Original poster: promised

[Virus sample] Both Ikarus and Avira miss this one [MD5: 7BD550]
tracydk
Posted on 2007-7-12 11:45:34
So this is the unpacking capability DR.WEB talks about??
scottxzt
Posted on 2007-7-12 11:46:44
Once it is run, Avira can still detect it.

scottxzt
Posted on 2007-7-12 11:50:43
Quoting tracydk, posted 2007-7-12 11:45:
So this is the unpacking capability DR.WEB talks about??


Flagged by version 4.44:

dy.zip\dy.exe;D:\Documents and Settings\dell\桌面\dy.zip;Trojan.PWS.Bonque;;
a256886572008
Posted on 2007-7-12 11:52:33
Ran dy.exe and observed the following behaviour, intercepted by EQ-Secure RC4!
2007-07-12 11:35:42    创建文件      操作:允许
进程路径:D:\桌面\virus\dy\dy.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wanpacket.dll
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:35:42    创建文件      操作:允许
进程路径:D:\桌面\virus\dy\dy.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\packet.dll
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:35:42    创建文件      操作:允许
进程路径:D:\桌面\virus\dy\dy.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\npf.sys
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:35:42    创建文件      操作:允许
进程路径:D:\桌面\virus\dy\dy.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:35:42    运行应用程序      操作:允许
进程路径:D:\桌面\virus\dy\dy.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
触发规则:黑名单->2.1组:禁止从Temp文件夹运行程序->*\*temp*\*


2007-07-12 11:35:43    创建文件      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\4.dll
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:35:43    加载库文件      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\4.dll
触发规则:黑名单->2.1组:禁止从Temp文件夹运行程序->*\*temp*\*


2007-07-12 11:35:43    创建文件      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\t31t.sys
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:35:43    加载驱动程序      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
驱动名称:t31t.sys
触发规则:所有程序规则->*


2007-07-12 11:35:43    修改其它进程内存      操作:阻止
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
目标进程:C:\Program Files\Internet Explorer\IEXPLORE.EXE
触发规则:所有程序规则->系統程序->%ProgramFiles%\Internet Explorer\IEXPLORE.EXE


2007-07-12 11:35:43    创建文件      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\_wpcap_.bat
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:35:44    创建文件      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\_wpcap_.inf
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:35:46    运行应用程序      操作:阻止
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c _wpcap_.bat
触发规则:黑名单->防卸规则->*\cmd.exe


2007-07-12 11:35:55    加载库文件      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\packet.dll
触发规则:黑名单->2.1组:禁止从Temp文件夹运行程序->*\*temp*\*


2007-07-12 11:35:56    加载库文件      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wmcony.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wanpacket.dll
触发规则:黑名单->2.1组:禁止从Temp文件夹运行程序->*\*temp*\*

2007-07-12 11:38:34    创建文件      操作:允许
进程路径:D:\桌面\virus\dy\dy.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wincabb.exe
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:38:39    运行应用程序      操作:允许
进程路径:D:\桌面\virus\dy\dy.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wincabb.exe
触发规则:黑名单->2.1组:禁止从Temp文件夹运行程序->*\*temp*\*


2007-07-12 11:38:40    创建文件      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wincabb.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\tru22F.tmp
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:38:40    修改文件      操作:允许
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wincabb.exe
文件路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wincabb.exe
触发规则:所有程序规则->保護安全軟體->C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-12 11:38:40    修改其它进程内存      操作:阻止
进程路径:C:\Documents and Settings\Hung  Jui Hung\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\wincabb.exe
目标进程:C:\Program Files\Internet Explorer\IEXPLORE.EXE
触发规则:所有程序规则->系統程序->%ProgramFiles%\Internet Explorer\IEXPLORE.EXE

1. It creates the following files in C:\Documents and Settings\Hung  Jui Hung\Local Settings\Temp\:
   wanpacket.dll
   packet.dll
   npf.sys
   wmcony.exe
2. It runs wmcony.exe.
3. wmcony.exe creates and loads the following library in C:\Documents and Settings\Hung  Jui Hung\Local Settings\Temp\:
   4.dll
4. wmcony.exe creates the following in C:\Documents and Settings\Hung  Jui Hung\Local Settings\Temp\:
   t31t.sys
5. wmcony.exe loads the driver:
   t31t.sys
6. wmcony.exe modifies the process memory of IEXPLORE.EXE.
7. wmcony.exe creates the following in C:\Documents and Settings\Hung  Jui Hung\Local Settings\Temp\:
   _wpcap_.bat
   _wpcap_.inf
8. wmcony.exe runs C:\windows\system32\cmd.exe with the command line:
   /c _wpcap_.bat
9. wmcony.exe loads the following libraries from C:\Documents and Settings\Hung  Jui Hung\Local Settings\Temp\:
   packet.dll
   wanpacket.dll
10. It creates and runs the following in C:\Documents and Settings\Hung  Jui Hung\Local Settings\Temp\:
   wincabb.exe
11. wincabb.exe creates the following in C:\Documents and Settings\Hung  Jui Hung\Local Settings\Temp\:
   tru22F.tmp
12. wincabb.exe modifies itself.
13. wincabb.exe modifies the process memory of IEXPLORE.EXE.
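One way to turn a HIPS log like the one in this post into the behaviour summary above automatically, as an added example (not code from the original post or from EQ-Secure). It assumes the entry layout shown above (a header line with timestamp, action and 操作 verdict, followed by key:value field lines) and runs on a constructed, abbreviated sample:

```python
# Added example (not from the original post): parse the EQ-Secure HIPS log format quoted above.
import re

# Constructed sample abbreviated from the log above: paths shortened, rule lines omitted.
SAMPLE_LOG = r"""
2007-07-12 11:35:42    创建文件      操作:允许
进程路径:D:\virus\dy.exe
文件路径:C:\Sandbox\Temp\wmcony.exe
2007-07-12 11:35:42    运行应用程序      操作:允许
进程路径:D:\virus\dy.exe
文件路径:C:\Sandbox\Temp\wmcony.exe
2007-07-12 11:35:43    创建文件      操作:允许
进程路径:C:\Sandbox\Temp\wmcony.exe
文件路径:C:\Sandbox\Temp\t31t.sys
2007-07-12 11:35:43    加载驱动程序      操作:允许
进程路径:C:\Sandbox\Temp\wmcony.exe
驱动名称:t31t.sys
2007-07-12 11:35:43    修改其它进程内存      操作:阻止
进程路径:C:\Sandbox\Temp\wmcony.exe
目标进程:C:\Program Files\Internet Explorer\IEXPLORE.EXE
"""
ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+操作:(\S+)$")  # header line
EXEC_ACTIONS = {"运行应用程序", "加载库文件", "加载驱动程序"}  # actions that make a dropped file run

def parse_entries(text):
    """Return one dict per entry: time, action, result plus every labelled field line."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            cur = {"time": m.group(1), "action": m.group(2), "result": m.group(3)}
            entries.append(cur)
        elif cur is not None and ":" in line:  # any "key:value" line belongs to the entry
            key, val = line.split(":", 1)
            cur[key] = val.strip()
    return entries

def findings(entries):
    """Drop-then-execute pairs and cross-process memory writes, in log order."""
    created, out = {}, []  # created: lowercase basename -> full path of a dropped file
    for e in entries:
        target = e.get("文件路径") or e.get("驱动名称") or ""
        name = target.rsplit("\\", 1)[-1].lower()
        if e["action"] == "创建文件":
            created[name] = target
        elif e["action"] in EXEC_ACTIONS and name in created:
            out.append(("drop-and-run", created[name], e["action"], e["进程路径"]))
        elif e["action"] == "修改其它进程内存":
            out.append(("cross-process-write", e["进程路径"], e["目标进程"], e["result"]))
    return out
```

Running findings(parse_entries(SAMPLE_LOG)) yields the two drop-and-run steps (wmcony.exe executed, t31t.sys loaded as a driver) and the blocked write into IEXPLORE.EXE, which is the same chain the numbered summary above describes by hand.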
tracydk
Posted on 2007-7-12 11:53:19
Quoting scottxzt, posted 2007-7-12 11:50:


Flagged by version 4.44:

dy.zip\dy.exe;D:\Documents and Settings\dell\桌面\dy.zip;Trojan.PWS.Bonque;;

Looks like the unpacking in the new version got stronger again...
scottxzt
Posted on 2007-7-12 11:53:25

Reply to post #9 by yurius

Your dropped files weren't detected, though.
红心王子
Posted on 2007-7-12 11:54:39
C:\Documents and Settings\Administrator\桌面\dy.zip>>dy.exe>>Aspack212r>>mian007     Packer.Mian007
Looks like something that has been posted before.
jimmyleo
Posted on 2007-7-12 11:55:56
4.44 has improved a lot~
欠妳緈諨
Posted on 2007-7-12 11:58:13
They're basically all just flagging the packer.
scottxzt
Posted on 2007-7-12 11:58:41
Quoting yurius, posted 2007-7-12 11:40:
Dropped files

VirusBlokAda (Console scanner)
Vba32 Windows/CL 3.12.0.2 / 2007.07.11 20:57 (Vba32.W)
...


We received the following archive files:

File ID    Filename    Size       Result
1102015    Temp.rar    65.83 KB   OK

A listing of files contained inside archives alongside their results can be found below:

File ID    Filename         Size       Result
207448     npf.sys          31.75 KB   KNOWN CLEAN
206398     packet.dll       80 KB      KNOWN CLEAN
206396     wanpacket.dll    60 KB      KNOWN CLEAN