Views: 4756 | Replies: 25

[Virus Sample] High quality

akw2312
Posted on 2011-8-5 22:50:06
VT:http://www.virustotal.com/file-s ... a5bec87b-1312554787
Only 2 vendors on VT detect it. Extremely high quality.

Reported it to Kaspersky; the verdict has come back:

【gbot-crypted-khan.exe - Trojan.Win32.Jorik.Gbod.ad】

New malicious software was found in these files. Detection will be included in the next update. Thank you for your help.

Best Regards, Kaspersky Lab


[attachment]
luxiao200888
Posted on 2011-8-5 22:51:36
gbot-crypted-khan.rar>>gbot-crypted-khan.exe    Trojan.Injector.RP.hybd.mg    Trojan! Gene
C.C.
Posted on 2011-8-5 22:55:10
Last edited by C.C. on 2011-8-5 23:20

Local QVM: KILL

[screenshot]

Generated files:

[attachment]
schumi小粉
Posted on 2011-8-5 22:55:15
Last edited by schumi小粉 on 2011-8-5 22:55

To Avast, to ESET and MP.

[attachment]

Rating: hj5abc, Popularity +1: "Kafan's resident avast! virus collector :-)"

荷韵诗
Posted on 2011-8-5 22:55:51
Last edited by 荷韵诗 on 2011-8-5 22:58

[attachment]
qq351100394
Posted on 2011-8-5 23:02:09
=====Behavior Details=====

Create process:
sample.exe --> C:\sample.exe
sample.exe --> C:\WINDOWS\windupdate\svchost.exe

Create remote thread:
sample.exe --> sample.exe
sample.exe --> svchost.exe

Create file:
sample.exe --> C:\WINDOWS\windupdate\
sample.exe --> C:\WINDOWS\windupdate\svchost.exe
svchost.exe --> C:\WINDOWS\windupdate\vistas.dll
svchost.exe --> C:\WINDOWS\windupdate\WinSocks.sw

Delete file:
svchost.exe --> C:\WINDOWS\windupdate\vistas.dll

Create key:
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic\6.0
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
svchost.exe --> \REGISTRY\USER\.DEFAULT\Software
svchost.exe --> \REGISTRY\USER\.DEFAULT\Software\Microsoft
svchost.exe --> \REGISTRY\USER\.DEFAULT\Software\Microsoft\Visual Basic
svchost.exe --> \REGISTRY\USER\.DEFAULT\Software\Microsoft\Visual Basic\6.0
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Classes
svchost.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters

Set value key:
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [B4 4A B0 2A 93 C7 06 DC ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [04 40 6E A0 5E EB 8A 13 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [28 E1 5C A7 A0 54 AE 60 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [69 F3 4D 7F 17 24 37 0A ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [0C 07 7A B6 33 B4 95 16 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [C1 44 F5 29 26 C4 E6 81 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [CD 25 EE A4 79 6B 22 87 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [7C 08 F3 17 D3 3D 34 5B ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [55 E4 34 9D C3 B5 64 5F ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\WinUpdates ["C:\WINDOWS\windupdate\svchost.exe"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F0 71 19 2B 55 1D 14 8D ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [55 A6 57 29 7A DC 45 7D ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [07 AF DC 98 0B BF 31 E6 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [D7 EE 40 F5 2B 5D 01 B1 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [D2 88 BB 10 F8 41 13 22 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F1 26 27 77 05 2F 41 36 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [7E C1 D1 1E 69 C6 6F 76 ...]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal ["D:\Backup\<non-ASCII folder name, garbled in extraction>"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ["C:\Documents and Settings\All Users\Documents"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop ["C:\Documents and Settings\Administrator\<non-ASCII folder name, garbled in extraction>"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ["C:\Documents and Settings\All Users\<non-ASCII folder name, garbled in extraction>"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies ["C:\Documents and Settings\Administrator\Cookies"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\windupdate\svchost.exe ["Pickman Bach Paula Madagascar Goliath"]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [97 8B 8B DA BA B5 04 A2 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [AD F4 B7 6F 16 49 31 37 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [D7 32 C0 40 ED 6C E2 2E ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [B3 4B 55 F8 51 C1 9D 74 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [B4 A9 6A 88 CC 50 32 D4 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [93 AB 63 C5 B7 90 BF D1 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [67 5C A0 07 44 5A C6 9E ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [61 43 57 C7 1A 60 49 FB ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [C8 9A 76 4B F4 9E 23 7E ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [0C 0D B9 29 95 64 1E D0 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F6 A5 18 36 C2 5A C1 8B ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [8A D2 D5 A3 CA F0 ED DB ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [C9 F7 41 46 75 7F 49 EF ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [5F 47 7D 5C 8A 9C 69 B0 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [C0 1D CD E3 D4 0F 12 04 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [3A 68 9B 1F E1 D2 30 46 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [54 D4 7A 15 96 5D F8 CB ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [CB A1 FE CD AC 18 9E 0D ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [32 4C 1E 26 44 3C F1 C3 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [01 F4 47 0E 9E 4D 71 B3 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [B8 CD F7 48 4E 36 DF C1 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [2E 3D C1 81 59 63 1A 40 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [E0 76 DB 8A 13 53 2F 80 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [DE DF 7D 31 6E 8C A1 41 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [50 A7 D5 4E 0D 82 5B 71 ...]

Download file:
Get test-gulf.com
/1213/getcmd.php?id=-797358391&traff=0

Try to connect domain:
test-gulf.com

Tcp Connection:
local:1049 --> 212.117.169.86:80
local:1050 --> 212.117.169.86:80
schumi小粉
Posted on 2011-8-5 23:02:57
荷韵诗 posted on 2011-8-5 22:55:

Ran it inside Sandboxie... MP actually didn't block it. I'm stunned.
deniss
Posted on 2011-8-5 23:13:41
Gets past Avira and NOD32. Ran it in a VM, no reaction at all.
hx1997
Posted on 2011-8-5 23:23:54
Rolled back the parent sample.

[attachment]
Copyright © KaFan  KaFan.cn All Rights Reserved.