VT Detection ratio: 5 / 47 chp.exe OA free 勉强及格

显示全部楼层 · 发表于 2013-5-20 12:25:47

第2个未知

显示全部楼层 · 发表于 2013-5-20 13:55:16

本帖最后由墨家小子于 2013-5-20 13:58 编辑

贴一个OA free的

运行之后虽说被添加启动项，OA没有拦截，但重启之后……

拦截日志（从下往上看，红色部分是重启之后OA的拦截动作，重启之前看不到OA拦截木马添加启动项）：

Type,Date/Time,Action,Description,Misc
Program Guard: kernel event,2013/5/20 13:37:42,None,"OADriver: OB_OPERATION_HANDLE_CREATE, 2672 -> 1228, Mask: 9 - 100000",1228 - oasrv.exe 2672 - XueTr.exe

Program Guard: 1.bat -> scvhost.exe,2013/5/20 13:37:28,Blocked,C:\Users\Firefox3\AppData\Roaming\pejo\1.bat(0) wants to start C:\Users\Firefox3\AppData\Roaming\pejo\scvhost.exe(0)

Program Guard: 1.bat,2013/5/20 13:37:18,Allowed,C:\Users\Firefox3\AppData\Roaming\pejo\chp.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\1.bat

Program Guard: chp.exe,2013/5/20 13:37:15,Allowed,C:\Windows\system32\cmd.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\chp.exe

Program Guard: AdMunch.exe -> AM32-33707.dll,2013/5/20 13:37:10,Allowed,C:\Users\Firefox3\Desktop\soft\Ad Muncher4.93\AdMunch.exe(2568) wants to set global hook to (C:\Users\Firefox3\Desktop\soft\Ad Muncher4.93\AM32-33707.dll)
Autorun detected: vifier.bat,2013/5/20 13:37:05,Blocked,C:\Users\Firefox3\AppData\Roaming\pejo\vifier.bat --- 木马启动项启动前被OA抓住了

Program Guard: kernel event,2013/5/20 13:37:01,None,"OADriver: PostMessage, Msg: 49218/c042 1556 -> 3000, Deny (protected)",1556 - taskhost.exe 3000 - OAhlp.exe
Program Guard: kernel event,2013/5/20 13:36:52,None,"OADriver: PostMessage, Msg: 799/31f 1440 -> 2684, Deny (protected)",1440 - dwm.exe 2684 - oaui.exe
Program Guard: kernel event,2013/5/20 13:36:33,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 512, pid: 1228, Mask: 1FFFFF - 1FF414",1228 - oasrv.exe 512 - services.exe
Program Guard: kernel event,2013/5/20 13:36:33,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 512, pid: 1188, Mask: 1FFFFF - 1FF414",1188 - OAcat.exe 512 - services.exe
Firewall: Automatic decision,2013/5/20 13:36:30,Allowed,"C:\Windows\system32\svchost.exe, Incoming UDP access allowed to: 0.0.0.0:65305"
Service started,2013/5/20 13:36:23,None,C:\Program Files\Online Armor\oasrv.exe
System boot,2013/5/20 13:36:23,None,System boot at: 2013/5/20 13:35:40
Service stopped,2013/5/20 13:35:17,None,C:\Program Files\Online Armor\oasrv.exe
System shutdown,2013/5/20 13:35:15,None,System shutdown at: 2013/5/20 13:35:15

Program Guard: kernel event,2013/5/20 13:35:15,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 512, pid: 1220, Mask: 1FFFFF - 1FF414",1220 - oasrv.exe 512 - services.exe

Program Guard: kernel event,2013/5/20 13:35:15,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 512, pid: 1180, Mask: 1FFFFF - 1FF414",1180 - OAcat.exe 512 - services.exe

Program Guard: kernel event,2013/5/20 13:34:56,None,"OADriver: OB_OPERATION_HANDLE_CREATE, 3032 -> 1220, Mask: 9 - 100000",1220 - oasrv.exe 3032 - XueTr.exe

Program Guard: 1.bat -> scvhost.exe,2013/5/20 13:34:29,Blocked,C:\Users\Firefox3\AppData\Roaming\pejo\1.bat(0) wants to start C:\Users\Firefox3\AppData\Roaming\pejo\scvhost.exe(0)

