报的不多。。。。[MD5: 72C2AA]

bluenice

Arcavir	1.0.4	200707171526	2007-07-17	Heur.Win32.I	1.163
AVAST	1.0.8	000757-3	2007-07-17	Win32:Agent-GRW	1.539
AVG	7.5.47.442	269.10.8/906	2007-07-17	没有检测到病毒	1.239
BitDefender	7.60825.735046	7.13916	2007-07-17	没有检测到病毒	2.808
ClamAV	N/A	3695	2007-07-18	没有检测到病毒	0.201
F-SECURE	5.51.6100	2007.07.17.07	2007-07-17	没有检测到病毒	2.456
IKARUS	T3.1.1.8	11:07:33	2007-07-17	Trojan-Downloader.Win32.Zlob.a...	1.334
MKS_VIR	2.01	2007.07.17	2007-07-17	Heur.Win32	0.356
NOD32	2.70.7	2404	2007-07-17	没有检测到病毒	2.366
SOPHOS	2.47	4.19	2007-07-18	Mal/Packer	0.29
VBA32	3.12.2	20070717.1938	2007-07-17	没有检测到病毒	2.01
VirusBuster	4.3.19:9	9.089.2/11.0	2007-07-17	Packed/Upack	0.973
冰岛杀毒	3.16.15	2007.07.17	2007-07-17	没有检测到病毒	3.852
卡巴斯基	5.5.10	2007.07.18	2007-07-18	没有检测到病毒	0.187
大蜘蛛	4.33	2007.07.18	2007-07-18	没有检测到病毒	5.528
小红伞	7.4.0.42	6.39.0.161	2007-07-18	没有检测到病毒	2.162
熊猫卫士	9.00.00	2007.07.17	2007-07-17	没有检测到病毒	0.869
诺曼	5.90.37	5.90	2007-07-18	W32/Suspicious_U.gen	2.462
赛门铁克	1.2.0.18	20070716.021	2007-07-16	没有检测到病毒	0.4
趋势	8.500-1001	4.601.00	2007-07-17	没有检测到病毒	2.041
迈克菲	5.1.00	5076	2007-07-17	New Malware.aj	0.603
金山毒霸	2007.4.17.247	2007.7.16	2007-07-16	没有检测到病毒	0.96

[ 本帖最后由 promised 于 2007-7-19 01:35 编辑 ]

wangjay1980

2007-7-18 JAY21:03:43        File: C:\Documents and Settings\Owner\×ÀÃæ\boolan95.zip/boolan95.exe//PE_Patch//UPack//27271476

Hello,

boolan95.exek - Trojan-Downloader.Win32.Agent.bto

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Vladimir Krylov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.



> Attachment: boolan95.zip

[ 本帖最后由 wangjay1980 于 2007-7-18 21:21 编辑 ]

solcroft

boolan95.exe ISOLATE on start from explorer.exe
boolan95.exe REDIRECT access to C:\Documents and Settings\Virtual Machine\Local Settings\Temporary Internet Files\Content.IE5\index.dat (File)
boolan95.exe REDIRECT access to C:\Documents and Settings\Virtual Machine\Cookies\index.dat (File)
boolan95.exe REDIRECT access to C:\Documents and Settings\Virtual Machine\Local Settings\History\History.IE5\index.dat (File)
boolan95.exe READONLY access to \Device\NamedPipe\lsass (File)
boolan95.exe REDIRECT access to C:\WINDOWS\Debug\UserMode\userenv.log (File)
boolan95.exe REDIRECT access to HKU\S-1-5-21-1409082233-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (Registry)
boolan95.exe REDIRECT access to HKU\S-1-5-21-1409082233-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride (Registry)
boolan95.exe REDIRECT access to HKU\S-1-5-21-1409082233-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL (Registry)
boolan95.exe REDIRECT access to HKU\S-1-5-21-1409082233-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings (Registry)

然后要求联网

奇怪的东西，是下载者么？

promised

C:\ABC\boolan95.rar:\boolan95.exe - 特征码 'Trojan-Downloader.Win32.Zlob.and' 被发现
C:\ABC\boolan95.rar

        2 个文件被扫描
          (1 个压缩档 1 个文件)
        1 个特征码被侦测
        0 个可疑代码段被发现
        耗时: 0:00.031

The EQs

上报给eset了

promised

优先权

solcroft

这个样本除了下载流氓，什么都不干
反正只要拒绝这个，便把它KO了

hj5abc

有底层磁盘操作..

1688388728

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I0GU558Q\boolan95[1].rar\boolan95.exe - infected with Trojan.Resun.origin

Archive contains an infected item

solcroft

在我电脑上没有