专门对付主防的winlock

显示全部楼层 · 发表于 2011-8-17 14:45:22

红伞杀伪装扩展名

显示全部楼层 · 发表于 2011-8-17 14:46:11

毒霸杀掉了

显示全部楼层 · 发表于 2011-8-17 14:47:42

2011-08-17 14:43:51 C:\Documents and Settings\Roger\桌面\virus\videos17.avi\videos17.exe Sandboxed As Partially Limited

2011-08-17 14:43:51 C:\WINDOWS\system32\reg.exe Sandboxed As Partially Limited

2011-08-17 14:43:52 C:\WINDOWS\system32\conime.exe Sandboxed As Partially Limited

2011-08-17 14:43:54 C:\WINDOWS\system32\shutdown.exe Sandboxed As Partially Limited

2011-08-17 14:43:55 C:\WINDOWS\system32\cmd.exe Sandboxed As Partially Limited

2011-08-17 14:44:00 C:\WINDOWS\system32\reg.exe Modify Key HKUS\S-1-5-21-1390067357-1647877149-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\634126934

2011-08-17 14:44:00 C:\WINDOWS\system32\shutdown.exe Access COM Interface LocalSecurityAuthority.Shutdown

2011-08-17 14:44:00 C:\WINDOWS\system32\cmd.exe Modify File C:\Documents and Settings\Roger\桌面\virus\videos17.avi\videos17.exe

這隻，主要是靠快速關機，達到讓殺軟主防來不及彈框，重啟之後即杯具

傷害力比 ransomeware 低一等級。

显示全部楼层 · 发表于 2011-8-17 14:53:55

2011-8-17 14:46:36 创建新进程允许
进程: c:\windows\explorer.exe
目标: e:\downloads\videos17.avi\videos17.avi.exe
命令行: "E:\downloads\videos17.avi\videos17.avi.exe"
规则: [应用程序]*

2011-8-17 14:46:42 创建文件允许
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: C:\Documents and Settings\Administrator\634126934.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2011-8-17 14:47:03 创建新进程允许
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: c:\windows\system32\cmd.exe
命令行: cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 634126934 /t REG_SZ /d "%userprofile%\634126934.exe" /f
规则: [应用程序]*

2011-8-17 14:47:14 创建新进程允许
进程: c:\windows\system32\cmd.exe
目标: c:\windows\system32\reg.exe
命令行: REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 634126934 /t REG_SZ /d "C:\Documents and Settings\Administrator\634126934.exe" /f
规则: [应用程序]*

2011-8-17 14:47:19 修改注册表值允许
进程: c:\windows\system32\reg.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\634126934
值: C:\Documents and Settings\Administrator\634126934.exe
规则: [注册表组]自动运行程序所在位置 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*

2011-8-17 14:47:27 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
值: 0x00000001(1)
规则: [注册表]*

2011-8-17 14:47:29 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
值: 0x00000001(1)
规则: [注册表]*

2011-8-17 14:47:30 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
值: 0x00000001(1)
规则: [注册表]*

2011-8-17 14:47:32 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
值: 0x00000001(1)
规则: [注册表]*

2011-8-17 14:47:33 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
值: 0x00000001(1)
规则: [注册表]*

2011-8-17 14:47:34 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
值: 0x00000001(1)
规则: [注册表]*

2011-8-17 14:47:35 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
值: 0x00000001(1)
规则: [注册表]*

2011-8-17 14:47:37 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
值: 0x00000001(1)
规则: [注册表]*

2011-8-17 14:47:53 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3d148f3d-02ae-11e0-a349-806d6172696f}\BaseClass
值: Drive
规则: [注册表]*

2011-8-17 14:47:54 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f51f49a6-5672-11e0-a072-806d6172696f}\BaseClass
值: Drive
规则: [注册表]*

2011-8-17 14:48:00 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\shutdown.exe
值: Windows Remote Shutdown Tool
规则: [注册表]*

2011-8-17 14:48:08 创建新进程允许
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: c:\windows\system32\shutdown.exe
命令行: "C:\WINDOWS\system32\shutdown.exe" /r /f /t 3
规则: [应用程序]*

2011-8-17 14:48:19 修改注册表值阻止
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
值: C:\Documents and Settings\Administrator\My Documents
规则: [注册表]*

2011-8-17 14:49:04 创建新进程允许
进程: e:\downloads\videos17.avi\videos17.avi.exe
目标: c:\windows\system32\cmd.exe
命令行: "C:\WINDOWS\system32\cmd.exe" /c del E:\DOWNLO~1\videos17.avi\VIDEOS~1.EXE > nul
规则: [应用程序]*

显示全部楼层 · 发表于 2011-8-17 15:06:37

OP反间谍 KILL

显示全部楼层 · 发表于 2011-8-17 16:17:05

a256886572008 发表于 2011-8-17 14:47
這隻，主要是靠快速關機，達到讓殺軟主防來不及彈框，重啟之後即杯具

傷害力比 ransomeware ...

这种更恶心，如果当前工作档案没保存，被它重启又进不去系统。普通用户真是束手无策

显示全部楼层 · 发表于 2011-8-17 16:23:55

费尔启发报！

显示全部楼层 · 发表于 2011-8-17 17:09:58

大蜘蛛：
videos17.avi.exe infected with Trojan.Winlock.4005

显示全部楼层 · 发表于 2011-8-17 18:02:47

ESET killed

C:\Users\Gateway\Desktop\videos17.avi.rar » RAR » videos17.avi.exe - a variant of Win32/Kryptik.RSN trojan

[病毒样本] 专门对付主防的winlock

本帖子中包含更多资源

本帖子中包含更多资源