How this malware triggers services.exe to install a rootkit driver

Here is a piece of malware that bypassed Sandboxie.

http://sandboxie.com/phpbb/viewtopic.php?t=6123&postdays=0&postorder=asc&start=0

I tried this malware with Comodo. I have failed to understand how this malware triggers services.exe to load a malicious driver.

Anyone, please? Thanks

I got that malware from this post.

However, it refuses to attempt to install any drivers on my system: after allowing its execution, one warning is displayed by D+: “malware.exe tries to modify malware.exe”; if allowed, malware.exe shuts itself down.

Did I miss/confuse something? I’d like to run it and trigger these alerts :)

It’s an advanced malware; it doesn’t always install the same malware, so you can’t always get the same results.

It also doesn’t install the rootkit in a virtual machine.

And I believe you need to be running it in a sandbox for it to get out and install the rootkit. (not sure)

I see, thanks.

OK, deleted it (because it refuses to run), but still interested…

@aigle
Did you get any alerts from Defense+ prior to the first one shown on the page you provided (“services.exe is trying to execute spoolsv.exe”), other than “explorer.exe is trying to execute malware.exe”?
I have never seen a thing like this before, and I probably would allow that alert if I didn’t know for sure I was dealing with malware (“services.exe is trying to execute spoolsv.exe”); besides, it reads “you can safely allow this request”.

SS26, please do not link to live malware. This is a security forum ;)

There were many alerts indeed.

The malware will not always load this driver; sometimes it loads and sometimes not. I tried so many times and it only did so twice. Also, it has problems with VMs, etc.