Program Guard: 1.bat,2013/5/20 13:34:28,Allowed,C:\Users\Firefox3\AppData\Roaming\pejo\chp.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\1.bat

Program Guard: chp.exe,2013/5/20 13:34:18,Allowed,C:\Windows\system32\cmd.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\chp.exe

Program Guard: vifier.bat -> reg.exe,2013/5/20 13:34:06,Allowed,C:\Users\Firefox3\AppData\Roaming\pejo\vifier.bat(0) wants to start C:\Windows\system32\reg.exe(0) --- 实际上就在这里OA已经悲剧了，reg会添加启动项

Program Guard: kernel event,2013/5/20 13:34:05,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 2864, pid: 1040, SP: 2308863120, TP: 2308863120, Mask: 1FFFFF - 1FF414",1040 - cmd.exe 2864 - uz6quskg4dmi0.exe

Program Guard: vifier.bat,2013/5/20 13:34:04,Allowed,C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\vifier.bat

Program Guard: uz6quskg4dmi0.exe -> cmd.exe,2013/5/20 13:34:04,Allowed,C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe(2864) wants to start C:\Windows\system32\cmd.exe(1040)

Program Guard: uz6quskg4dmi0.exe -> libblkmaker_jansson-0.1-0.dll,2013/5/20 13:33:17,Allowed,C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe wants to create executable file C:\Users\Firefox3\AppData\Roaming\pejo\libblkmaker_jansson-0.1-0.dll

Program Guard: uz6quskg4dmi0.exe,2013/5/20 13:33:14,Allowed,C:\Windows\Explorer.EXE -> C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe

Program Guard: uz6quskg4dmi0.exe,2013/5/20 13:32:45,Blocked,C:\Windows\Explorer.EXE -> C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe

显示全部楼层 · 发表于 2013-5-20 13:58:01

2013/5/20 13:57:40 HTTP 过滤器文件 https://att.kafan.cn/forum.php?mo ... DI2NDk0MHwxNTcxMzgw Win32/BitCoinMiner.L 潜在的不安全应用程序的变种连接中断 - 已隔离 Galaxy-Office2\Galaxy 通过应用程序访问 web 时检测到威胁: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe.
2013/5/20 13:57:34 HTTP 过滤器文件 https://att.kafan.cn/forum.php?mo ... DI2NDk0MHwxNTcxMzgw Win32/HideExec.NAF 潜在的不安全应用程序连接中断 - 已隔离 Galaxy-Office2\Galaxy 通过应用程序访问 web 时检测到威胁: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe.
2013/5/20 13:57:27 HTTP 过滤器文件 https://att.kafan.cn/forum.php?mo ... DI2NDk0MHwxNTcxMzgw Win32/Agent.PRC 特洛伊木马的变种连接中断 - 已隔离 Galaxy-Office2\Galaxy 通过应用程序访问 web 时检测到威胁: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe.

显示全部楼层 · 发表于 2013-5-20 14:08:24

liangxy 发表于 2013-5-20 12:12
我很久没有出现了，上来露个脸，微点怎么测试？

微点已完爆东南亚，不需要测试的，你太out啦

显示全部楼层 · 发表于 2013-5-20 18:19:28

本帖最后由消停于 2013-5-20 18:21 编辑

全部过诺顿

显示全部楼层 · 发表于 2013-5-20 18:21:16

消停发表于 2013-5-20 18:19
全部过诺顿

你可以那这个区诺顿社区咆哮一下的

显示全部楼层 · 发表于 2013-5-20 18:21:50

墨家小子发表于 2013-5-20 18:21
你可以那这个区诺顿社区咆哮一下的

一会儿重启下试试！

显示全部楼层 · 发表于 2013-5-20 18:23:47

消停发表于 2013-5-20 18:21
一会儿重启下试试！

你这启动项已经被爆菊花了

显示全部楼层 · 发表于 2013-5-20 18:24:45

墨家小子发表于 2013-5-20 18:23
你这启动项已经被爆菊花了

爆的体无完肤！

显示全部楼层 · 发表于 2013-5-20 18:30:18

消停发表于 2013-5-20 18:24
爆的体无完肤！

这个利用系统程序干坏事，诺顿的弱项啊

[可疑文件] VT Detection ratio: 5 / 47 chp.exe OA free 勉强及格

本帖子中包含更多资源

本帖子中包含更多资源