Original poster: 绅博周幸

[Virus sample] fake av, Kingsoft (金山) cloud rates it safe

aiping
Posted on 2011-6-12 10:00:42
Dr.Web (大蜘蛛) flags it as malicious.

z2009
Posted on 2011-6-12 10:01:12
Kaspersky
Internet Security 2012
ACCESS DENIED
The requested URL cannot be provided

The requested object at the URL:

http://bbs.kafan.cn/forum.php?mod=attachment&aid=MTI1NzE5OXwyNTcyNTJiNHwxMzA3ODQ0MDI5fDQ4NjA0OXwxMDA0NzQ2

Threat detected:

object infected Trojan.Win32.FakeAV.dlhr
Message generated: 9:57:43
gxczlzz
Posted on 2011-6-12 10:07:07
Duba (毒霸) flags it as a virus.
xiaoxmj
Posted on 2011-6-12 10:18:11
It has already been added to the cloud database.
网名丢失
Posted on 2011-6-12 10:51:39
Why hasn't anyone scanned it with Avira (红伞)?
网名丢失
Posted on 2011-6-12 10:52:15
a256886572008 posted on 2011-6-12 09:49
CAV kills it

2011-06-12 09:45:16   C:\Documents and Settings\Roger\桌面\VIRUS\info\info.exe   TrojWare. ...

CAV seems to be getting better and better.
网名丢失
Posted on 2011-6-12 10:54:21
Avira (红伞) says it is not a virus.
Hacker29cn
Posted on 2011-6-12 11:20:28
Definitely not safe.
http://camas.comodo.com/cgi-bin/ ... 122074b293878e2abc4

