网马突破诺顿ips后释放的样本

显示全部楼层 · 发表于 2011-6-20 17:35:45

本帖最后由 wjcharles 于 2011-6-20 20:35 编辑

详见此贴http://bbs.kafan.cn/thread-1010719-3-1.html，访问挂马网站后成功使傲游释放此样本并自动运行，突破nis2011的ips，最后sonar防御
完整路径: 不可用
____________________________
____________________________
在电脑上的创建时间:
2011/6/20 ( 1:56:41 )
上次使用时间:
2011/6/20 ( 1:56:41 )
启动项:
否
已启动:
是
____________________________
____________________________
极少用户信任的文件
诺顿社区中有不到 5 名用户使用了此文件。
____________________________
高
此文件具有高风险。
____________________________
威胁详细信息
SONAR 主动防护监视电脑上的可疑程序活动。
____________________________
来源
下载自 URL 不可用

源文件:
mxinstall.exe
创建的文件:
maxthon.exe
创建的文件:
scvhost.exe
____________________________
文件操作
文件: c:\users\wjch\appdata\local\temp\scvhost.exe
已删除
____________________________
系统设置操作
事件: 进程启动 (Performed by c:\users\wjch\appdata\local\temp\scvhost.exe, PID:9032)
未采取操作
____________________________
文件指纹 - SHA:
不可用
____________________________
文件指纹 - MD5:
不可用
____________________________

被攻击时间为凌晨，现在已有不少杀软能杀了

[size=0.9em]0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
scvhost.exe
Submission date:
2011-06-20 09:08:18 (UTC)
Current status:
finished
Result:
10/ 41 (24.4%)

VT Community

not reviewed
Safety score: -

Compact
Print results

Antivirus	Version	Last Update	Result
AhnLab-V3	2011.06.20.00	2011.06.19	-
AntiVir	7.11.10.18	2011.06.20	TR/Dropper.Gen
Antiy-AVL	2.0.3.7	2011.06.20	-
Avast5	5.0.677.0	2011.06.19	Win32:Rootkit-gen
AVG	10.0.0.1190	2011.06.19	SHeur3.CFHS
BitDefender	7.2	2011.06.20	-
CAT-QuickHeal	11.00	2011.06.20	-
ClamAV	0.97.0.0	2011.06.19	-
Commtouch	5.3.2.6	2011.06.20	-
Comodo	9133	2011.06.20	-
DrWeb	5.0.2.03300	2011.06.20	-
eSafe	7.0.17.0	2011.06.19	-
eTrust-Vet	36.1.8393	2011.06.17	-
F-Prot	4.6.2.117	2011.06.19	-
F-Secure	9.0.16440.0	2011.06.20	-
Fortinet	4.2.257.0	2011.06.20	-
GData	22	2011.06.20	Win32:Rootkit-gen
Ikarus	T3.1.1.104.0	2011.06.20	-
Jiangmin	13.0.900	2011.06.19	-
K7AntiVirus	9.106.4825	2011.06.18	-
Kaspersky	9.0.0.837	2011.06.20	UDS:DangerousObject.Multi.Generic
McAfee	5.400.0.1158	2011.06.20	-
McAfee-GW-Edition	2010.1D	2011.06.19	-
Microsoft	1.6903	2011.06.13	-
NOD32	6221	2011.06.20	-
Norman	6.07.10	2011.06.19	-
nProtect	2011-06-20.01	2011.06.20	Trojan/W32.Agent.64000.KH
Panda	10.0.3.5	2011.06.19	-
PCTools	7.0.3.5	2011.06.20	-
Prevx	3.0	2011.06.20	-
Rising	23.62.03.03	2011.06.17	Suspicious
Sophos	4.66.0	2011.06.20	-
SUPERAntiSpyware	4.40.0.1006	2011.06.19	-
Symantec	20111.1.0.186	2011.06.20	-
TheHacker	6.7.0.1.235	2011.06.20	-
TrendMicro	9.200.0.1012	2011.06.20	PAK_Generic.001
TrendMicro-HouseCall	9.200.0.1012	2011.06.20	PAK_Generic.001
VBA32	3.12.16.2	2011.06.20	AutoRun.Agent.abl
VIPRE	9635	2011.06.20	-
ViRobot	2011.6.20.4522	2011.06.20	-
VirusBuster	14.0.86.0	2011.06.19	-

