This malware cannot run in the sandbox

valkyrie report:
http://valkyrie.comodo.com/Result.aspx?sha1=67cc698efd9c361ba4d232c1ed51d60a4cfbb128&&query=1&&filename=xxx.exe

CIMA report:
http://camas.comodo.com/cgi-bin/submit?file=b7dff25a4dd74feab320a9aea29ce4b2668a009fc7d637b3c8a1a0b9b8a57cd3

It cannot run in the sandbox

It can run outside the sandbox only

Please check whether it is an anti-sandbox malware.

???

When you try to run in the sandbox what happens? Are you referring to the automatic or manual sandbox or both?

enable sandbox ----------> this malware does nothing

disable sandbox -----------> this malware starts attacking the system


Both Sandboxie and the Comodo sandbox are detected by the malware.

Users of Sandboxie may be deceived by this malware and then run the malware outside the sandbox.

It is one of those smart ones that can detect a virtual environment. They lay low until they can attack.

Does this happen with both the manual and automatic sandbox?

Yes

Interesting how these little annoying malwares are evolving thanks to their creators, right?
COMODO will know how to defeat them. :-TU

Thanks a256886572008 for posting.

It seems that it is able to run on CIMA, which is a virtual system.
Maybe the malware is not compatible with Win7 or an x64 system, if you are running one.

If so, it's a good thing :) The malware simply neutralizes itself and avoids attacking the system if it's secured. That's something we want.

This would be a problem if a good application behaved like this.

I understand your position for CIS, although somebody might try to run it outside the sandbox, thinking that it is safe and is only failing to work because of a sandbox problem. But for CAMAS, have you found malware able to do the same thing?
If there is any, I think that you should try to fix it to cheat the malware, allowing CAMAS to give the proper verdict.

I think Axxxx's point is that the user may be tempted to make it trusted if no attempts to do anything naughty are logged when it is in the sandbox.

But that's not how we want users to use the CIS Sandbox, I think. We want them to wait until C pronounces it safe, or until they are able to be sufficiently sure by other means (e.g. provenance, Valkyrie + CIMA, other users, etc.) that it is safe.

Still it is very useful to know if some malware do this. Ta Axxxxxxxx

Best wishes

Mouse

I do not understand. File sent ???

flash_player_10_3_update_for_win.exe (Rootkit.0Access.XGen)

nunomiguel1975-------2011-08-30 15:23:19