questions with regard to malware effects through partially limited sandbox

hello

I just ran a file that seemed harmless (I checked it for viruses with Comodo before executing it), but when it loaded itself into memory it tried to mutate itself and execute some malicious code. Comodo captured it when it tried to use Microsoft Word and access a COM interface, and sandboxed it automatically as partially limited. Comodo asked me whether to allow or block its attempt to access a COM interface; I said block and that was it, and then I removed and deleted the malware file from the computer. But then I went to Comodo and viewed the logging of the “Defense+ Events” and noticed that the malicious file did manage to act on a few things on my computer. I want to know please if it acted on them for real or just virtually, as the file\malware was sandboxed and the option to enable file system and registry virtualization was ticked under Sandbox options in Comodo…

here is the logging from Comodo:

Records count: 9

Date Application Action Target
2010-11-05 06:32:54 C:\Users\user\Desktop\DHL_ID.document.exe Sandboxed As Partially Limited
2010-11-05 06:32:58 C:\Users\user\Desktop\DHL_ID.document.exe Access COM Interface C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2010-11-05 06:33:02 C:\Users\user\Desktop\DHL_ID.document.exe Access COM Interface C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2010-11-05 06:33:07 C:\Users\user\Desktop\DHL_ID.document.exe Access COM Interface C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2010-11-05 06:33:12 C:\Users\user\Desktop\DHL_ID.document.exe Modify File C:\Windows\system32\thxi.ixo
2010-11-05 06:33:12 C:\Users\user\Desktop\DHL_ID.document.exe Modify File C:\Windows\system32\thxi.ixo
2010-11-05 06:33:17 C:\Users\user\Desktop\DHL_ID.document.exe Modify File C:\Windows\system32\thxi.ixo
2010-11-05 06:33:27 C:\Users\user\Desktop\DHL_ID.document.exe Modify File C:\Windows\system32\thxi.ixo
2010-11-05 06:33:34 C:\Users\user\Desktop\DHL_ID.document.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

I want to add that I couldn't find the file thxi.ixo under the system32 folder, and neither this specific registry key “shell” under the winlogon registry key, which led me to believe that it was all virtual and not real changes. Can you help me out to be sure?
And if they are just virtual effects, is there a way to tell between them and real ones in the logging?

thanks a lot
Finn

Did you manually sandbox it or was it sandboxed automatically? Only files that were manually sandboxed are virtualized.

However, and someone can correct me if I’m wrong, I believe these are the actions the file tried to do. For example I have SetPoint from Logitech on my computer and I have Events for Access Memory of Comodo files. I know it can’t do this because they’re protected but I still have the event. I believe that is what’s going on here.

Unfortunately it was the automatic sandboxing…
Is there a way for me to tell if these logged actions happened for real?
I want to add that I couldn't find the malicious file thxi.ixo that was supposed to be created under the system32 folder, and neither this specific registry key “shell” under the winlogon registry key, which led me to believe that it was all virtual and not real changes. Can you help me to figure it out to be sure?
Thanks again…

The log entries mean these actions were prevented.

Mouse
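The check the question keeps coming back to, as an added example that is not Comodo's code and not part of any reply in this thread: a small Python script that parses Defense+ event lines of the shape quoted above, separates the entries describing writes to the file system or registry from the COM-access and sandboxing notices, flags registry targets that are standard Windows autostart locations (Winlogon\Shell and Userinit, the Run/RunOnce keys), and then looks on the live system for each write target. The line format, the hive abbreviations, and the treatment of a registry target's last path component as either a subkey or a value name are assumptions inferred from the posted log; the sample input is the poster's nine events.

```python
"""Triage Comodo Defense+ event lines: parse them, pick out the entries that
describe a write to the file system or registry, and check whether those
artifacts exist on the live system.  Added example, not Comodo code; the
line format handled here is inferred from the lines quoted in the post."""
import os
import re
import sys
from dataclasses import dataclass

# Sample input: the nine Defense+ events from the post above (the paths are
# the poster's, taken from the log, not values invented for this example).
SAMPLE_LOG = r"""
2010-11-05 06:32:54 C:\Users\user\Desktop\DHL_ID.document.exe Sandboxed As Partially Limited
2010-11-05 06:32:58 C:\Users\user\Desktop\DHL_ID.document.exe Access COM Interface C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2010-11-05 06:33:02 C:\Users\user\Desktop\DHL_ID.document.exe Access COM Interface C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2010-11-05 06:33:07 C:\Users\user\Desktop\DHL_ID.document.exe Access COM Interface C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2010-11-05 06:33:12 C:\Users\user\Desktop\DHL_ID.document.exe Modify File C:\Windows\system32\thxi.ixo
2010-11-05 06:33:12 C:\Users\user\Desktop\DHL_ID.document.exe Modify File C:\Windows\system32\thxi.ixo
2010-11-05 06:33:17 C:\Users\user\Desktop\DHL_ID.document.exe Modify File C:\Windows\system32\thxi.ixo
2010-11-05 06:33:27 C:\Users\user\Desktop\DHL_ID.document.exe Modify File C:\Windows\system32\thxi.ixo
2010-11-05 06:33:34 C:\Users\user\Desktop\DHL_ID.document.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
"""

# Action keywords seen in the posted log (assumed to be the full set here).
ACTIONS = ("Sandboxed As", "Access COM Interface", "Modify File", "Modify Key")
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<app>.+?)\s+"                      # application path may contain spaces
    r"(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r")\s*"
    r"(?P<target>.*)$"
)

# Standard autostart locations; a write here is a persistence attempt.
AUTOSTART_MARKERS = (
    r"\CurrentVersion\Winlogon\Shell",
    r"\CurrentVersion\Winlogon\Userinit",
    r"\CurrentVersion\Run",
)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}


@dataclass(frozen=True)
class Event:
    ts: str
    app: str
    action: str
    target: str


def parse_events(text):
    """Parse Defense+ lines into Event records; reject anything unrecognised."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised Defense+ line: {line!r}")
        events.append(Event(**m.groupdict()))
    return events


def write_targets(events):
    """Map each file or registry path the process tried to write to its kind.
    COM access and the sandboxing notice are not writes and are left out."""
    out = {}
    for e in events:
        if e.action == "Modify File":
            out[e.target] = "file"
        elif e.action == "Modify Key":
            out[e.target] = "key"
    return out


def is_autostart_key(target):
    t = target.lower()
    return any(marker.lower() in t for marker in AUTOSTART_MARKERS)


def check_artifact(target, kind):
    """Return 'present', 'absent' or 'unknown' for one logged write target."""
    if kind == "file":
        return "present" if os.path.exists(target) else "absent"
    if sys.platform != "win32":
        return "unknown"            # registry checks only make sense on Windows
    import winreg
    hive_name, _, path = target.partition("\\")
    hive = getattr(winreg, HIVES.get(hive_name, ""), None)
    if hive is None:
        return "unknown"
    # Assumption: the last component may name a subkey or a value, so try both.
    try:
        winreg.CloseKey(winreg.OpenKey(hive, path))
        return "present"
    except OSError:
        pass
    parent, _, value = path.rpartition("\\")
    try:
        with winreg.OpenKey(hive, parent) as k:
            winreg.QueryValueEx(k, value)
        return "present"
    except OSError:
        return "absent"


def triage(text):
    """One report row per write target: kind, persistence flag, on-disk state."""
    events = parse_events(text)
    return [
        {"target": t, "kind": k,
         "autostart": k == "key" and is_autostart_key(t),
         "on_disk": check_artifact(t, k)}
        for t, k in write_targets(events).items()
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        flag = " (autostart location)" if row["autostart"] else ""
        print(f"{row['kind']:4} {row['on_disk']:8} {row['target']}{flag}")
```

Run on the affected machine, "absent" for both targets is consistent with the reply that the logged actions were blocked; "unknown" only means the registry check ran somewhere other than Windows. One caveat for the Winlogon\Shell target: that value exists on every Windows installation by default (it normally holds explorer.exe), so a "present" there says nothing on its own, and the value's contents need a look before it is counted as a modification.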

thank you, case closed :)