This post was last edited by aboringman on 2017-6-12 12:15
ESET killed it, Win32/Packed.VMProtect.E trojan
[mw_shl_code=css,true]Behavior: Download file
Details:
C:\Documents and Settings\Administrator\Application Data\DBC~WIN_XP\DBCUp.TMP
Behavior: Connect to specified site
Details:
InternetConnectA: ServerName = ww****om(澳大利亚), PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = db****om(澳大利亚), PORT = 80, UserName = , Password = , hSession = 0x00cc000c, hConnect = 0x00cc0010, Flags = 0x00000000
InternetConnectA: ServerName = ww****om(澳大利亚), PORT = 80, UserName = , Password = , hSession = 0x00cc000c, hConnect = 0x00cc0018, Flags = 0x00000000
InternetConnectA: ServerName = db****om(澳大利亚), PORT = 80, UserName = , Password = , hSession = 0x00cc000c, hConnect = 0x00cc0020, Flags = 0x00000000
InternetConnectA: ServerName = ww****om(澳大利亚), PORT = 80, UserName = , Password = , hSession = 0x00cc000c, hConnect = 0x00cc0028, Flags = 0x00000000
Behavior: Open HTTP connection
Details:
InternetOpenA: UserAgent: AutoIt, hSession = 0x00cc0004
InternetOpenA: UserAgent: AutoIt, hSession = 0x00cc000c
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc000c
Behavior: Establish a connection to a specified socket
Details:
URL: ww****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x000002d8
URL: db****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x000002f0
URL: db****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x000003c0
URL: db****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x000004c0
URL: ww****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x0000051c
URL: ww****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x00000480
URL: db****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x000004e0
URL: db****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x00000594
URL: ww****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x0000049c
URL: ww****om(澳大利亚), IP: **.133.40.**:80, SOCKET = 0x000005d0
Behavior: Read network file
Details:
hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00cc0014, BytesToRead =4096, BytesRead = 4096.
hFile = 0x00cc001c, BytesToRead =4096, BytesRead = 4096.
hFile = 0x00cc0024, BytesToRead =4096, BytesRead = 4096.
hFile = 0x00cc002c, BytesToRead =4096, BytesRead = 4096.
Behavior: Send HTTP packet
Details:
GET /jc/DBCUpdate.txt HTTP/1.1 User-Agent: AutoIt Host: ww****om(澳大利亚) Cache-Control: no-cache
GET /pe5.1.html HTTP/1.1 User-Agent: AutoIt Host: db****om(澳大利亚) Cache-Control: no-cache
GET /pe5.1.html HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: db****om(澳大利亚) Connection: Keep-Alive
GET /4.6iso.html HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om(澳大利亚) Connection: Keep-Alive
GET /Software.html HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: db****om(澳大利亚) Connection: Keep-Alive
GET /4.6help.html HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om(澳大利亚) Connection: Keep-Alive
Behavior: Open HTTP request
Details:
HttpOpenRequestA: ww****om(澳大利亚):80/jc/dbcupdate.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80000000
HttpOpenRequestA: db****om(澳大利亚):80/pe5.1.html, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: GET, Referer: , Flags = 0x80000000
HttpOpenRequestA: db****om(澳大利亚):80/pe5.1.html, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: db****om(澳大利亚):80/pe5.1.html, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: ww****om(澳大利亚):80/4.6iso.html, hConnect = 0x00cc0018, hRequest = 0x00cc001c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: ww****om(澳大利亚):80/4.6iso.html, hConnect = 0x00cc0018, hRequest = 0x00cc001c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: db****om(澳大利亚):80/software.html, hConnect = 0x00cc0020, hRequest = 0x00cc0024, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: db****om(澳大利亚):80/software.html, hConnect = 0x00cc0020, hRequest = 0x00cc0024, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: ww****om(澳大利亚):80/4.6help.html, hConnect = 0x00cc0028, hRequest = 0x00cc002c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: ww****om(澳大利亚):80/4.6help.html, hConnect = 0x00cc0028, hRequest = 0x00cc002c, Verb: GET, Referer: , Flags = 0x00400010
Behavior: Resolve host address by name
Details:
GetAddrInfoW: ww****om(澳大利亚)
GetAddrInfoW: db****om(澳大利亚)[/mw_shl_code]
Australia......