So I logged the sandboxing of an app, thinking sandboxing would tell me what the app did and prevent such actions from being done to the computer. Boy, was I wrong!
Now I got the following:
- sets value: “ProxyBypass”=“1” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”
- sets value: “IntranetName”=“1” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”
- sets value: “UNCAsIntranet”=“1” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”
- sets value: “AutoDetect”=“0” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”
- sets value: “ProxyBypass”=“1” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”
- sets value: “IntranetName”=“1” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”
- sets value: “UNCAsIntranet”=“1” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”
- sets value: “AutoDetect”=“0” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”
- sets value: “%31%de%04%8f%20%40%40%93%1b%08%a6%49%36%8d%a2%a0%dd%7c%b5%09%2d%03%da%70%9a%ca%4a%ff%1d%af%a2%eb”=“10539647961,1389068434” in key “HKCU\Software\Microsoft\Windows\CurrentVersion”
I run Windows 8.1 and think these reg files may be the opening of a Trojan floodgate, per: http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojandownloaderwin32beebonebr and http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=22970
May someone with Windows 8.1 cross-check the values on their computer please?
Why did sandboxing not block these changes?