• File Info
Name        Value
Size        339968
MD5        f8be3b102d296a82d005744fb369e77b
SHA1        d8a206a885cca8f7acbc7d6f727dc2ede91a1bd2
SHA256        a1c3f269cc70aa26b5c741f298a7661e9ae6c3b9d757e122074b293878e2abc4
Process        Exited
• Keys Created
• Keys Changed
• Keys Deleted
Name        Last Write Time
LM\System\CurrentControlSet\Services\wuauserv        2009.01.09 10:51:54.765
LM\System\CurrentControlSet\Services\wuauserv\Enum        2009.01.09 10:51:54.765
LM\System\CurrentControlSet\Services\wuauserv\Parameters        2008.08.01 06:16:21.249
LM\System\CurrentControlSet\Services\wuauserv\Security        2008.08.01 06:16:19.765
• Values Created
Name        Type        Size        Value
CU\Software\Microsoft\Windows\Identity        REG_DWORD        4        0xbf04df84
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications        REG_DWORD        4        0x1
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions        REG_DWORD        4        0x0
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall        REG_DWORD        4        0x0
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications        REG_DWORD        4        0x1
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions        REG_DWORD        4        0x0
• Values Changed
Name        Type        Size        Value
LM\Software\Microsoft\Security Center\FirewallOverride        REG_DWORD/REG_DWORD        4/4        0x0/0x1
LM\System\CurrentControlSet\Services\SharedAccess\Epoch\Epoch        REG_DWORD/REG_DWORD        4/4        0xd8/0xd9
LM\System\CurrentControlSet\Services\SharedAccess\Start        REG_DWORD/REG_DWORD        4/4        0x2/0x4
• Values Deleted
Name        Type        Size        Value
LM\System\CurrentControlSet\Services\wuauserv\Description        REG_SZ        374        "Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."
LM\System\CurrentControlSet\Services\wuauserv\DisplayName        REG_SZ        36        "Automatic Updates"
LM\System\CurrentControlSet\Services\wuauserv\Enum\0        REG_SZ        52        "Root\LEGACY_WUAUSERV\0000"
LM\System\CurrentControlSet\Services\wuauserv\Enum\Count        REG_DWORD        4        0x1
LM\System\CurrentControlSet\Services\wuauserv\Enum\NextInstance        REG_DWORD        4        0x1
LM\System\CurrentControlSet\Services\wuauserv\ErrorControl        REG_DWORD        4        0x1
LM\System\CurrentControlSet\Services\wuauserv\ImagePath        REG_EXPAND_SZ        90        "%systemroot%\system32\svchost.exe -k netsvcs"
LM\System\CurrentControlSet\Services\wuauserv\ObjectName        REG_SZ        24        "LocalSystem"
LM\System\CurrentControlSet\Services\wuauserv\Parameters\ServiceDll        REG_EXPAND_SZ        66        "C:\WINDOWS\system32\wuauserv.dll"
LM\System\CurrentControlSet\Services\wuauserv\Security\Security        REG_BINARY        168        ?
LM\System\CurrentControlSet\Services\wuauserv\Start        REG_DWORD        4        0x2
LM\System\CurrentControlSet\Services\wuauserv\Type        REG_DWORD        4        0x20
• Directories Created
• Directories Changed
• Directories Deleted
• Files Created
Name        Size        Last Write Time        Creation Time        Last Access Time        Attr
C:\Documents and Settings\All Users\Application Data\7415654y2jjj74433d876yo0x3kwu        1466        2009.01.09 10:54:28.093        2009.01.09 10:54:25.000        2009.01.09 10:54:25.000        0x26
C:\Documents and Settings\User\Local Settings\Application Data\7415654y2jjj74433d876yo0x3kwu        1466        2009.01.09 10:54:28.062        2009.01.09 10:54:24.921        2009.01.09 10:54:24.921        0x26
C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        339968        2009.01.09 10:54:23.625        2009.01.09 10:54:23.578        2009.01.09 10:54:23.578        0x26
C:\Documents and Settings\User\Local Settings\Temp\7415654y2jjj74433d876yo0x3kwu        1466        2009.01.09 10:54:28.093        2009.01.09 10:54:25.093        2009.01.09 10:54:25.093        0x26
C:\Documents and Settings\User\Templates\7415654y2jjj74433d876yo0x3kwu        1466        2009.01.09 10:54:28.093        2009.01.09 10:54:25.406        2009.01.09 10:54:25.406        0x26
• Files Changed
Name        Size        Last Write Time        Creation Time        Last Access Time        Attr
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG        1024/8192        2009.01.09 10:52:25.765/2009.01.09 10:54:27.765        2008.08.01 09:32:42.734/2008.08.01 09:32:42.734        2008.08.08 09:57:17.093/2008.08.08 09:57:17.093        0x22/0x22
• Files Deleted
Name        Size        Last Write Time        Creation Time        Last Access Time        Attr
C:\TEST\sample.exe        339968        2009.01.09 10:54:20.828        2009.01.09 10:53:58.578        2009.01.09 10:53:58.578        0x20
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
PId        Process Name        Image Name
0x7e4        tor.exe        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe
• Processes Terminated
PId        Process Name        Image Name
0x450        wuauclt.exe        C:\WINDOWS\system32\wuauclt.exe
• Threads Created
• Modules Loaded
PId        Process Name        Base        Size        Flags        Image Name
0x3e8        svchost.exe        0x506a0000        0x6b000        0x80084004        C:\WINDOWS\system32\wuapi.dll
0x3e8        svchost.exe        0x74ed0000        0xe000        0x80084004        C:\WINDOWS\system32\wbem\wbemsvc.dll
0x3e8        svchost.exe        0x74ef0000        0x8000        0x800c4004        C:\WINDOWS\system32\wbem\wbemprox.dll
• Windows Api Calls
• DNS Queries
DNS Query Text
• HTTP Queries
HTTP Query Text
boxiganuw.com GET /1006000112 HTTP/1.0
• Verdict
Auto Analysis Verdict
Suspicious++
• Description
Suspicious Actions Detected
Deletes self
Disables windows firewall
• Mutexes Created or Opened
PId        Image Name        Address        Mutex Name
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x5c6494        ir4cnxm3oi333
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x5c6494        {C9A34C77-4D69-45EC-A07D-83242376045D}D68DDC3A-831F-4FAE-9E44-DA132C1ACF46
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x771ba3ae        _!MSFTHISTORY!_
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x771bc21c        WininetConnectionMutex
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x771bc23d        WininetProxyRegistryMutex
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x771bc2dd        WininetStartupMutex
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x771d9710        c:!documents and settings!user!cookies!
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x771d9710        c:!documents and settings!user!local settings!history!history.ie5!
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x771d9710        c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0xd8        C:\TEST\sample.exe        0x5c6494        ir4cnxm3oi333
• Events Created or Opened
PId        Image Name        Address        Event Name
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x769c4ec2        Global\userenv: User Profile setup event
0x7e4        C:\Documents and Settings\User\Local Settings\Application Data\tor.exe        0x77a89422        Global\crypt32LogoffEvent
0xd8        C:\TEST\sample.exe        0x77de5f48        Global\SvcctrlStartEvent_A3752DX
ESET KILL

Hacker29cn
Posted on 2011-6-12 11:21:48
aiping posted on 2011-6-12 10:00
Dr.Web (大蜘蛛) flags it as malicious.

So Rabbit (兔子) is using Dr.Web now?
aiping
Posted on 2011-6-12 11:22:39
Hacker29cn posted on 2011-6-12 11:21
So Rabbit (兔子) is using Dr.Web now?

Yes, the 小花 ^_^ suite, the one with the firewall ^_^