測主防，winlocker

显示全部楼层 · 发表于 2011-8-23 10:56:59

2011-08-23 10:45:30 C:\Documents and Settings\Roger\桌面\virus\file\file.exe Sandboxed As Partially Limited

2011-08-23 10:45:33 C:\Documents and Settings\Roger\Application Data\jashla.exe Sandboxed As Partially Limited

2011-08-23 10:45:34 C:\WINDOWS\system32\cmd.exe Sandboxed As Partially Limited

2011-08-23 10:45:35 C:\WINDOWS\system32\conime.exe Sandboxed As Partially Limited

2011-08-23 10:45:39 C:\WINDOWS\system32\cmd.exe Modify File C:\Documents and Settings\Roger\桌面\virus\file\file.exe

2011-08-23 10:45:47 C:\Documents and Settings\Roger\桌面\virus\file\file.exe Scanned Online and Found Malicious

2011-08-23 10:45:59 C:\Documents and Settings\Roger\Application Data\jashla.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

2011-08-23 10:46:05 C:\Documents and Settings\Roger\Application Data\jashla.exe Access Memory C:\WINDOWS\explorer.exe

2011-08-23 10:46:25 C:\Documents and Settings\Roger\Application Data\jashla.exe Access Memory C:\WINDOWS\system32\taskmgr.exe

雲查殺

中毒畫面

显示全部楼层 · 发表于 2011-8-23 10:58:09

file.exe 行为和木马比较相似的程序

显示全部楼层 · 发表于 2011-8-23 11:01:10

还想着要试主防的。。。原来被QVM秒了

显示全部楼层 · 发表于 2011-8-23 11:01:38

本帖最后由 85464 于 2011-8-23 11:30 编辑

用星星测一下
rising
先是提示联网

勾选采用相同处理方式不再询问
之后发现未知木马

点击“删除”
无压力
2个进程全部消失
系统正常

显示全部楼层 · 发表于 2011-8-23 11:03:15

本帖最后由 rasis 于 2011-8-23 11:06 编辑

金山鉴定安全

金山沙盘运行有风险

显示全部楼层 · 发表于 2011-8-23 11:04:44

rasis 发表于 2011-8-23 11:03
金山鉴定安全

那就實機雙擊運行，看看K+是否真能保護你的電腦

显示全部楼层 · 发表于 2011-8-23 11:05:16

idp kill

显示全部楼层 · 发表于 2011-8-23 11:08:09

本帖最后由无垠穹宇于 2011-8-23 11:20 编辑

to eset
http://samples.nod32.com.sg/inde ... 35a0e5b1c955c3aca18
测一下MD，因为规则是阻止+询问，所以行为不会太多

程序运行后，MD狂弹窗，最后我阻止了程序，程序可能是通过调用命令行来实现其行为的，运行后还会在用户目录下创建程序

2011-8-23 11:10:20 读文件允许
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: C:\WINDOWS\system32\mdhook.dll
规则: [应用程序]* -> [文件组]运行请求

2011-8-23 11:10:21 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
值: C:\Documents and Settings\Administrator\Application Data
规则: [注册表组]◆注册表保护（阻止） -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-8-23 11:10:21 创建文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: C:\Documents and Settings\Administrator\Application Data\jashla.exe
规则: [文件组]☆所有执行文件（严格阻止） -> [文件]*; *.exe

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\wkssvc
规则: [文件]*

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\wkssvc
规则: [文件]*

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\wkssvc
规则: [文件]*

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\wkssvc
规则: [文件]*

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\lsarpc
规则: [文件]*

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\lsarpc
规则: [文件]*

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\lsarpc
规则: [文件]*

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\lsarpc
规则: [文件]*

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\lsarpc
规则: [文件]*

2011-8-23 11:10:22 修改文件阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: \Device\NamedPipe\lsarpc
规则: [文件]*

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48aed646-46f2-11e0-840f-806d6172696f}\BaseClass
值: Drive
规则: [注册表]*

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48aed644-46f2-11e0-840f-806d6172696f}\BaseClass
值: Drive
规则: [注册表]*

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48aed645-46f2-11e0-840f-806d6172696f}\BaseClass
值: Drive
规则: [注册表]*

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48aed647-46f2-11e0-840f-806d6172696f}\BaseClass
值: Drive
规则: [注册表]*

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48aed648-46f2-11e0-840f-806d6172696f}\BaseClass
值: Drive
规则: [注册表]*

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
值: D:\My Documents
规则: [注册表组]◆注册表保护（阻止） -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
值: C:\Documents and Settings\All Users\Documents
规则: [注册表组]◆注册表保护（阻止） -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
值: C:\Documents and Settings\Administrator\桌面
规则: [注册表组]◆注册表保护（阻止） -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
值: C:\Documents and Settings\All Users\桌面
规则: [注册表组]◆注册表保护（阻止） -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-8-23 11:10:22 访问COM接口阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Security Manager
文件路径: C:\WINDOWS\system32\urlmon.dll
规则: [应用程序]* -> [COM接口]{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\cmd.exe
值: Windows Command Processor
规则: [注册表]*

2011-8-23 11:10:22 创建新进程阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: c:\windows\system32\cmd.exe
命令行: "C:\WINDOWS\system32\cmd.exe" /c "for /L %i in (0,1,100000000) do (del "C:\Documents and Settings\Administrator\桌面\file\file.exe"  && if not exist "C:\Documents and Settings\Administrator\桌面\file\file.exe" exit 1)"
规则: [应用程序组]■完全阻止程序

2011-8-23 11:10:22 访问COM接口阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Security Manager
文件路径: C:\WINDOWS\system32\urlmon.dll
规则: [应用程序]* -> [COM接口]{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\cmd.exe
值: Windows Command Processor
规则: [注册表]*

2011-8-23 11:10:22 创建新进程阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: c:\windows\system32\cmd.exe
命令行: "C:\WINDOWS\system32\cmd.exe" /c "for /L %i in (0,1,100000000) do (del "C:\Documents and Settings\Administrator\桌面\file\file.exe"  && if not exist "C:\Documents and Settings\Administrator\桌面\file\file.exe" exit 1)"
规则: [应用程序组]■完全阻止程序

2011-8-23 11:10:22 访问COM接口阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Security Manager
文件路径: C:\WINDOWS\system32\urlmon.dll
规则: [应用程序]* -> [COM接口]{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

2011-8-23 11:10:22 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\cmd.exe
值: Windows Command Processor
规则: [注册表]*

2011-8-23 11:10:23 创建新进程阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: c:\windows\system32\cmd.exe
命令行: "C:\WINDOWS\system32\cmd.exe" /c "for /L %i in (0,1,100000000) do (del "C:\Documents and Settings\Administrator\桌面\file\file.exe"  && if not exist "C:\Documents and Settings\Administrator\桌面\file\file.exe" exit 1)"
规则: [应用程序组]■完全阻止程序

2011-8-23 11:10:29 访问COM接口阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Security Manager
文件路径: C:\WINDOWS\system32\urlmon.dll
规则: [应用程序]* -> [COM接口]{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

2011-8-23 11:10:29 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\cmd.exe
值: Windows Command Processor
规则: [注册表]*

2011-8-23 11:10:29 创建新进程阻止
进程: c:\documents and settings\administrator\桌面\file\file.exe
目标: c:\windows\system32\cmd.exe
命令行: "C:\WINDOWS\system32\cmd.exe" /c "for /L %i in (0,1,100000000) do (del "C:\Documents and Settings\Administrator\桌面\file\file.exe"  && if not exist "C:\Documents and Settings\Administrator\桌面\file\file.exe" exit 1)"
规则: [应用程序组]■完全阻止程序

显示全部楼层 · 发表于 2011-8-23 11:12:38

avira miss

显示全部楼层 · 发表于 2011-8-23 11:13:47

金山K+防不住

[病毒样本] 測主防，winlocker

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源