Buster
My computer has D.E.P. but I don't know if it's properly configured.

Ruhe
Ok, no problem. Before testing I will make a complete hard disc image, so there is no need to worry.

DarthTrader
The GRC utility will tell you if it is configured properly. Here is the link again: http://www.grc.com/securable.htm

_________________ DarthTrader

Ruhe
The tool shows for my AMD Athlon 64 X2 Dual Core 4400+:

Maximum Bit Length: 64
Hardware D.E.P.: Yes
Hardware Virtualization: No

Buster
I will post all the information about the leak here so I don't have to repeat things by private message every time.

I have done all my tests under Windows XP SP3 using Sandboxie 3.39.01 and 3.39.07. Don't know:
* if previous Sandboxie versions are vulnerable. (Didn't check)
* if the leak is produced under Windows Vista or Windows 7 (Only have XP installed)

So, if possible, try to reproduce the leak under the same conditions: Windows XP SP3 + Sandboxie 3.39.07. People that pretend to test the leak under a virtual machine can forget about that. The test must be done in a real system.

Sandboxie becomes vulnerable when the spool service is enabled. I tested the leak on two different computers, one with the spool service disabled, where Sandboxie is not vulnerable, and another with the spool service set to manual, where Sandboxie is vulnerable (the malware writes to the real disk). Very important: the spool service must be set to manual (I guess Automatic would be the same, but didn't test) in order to test the leak. If someone makes the test with the spool service disabled it will be useless.

How to make the test: Run MALWARE.EXE under Sandboxie and follow the setup installation until it finishes. You can download the malware from here: http://www.megaupload.com/?d=I1QTJX3I Password: infected

How to remove the malware from the system:
1) Just after infecting the system, reboot. The driver dropped to the Windows folder is temporary. After rebooting it will have its definitive name and then your system is ready for disinfection.
2) After rebooting run RootRepeal. You can download it from: http://ad13.geekstogo.com/RootRepeal.rar Source: http://rootrepeal.googlepages.com/ As soon as RootRepeal is running press the "Scan" button. Navigate through the list of entries until you see an entry in red. It should point to C:\WINDOWS\system32\drivers\SkyNetxxxxxxx.sys. Select that entry and right click it. You will see a menu. Select "Wipe file". You will be presented a message asking if you are sure. Press "Yes". Very important: just after you press "Yes" you must reboot the system. If you wait too long the rootkit is reinstalled. That's why it's important you reboot quickly.
3) After the system is rebooted run GMer. You can download it from here: http://www.gmer.net/ Run GMer and remove the entry that references the SkyNet rootkit. It will be in red.
4) Look for additional SkyNet*.* files in the Windows folder. You should find 3 or 4 files (.DAT and .DLL) and remove them.

Your system is clean.
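
As a defender's check on the two conditions the post above ties the leak to, here is an added example that is not part of Buster's post or of the Sandboxie project: it reports whether the Print Spooler service is disabled on a Windows host and whether any of the SkyNet* artifacts named above are visible. It assumes PowerShell 2.0 or later with WMI access and a standard %SystemRoot%.

```powershell
# Added example (not from the forum thread). Assumes PowerShell 2.0+ and WMI access.

# 1) Print Spooler service. The post reports the bypass only with the spooler enabled
#    (Manual or Automatic); with the service disabled the sandbox held. Hosts that do not
#    print can leave it disabled, which also removes the attack surface described here.
$spooler = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
if ($spooler -eq $null) {
    Write-Output "Spooler service not found"
} else {
    Write-Output ("Spooler: StartMode={0} State={1}" -f $spooler.StartMode, $spooler.State)
    if ($spooler.StartMode -ne 'Disabled') {
        Write-Output "Spooler is enabled: host matches the vulnerable condition described in the thread"
    } else {
        Write-Output "Spooler is disabled: the condition the post requires is not met"
    }
}

# 2) Artifacts the post names: SkyNet*.sys under system32\drivers, SkyNet*.dat and
#    SkyNet*.dll in the Windows folder.
#    Caveat: while the rootkit driver is loaded it hides its files from normal directory
#    listings, so an empty result on a live, infected system is not proof of absence.
#    Run this after the driver has been wiped (as the post describes) or from offline media.
$root  = $env:SystemRoot
$paths = @(
    (Join-Path $root 'system32\drivers\SkyNet*.sys'),
    (Join-Path $root 'SkyNet*.dat'),
    (Join-Path $root 'SkyNet*.dll')
)
$found = foreach ($p in $paths) {
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue
}
if ($found) {
    $found | ForEach-Object {
        Write-Output ("Suspicious file: {0} ({1} bytes, modified {2})" -f $_.FullName, $_.Length, $_.LastWriteTime)
    }
} else {
    Write-Output "No SkyNet* artifacts visible in the scanned locations (see caveat above)"
}
```
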
DarthTrader
Whoa - I thought you couldn't run Sandboxie on a 64-bit machine?

Ruhe
Sure you can. But not on a 64-bit OS. 64-bit capable hardware does not mean a 64-bit OS.

DarthTrader
Gotcha! I suspect this malware will not be able to infect your machine. I hope all the testers here run the "securable" utility as well.

Last edited by DarthTrader on Thu Aug 20, 2009 2:18 pm; edited 1 time in total

Ruhe
Could not see any problems on Vista SP2, 32-bit, UAC enabled.
The "spooler" service is running in its default setting ("Automatic").

Last edited by Ruhe on Fri Aug 21, 2009 10:44 am; edited 1 time in total

Buster
Could you test under Windows XP SP3?

Ruhe
Sorry, I do not use XP anymore.

Buster
tzuk confirmed an exploit against spoolsv.exe is involved. Probably this exploit works under XP but not under Vista. That would explain why you cannot reproduce the leak.
Thanks anyway for testing, Ruhe!

DarthTrader
Buster, I made a post about this on the Comodo forums: http://forums.comodo.com/leak_testingattacksvulnerability_research/whos_up_for_some_malware_testing-t44250.0.html You should have some more volunteers soon.

Buster
Thanks for spreading the word!

Sandboxie has been bypassed