Views: 3116 | Replies: 16

[Virus sample] svchost.exe

sam.to
Posted on 2009-6-18 20:50:16
DE8291414F4FA71C5FBB5DF5D071A4C2
to kl


Trojan-Dropper.Win32.Mudrop.arh

[ This post was last edited by sam.to on 2009-6-18 22:34 ]

lingbo110120
Posted on 2009-6-18 20:58:32
svchost.rar > RAR > svchost.e2xe - Win32/AutoRun.Agent.OS 蠕虫 的变种

NOD KILL
BING126
Posted on 2009-6-18 20:59:55
McAfee StartPage-HR
Sebastian
Posted on 2009-6-18 21:01:43
TR/Crypt.FKM.Gen
tracydk
Posted on 2009-6-18 21:17:19
"D:\病毒\svchost.rar:\svchost.e2xe";"Runtime packed nspack";""
眼镜王蛇
Posted on 2009-6-18 21:19:12
Jiangmin KILL
HC303
Posted on 2009-6-18 21:19:24
G:\virus\svchost.rar/svchost.e2xe         detected: Trojan-Dropper.Agent!IK
jochelliu
Posted on 2009-6-18 21:54:55
A very nasty virus; its behaviour is as follows:
1. Creates files in the Windows system directory
2. Creates a system service or driver
3. Injects code into other processes
4. Reads system drivers
5. Modifies system files

• Keys Created
Name Last Write Time
LM\System\CurrentControlSet\Services\UPDATEDATA 2009.01.12 15:12:48.828
LM\System\CurrentControlSet\Services\UPDATEDATA\Enum 2009.01.12 15:12:48.828
LM\System\CurrentControlSet\Services\UPDATEDATA\Security 2009.01.12 15:12:48.140

• Values Created
Name Type Size Value
LM\System\CurrentControlSet\Services\UPDATEDATA\DisplayName REG_SZ 22 "UPDATEDATA"
LM\System\CurrentControlSet\Services\UPDATEDATA\Enum\0 REG_SZ 56 "Root\LEGACY_UPDATEDATA\0000"
LM\System\CurrentControlSet\Services\UPDATEDATA\Enum\Count REG_DWORD 4 0x1
LM\System\CurrentControlSet\Services\UPDATEDATA\Enum\NextInstance REG_DWORD 4 0x1
LM\System\CurrentControlSet\Services\UPDATEDATA\ErrorControl REG_DWORD 4 0x0
LM\System\CurrentControlSet\Services\UPDATEDATA\ImagePath REG_EXPAND_SZ 86 "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
LM\System\CurrentControlSet\Services\UPDATEDATA\Security\Security REG_BINARY 168 ?
LM\System\CurrentControlSet\Services\UPDATEDATA\Start REG_DWORD 4 0x3
LM\System\CurrentControlSet\Services\UPDATEDATA\Type REG_DWORD 4 0x1

• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\system32\func.dll 36864 2009.01.12 15:12:47.000 2009.01.12 15:12:46.921 2009.01.12 15:12:46.921 0x20

• Files Changed
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb 3153920/3153920 2008.08.28 08:17:35.968/2009.01.12 15:12:50.046 2008.07.31 16:57:39.468/2008.07.31 16:57:39.468 2008.08.01 05:33:30.703/2008.08.01 05:33:30.703 0x20/0x20
C:\WINDOWS\system32\drivers\acpiec.sys 11648/12928 2007.07.27 12:00:00.000/2009.01.12 15:12:47.843 2007.07.27 12:00:00.000/2007.07.27 12:00:00.000 2008.08.01 04:46:06.655/2008.08.01 04:46:06.655 0x20/0x20

• Drivers Loaded
Base Size Flags Image Name
0xf8a46000 0x4000 0x9104000 \??\C:\WINDOWS\system32\drivers\acpiec.sys

• Drivers Unloaded
• Processes Created
PId Process Name Image Name
0x154 rundll32.exe C:\WINDOWS\system32\rundll32.exe
0x5d8 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe

• Processes Terminated
• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x154 rundll32.exe 0x570 0x7c810867 MEM_IMAGE 0x1001bdc MEM_IMAGE
0x154 rundll32.exe 0x6b8 0x7c810856 MEM_IMAGE 0x92146b MEM_IMAGE
0x25c csrss.exe 0x2d0 0x75b44616 MEM_IMAGE 0x0 MEM_PRIVATE
0x25c csrss.exe 0x5d4 0x75b44616 MEM_IMAGE 0x4b63 MEM_PRIVATE
0x274 winlogon.exe 0x638 0x7c810856 MEM_IMAGE 0x76c74a65 MEM_IMAGE
0x274 winlogon.exe 0x65c 0x7c810856 MEM_IMAGE 0x77a8964a MEM_IMAGE
0x2ac lsass.exe 0x57c 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x348 svchost.exe 0xf8 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
0x3a0 svchost.exe 0x5a0 0x7c810856 MEM_IMAGE 0x4b22 MEM_FREE
0x3f4 svchost.exe 0x594 0x7c810856 MEM_IMAGE 0x4a8f MEM_FREE
0x3f4 svchost.exe 0x5b4 0x7c810856 MEM_IMAGE 0x762cf010 MEM_IMAGE
0x3f4 svchost.exe 0x5c0 0x7c810856 MEM_IMAGE 0x762cf010 MEM_IMAGE
0x3f4 svchost.exe 0x5c4 0x7c810856 MEM_IMAGE 0x762cf0a3 MEM_IMAGE
0x3f4 svchost.exe 0x5c8 0x7c810856 MEM_IMAGE 0x762cf010 MEM_IMAGE
0x3f4 svchost.exe 0x5f8 0x7c810856 MEM_IMAGE 0x4b27 MEM_FREE
0x3f4 svchost.exe 0x650 0x7c810856 MEM_IMAGE 0x7c929fae MEM_IMAGE
0x3f4 svchost.exe 0x670 0x7c810856 MEM_IMAGE 0x606b73ae MEM_IMAGE
0x3f4 svchost.exe 0x674 0x7c810856 MEM_IMAGE 0x606b73ae MEM_IMAGE
0x3f4 svchost.exe 0x68c 0x7c810856 MEM_IMAGE 0x606b73ae MEM_IMAGE
0x3f4 svchost.exe 0x6a0 0x7c810856 MEM_IMAGE 0x606b73ae MEM_IMAGE
0x3f4 svchost.exe 0x6b4 0x7c810856 MEM_IMAGE 0x7529edb3 MEM_IMAGE
0x3f4 svchost.exe 0x6bc 0x7c810856 MEM_IMAGE 0x7529e44b MEM_IMAGE
0x5d8 wmiprvse.exe 0x5a8 0x7c810856 MEM_IMAGE 0x716df2be MEM_IMAGE
0x5d8 wmiprvse.exe 0x5dc 0x7c810867 MEM_IMAGE 0x1024636 MEM_IMAGE
0x5d8 wmiprvse.exe 0x5e0 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x5d8 wmiprvse.exe 0x5e8 0x7c810856 MEM_IMAGE 0x0 MEM_FREE
0x5d8 wmiprvse.exe 0x5ec 0x7c810856 MEM_IMAGE 0x5f771c49 MEM_IMAGE
0x5d8 wmiprvse.exe 0x5f0 0x7c810856 MEM_IMAGE 0x0 MEM_FREE
0x5d8 wmiprvse.exe 0x5f4 0x7c810856 MEM_IMAGE 0x774f319a MEM_IMAGE
0x5d8 wmiprvse.exe 0x608 0x7c810856 MEM_IMAGE 0x0 MEM_FREE
0x5d8 wmiprvse.exe 0x60c 0x7c810856 MEM_IMAGE 0x100ce42 MEM_IMAGE

• Modules Loaded
PId Process Name Base Size Flags Image Name
0x348 svchost.exe 0x76fd0000 0x7f000 0x800c4004 C:\WINDOWS\system32\CLBCATQ.DLL
0x348 svchost.exe 0x77050000 0xc5000 0x800c4006 C:\WINDOWS\system32\COMRes.dll
0x348 svchost.exe 0x77b40000 0x22000 0x800c4004 C:\WINDOWS\system32\Apphelp.dll
0x3f4 svchost.exe 0x73d30000 0x17000 0x800c4004 C:\WINDOWS\system32\wbem\wbemcons.dll
0x3f4 svchost.exe 0x74ed0000 0xe000 0x80084004 C:\WINDOWS\system32\wbem\wbemsvc.dll

• Windows Api Calls
PId Image Name Address Function ( Parameters ) | Return Value
0x154 C:\WINDOWS\system32\rundll32.exe 0x923e2e CreateServiceA(hSCManager: 0x98e08, lpServiceName: "UPDATEDATA", lpDisplayName: "UPDATEDATA", dwDesiredAccess: 0x10, dwServiceType: 0x1, dwStartType: 0x3, dwErrorControl: 0x0, lpBinaryPathName: "C:\WINDOWS\system32\drivers\acpiec.sys", lpLoadOrderGroup: "(null)", lpdwTagId: 0x0, lpDependencies: 0x0, lpServiceStartName: "(null)", lpPassword: 0x0)|0x9b0b8

• Verdict
Auto Analysis Verdict
Rated as Suspicious

• Description
Suspicious Actions Detected
Creates files in windows system directory
Creates system services or drivers
Injects code into other processes
Load system drivers
Patches system files
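Triage helper for the report above, added here as an example and not part of the original post or of any sandbox product. It parses the plain-text "Values Created", "Files Created" and "Files Changed" sections (section markers and column layout are assumed to match the quoted report) and raises the findings a responder cares about: a service registered with Type 0x1 (kernel driver), a service image that is an existing file whose size changed (here the legitimate acpiec.sys being overwritten), and files dropped under system32. The sample report embedded in the code is a constructed excerpt copied from the post.

```python
"""Flag driver-service registration and system-file tampering in a sandbox report."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the sandbox report quoted in the thread.
SAMPLE_REPORT = r"""
• Values Created
Name Type Size Value
LM\System\CurrentControlSet\Services\UPDATEDATA\DisplayName REG_SZ 22 "UPDATEDATA"
LM\System\CurrentControlSet\Services\UPDATEDATA\Enum\0 REG_SZ 56 "Root\LEGACY_UPDATEDATA\0000"
LM\System\CurrentControlSet\Services\UPDATEDATA\ErrorControl REG_DWORD 4 0x0
LM\System\CurrentControlSet\Services\UPDATEDATA\ImagePath REG_EXPAND_SZ 86 "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
LM\System\CurrentControlSet\Services\UPDATEDATA\Security\Security REG_BINARY 168 ?
LM\System\CurrentControlSet\Services\UPDATEDATA\Start REG_DWORD 4 0x3
LM\System\CurrentControlSet\Services\UPDATEDATA\Type REG_DWORD 4 0x1

• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\system32\func.dll 36864 2009.01.12 15:12:47.000 2009.01.12 15:12:46.921 2009.01.12 15:12:46.921 0x20

• Files Changed
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\system32\drivers\acpiec.sys 11648/12928 2007.07.27 12:00:00.000/2009.01.12 15:12:47.843 2007.07.27 12:00:00.000/2007.07.27 12:00:00.000 2008.08.01 04:46:06.655/2008.08.01 04:46:06.655 0x20/0x20
"""

# Service Type / Start values as documented for CreateService (SERVICE_KERNEL_DRIVER etc.).
SERVICE_TYPE = {0x1: "kernel driver", 0x2: "file system driver", 0x10: "own process", 0x20: "shared process"}
START_TYPE = {0x0: "boot", 0x1: "system", 0x2: "auto", 0x3: "demand", 0x4: "disabled"}
SYSTEM_DIR = "c:\\windows\\system32\\"  # assumed system root of the sandbox VM

SECTION_RE = re.compile(r"^• (.+)$")
VALUE_RE = re.compile(r'^(?P<name>\S+) (?P<type>REG_[A-Z_]+) (?P<size>\d+) (?P<value>.*)$')
FILE_CHANGED_RE = re.compile(r"^(?P<path>\S+) (?P<old>\d+)/(?P<new>\d+) ")
FILE_CREATED_RE = re.compile(r"^(?P<path>\S+) (?P<size>\d+) ")
# Only direct values under Services\<name>\ (not Enum\ or Security\ subkeys).
SERVICE_VALUE_RE = re.compile(r"^LM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\(?P<val>[^\\]+)$")


def split_sections(report):
    """Group report lines under their '• Section' headers, dropping blank lines."""
    sections = defaultdict(list)
    current = None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            continue
        if current and line.strip():
            sections[current].append(line)
    return sections


def normalize_path(path):
    """Strip the NT '\\??\\' prefix and lower-case for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_services(value_lines):
    """Return {service_name: {value_name: value}} from a 'Values Created' block."""
    services = defaultdict(dict)
    for line in value_lines:
        vm = VALUE_RE.match(line)
        if not vm:
            continue  # column header
        sm = SERVICE_VALUE_RE.match(vm.group("name"))
        if not sm:
            continue  # Enum\..., Security\... or a non-service key
        services[sm.group("svc")][sm.group("val")] = vm.group("value").strip('"')
    return dict(services)


def parse_changed_files(lines):
    """Return {path: (old_size, new_size)} from a 'Files Changed' block."""
    return {normalize_path(m.group("path")): (int(m.group("old")), int(m.group("new")))
            for m in map(FILE_CHANGED_RE.match, lines) if m}


def parse_created_files(lines):
    """Return [path, ...] from a 'Files Created' block."""
    return [normalize_path(m.group("path")) for m in map(FILE_CREATED_RE.match, lines) if m]


def analyze(report):
    """Produce human-readable findings from the report text."""
    sec = split_sections(report)
    services = parse_services(sec.get("Values Created", []))
    changed = parse_changed_files(sec.get("Files Changed", []))
    created = parse_created_files(sec.get("Files Created", []))
    findings = []
    for name, vals in services.items():
        stype = int(vals.get("Type", "0"), 16)
        start = int(vals.get("Start", "0"), 16)
        image = normalize_path(vals.get("ImagePath", ""))
        if stype in (0x1, 0x2):
            findings.append(f"service '{name}' registers a {SERVICE_TYPE[stype]} "
                            f"({START_TYPE.get(start, '?')} start): {image}")
        if image in changed:
            old, new = changed[image]
            findings.append(f"service image {image} is an existing file that was modified "
                            f"({old} -> {new} bytes)")
    for path in created:
        if path.startswith(SYSTEM_DIR):
            findings.append(f"file dropped in system directory: {path}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_REPORT):
        print("-", finding)
```

The "modified existing file" check is the one worth keeping around: a new service whose image path is a driver that already existed on the box, and whose size changed during the run, is a stronger signal than the service creation alone, because it means a known-good file (here acpiec.sys, which is also what `• Drivers Loaded` later shows being mapped) was replaced rather than a new file dropped.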
欠妳緈諨
Posted on 2009-6-18 22:16:47
IKARUS - T3SCAN V1.32.10.0 (WIN32)
         T3 V1.01.59
         Copyright (c) 2006 - 2009 by Ikarus Software.
         All rights reserved.

Signature-database from 16.6.2009 08:21:51 (Build: 72874)

D:\virustest\svchost.rar:svchost.e2xe - 特征码 'Trojan-Dropper.Agent' 被发现
D:\virustest\svchost.rar - 特征码 'Trojan-Dropper.Agent' 被发现

        2 文件被扫描
          (1 压缩档 1 文件)
        2 特征码被侦测
        0 可疑代码段被发现
        耗时: 0:00.063
黑衣~魂
Posted on 2009-6-18 22:18:57
TO DW