Thread starter: pluto1313

[Virus sample] Probably new backdoor programs, two of them, MD5s omitted

Nblock
Posted on 2007-7-15 22:05:26
micropoint

jyxtay
Posted on 2007-7-15 22:07:29
My beloved Avast! flags the packer.
ljabchn
Posted on 2007-7-16 06:16:01
Why even ask about 7? 6 detects it too.

Kaspersky Anti-Virus 6.0

The requested URL http://bbs.kafan.cn/attachment.php?aid=101299 is infected with Trojan-Clicker.Win32.BHO.n virus
tracydk
Posted on 2007-7-16 10:42:20

After submitting it, Avira detects it.

Starting the file scan:

Begin scan in 'F:\病毒样本\virus.rar'
F:\病毒样本\virus.rar
  [0] Archive type: RAR
  --> 1.exe
      [DETECTION] Is the Trojan horse TR/Click.BHO.N.55
  --> 2.exe
      [DETECTION] Is the Trojan horse TR/Click.BHO.N.56
      [INFO]      The file was deleted!
SONGBOWEN
Posted on 2007-7-16 12:00:33
Kaspersky 6.0:
已删除: 木马程序 Trojan-Clicker.Win32.BHO.n        文件: C:\Documents and Settings\Administrator\桌面\virus.rar/1.exe//PE_Patch.PECompact//PecBundle//PECompact
已删除: 木马程序 Trojan-Clicker.Win32.BHO.n        文件: C:\Documents and Settings\Administrator\桌面\virus.rar/2.exe//PE_Patch.PECompact//PecBundle//PECompact
SONGBOWEN
Posted on 2007-7-16 12:01:22
This thing is wrapped in so many packer layers and still can't get past Kaspersky... sheesh...
woai_jolin
Posted on 2007-7-16 14:16:04
One from Norman
It was the sandbox that flagged it
===================================================================================================
NVCOD On Demand Scanner 5.80.02

NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/13 18:54:26 (807131 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 827472
Command line: "@C:\Users\Jason\AppData\Local\Temp\~OD2C3E.tmp"
===================================================================================================

       Time  Filename                                                     Virus name
---------------------------------------------------------------------------------------------------
- Scanning files in the directory: D:\v\
     7922 ms D:\v\1.exe                                                  
     8850 ms D:\v\2.exe                                                   Virus W32/Malware ( [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * Decompressing PEC2.
    * File might be compressed.
    * Decompressing ASPack.
    * Creating several executable files on hard-drive.
    * Accesses executable file from resource section.
    * File length:       228896 bytes.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\TEMP\xet.exe.
    * Creates file C:\WINDOWS\xet.dll.
    * Creates file C:\WINDOWS\SYSTEM32\RpcS.exe.
    * Creates file C:\WINDOWS\TEMP\delmeexe.bat.
    * Creates file C:\WINDOWS\SYSTEM32\RpcS.dll.

[ Changes to registry ]
    * Creates key "HKLM\System\CurrentControlSet\Services\RpcS".
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\RpcS.exe" in key "HKLM\System\CurrentControlSet\Services\RpcS".
    * Sets value "DisplayName"="Remote Procedure Call System(RPCS)" in key "HKLM\System\CurrentControlSet\Services\RpcS".
    * Sets value "Description"="管理并控制RPC服务数据库。" in key "HKLM\System\CurrentControlSet\Services\RpcS".

[ Network services ]
    * Connects to "98032.com.cn" on port 80 (IP).
    * Opens URL: 98032.com.cn/count/data_add.aspx?filename=xet.exe.

[ Process/window information ]
    * Creates an event called .
    * Attemps to open C:\WINDOWS\TEMP\xet.exe .
    * Creates service "RpcS (Remote Procedure Call System(RPCS))" as "C:\WINDOWS\SYSTEM32\RpcS.exe".
    * Modifies other process memory.
    * Creates a remote thread.

)
- File D:\v\2.exe quarantined.
- File D:\v\2.exe deleted.

===================================================================================================

The scanning started: 2007/07/16 14:04:10
               ended: 2007/07/16 14:04:27
Logged on as        : Jason
on hostname         : JASON-PC

Scanning results:
   Total number of files found..............................:       2
   Number of files scanned..................................:       2
   Number of files/directories skipped due to exclude list..:       0
   Number of files that could not be opened.................:       0
   Number of archive files unpacked.........................:       0
   Number of archive files not unpacked.....................:       0
   Number of infections.....................................:       1

Copyright (c) 1993-2005 Norman ASA.