd.dat 	Sandboxed As 	Partially Limited 
2013-06-08 22:30:10 	C:\Test\6472289.dll 	Sandboxed As 	Partially Limited 
2013-06-08 22:30:10 	C:\Test\6472289.dll 	Sandboxed As 	Partially Limited 

Held down power button for 4 seconds to shut down computer. Powered computer back up and all was fine.
So Comodo protected me from this virus.
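The autostart writes in the two logs posted above can be picked out mechanically. What follows is an added Python example, not code from this thread or from Comodo: it parses tab-separated entries of the shape quoted above (timestamp, process, action, target), flags writes to the autostart locations those logs show being touched (Run keys, the Startup folder, Winlogon\Shell, a service's ServiceDll) and records whether the writing process had itself been logged as sandboxed. The SID, user name and file names in the sample lines are constructed placeholders, and the pattern names and function names are my own.

```python
"""Flag persistence (autostart) writes in Comodo-style Defense+ log lines.

Added example for this thread, not Comodo's code. It assumes the
tab-separated layout quoted above: timestamp, process, action, target.
The sample log below is constructed to mirror those posts (placeholder
SID, user and file names); the XP-era space-separated layout is not handled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Autostart locations seen in the quoted logs. Case-insensitive and
# hive/SID-agnostic on purpose. The Startup-folder pattern matches the
# English folder name only; localized installs need their own names.
AUTOSTART_PATTERNS = {
    "run-key": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I),
    "startup-folder": re.compile(r"\\Startup\\[^\\]+\.lnk$", re.I),
    "winlogon-shell": re.compile(r"\\Winlogon\\(Shell|Userinit)$", re.I),
    "service-dll": re.compile(
        r"\\Services\\[^\\]+\\Parameters\\ServiceDll$", re.I),
}


@dataclass(frozen=True)
class Event:
    timestamp: str
    process: str
    action: str
    target: str


def parse_line(line: str) -> Optional[Event]:
    """Split one tab-separated log line; return None for malformed lines."""
    parts = [p.strip() for p in line.rstrip("\r\n").split("\t")]
    if len(parts) < 3 or not parts[0]:
        return None
    target = parts[3] if len(parts) > 3 else ""
    return Event(parts[0], parts[1], parts[2], target)


def classify(event: Event) -> Optional[str]:
    """Name the autostart location an event writes to, or None."""
    if event.action not in ("Modify Key", "Modify File"):
        return None
    for name, rx in AUTOSTART_PATTERNS.items():
        if rx.search(event.target):
            return name
    return None


def sandboxed_processes(lines) -> set:
    """Lower-cased paths of every process the log marked as sandboxed."""
    boxed = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev.action == "Sandboxed As":
            boxed.add(ev.process.lower())
    return boxed


def find_persistence(lines) -> List[dict]:
    """One row per autostart write, noting whether the writer was sandboxed."""
    boxed = sandboxed_processes(lines)
    rows = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind = classify(ev)
        if kind is None:
            continue
        rows.append({
            "timestamp": ev.timestamp,
            "process": ev.process,
            "kind": kind,
            "target": ev.target,
            "writer_sandboxed": ev.process.lower() in boxed,
        })
    return rows


# Constructed sample modeled on the posted logs (not the original entries).
_ROWS = [
    ("2013-06-08 22:30:10", r"C:\Test\sample.dll", "Sandboxed As", "Partially Limited"),
    ("2013-06-08 22:30:13", r"C:\ProgramData\sample.dat", "Sandboxed As", "Partially Limited"),
    ("2013-06-08 22:30:26", r"C:\ProgramData\sample.dat", "Modify File",
     r"C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.lnk"),
    ("2013-06-08 22:30:26", r"C:\ProgramData\sample.dat", "Modify Key",
     r"HKUS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("2013-06-08 22:30:26", r"C:\ProgramData\sample.dat", "Modify Key",
     r"HKUS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"),
    ("2013-06-08 22:31:17", r"C:\Windows\regedit.exe", "Modify Key",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"),
    ("2013-06-08 22:31:17", r"C:\Windows\SysWOW64\ctfmon.exe", "Modify Key",
     r"HKUS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe"),
    ("2013-06-08 22:46:16", r"C:\ProgramData\sample.dat", "Modify Key",
     r"HKLM\SYSTEM\ControlSet001\Services\winmgmt\Parameters\ServiceDll"),
]
SAMPLE_LOG = ["\t".join(r) + " " for r in _ROWS]  # trailing space, as in the posts

if __name__ == "__main__":
    for row in find_persistence(SAMPLE_LOG):
        flag = "SANDBOXED" if row["writer_sandboxed"] else "not sandboxed"
        print(f'{row["timestamp"]}  {row["kind"]:15} {row["process"]} ({flag}) -> {row["target"]}')
```

Run it as a script to print the flagged rows, or pass exported log lines to find_persistence() in place of SAMPLE_LOG. A row whose writer was sandboxed is exactly the case this thread is arguing about: a Partially Limited process writing an autostart location whose effect survives a reboot, which is what the reporter should compare against what the machine did after restart.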

I asked her again if she did a restart and she said she absolutely did. When she input her password to log into windows it went straight back to the FBI screen. She’s at work right now so I’ll try to get her logs later when she’s home.

Another bypassing method:

The autorun entry was created by the java.exe.

BB cannot block it because java.exe is in the whitelist.


Maybe CIS needs a second layer of protection for BB.

→ autorun …

[attachment deleted by admin]

:-TU Let’s hope someone from Comodo staff sees this.

If you can replicate this please report it as a bug to Comodo.

Was CIS set up with default settings on their machines?

I have sent a mail to jackwang with the link to this topic and the sample; let’s hope for the best.

Can someone please create a bug report for this in the meantime?

Still no reply from the devs… any feedback or something? :stuck_out_tongue:

Do you have a PoC for this?

Sent you a PM, egemen; check it, it will help. :wink: