[Suspicious file] VT Detection ratio: 1 / 47 5844673.dll

墨家小子
Posted on 2013-5-20 09:44:18


https://www.virustotal.com/en/fi ... nalysis/1369013996/

墨家小子
Original poster | Posted on 2013-5-20 14:40:16
Sample run trace (read from the bottom up):

Firewall: User decision,2013/5/20 14:22:55,Allowed,"C:\ProgramData\q1be.dat, Outgoing TCP access allowed to: 37.139.53.220:443"
Program Guard: q1be.dat,2013/5/20 14:22:52,Allowed,C:\Windows\system32\rundll32.exe -> C:\ProgramData\q1be.dat
Program Guard: q1be.dat -> rundll32.exe,2013/5/20 14:22:47,Allowed,C:\ProgramData\q1be.dat(0) wants to start C:\ProgramData\rundll32.exe(3908)
Firewall: User decision,2013/5/20 14:22:45,Allowed,"C:\ProgramData\q1be.dat, Outgoing TCP access allowed to: 37.139.53.220:443"
Program Guard: q1be.dat -> rundll32.exe,2013/5/20 14:22:09,Allowed,C:\ProgramData\q1be.dat(0) wants to start C:\Windows\system32\rundll32.exe(3968)
Program Guard: q1be.dat,2013/5/20 14:21:56,Allowed,C:\Program Files\Windows Media Player\wmplayer.exe -> C:\ProgramData\q1be.dat
Program Guard: q1be.dat -> wmplayer.exe,2013/5/20 14:21:47,Allowed,C:\ProgramData\q1be.dat(0) wants to write memory in C:\Program Files\Windows Media Player\wmplayer.exe(2424)
Firewall: User decision,2013/5/20 14:21:44,Allowed,"C:\ProgramData\q1be.dat, Outgoing TCP access allowed to: 37.139.53.220:80"
Program Guard: q1be.dat -> wmplayer.exe,2013/5/20 14:21:40,Allowed,C:\ProgramData\q1be.dat(0) wants to change memory access protection in C:\Program Files\Windows Media Player\wmplayer.exe(2424)
Firewall: User decision,2013/5/20 14:21:37,Allowed,"C:\ProgramData\q1be.dat, Outgoing TCP access allowed to: 37.139.53.220:80"
Program Guard: q1be.dat -> wmplayer.exe,2013/5/20 14:21:14,Allowed,C:\ProgramData\q1be.dat(0) wants to open C:\Program Files\Windows Media Player\wmplayer.exe(2424)
Firewall: Automatic decision,2013/5/20 14:21:12,Allowed,"C:\Program Files\Windows Media Player\wmplayer.exe, Outgoing UDP access allowed to: 127.0.0.1:63813"
Program Guard: q1be.dat -> iexplore.exe,2013/5/20 14:20:38,Allowed,C:\ProgramData\q1be.dat(0) wants to open C:\Program Files\Internet Explorer\iexplore.exe(2604)
Firewall: Automatic decision,2013/5/20 14:20:35,Allowed,"C:\Program Files\Internet Explorer\iexplore.exe, Outgoing UDP access allowed to: 127.0.0.1:49542"
Program Guard: q1be.dat,2013/5/20 14:20:34,Allowed,C:\ProgramData\q1be.dat wants to get a list of the files C:\ProgramData\*
Program Guard: q1be.dat -> iexplore.exe,2013/5/20 14:20:32,Allowed,C:\ProgramData\q1be.dat(0) wants to start C:\Program Files\Internet Explorer\iexplore.exe(2604)
Program Guard: q1be.dat,2013/5/20 14:20:28,Allowed,C:\ProgramData\q1be.dat wants to get a list of the files C:\ProgramData\*
Program Guard: q1be.dat -> rundll32.exe,2013/5/20 14:20:28,Allowed,C:\ProgramData\q1be.dat(0) wants to start C:\ProgramData\rundll32.exe(2804)
Program Guard: q1be.dat,2013/5/20 14:20:22,Allowed,C:\ProgramData\rundll32.exe -> C:\ProgramData\q1be.dat
Program Guard: q1be.dat -> rundll32.exe,2013/5/20 14:20:10,Allowed,C:\ProgramData\q1be.dat(0) wants to start C:\ProgramData\rundll32.exe(2476)
Program Guard: 5844673.dll,2013/5/20 14:19:59,Allowed,C:\Users\Firefox3\Desktop\5844673.dll wants to get a list of the files C:\ProgramData\*
Program Guard: 5844673.dll -> q1be.dat,2013/5/20 14:19:48,Allowed,C:\Users\Firefox3\Desktop\5844673.dll(0) wants to load C:\ProgramData\q1be.dat(0)
Program Guard: 5844673.dll -> rundll32.exe,2013/5/20 14:19:39,Allowed,C:\Users\Firefox3\Desktop\5844673.dll wants to create executable file C:\PROGRA~2\rundll32.exe
Program Guard: 5844673.dll,2013/5/20 14:19:32,Allowed,C:\Windows\explorer.exe -> C:\Users\Firefox3\Desktop\5844673.dll

There is a surprise after reboot.

See also: On startup-item defence in OA free; OA vs. the lock-screen DLL
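As an added example (not part of the thread or any poster's code), a small Python parser for the Outpost Program Guard/Firewall lines quoted above that flags the three behaviours the trace shows: a .dat module opening its own outbound TCP session, memory writes and protection changes in another process, and a system binary name created or started outside C:\Windows. The six sample lines are copied from the trace above; the category names and the SYSTEM_BINARIES list are my own assumptions.

```python
import re

# Constructed sample: six Outpost HIPS/firewall lines reproduced from the thread, unwrapped.
SAMPLE_LOG = r"""Firewall: User decision,2013/5/20 14:22:55,Allowed,"C:\ProgramData\q1be.dat, Outgoing TCP access allowed to: 37.139.53.220:443"
Program Guard: q1be.dat -> wmplayer.exe,2013/5/20 14:21:47,Allowed,C:\ProgramData\q1be.dat(0) wants to write memory in C:\Program Files\Windows Media Player\wmplayer.exe(2424)
Program Guard: q1be.dat -> wmplayer.exe,2013/5/20 14:21:40,Allowed,C:\ProgramData\q1be.dat(0) wants to change memory access protection in C:\Program Files\Windows Media Player\wmplayer.exe(2424)
Program Guard: q1be.dat -> rundll32.exe,2013/5/20 14:20:10,Allowed,C:\ProgramData\q1be.dat(0) wants to start C:\ProgramData\rundll32.exe(2476)
Program Guard: 5844673.dll -> rundll32.exe,2013/5/20 14:19:39,Allowed,C:\Users\Firefox3\Desktop\5844673.dll wants to create executable file C:\PROGRA~2\rundll32.exe
Program Guard: 5844673.dll,2013/5/20 14:19:32,Allowed,C:\Windows\explorer.exe -> C:\Users\Firefox3\Desktop\5844673.dll
"""

# Line shapes as they appear in the thread (field order: rule, timestamp, decision, detail).
GUARD_RE = re.compile(r"^Program Guard: (?P<rule>[^,]+),(?P<ts>[^,]+),(?P<decision>[^,]+),(?P<detail>.*)$")
FW_RE = re.compile(r'^Firewall: [^,]+,(?P<ts>[^,]+),(?P<decision>[^,]+),"(?P<path>[^,]+), '
                   r'Outgoing (?P<proto>TCP|UDP) access allowed to: (?P<dst>[\d.]+):(?P<port>\d+)"$')
# "<src>(pid) wants to <action> <dst>(pid)"; the pids are optional in the log.
DETAIL_RE = re.compile(r"^(?P<src>.+?)(?:\((?P<spid>\d+)\))? wants to (?P<action>.+?) "
                       r"(?P<dst>[A-Za-z]:\\.*?)(?:\((?P<dpid>\d+)\))?$")

INJECT_ACTIONS = ("write memory in", "change memory access protection in")
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe"}  # assumed list of names worth checking

def analyze(log_text):
    """Return (category, timestamp, detail) findings for the indicators seen in the thread."""
    findings = []
    for line in log_text.splitlines():
        fw = FW_RE.match(line)
        if fw:
            # A module with a non-.exe name (q1be.dat) opening its own outbound session.
            if not fw["path"].lower().endswith(".exe"):
                findings.append(("c2_from_non_exe", fw["ts"],
                                 f"{fw['path']} -> {fw['dst']}:{fw['port']}/{fw['proto']}"))
            continue
        g = GUARD_RE.match(line)
        d = DETAIL_RE.match(g["detail"]) if g else None
        if not d:
            continue  # "explorer.exe -> file" load lines carry no "wants to" verb
        src, action, dst = d["src"], d["action"], d["dst"]
        if action in INJECT_ACTIONS:
            findings.append(("process_injection", g["ts"], f"{src} -> {dst}({d['dpid']})"))
        elif (action in ("create executable file", "start")
              and dst.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES
              and not dst.lower().startswith("c:\\windows\\")):
            findings.append(("system_binary_outside_windows", g["ts"], dst))
    return findings

if __name__ == "__main__":
    for category, ts, detail in analyze(SAMPLE_LOG):
        print(f"{ts}  {category:30}  {detail}")
```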
fireold
Posted on 2013-5-20 12:07:17
G Data
1.
*** Process ***

Process: 1536
File name: rundll32.exe
Path: c:\windows\system32\rundll32.exe

Publisher: Microsoft Windows
Creation date: 07/14/09 03:21:29
Modification date: 07/14/09 01:14:31

Started by: explorer.exe
Publisher: Microsoft Windows


*** Actions ***

The program is trying to create a startup item to launch a program automatically at system startup.
The program has created or manipulated an executable file.
The program created a copy of itself.
An executable file was stored in a suspicious location.

Rules version: 4.1.0
OS: Windows 6.1 Service Pack 1.0 Build: 7601 - Workstation 32bit OS
dll version: 30732

"C:\Windows\system32\rundll32.exe" "C:\5844673.dll",exp
C:\Windows\Explorer.EXE



2.
*** Process ***

Process: 3892
File name: rundll32.exe
Path: c:\progra~2\rundll32.exe

Publisher: Microsoft Windows
Creation date: 05/20/13 04:04:13
Modification date: 05/20/13 04:04:13

Started by: rundll32.exe
Publisher: Microsoft Windows


*** Actions ***

The program has executed actions in the name of another program.
The program is trying to create a startup item to launch a program automatically at system startup.
An executable file was stored in a suspicious location.

Rules version: 4.1.0
OS: Windows 6.1 Service Pack 1.0 Build: 7601 - Workstation 32bit OS
dll version: 30732

C:\PROGRA~2\rundll32.exe C:\PROGRA~2\1tozdl.dat,FG00
"C:\Windows\system32\rundll32.exe" "C:\5844673.dll",exp

dreams521
Posted on 2013-5-20 12:23:11
QVM27
傻猪猪米走鸡
Posted on 2013-5-20 14:11:00
2013/5/20 14:08:11        ESET 内核        文件 'E:\virus\5844673.zip' 已发送到 ESET 进行分析。
我是UD
Posted on 2013-5-20 15:47:04
无法访问该网页

请求对象位于网址:

https://att.kafan.cn/forum.php?mod=attachment&aid=mje0nzu3oxxhnwy3odllnnwxmzy5mdm1otk2fdm5nzkxmhwxntcxmzu4

已检测到的威胁:

对象感染源 Trojan-Ransom.Win32.Foreign.cnoa
a445441
Posted on 2013-5-20 16:48:15