收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 [凝逸反毒]的[黑洞]引擎 www.666535.cn/ad.jpg的处理
返回列表 发新帖
查看: 1740|回复: 3
收起左侧

[病毒样本] [凝逸反毒]的[黑洞]引擎 www.666535.cn/ad.jpg的处理

[复制链接]
qqq000@qq.com
头像被屏蔽
发表于 2007-7-20 10:24:55 | 显示全部楼层 |阅读模式
[凝逸反毒]的[黑洞]引擎 www.666535.cn/ad.jpg的处理


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <SoundMan><SOUNDMAN.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <KVMON><"C:\Program Files\JiangMin\AntiVirus\KVMonXP_1.kxp">  [Jiangmin Co.Ltd]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\Userinit.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    <WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <KernelFaultCheck><; %systemroot%\system32\dumprep 0 -k>  [N/A]
    <StatusClient><; C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto>  [Hewlett-Packard]
    <TkBellExe><; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
    <TomcatStartup><; C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe>  [Hewlett-Packard]


==================================
服务
[Application Management / AppMgmt][Stopped/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[KVSrvXP / KVSrvXP][Running/Auto Start]
  <C:\Program Files\JiangMin\AntiVirus\kvsrvxp.exe /Service><Jiangmin Co., Ltd.>
[KVWSC / KVWSC][Running/Auto Start]
  <"C:\Program Files\JiangMin\AntiVirus\KVWSC.exe"><Jiangmin Co.,Ltd>
[MSSQL$NJSITE / MSSQL$NJSITE][Running/Auto Start]
  <C:\XJGLMSSQL$NJSITE\Binn\sqlservr.exe -sNJSITE><Microsoft Corporation>
[MSSQLServerADHelper / MSSQLServerADHelper][Stopped/Manual Start]
  <C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe><Microsoft Corporation>
[P4P Service / P4P Service][Running/Auto Start]
  <C:\Program Files\Common Files\Sogou PXP\p2psvr.exe><Sohu.com Inc.>
[Pml Driver HPZ12 / Pml Driver HPZ12][Stopped/Disabled]
  <C:\WINDOWS\system32\HPZipm12.exe><HP>
[SQLAgent$NJSITE / SQLAgent$NJSITE][Stopped/Manual Start]
  <C:\XJGLMSSQL$NJSITE\Binn\sqlagent.EXE -i NJSITE><Microsoft Corporation>



    (把木马与注册表值加入【自定吞噬】,就能删除)
========木马============

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
advpack.dll
C:\Program Files\Outlook Express\setup50.exe
%SystemRoot%\system32\themeui.dll
%systemroot%\system32\shmgrate.exe
WgaLogon.dl
SOUNDMAN.EXE
C:\XJGLMSSQL$NJSITE\Binn\sqlagent.EXE
C:\WINDOWS\system32\HPZipm12.exe
%SystemRoot%\System32\hidserv.dll
%SystemRoot%\System32\appmgmts.dll
===注册表===
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
SOFTWARE(Pml Driver HPZ12)
SOFTWARE(SQLAgent$NJSITE)
SOFTWARE(HidServ)
SOFTWARE(AppMgmt)





试下:[凝逸反毒]的[黑洞]引擎,
    (把木马与注册表值加入【自定吞噬】,就能删除)
    1.黑洞吞噬一切启动型病毒
    2.吞噬:av终结者.帕虫.随机7/8位病毒,U盘病毒,QQ尾巴,
    3.锁定时间.显示文件
方法:  1.点【黑洞】
       2.强行关机后,重开机在点次【黑洞】
       3.在用杀软扫除病毒
【自定吞噬】
      删除难清除木马的文件与注册表目录

【凝逸实验室】-[凝逸反毒]
QQ:503165656
主页:http://hi.baidu.com/503165656
下载:http://groups.google.com/group/503165656/web/nyfd.zip

杀不了,样本发到:503165656@qq.com
[黑洞]引擎的【自定吞噬】说明
http://hi.baidu.com/503165656/blog/item/1420ebfc5637acfffd037f4a.html
回复

举报

xxwpk007
头像被屏蔽
发表于 2007-7-20 10:29:03 | 显示全部楼层
卡巴斯基反病毒 7.0 测试版The requested URL http://www.666535.cn/ad.jpg is infected with Exploit.Win32.IMG-ANI.gen virus

[ 本帖最后由 xxwpk007 于 2007-7-20 10:30 编辑 ]
回复

举报

woai_jolin
发表于 2007-7-20 10:30:44 | 显示全部楼层
2007/7/20 10:29:36 eAmon file C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2NNIVZ1H\ad[1].jpg a variant of Win32/TrojanDownloader.Ani.Gen trojan cleaned by deleting - quarantined  Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.

[ 本帖最后由 woai_jolin 于 2007-7-20 10:31 编辑 ]
回复

举报

yurius
发表于 2007-7-20 11:07:33 | 显示全部楼层
Infiltration details:

   Web page:
   hxxp://www.666535.cn/ad.jpg

   Infiltration:
   a variant of Win32/TrojanDownloader.Ani.Gen trojan

   Description:
   Access to the web page was blocked by IMON.
回复

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-5-17 11:18 , Processed in 0.141859 second(s), 17 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表