Views: 5550 | Replies: 21

[Virus sample] Grabbed from a website, not yet analyzed

htm123
Posted on 2011-4-8 13:50:32
This post was last edited by htm123 on 2011-4-8 13:55

Grabbed from a website, not yet analyzed. Please take a look and report which antivirus products flag them.
For example:
Test time: 2011-04-08 13:48:02
xx antivirus, flags x of them


Note: since these have not been analyzed yet, I cannot guarantee that all of the files are complete.


htm123
OP | Posted on 2011-4-8 13:51:58
Reserving this post for later.
Hacker29cn
Posted on 2011-4-8 13:54:04
Kingsoft killed two of them.

Hacker29cn
Posted on 2011-4-8 13:57:42
This is the cloud-scan verdict.

F-secure2009
Posted on 2011-4-8 14:00:51
BullGuard killed 4; one left, ml2.exe.
Hacker29cn
Posted on 2011-4-8 14:04:22
This post was last edited by Hacker29cn on 2011-4-8 14:05

This one is about that SmartTool sample:
File Info
Name Value
Size 267464
MD5 1b5040830890a0d15527e94a3ab6b038
SHA1 b57fbc0b426823ff91c124b6a71309d23c273106
SHA256 5fd4a0e9ceede16bd6903aff48c7f33ded2785ef50a1d495a14c7ad207b97c34
Process Exited

• Keys Created
Name Last Write Time
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1} 2009.01.09 10:37:30.078
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32 2009.01.09 10:37:30.078
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\ProgID 2009.01.09 10:37:30.078
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\Programmable 2009.01.09 10:37:30.078
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib 2009.01.09 10:37:30.078
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID 2009.01.09 10:37:30.078
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects 2009.01.09 10:37:30.078
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D891923-34B7-4186-9B47-752624535DC1} 2009.01.09 10:37:30.078
LM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SmartTool 2009.01.09 10:37:29.250

• Keys Changed
• Keys Deleted
• Values Created
Name Type Size Value
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\ REG_SZ 38 "SmartToolCtl Class"
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32\ REG_SZ 82 "C:\Program Files\SmartTool\SmartTool.dll"
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32\ThreadingModel REG_SZ 20 "Apartment"
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\ProgID\ REG_SZ 50 "SmartTool.SmartToolCtl.1"
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib\ REG_SZ 78 "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"
LM\Software\Classes\ClsId\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID\ REG_SZ 46 "SmartTool.SmartToolCtl"
LM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SmartTool\DisplayName REG_SZ 30 "SmartTool Б¦°Е"
LM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SmartTool\NoModify REG_DWORD 4 0x1
LM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SmartTool\NoRepair REG_DWORD 4 0x1
LM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SmartTool\UninstallString REG_SZ 82 "C:\Program Files\SmartTool\Uninstall.exe"

• Values Changed
Name Type Size Value
CU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings REG_BINARY/REG_BINARY 56/56 ?/?

• Values Deleted
• Directories Created
Name Last Write Time Creation Time Last Access Time Attr
C:\Program Files\SmartTool 2009.01.09 10:37:32.078 2009.01.09 10:37:29.156 2009.01.09 10:37:32.078 0x10

• Directories Changed
• Directories Deleted
• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\Program Files\SmartTool\adc.acc 28768 2011.04.04 02:25:06.000 2011.04.04 02:25:06.000 2009.01.09 10:37:29.234 0x20
C:\Program Files\SmartTool\SmartTool.dll 104544 2011.04.04 02:25:04.000 2011.04.04 02:25:04.000 2009.01.09 10:37:29.187 0x20
C:\Program Files\SmartTool\SmartTool.exe 43104 2011.04.04 02:25:04.000 2011.04.04 02:25:04.000 2009.01.09 10:37:29.187 0x20
C:\Program Files\SmartTool\Uninstall.exe 109314 2009.01.09 10:37:29.343 2009.01.09 10:37:29.250 2009.01.09 10:37:29.250 0x20

• Files Changed
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\system32\config\software 8912896/8912896 2009.01.09 10:22:48.828/2009.01.09 10:37:30.093 2008.08.01 07:59:59.062/2008.08.01 07:59:59.062 2009.01.09 10:22:48.828/2009.01.09 10:22:48.828 0x20/0x20

• Files Deleted
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
PId Process Name Image Name
0x378 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
0x6ac SmartTool.exe C:\Program Files\SmartTool\SmartTool.exe

