[Malware sample] Torturing HIPS again, winlocker is back (turn off download protection, double-click it on a real machine right after downloading to test)

a256886572008
Posted on 2011-8-5 22:04:46
Last edited by a256886572008 on 2011-8-6 00:01

Heur.Dual.Extensions@-1 C:\Documents and Settings\Roger\桌面\virus\123\porno-rolik11.avi.exe

Heur.Dual.Extensions@-1 C:\Documents and Settings\Roger\桌面\virus\123\porno-rolik17.avi.exe

Heur.Dual.Extensions@-1 C:\Documents and Settings\Roger\桌面\virus\123\porno-rolik12.avi.exe

Comodo kills all of them just by looking at the name

Sample download:
http://www.vdisk.cn/down/index/8660308A5166
jsbxsolo
Posted on 2011-8-5 22:05:52
Torturing HIPS every day; what about those of us without HIPS?
a256886572008
OP | Posted on 2011-8-5 22:11:14
jsbxsolo posted on 2011-8-5 22:05
Torturing HIPS every day; what about those of us without HIPS?

Lots of people like to use old malware to test HIPS; they'd do better to test HIPS with the winlocker that's going around lately.
留侯
Posted on 2011-8-5 22:14:04
Dr.Web clean; the files are packed:
porno\porno-rolik11.avi.exe 已打包,方式: UPX
porno\porno-rolik12.avi.exe 已打包,方式: UPX
porno\porno-rolik17.avi.exe 已打包,方式: UPX
Reported!
qq351100394
Posted on 2011-8-5 22:20:39
OP, post the behavior.
a256886572008
OP | Posted on 2011-8-5 22:22:50
qq351100394 posted on 2011-8-5 22:20
OP, post the behavior.

Double-click it on a real machine and you'll find out.
qq351100394
Posted on 2011-8-5 22:25:25
=====Sample Summary=====
File name: sample.exe
MD5: B5118AEE96EA5535909B37EA65C8BD94
SHA1: B44C9A17DFCBFD0D1FE64829844A1769F4595486
SHA256: FC56059A8E405A1CDF8AB5F00969492E2A6AF91EFA21F7FC0F0E6AF7316C1930

=====Major Threats=====

=====Behavior Details=====

Create process:
sample.exe --> C:\sample.exe
sample.exe --> C:\WINDOWS\system32\cmd.exe
cmd.exe --> C:\WINDOWS\system32\reg.exe
sample.exe --> C:\WINDOWS\system32\shutdown.exe

Create remote thread:
sample.exe --> sample.exe
sample.exe --> cmd.exe
cmd.exe --> reg.exe
sample.exe --> shutdown.exe

Create file:
sample.exe --> C:\Documents and Settings\Administrator\8068330.exe

Delete file:
cmd.exe --> C:\sample.exe

Create key:
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic\6.0
cmd.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio
cmd.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager
cmd.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
cmd.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Run
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\000000000003ad67
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Set value key:
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [2D 52 81 21 F6 DA 63 FD ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [66 9D 4B 80 C6 DF 1A 6E ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [09 ED 4F DB AB 58 F8 46 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [89 A4 78 F3 70 E3 05 F2 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [A8 15 0F B6 87 70 36 C0 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [E1 06 20 4B 42 E7 BB FE ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [1F 0E A8 67 45 C9 47 33 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [AE 2F EB AF 08 93 36 24 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [02 2C 91 2C AC DF ED 82 ...]
cmd.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [6A 8B 85 76 18 64 D6 86 ...]
reg.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [10 02 53 F9 D9 AD 39 3E ...]
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Run\8068330 ["C:\Documents and Settings\Administrator\8068330.exe"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [BE 61 43 EB 57 E6 F2 52 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F6 F8 A0 04 D5 FD BA 56 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [B3 C2 9A 8B E9 C9 99 5A ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [1E 98 FE 18 C9 9D 82 A1 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F6 2E F8 48 19 71 17 57 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [7E AD 96 9A 9B 0F E7 DE ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [71 AA B9 F1 68 3C 43 65 ...]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies ["C:\Documents and Settings\Administrator\Cookies"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\shutdown.exe ["Windows Remote Shutdown Tool"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal ["D:\Backup\ ҵ ĵ "]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ["C:\Documents and Settings\All Users\Documents"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop ["C:\Documents and Settings\Administrator\ "]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ["C:\Documents and Settings\All Users\ "]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\cmd.exe ["Windows Command Processor"]
shutdown.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [60 B3 D5 26 3F 94 2E B6 ...]
cmd.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [FD B0 65 46 4A B0 1B 55 ...]

The legendary auto-shutdown command.
小富队长
Posted on 2011-8-5 23:26:24
Error after running it.
郑伟用户
Posted on 2011-8-5 23:30:05
Can't test it.

hx1997
Posted on 2011-8-5 23:50:15
Last edited by hx1997 on 2011-8-5 23:54

Trojan.Ransom... To ESET.
http://samples.nod32.com.hk/inde ... 80bb4dd12dffaefd47b
http://samples.nod32.com.hk/inde ... 2eea5636b4fe73c0088
http://samples.nod32.com.hk/inde ... 535909b37ea65c8bd94


The file 'C:\Documents and Settings\Administrator\桌面\porno\porno-rolik17.avi.exe'
contained a virus or unwanted program 'HIDDENEXT/Crypted' [heuristic]

The file 'C:\Documents and Settings\Administrator\桌面\porno\porno-rolik12.avi.exe'
contained a virus or unwanted program 'HIDDENEXT/Crypted' [heuristic]

The file 'C:\Documents and Settings\Administrator\桌面\porno\porno-rolik11.avi.exe'
contained a virus or unwanted program 'HIDDENEXT/Crypted' [heuristic]
