10

woai_jolin

===================================================================================================
NVCOD On Demand Scanner 5.80.02

NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/13 18:54:26 (807131 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 827472
Command line: "@C:\Users\Jason\AppData\Local\Temp\~OD5D0.tmp"
===================================================================================================

       Time  Filename                                                     Virus name
---------------------------------------------------------------------------------------------------
- Scanning files in the directory: D:\v\
     2953 ms D:\v\1.exe                                                   Virus W32/Hupigon.gen67 ( [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * Decompressing UPX.
    * Accesses executable file from resource section.
    * Creating several executable files on hard-drive.
    * **Locates window "NULL [class Q360SafeMonClass]" on desktop.
    * File length:        78990 bytes.

[ Changes to filesystem ]
    * Creates directory C:.
    * Creates directory C:\WINDOWS.
    * Creates directory C:\WINDOWS\TEMP.
    * Creates file C:\WINDOWS\TEMP\OPE8999.tmp.
    * Deletes file C:\WINDOWS\TEMP\OPE8999.tmp.
    * Creates file C:\WINDOWS\TEMP\qjgame.Exe.
    * Creates file C:\WINDOWS\TEMP\wulin9527.exe.
    * Creates file C:\WINDOWS\TEMP\dat8099.tmp.
    * Creates file C:\WINDOWS\TEMP\_re8999.tmp.
    * Deletes file C:\WINDOWS\TEMP\_re8999.tmp.
    * Creates file C:\WINDOWS\TEMP\OPE8999.bat.

[ Process/window information ]
    * Attemps to OPEN C:\WINDOWS\TEMP\qjgame.Exe C:\WINDOWS\TEMP\.
    * Attemps to OPEN C:\WINDOWS\TEMP\wulin9527.exe C:\WINDOWS\TEMP\.
    * Attemps to OPEN C:\WINDOWS\TEMP\OPE8999.bat C:\WINDOWS\TEMP\.

)
        0 ms D:\v\12.exe                                                  Worm W32/SDBot.LVQ ()
       15 ms D:\v\4.exe                                                   Virus W32/Viking.GY ()
        0 ms D:\v\8-1a.exe                                                Trojan W32/Lmir.FIL ()
     6078 ms D:\v\cmi.exe                                                
        0 ms D:\v\fy.exe                                                  Security Risk W32/Suspicious_U.gen ()
       16 ms D:\v\mh.exe                                                  Trojan Hupigon.gen66 ()
     7640 ms D:\v\SACH0ST.exe                                            
     1407 ms D:\v\wl.exe                                                  Virus W32/Suspicious_U.gen.dropper ( [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * Accesses executable file from resource section.
    * Creating several executable files on hard-drive.
    * File length:        16384 bytes.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\TEMP\LYLOADER.EXE.
    * Deletes file c:\sample.exe.
    * Creates file C:\Privilege.dat.
    * Creates file C:\WINDOWS\SYSTEM32\LYLOADER.EXE.
    * Deletes file C:\Privilege.dat.
    * Creates file C:\WINDOWS\TEMP\LYMANGR.DLL.
    * Creates file C:\WINDOWS\SYSTEM32\LYMANGR.DLL.
    * Creates file C:\WINDOWS\TEMP\MSDEG32.DLL.
    * Creates file C:\WINDOWS\SYSTEM32\MSDEG32.DLL.
    * Creates file C:\WINDOWS\SYSTEM32\REGKEY.hiv.

[ Signature Scanning ]
    * C:\WINDOWS\TEMP\LYLOADER.EXE (12984 bytes) : W32/Suspicious_U.gen.

)
        0 ms D:\v\wmgj.exe                                                Trojan W32/Malware.XZR ()
- File D:\v\1.exe quarantined.
- File D:\v\1.exe deleted.
- File D:\v\12.exe quarantined.
- File D:\v\12.exe deleted.
- File D:\v\4.exe quarantined.
- Virus W32/Viking.GY () removed.
- File D:\v\8-1a.exe quarantined.
- File D:\v\8-1a.exe deleted.
- File D:\v\fy.exe quarantined.
- File D:\v\fy.exe deleted.
- File D:\v\mh.exe quarantined.
- File D:\v\mh.exe deleted.
- File D:\v\wl.exe quarantined.
- File D:\v\wl.exe deleted.
- File D:\v\wmgj.exe quarantined.
- File D:\v\wmgj.exe deleted.

===================================================================================================

The scanning started: 2007/07/16 13:39:14
               ended: 2007/07/16 13:39:33
Logged on as        : Jason
on hostname         : JASON-PC

Scanning results:
   Total number of files found..............................:      10
   Number of files scanned..................................:      10
   Number of files/directories skipped due to exclude list..:       0
   Number of files that could not be opened.................:       0
   Number of archive files unpacked.........................:       0
   Number of archive files not unpacked.....................:       0
   Number of infections.....................................:       8

Copyright (c) 1993-2005 Norman ASA.

promised

C:\ABC\SACH0ST\1.exe - 特征码 'Trojan-Dropper.Microjoin.WA' 被发现
C:\ABC\SACH0ST\12.exe - 特征码 'Trojan-Downloader.7059' 被发现
C:\ABC\SACH0ST\4.exe - 特征码 'Worm.Win32.Viking.lj' 被发现
C:\ABC\SACH0ST\8-1a.exe - 特征码 'Trojan-PWS.Win32.Small.br' 被发现
C:\ABC\SACH0ST\cmi.exe - 特征码 'Trojan-PWS.Win32.OnLineGames.es' 被发现
C:\ABC\SACH0ST\fy.exe - 特征码 'Trojan-Dropper.Win32.Agent.ane' 被发现
C:\ABC\SACH0ST\mh.exe - 特征码 'Trojan-PWS.Win32.Nilage.lp' 被发现
C:\ABC\SACH0ST\SACH0ST.exe - 特征码 'not-a-virus:Monitor.Win32.007SpySoft.308' 被发现
C:\ABC\SACH0ST\wl.exe - 特征码 'Trojan-PWS.OnlineGames.AVH' 被发现
C:\ABC\SACH0ST\wmgj.exe - 特征码 'Trojan-Spy.Win32.Delf.ps' 被发现

        10 个文件被扫描
          (0 个压缩档 0 个文件)
        10 个特征码被侦测
        0 个可疑代码段被发现
        耗时: 0:00.656

蓝色牛仔裤

8


[Scan path] C:\Documents and Settings\Administrator\桌面\SACH0ST.rar
>>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\wmgj.exe infected with Trojan.PWS.Qqpass.873
>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\1.exe infected with Trojan.MulDrop.6156
>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\4.exe infected with Win32.HLLW.Gavir.72
>>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\8-1a.exe infected with Trojan.MulDrop.4289
>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\12.exe infected with Trojan.DownLoader.7059
>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\cmi.exe - Ok
>>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\fy.exe - Ok
>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\mh.exe infected with Trojan.MulDrop.5969
>>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\SACH0ST.exe probably infected with DLOADER.Trojan
>C:\Documents and Settings\Administrator\桌面\SACH0ST.rar\wl.exe infected with Trojan.Goner.40
C:\Documents and Settings\Administrator\桌面\SACH0ST.rar - archive contains infected objects

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 12
Infected objects found: 7
Objects with modifications found: 0
Suspicious objects found: 1
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 623 Kb/s
Scan time: 00:00:02