一个downloader，请找出他的下载列表

a256886572008

如题。

绅博周幸

金山转人工

思齐鼠

风暴微塔引擎漏

bluelily

上报大蜘蛛

samtogo

卡巴2012 MISS

wjcharles

samtogo 发表于 2011-6-7 01:42
卡巴2012 MISS

nis2011下运行后ips报警，无其他反应：

类别：入侵防护
日期和时间,风险,活动,状态,推荐的操作,IPS 警报名称,默认操作,采取的操作,攻击电脑,攻击者网址,目标地址,源地址,通信说明,类别

2011/6/7 2:10,中,阻止了 turnthelightsoutgotobed.com 的入侵企图,已阻止,不需要操作,HTTP Trojan Bayrob Activity 2,不需要操作,不需要操作,"turnthelightsoutgotobed.com (66.172.58.18, 80)",turnthelightsoutgotobed.com/m2/isup.php?email=philipp.ossmann88@gmx.de&lici=rm01ply&ver=my222c,"-PC (210.32.., 54727)",66.172.58.18 (66.172.58.18),"TCP, www-http",

2011/6/7 2:10,中,阻止了 maxximslowexpect.com 的入侵企图,已阻止,不需要操作,HTTP Trojan Bayrob Activity 2,不需要操作,不需要操作,"maxximslowexpect.com (66.96.147.113, 80)",maxximslowexpect.com/m2/isup.php?email=philipp.ossmann88@gmx.de&lici=rm01ply&ver=my222c,"-PC (210.32.., 54724)",66.96.147.113 (66.96.147.113),"TCP, www-http",

2011/6/7 2:04,中,阻止了 shannonlawn.com 的入侵企图,已阻止,不需要操作,HTTP Trojan Bayrob Activity 2,不需要操作,不需要操作,"shannonlawn.com (76.74.128.20, 80)",shannonlawn.com/m2/isup.php?email=philipp.ossmann88@gmx.de&lici=rm01ply&ver=my222c,"-PC (210.32.., 54710)",76.74.128.20 (76.74.128.20),"TCP, www-http",

a256886572008

2011-06-07 08:02:24   C:\Documents and Settings\Roger\桌面\VIRUS\dhvwwtos\dhvwwtos.exe   Sandboxed As   Partially Limited   

2011-06-07 08:02:29   C:\Documents and Settings\Roger\Local Settings\Application Data\quijjgbf.exe   Sandboxed As   Partially Limited   

2011-06-07 08:02:35   C:\Documents and Settings\Roger\桌面\VIRUS\dhvwwtos\dhvwwtos.exe   Modify File   C:\WINDOWS\system32\30921202\tst   

2011-06-07 08:02:35   C:\Documents and Settings\Roger\Local Settings\Application Data\quijjgbf.exe   Modify File   C:\WINDOWS\system32\30921202\tst   

2011-06-07 08:06:09   C:\Documents and Settings\Roger\桌面\VIRUS\dhvwwtos\dhvwwtos.exe   Modify File   C:\Documents and Settings\Roger\Local Settings\Temp\SGJO11D2QA.EXE   

2011-06-07 08:06:09   C:\DOCUME~1\ROGER\LOCALS~1\TEMP\SGJO11D2QA.EXE   Sandboxed As   Partially Limited   
2011-06-07 08:06:13   C:\DOCUME~1\ROGER\LOCALS~1\TEMP\SGJO11GCDN.EXE   Sandboxed As   Partially Limited   
2011-06-07 08:06:14   C:\DOCUME~1\ROGER\LOCALS~1\TEMP\SGJO11GPTC.EXE   Sandboxed As   Partially Limited   
2011-06-07 08:06:15   C:\DOCUME~1\ROGER\LOCALS~1\TEMP\SGJO11H6BA.EXE   Sandboxed As   Partially Limited   
2011-06-07 08:06:17   c:\docume~1\roger\locals~1\temp\sgjo11d731.exe   Sandboxed As   Partially Limited   

2011-06-07 08:06:19   C:\Documents and Settings\Roger\Local Settings\Temp\SGJO11D2QA.EXE   Modify File   C:\WINDOWS\system32\30921202\tst   

2011-06-07 08:06:19   C:\Documents and Settings\Roger\Local Settings\Temp\SGJO11D2QA.EXE   Modify File   C:\Documents and Settings\Roger\Local Settings\Temp\sgjo11d731.exe   

2011-06-07 08:06:21   C:\Documents and Settings\Roger\Local Settings\Temp\sgjo11d731.exe   Install Hook   C:\Documents and Settings\roger\Local Settings\temp\sgjo11d731.dll   

2011-06-07 08:06:25   C:\Documents and Settings\Roger\Local Settings\Temp\sgjo11d731.exe   Modify File   C:\WINDOWS\system32\30921202\tst   

2011-06-07 08:09:09   C:\Documents and Settings\Roger\桌面\VIRUS\dhvwwtos\dhvwwtos.exe   Modify File   C:\Documents and Settings\Roger\Local Settings\Temp\sgjo11d731.exe   

访问网路



开启 ebay 网站骗人。



不断连网，还有一直下载文件运行。

wuyongliang

金山安全 360未知  小A 没报

samtogo

wjcharles 发表于 2011-6-7 02:19
nis2011下运行后ips报警，无其他反应：

类别：入侵防护

Hello,

dhvwwtos.exe_ - Trojan-Dropper.Win32.Agent.exrg

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

-----------------
Regards, Artem Ushkov
Virus Analyst, Kaspersky Lab.

jayavira

母体
to eset

http://samples.nod32.com.hk/inde ... 2e524ea297b3ea20529

生成物
ess kill2个.to3个

D:\下载文件夹\dhvwwtos_download.rar > RAR > sgjozxjr81.dll - Win32/Spy.Agent.NUP 特洛伊木马 的变种
D:\下载文件夹\dhvwwtos_download.rar > RAR > sgjozxjr82.dll - Win32/Spy.Agent.NUP 特洛伊木马 的变种

http://samples.nod32.com.hk/inde ... 8b799e1ed90cf007e95

http://samples.nod32.com.hk/inde ... bb50fd733f29b64a53e

http://samples.nod32.com.hk/inde ... 5dc0baed7a590cfb7ce