5个[MD5: 0B2744 1A15DA 6F0B50 F49569 F8C7B4]

显示全部楼层 · 发表于 2007-7-21 15:16:01

Trojan.PSW.QQPass.tix
Trojan.PSW.QQPass.hjy
Worm.Win32.Viking.viv
漏杀的上报。。

显示全部楼层 · 发表于 2007-7-21 15:41:13

===================================================================================================
NVCOD On Demand Scanner 5.80.02

NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/19 17:24:52 (812833 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 833174
Command line: "@C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~OD82.tmp"
===================================================================================================

   Time  Filename                                                    Virus name
---------------------------------------------------------------------------------------------------
- Scanning files matching: F:\v\virus.zip
   1156 ms F:\v\virus.zip : virus/QQ2007.exe
   16 ms F:\v\virus.zip : virus/LoveQQ.exe                         Trojan W32/Delf.AGBQ ()
   47 ms F:\v\virus.zip : virus/Setup.exe                            Trojan Hupigon.gen126 ()
   5094 ms F:\v\virus.zip : virus/21.exe
   1141 ms F:\v\virus.zip : virus/1.exe                               Virus W32/NetworkWorm ( [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* **Locates window "RavMon.exe [class RavMonClass]" on desktop.
* Accesses executable file from resource section.
* File length:       95218 bytes.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\uninstall.
* Creates file C:\WINDOWS\RichDll.dll.
* Creates file C:\_desktop.ini.
* Creates file N:\sample.exe.

[ Network services ]
* Sends a ping request (ICMP.DLL) to 192.168.0.1.

[ Network ]
* Connection to resource "\\192.168.0.1\ipc$" with username=administrator and password=.

[ Spreading through LAN/WAN ]
* Worm spreading over a network connection.

[ Process/window information ]
* Enumerates running processes.
* Enumerates running processes several parses....
* Modifies other process memory.

)
      0 ms F:\v\virus.zip
   15 ms F:\v\virus.zip:Zone.Identifier
- File F:\v\virus.zip quarantined.
- File F:\v\virus.zip quarantined.
- File F:\v\virus.zip quarantined.

===================================================================================================

The scanning started: 2007/07/21 15:38:09
            ended: 2007/07/21 15:38:16
Logged on as       : Administrator
on hostname       : BE29C0E1C4C9406

Scanning results:
Total number of files found..............................:    7
Number of files scanned..................................:    7
Number of files/directories skipped due to exclude list..:    0
Number of files that could not be opened.................:    0
Number of archive files unpacked.........................:    1
Number of archive files not unpacked.....................:    0
Number of infections.....................................:    3

Copyright (c) 1993-2005 Norman ASA.

显示全部楼层 · 发表于 2007-7-21 16:46:17

運行1.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-21 16:37:14 修改文件    操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\drivers\etc\hosts
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 16:37:14 运行应用程序    操作:阻止
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\windows\system32\net.exe
命令行:stop "Kingsoft AntiVirus Service"
触发规则:所有程序规则->禁止程序->*\net.exe

2007-07-21 16:37:17 创建文件    操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\uninstall\rundl132.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 16:37:18 创建注册表值    操作:阻止
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
注册表路径:HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Run
注册表名称:load
注册表数据:C:\windows\uninstall\rundl132.exe
触发规则:所有程序规则->自動運行_普通模式->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

2007-07-21 16:37:19 创建文件    操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\D\桌面\virus\0B2744virus\virus\1.exe.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 16:37:19 创建文件    操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\Logo1_.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 16:37:20 创建文件    操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\$$a3B6.tmp
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 16:37:20 创建文件    操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\$$a3B6.bat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 16:37:20 运行应用程序    操作:阻止
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c C:\DOCUME~1\HungAndy\LOCALS~1\Temp\$$a3B6.bat
触发规则:所有程序规则->系統程序->%windir%\system32\cmd.exe

2007-07-21 16:37:20 运行应用程序    操作:阻止
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\windows\system32\net.exe
命令行:stop "Kingsoft AntiVirus Service"
触发规则:所有程序规则->禁止程序->*\net.exe

2007-07-21 16:37:20 创建文件    操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\RichDll.dll
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 16:37:20 修改文件    操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\drivers\etc\hosts
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

1.他會修改C\windows\system32\drivers\etc\hosts
2.他會運行C:\windows\system32\net.exe
stop "Kingsoft AntiVirus Service"
3.他會在C\windows\uninstall\生成
rundl132.exe
4.他會创建注册表值
HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Run
load
C:\windows\uninstall\rundl132.exe
5.他會在他旁邊生成1.exe.exe
6.他會在C\windows\生成
Logo1_.exe
7.他會在C:\Documents and Settings\HungAndy\Local Settings\Temp\生成
$$a3B6.tmp
$$a3B6.bat
8.他會運行C:\windows\system32\cmd.exe
/c C:\DOCUME~1\HungAndy\LOCALS~1\Temp\$$a3B6.bat
9.他會運行C:\windows\system32\net.exe
stop "Kingsoft AntiVirus Service"
10.他會在C\windows\生成
RichDll.dll
11.他會修改C\windows\system32\drivers\etc\hosts

显示全部楼层 · 发表于 2007-7-21 16:49:18

運行21.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-21 16:47:14 创建文件操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\21.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\WINDOWS\Loveqq.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 16:47:15 创建注册表值操作:阻止
进程路径:D:\桌面\virus\0B2744virus\virus\21.exe
注册表路径:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
注册表名称:SysDeskqqfx
注册表数据:C:\WINDOWS\Loveqq.exe
触发规则:所有程序规则->自動運行_普通模式->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

1.他會在C\WINDOWS\生成
Loveqq.exe
2.他會创建注册表值
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysDeskqqfx
C:\WINDOWS\Loveqq.exe

显示全部楼层 · 发表于 2007-7-21 16:51:40

運行LoveQQ.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-21 16:49:55 创建文件操作:允许
进程路径:D:\桌面\virus\0B2744virus\virus\LoveQQ.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\WINDOWS\Loveqq.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 16:49:55 创建注册表值操作:阻止
进程路径:D:\桌面\virus\0B2744virus\virus\LoveQQ.exe
注册表路径:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
注册表名称:SysDeskqqfx
注册表数据:C:\WINDOWS\Loveqq.exe
触发规则:所有程序规则->自動運行_普通模式->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

1.他會在C\WINDOWS\生成
Loveqq.exe
2.他會创建注册表值
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysDeskqqfx
C:\WINDOWS\Loveqq.exe

显示全部楼层 · 发表于 2007-7-21 17:06:04

那个21.EXE运行后自动推出了.

显示全部楼层 · 发表于 2007-7-21 17:06:50

SETUP.EXE

显示全部楼层 · 发表于 2007-7-21 17:32:41

F:\virus\virus\QQ2007.exe : infected Trojan-PSW.Win32.QQPass.hn
F:\virus\virus\LoveQQ.exe : infected Trojan-PSW.Win32.Delf.je
F:\virus\virus\1.exe : infected MalwareScope.Worm.Viking.5

显示全部楼层 · 发表于 2007-7-21 18:53:13

诶，，，，在网吧，没杀毒软件，又被禁止下载，没办法试试，真是郁闷~

显示全部楼层 · 发表于 2007-7-21 20:39:01

已检测: 木马程序 Trojan-PSW.Win32.Delf.je URL: http://bbs.kafan.cn/attachment.php?aid=103362/virus/LoveQQ.exe

[病毒样本] 5个[MD5: 0B2744 1A15DA 6F0B50 F49569 F8C7B4]

本帖子中包含更多资源