Government Security
Network Security Resources


Novi.exe


#1 Guest_FLX_*

Guest_FLX_*
  • Guests

Posted 23 December 2005 - 10:31 AM

I found this while I was browsing a bit.

-------------------------------------------------
AntiVir: Found Trojan/Pakes.A.274
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found Generic.MFC
BitDefender: Found Trojan.Pakes.FN
ClamAV: Found nothing
Dr.Web: Found Win32.HLLW.MyBot
F-Prot Antivirus: Found nothing
Fortinet: Found W32/NewThreat!Morphine
Kaspersky Anti-Virus: Found Trojan.Win32.Pakes
NOD32: Found Win32/Rbot
Norman Virus Control: Found Sandbox: W32/Spybot.gen6; [ General information ]

* File length: 73728 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\chkdisk32.exe.

[ Process/window information ]
* Creates a mutex id_id_id_bbx_v1.0r1.
UNA: Found nothing
VBA32: Found Trojan.Win32.Pakes
-------------------------------------------------

I was reading http://sandbox.norma...?logfile=472980
I saw it had a weird IRC server in its name and I connected to it.
Since I didn't know what channel or what kind of server it was, I Googled: http://www.google.nl...nG=Zoeken&meta=
I ended up with another log with the same server: http://sandbox.norma...?logfile=456345
In this log it gave me an IRC channel:

* Looks for an Internet connection.
* Connects to "irc.debelizombi.com" on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname |80340024.
* IRC: Uses username htpserldoo.
* IRC: Joins channel #!!mice!!.
* IRC: Sets the usermode for user |80340024 to +n+B.

So I joined #!!mice!! and found a URL as the announcement text; I guess they moved their botnet.
The URL is: http://69.60.116.88/novi.exe

Uploading novi.exe as an attachment, maybe we can trace it :)

Regards,

FLX

P.S. novi.exe Norman Sandbox results:

Automatic Sandbox analysis of unknown malware (W32/Spybot.gen6)
[ General information ]
* Locates window "windows session [class service]" on desktop.
* File length: 73728 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\chkdisk32.exe.
* Deletes file 1.

[ Changes to registry ]
* Creates value "Disk check"="chkdisk32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Disk check"="chkdisk32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "Disk check"="chkdisk32.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "restrictanonymous"="" in key "HKLM\System\CurrentControlSet\Control\Lsa".

[ Network services ]
* Looks for an Internet connection.
* Connects to "irc.debelizombi.com" on port 8080 (TCP).
* Connects to IRC Server.

[ Process/window information ]
* Creates a mutex id_id_id_bbx_v1.0r1.
* Will automatically restart after boot (I'll be back...).

[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\chkdisk32.exe (73728 bytes) : no signature detection.

Attached file: novi.rar (70.69KB)

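Added example (my own code, not FLX's, the forum's or Norman's): a small Python parser for the Norman Sandbox report format quoted above that pulls out the file, registry, network and mutex indicators and flags the registry writes a defender would alert on (the three autorun entries and the LSA RestrictAnonymous change). The report excerpt is constructed from the post's own lines, and the line regexes are assumptions about the format rather than a documented grammar.

```python
import re

# Constructed excerpt of the Norman Sandbox report quoted in the post (same lines, same format).
REPORT = r"""[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\chkdisk32.exe.
[ Changes to registry ]
* Creates value "Disk check"="chkdisk32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Disk check"="chkdisk32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "Disk check"="chkdisk32.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "restrictanonymous"="" in key "HKLM\System\CurrentControlSet\Control\Lsa".
[ Network services ]
* Connects to "irc.debelizombi.com" on port 8080 (TCP).
[ Process/window information ]
* Creates a mutex id_id_id_bbx_v1.0r1.
"""

# Line patterns are assumptions inferred from the report lines above, not a documented grammar.
FILE_RE = re.compile(r'^\* Creates file (.+?)\.$')
REG_RE = re.compile(r'^\* (?:Creates|Sets) value "(.+?)"="(.*?)" in key "(.+?)"\.$')
NET_RE = re.compile(r'^\* Connects to "(.+?)" on port (\d+) \((TCP|UDP)\)\.$')
MUTEX_RE = re.compile(r'^\* Creates a mutex (.+?)\.$')
AUTORUN_SUFFIXES = ("\\RUN", "\\RUNSERVICES", "\\RUNONCE")

def parse_report(text):
    """Group the report's observable indicators by type (files, registry, network, mutexes)."""
    ind = {"files": [], "registry": [], "network": [], "mutexes": []}
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            ind["files"].append(m.group(1))
        elif m := REG_RE.match(line):
            ind["registry"].append({"name": m.group(1), "data": m.group(2), "key": m.group(3)})
        elif m := NET_RE.match(line):
            ind["network"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := MUTEX_RE.match(line):
            ind["mutexes"].append(m.group(1))
    return ind

def persistence_hits(ind):
    """Registry writes worth an alert: autorun entries and the LSA RestrictAnonymous change."""
    hits = []
    for r in ind["registry"]:
        key = r["key"].upper()
        if key.endswith(AUTORUN_SUFFIXES):
            hits.append(f"autorun: {r['key']}\\{r['name']} -> {r['data']}")
        elif key.endswith("\\CONTROL\\LSA") and r["name"].lower() == "restrictanonymous":
            hits.append(f"lsa: {r['name']} set to {r['data']!r} (anonymous-enumeration hardening weakened)")
    return hits
```

The extracted file path, mutex name and IRC host/port are the host and network indicators to hunt for; the autorun hits are what a registry-monitoring rule on the Run/RunServices keys would catch.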

#2 withdraw

withdraw

    Private First Class

  • Members
  • 72 posts

Posted 23 December 2005 - 10:58 AM

Is there an easy way to scan a file with all those AVs at once?

#3 DarkJester

DarkJester

    Corporal

  • Members
  • 151 posts

Posted 23 December 2005 - 12:05 PM

I've seen a file in the download section, "mscan"; it doesn't scan with those exact AVs but scans with 3 others (KAV, F-Prot and McAfee, if I remember correctly). Also there is a website, jolti.org or similar (search the forum), that scans with a large selection of AVs.
<Jesta> MJC u back me up init
<Jesta> i r a good boy yes
<MrjohnnyCochran> depends...
<Jesta> thats an open ended statment
<MrjohnnyCochran> are there girls? :P
<Jesta> mjc yes
<Jesta> lots
<MrjohnnyCochran> then ur not a good boy
* Jesta resembles that remark

^--<3s kitty aka erica

#4 hm1ch

hm1ch

    Corporal

  • Members
  • 176 posts

Posted 23 December 2005 - 01:36 PM

The URL of the website DarkJester refers to is:
http://virusscan.jotti.org/

Friendly.
"Member of #rainbowcrack @ irc.plain-text.info"
Best online MD5/LM/NTLM webcracker - http://www.plain-text.info

#5 Skate_Punk_21

Skate_Punk_21

    Private

  • Members
  • 4 posts

Posted 26 December 2005 - 08:12 PM

jotti has 15 scanners.
VirusTotal uses 22 scanners.
Both are excellent.

#6 EViDENCE

EViDENCE

    Private

  • Members
  • 3 posts

Posted 16 June 2009 - 08:27 PM

Scanners
[ArcaVir] 2009-06-16 Trojan.Pakes
[F-Secure Anti-Virus] 2009-06-17 Trojan.Win32.Pakes.aqj
[Emsisoft A-squared] 2009-06-17 Found nothing
[Ikarus] 2009-06-16 Trojan.Win32.Pakes
[Avast! antivirus] 2009-06-16 Win32:Pakes-IH
[Kaspersky Anti-Virus] 2009-06-17 Trojan.Win32.Pakes.aqj
[Grisoft AVG Anti-Virus] 2009-06-16 Generic.MFC
[ESET NOD32] 2009-06-16 Win32/Rbot
[Avira AntiVir] 2009-06-16 TR/Crypt.Morphine.Gen
[Norman Virus Control] 2009-06-16 W32/Spybot.ABQF
[Softwin BitDefender] 2009-06-17 Trojan.Pakes.FN
[Panda Antivirus] 2009-06-16 Trj/Pakes.BS
[ClamAV] 2009-06-16 Trojan.Packed-86
[Quick Heal] 2009-06-17 Trojan.Pakes
[CPsecure] 2009-06-17 BackDoor.W32.Rbot.gen
[Sophos] 2009-06-17 Troj/DownLdr-IM
[Dr.Web] 2009-06-16 Win32.HLLW.MyBot.based
[VirusBlokAda VBA32] 2009-06-16 Trojan.Win32.Pakes
[Frisk F-Prot Antivirus] 2009-06-16 W32/Malware!cc54
[VirusBuster] 2009-06-16 Worm.SdBot.BQT

#7 GhostShell

GhostShell

    Staff Sergeant

  • Members
  • 345 posts

Posted 18 June 2009 - 05:10 PM


Dude, this is way too old to be bumping up! Especially with an online virus scan of something 4 years old?! Seriously, what was the point???
http://pcsubject.com/ <- My new Blog

"As a young boy, I was taught in high school that hacking was cool." -Kevin Mitnick

"It's easy to point and click programs, but thats not real hacking." -illwill