再来个virus scan

文件名称 :	scvhost.exe （本站不提供任何文件的下载服务）
文件大小 :	64000 byte
文件类型 :	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 :	72d8cade08c0009ca195a1a851476f11
SHA1 :	37a823eed4d0307664185b0c2417ddff605b66bf

扫描结果

扫描结果 :	16%的杀软(6/37)报告发现病毒
时间 :	2011/06/20 17:17:48 (CST)

软件名称	引擎版本	病毒库版本	病毒库时间	扫描结果	时间
a-squared	5.1.0.2	20110618050619	2011-06-18	-	6.815
AntiVir	8.2.5.20	7.11.10.17	2011-06-20	TR/Dropper.Gen	0.294
Arcavir	2011	201105080215	2011-05-08	-	0.174
Authentium	5.1.1	201106192014	2011-06-19	-	1.557
AVAST!	4.7.4	110619-1	2011-06-19	Win32:Rootkit-gen [Rtk]	0.009
AVG	8.5.850	271.1.1/3714	2011-06-20	SHeur3.CFHS	0.548
BitDefender	7.90123.7406640	7.37559	2011-05-24	-	0.013
ClamAV	0.96.5	13213	2011-06-19	-	0.051
Comodo	4.0	9130	2011-06-20	-	1.672
CP Secure	1.3.0.5	2011.06.19	2011-06-19	-	0.125
Dr.Web	5.0.2.3300	2011.06.20	2011-06-20	-	13.125
F-Prot	4.4.4.56	20110619	2011-06-19	-	1.633
F-Secure	7.02.73807	2011.06.20.02	2011-06-20	-	0.442
GData	22.676/22.173	20110620	2011-06-20	Win32:Rootkit-gen [Rtk] [Engine:B]	10.049
Ikarus	T3.1.32.20.0	2011.06.20.78634	2011-06-20	-	4.746
Microsoft	1.6903	2011.06.20	2011-06-20	-	18.086
NOD32	3.0.21	6219	2011-06-18	-	0.093
Norman	6.07.10	6.07.00	2011-06-19	-	16.016
nProtect	20110601.01	3460661	2011-06-01	-	6.673
Quick Heal	11.00	2011.06.18	2011-06-18	-	1.825
Sophos	3.20.2	4.66	2011-06-20	-	3.768
Sunbelt	3.9.2495.2	9635	2011-06-19	-	1.129
The Hacker	6.7.0.1	v00176	2011-04-18	-	0.570
VBA32	3.12.16.2	20110620.0621	2011-06-20	AutoRun.Agent.abl	5.994
ViRobot	20110618	2011.06.18	2011-06-18	-	0.380
VirusBuster	5.3.0.4	14.0.86.0/5426032	2011-06-19	-	0.002
卡巴斯基	5.5.10	2011.06.20	2011-06-20	-	0.267
安博士V3	...	..	--	-	7.848
安天	2.0.18	20110205.7694535	2011-02-05	-	0.123
江民杀毒	13.0.900	2011.06.18	2011-06-18	-	1.971
熊猫卫士	9.05.01	2011.06.19	2011-06-19	-	4.863
瑞星	20.0	23.62.03.03	2011-06-16	[Suspicious]	3.291
赛门铁克	1.3.0.24	20110619.002	2011-06-19	-	0.088
趋势科技	9.200-1012	8.236.06	2011-06-20	-	0.088
迈克菲	5400.1158	6382	2011-06-19	-	9.551
金山毒霸	2009.2.5.15	2011.6.20.14	2011-06-20	-	1.042
飞塔	4.2.257	13.345	2011-06-19	-	0.965

■Heuristic/Suspicious ■Exact

Submission Summary:

Submission details:
- Submission received: 20 June 2011, 05:32:58
- Processing time: 9 min 31 sec
- Submitted sample:
  - File MD5: 0x72D8CADE08C0009CA195A1A851476F11
  - File SHA-1: 0x37A823EED4D0307664185B0C2417DDFF605B66BF
  - Filesize: 64,000 bytes
  - Packer info: packed with: UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\cac1.tmp %Temp%\fuc2.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%Temp%\cac1.tmp.exe %System%\Common.exe	86,016 bytes	MD5: 0x65BE1F0C690A069B0B91B9F26C37D59C SHA-1: 0x0A5864D67C1539C46B8D24C681BBA64BE52ECC7D	Trojan.Win32.Agent2.dorv [Kaspersky Lab]
3	%System%\Audio.sys	12,928 bytes	MD5: 0x29DF9CCD945FCC72052DB09D9BDBFAA0 SHA-1: 0x6FF2627C100EFEA97400F3D91012647CFD0BC129	(not available)
4	%System%\del09.bat	114 bytes	MD5: 0xE4CDD69056111A58401484F4A2BE6C75 SHA-1: 0x23B7D6B2BD5A4B5FFE4592BC609C919BF70CF0AD	(not available)
5	[file and pathname of the sample #1]	64,000 bytes	MD5: 0x72D8CADE08C0009CA195A1A851476F11 SHA-1: 0x37A823EED4D0307664185B0C2417DDFF605B66BF	packed with UPX [Kaspersky Lab]

Notes:
- %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
cac1.tmp.exe	%Temp%\cac1.tmp.exe	90,112 bytes

Registry Modifications

The following Registry Keys were created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIO_CONTROL
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIO_CONTROL\0000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIO_CONTROL\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Audio Control
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Audio Control\Security
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Audio Control\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIO_CONTROL
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIO_CONTROL\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIO_CONTROL\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Audio Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Audio Control\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Audio Control\Enum

The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]
  - Trace Level = ""
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIO_CONTROL\0000\Control]
  - *NewlyCreated* = 0x00000000
  - ActiveService = "Audio Control"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIO_CONTROL\0000]
  - Service = "Audio Control"
  - Legacy = 0x00000001
  - ConfigFlags = 0x00000000
  - Class = "LegacyDriver"
  - ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc = "Audio Control"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIO_CONTROL]
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Audio Control\Enum]
  - 0 = "Root\LEGACY_AUDIO_CONTROL\0000"
  - Count = 0x00000001
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Audio Control\Security]
  - Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Audio Control]
  - Type = 0x00000001
  - Start = 0x00000001
  - ErrorControl = 0x00000001
  - ImagePath = "%System%\Audio.sys"
  - DisplayName = "Audio Control"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIO_CONTROL\0000\Control]
  - *NewlyCreated* = 0x00000000
  - ActiveService = "Audio Control"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIO_CONTROL\0000]
  - Service = "Audio Control"
  - Legacy = 0x00000001
  - ConfigFlags = 0x00000000
  - Class = "LegacyDriver"
  - ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc = "Audio Control"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIO_CONTROL]
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Audio Control\Enum]
  - 0 = "Root\LEGACY_AUDIO_CONTROL\0000"
  - Count = 0x00000001
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Audio Control\Security]
  - Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Audio Control]
  - Type = 0x00000001
  - Start = 0x00000001
  - ErrorControl = 0x00000001
  - ImagePath = "%System%\Audio.sys"
  - DisplayName = "Audio Control"

The following Registry Value was modified:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  - load =

显示全部楼层 · 发表于 2011-6-20 17:37:53

显示全部楼层 · 发表于 2011-6-20 17:42:33

文件加了殼，大蜘蛛clean：
scvhost.exe packed by UPX
已上報！

显示全部楼层 · 发表于 2011-6-20 17:43:56

to eset

http://samples.nod32.com.hk/inde ... 09ca195a1a851476f11

显示全部楼层 · 发表于 2011-6-20 17:44:53

小A报毒了

显示全部楼层 · 发表于 2011-6-20 17:49:50

to 卡巴

显示全部楼层 · 发表于 2011-6-20 18:25:47

过熊猫云。

显示全部楼层 · 发表于 2011-6-20 18:59:13

衍生Trj/CI.A

显示全部楼层 · 发表于 2011-6-20 20:49:45

金山，360SD ALL KILL

显示全部楼层 · 发表于 2011-6-20 21:45:36

jayavira 发表于 2011-6-20 17:43
to eset

http://samples.nod32.com.hk/index.php?a=query&lang=2&md5=72d8cade08c0009ca195a1a851476f11

Dear 微亿毫,

Thank you for your submission.
The detection for this threat will be included in our next signature update.

scvhost.exe - Win32/AutoRun.Agent.ACW worm

Regards,

Dalibor Drzik
Malware Researcher
ESET spol. s r.o.

[病毒样本] 网马突破诺顿ips后释放的样本

本帖子中包含更多资源

本帖子中包含更多资源

评分

本帖子中包含更多资源

浏览过的版块