• Processes Terminated
• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x2b0 lsass.exe 0x2fc 0x7c810856 MEM_IMAGE 0x75738e06 MEM_IMAGE
0x2b0 lsass.exe 0x4c0 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x378 wmiprvse.exe 0x148 0x7c810856 MEM_IMAGE 0x0 MEM_FREE
0x378 wmiprvse.exe 0x30c 0x7c810856 MEM_IMAGE 0x5f771c49 MEM_IMAGE
0x378 wmiprvse.exe 0x310 0x7c810856 MEM_IMAGE 0x716df2be MEM_IMAGE
0x378 wmiprvse.exe 0x3bc 0x7c810856 MEM_IMAGE 0x0 MEM_FREE
0x378 wmiprvse.exe 0x448 0x7c810856 MEM_IMAGE 0x100ce42 MEM_IMAGE
0x378 wmiprvse.exe 0x464 0x7c810856 MEM_IMAGE 0x774f319a MEM_IMAGE
0x378 wmiprvse.exe 0x568 0x7c810867 MEM_IMAGE 0x1024636 MEM_IMAGE
0x3f4 svchost.exe 0xdc 0x7c810856 MEM_IMAGE 0x762cf0a3 MEM_IMAGE
0x3f4 svchost.exe 0x414 0x7c810856 MEM_IMAGE 0x75219a1e MEM_IMAGE
0x3f4 svchost.exe 0x418 0x7c810856 MEM_IMAGE 0x762cf010 MEM_IMAGE
0x3f4 svchost.exe 0x560 0x7c810856 MEM_IMAGE 0x7c929fae MEM_IMAGE
0x3f4 svchost.exe 0x5f8 0x7c810856 MEM_IMAGE 0x762cf0a3 MEM_IMAGE
0x3f4 svchost.exe 0x658 0x7c810856 MEM_IMAGE 0xbc01 MEM_FREE
0x3f4 svchost.exe 0x6a0 0x7c810856 MEM_IMAGE 0x774f319a MEM_IMAGE
0x424 svchost.exe 0x6d0 0x7c810856 MEM_IMAGE 0x77df9981 MEM_IMAGE
0x6ac SmartTool.exe 0x6ec 0x7c810867 MEM_IMAGE 0x403a8c MEM_IMAGE
0x6ac SmartTool.exe 0x7a8 0x7c810856 MEM_IMAGE 0x401840 MEM_IMAGE

• Modules Loaded
PId Process Name Base Size Flags Image Name
0x350 svchost.exe 0x76fd0000 0x7f000 0x800c4004 C:\WINDOWS\system32\CLBCATQ.DLL
0x350 svchost.exe 0x77050000 0xc5000 0x800c4006 C:\WINDOWS\system32\COMRes.dll
0x350 svchost.exe 0x77b40000 0x22000 0x800c4004 C:\WINDOWS\system32\Apphelp.dll
0x3f4 svchost.exe 0x74ed0000 0xe000 0x80084004 C:\WINDOWS\system32\wbem\wbemsvc.dll
0x3f4 svchost.exe 0x755f0000 0x9a000 0x800c4004 C:\WINDOWS\system32\netcfgx.dll

• Windows Api Calls
• DNS Queries
DNS Query Text
sm.plustab.co.kr IN A +

• HTTP Queries
HTTP Query Text
sm.plustab.co.kr GET /install.asp?version=1.0.0.1&id=SM31&mac=000C29279619 HTTP/1.0

Verdict
Auto Analysis Verdict
Suspicious+

• Description
Suspicious Actions Detected
Creates files in program files directory
Injects code into other processes
Registers dynamic link libraries

• Mutexes Created or Opened
PId Image Name Address Mutex Name
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x4010e0 SmartTool
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x76ee3a34 RasPbFile
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x771ba3ae _!MSFTHISTORY!_
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x771bc21c WininetConnectionMutex
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x771bc23d WininetProxyRegistryMutex
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x771bc2dd WininetStartupMutex
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x771d9710 c:!documents and settings!user!cookies!
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x771d9710 c:!documents and settings!user!local settings!history!history.ie5!
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x771d9710 c:!documents and settings!user!local settings!temporary internet files!content.ie5!

• Events Created or Opened
PId Image Name Address Event Name
0x5d0 C:\WINDOWS\system32\regsvr32.exe 0x77a89422 Global\crypt32LogoffEvent
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x4015a5 SmartTool_QuitEvent
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x769c4ec2 Global\userenv: User Profile setup event
0x6ac C:\Program Files\SmartTool\SmartTool.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
Hacker29cn
Posted on 2011-4-8 14:06:39
jayavira
Posted on 2011-4-8 14:21:00
ESS killed 3, to 2.

2011-4-8 14:24:48        文件系统实时防护        文件        D:\下载文件夹\12.exe        Win32/TrojanDownloader.Agent.QMB 特洛伊木马 的变种        通过删除清除 - 已隔离        WWW-738C9D7CF42\Administrator        在应用程序新建的文件上发生事件: D:\Program Files\WinRAR\WinRAR.exe.

2011-4-8 14:24:51        文件系统实时防护        文件        D:\下载文件夹\aa.exe        Win32/PSW.OnLineGames.PHU 特洛伊木马 的变种        通过删除清除 - 已隔离        WWW-738C9D7CF42\Administrator        在应用程序新建的文件上发生事件: D:\Program Files\WinRAR\WinRAR.exe.

2011-4-8 14:25:01        文件系统实时防护        文件        D:\下载文件夹\SmartTool_SM31.exe        Win32/Adware.Kraddare.AF 应用程序 的变种        已删除 - 已隔离        WWW-738C9D7CF42\Administrator        在应用程序新建的文件上发生事件: D:\Program Files\WinRAR\WinRAR.exe.

http://samples.nod32.com.hk/inde ... fa91c0b72bdf98f8a8c

http://samples.nod32.com.hk/inde ... 548d1a19d946e623283


Hacker29cn
Posted on 2011-4-8 14:22:16
木山
Posted on 2011-4-8 14:24:56
Jiangmin's scan killed 2, its runtime interception caught 2, and ml2 remains.
KaFan Forum (卡饭论坛) | Copyright © KaFan KaFan.cn All Rights Reserved.
