I’ve posted an article about Sandboxie, which lets you safely run suspicious or untrusted programs in a virtual space without affecting your computer. Let’s say you run a trojan in the sandbox: you’re temporarily infected and the attacker can still connect to your computer. But once you terminate the sandboxed trojan process, it kills off the attacker’s connections and your system is still safe from infection. Even if you’ve forgotten to terminate the sandboxed process, it’ll automatically be removed once you restart your computer.

The question is, how can you identify whether the suspicious file is a threat or not? If you don’t know how, I will teach you how to use Sandboxie to check if the sandboxed file is rogue software.

I’ll do a test with an Optix Pro trojan. Optix Pro is a configurable remote access tool or trojan that gives an attacker unauthorized access to an infected computer, similar to SubSeven or BO2K. It is no longer in development and it is detected by all anti-virus programs.

I ran the Optix Pro trojan with Sandboxie by right clicking on the file and selecting “Run Sandboxed”.
[Screenshot: Run Virus in Sandbox]

On Sandboxie’s interface, I can see that msiexec16.exe is being loaded in the process list.
[Screenshot: Using Sandboxie to investigate a suspicious file]
Did you notice anything suspicious here? The original executable file was virus.exe and now it has turned into msiexec16.exe. If the process name changes, it is suspicious.

Next, let’s check out the contents of the sandbox. On the menu bar, click Function -> Contents of Sandbox -> Explore Contents.
[Screenshot: View contents of sandbox]

I see a folder “drive” and also 2 files, RegHive and RegHive.LOG.
[Screenshot: Sandboxie folder and RegHive]
From the “drive” folder, I found out that the trojan renames itself to msiexec16.exe and copies itself to C:\windows\system32.
[Screenshot: Virus copies itself to the Windows System32 folder]

As for the RegHive file you see, it is what gets mounted in the registry as a subkey. To see the contents of the RegHive file, you must load it in the Windows Registry Editor. Before you load the RegHive into your registry, you must terminate the current sandbox first, otherwise you’ll get the error message “Cannot Load RegHive: The process cannot access the file because it is being used by another process.” To terminate the current sandbox, click Function on the menu bar, then select Terminate Sandboxed Process -> In Current Sandbox.

After terminating the current sandbox, you can load the RegHive in Registry Editor by going to Start -> Run and typing regedit. Select HKEY_USERS, go to File -> Load Hive and browse for the RegHive file.
[Screenshot: How to load the Sandboxie RegHive]

Enter any key name for the RegHive. I use “sandboxie” for easy identification. Once the RegHive is loaded, a new key “sandboxie” will appear.
[Screenshot: Load Hive key name]

I checked the registry and found that there’s an entry for msiexec16.exe in one of the Windows autorun locations. This means that whenever Windows boots up, it will automatically run msiexec16.exe.
[Screenshot: Registry Autorun]
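The three checks above (files dropped under “drive”, the RegHive, and the autorun keys inside it) can be scripted so you don’t have to click through Explorer and regedit each time. The following PowerShell is an added example written for this post, not part of Sandboxie itself; it assumes the sandbox lives at Sandboxie’s default location C:\Sandbox\<user>\DefaultBox, that the RegHive’s internal layout uses “machine” and “user\current” subtrees, and that the sandboxed process has already been terminated (otherwise the hive load fails with the “being used by another process” error described above).

```powershell
# Added example (not from the original post): inspect a Sandboxie sandbox
# offline after the sandboxed process has been terminated.
# Assumptions: sandbox root is Sandboxie's default C:\Sandbox\<user>\DefaultBox
# and the RegHive contains 'machine' and 'user\current' subtrees. Adjust
# $SandboxRoot for your install.
param(
    [string]$SandboxRoot = "C:\Sandbox\$env:USERNAME\DefaultBox",
    [string]$HiveKey     = "sandboxie"   # temporary key name under HKEY_USERS
)

# 1. Files the program dropped or modified. Everything under "drive" is a
#    copy-on-write shadow of the real disk, so anything here was written by
#    the sandboxed process. Flag executables that landed in the Windows tree
#    (the msiexec16.exe -> system32 copy in this post would show up here).
$drive = Join-Path $SandboxRoot "drive"
Get-ChildItem -Path $drive -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rel  = $_.FullName.Substring($drive.Length)
        $flag = ""
        if ($_.Extension -match '^\.(exe|dll|scr|sys)$' -and $rel -match '\\Windows\\') {
            $flag = "   <-- executable written into the Windows directory"
        }
        "{0,10} {1}{2}" -f $_.Length, $rel, $flag
    }

# 2. Autorun entries in the sandboxed registry. reg.exe load needs an
#    elevated prompt and an idle sandbox.
$hive = Join-Path $SandboxRoot "RegHive"
& reg.exe load "HKU\$HiveKey" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hive; terminate the sandbox first." }
try {
    $runKeys = @(
        "machine\software\microsoft\windows\currentversion\run",
        "machine\software\microsoft\windows\currentversion\runonce",
        "user\current\software\microsoft\windows\currentversion\run",
        "user\current\software\microsoft\windows\currentversion\runonce"
    )
    foreach ($k in $runKeys) {
        $path = "Registry::HKEY_USERS\$HiveKey\$k"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path | Select-Object -Property * -ExcludeProperty PS*
        foreach ($p in $props.PSObject.Properties) {
            "AUTORUN {0}: {1} = {2}" -f $k, $p.Name, $p.Value
        }
    }
} finally {
    [gc]::Collect()   # release registry handles so the unload succeeds
    & reg.exe unload "HKU\$HiveKey" | Out-Null
}
```

Any line tagged “executable written into the Windows directory” or “AUTORUN” is the same evidence the screenshots above show, and is what you would want to note before submitting the sample to an anti-virus vendor.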

As you can see, there are many indications that this file is malware. You can upload it to VirusTotal to scan it with 32 antivirus engines. If none of them detect a virus, you can submit it to an anti-virus company for them to check. Here is a list of websites where you can submit a suspicious file:
1. Nicta Software Anti-Virus Technologies
2. Norman Sandbox Information
3. Computer Associates (CA)
4. ClamAV
5. Trend Micro
6. Sophos
7. VigorPro
8. Authentium Thread Matrix
9. Hauri
10. Aladdin
11. F-Secure
12. Symantec
13. Kaspersky (Email to newvirus@kaspersky.com)

There are undetectable private versions of trojans being sold by trojan writers, and you won’t even know that you’re being infected and monitored. So use Sandboxie whenever you can when you want to run email attachments, files downloaded from the Internet or even files received from a friend.
