4ge[ec9c60][a4527f][2f0bc7][174731]

显示全部楼层 · 发表于 2007-7-21 14:38:22

[ 本帖最后由 wangjay1980 于 2007-7-21 14:47 编辑 ]

显示全部楼层 · 发表于 2007-7-21 14:42:59

1185000264,2007-7-21 14:44:24,Trojan.BAT.KillAV.ec.likf.for,木马,mygood,D:\3\新建文件夹\新建文件夹\123.exe>>emb-0.cab>>avp.exe,Manual scan
1185000264,2007-7-21 14:44:24,Heuri.Possible/Packed,启发式扫描,mygood,D:\3\新建文件夹\新建文件夹\123.exe>>emb-0.cab>>b-mke.exe,Manual scan
1185000264,2007-7-21 14:44:24,Heuri.ERNM,启发式扫描,mygood,D:\3\新建文件夹\新建文件夹\dh.exe,Manual scan
1185000264,2007-7-21 14:44:24,Heuri.ERNM,启发式扫描,mygood,D:\3\新建文件夹\新建文件夹\mh.exe>>emb-1.exe,Manual scan
费尔

显示全部楼层 · 发表于 2007-7-21 14:43:38

微点：
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\MH.EXE
木马程序生成以下文件:
1) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\LYLOADER.EXE
2) C:\WINDOWS.0\SYSTEM32\LYLOADER.EXE
3) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\LYMANGR.DLL
4) C:\WINDOWS.0\SYSTEM32\LYMANGR.DLL
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\DH.EXE
木马程序生成以下文件:
1) C:\WINDOWS.0\SYSTEM32\RAV008C.EXE
2) C:\WINDOWS.0\SYSTEM32\RAV008C.DAT
是否删除木马程序及其衍生物?

木马名称:Trojan.BAT.KillAV.o

程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\IXP000.TMP\AVP.EXE
是木马程序!
已成功阻止其运行,是否要删除此文件?
mminstall.exe微点挂！！！

显示全部楼层 · 发表于 2007-7-21 14:45:01

2007/7/21 14:41:55 Scanning Log
2007/7/21 14:41:55 Version of virus signature database: 2410 (20070720)
2007/7/21 14:41:55 Date: 21.7.2007 Time: 14:41:55
2007/7/21 14:41:55 Scanned disks, folders and files: F:\v\
2007/7/21 14:41:58 F:\v\4.zip - multiple threats - deleted - quarantined
2007/7/21 14:41:58 F:\v\4.zip » ZIP » mh.exe - a variant of Win32/PSW.Agent.NEC trojan
2007/7/21 14:41:58 F:\v\4.zip » ZIP » dh.exe - a variant of Win32/PSW.OnLineGames.NCU trojan
2007/7/21 14:41:58 F:\v\4.zip » ZIP » mminstall.exe - a variant of Win32/TrojanDownloader.QQHelper.NDF trojan
2007/7/21 14:41:58 Number of scanned files: 5
2007/7/21 14:41:58 Number of threats found: 3
2007/7/21 14:41:58 Time of completion: 14:41:58 Total scanning time: 3 sec (00:00:03)

显示全部楼层 · 发表于 2007-7-21 14:45:45

3只

显示全部楼层 · 发表于 2007-7-21 14:53:36

咖啡启发2个

显示全部楼层 · 发表于 2007-7-21 14:55:38

運行avp.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-21 14:51:59 创建文件操作:允许
进程路径:D:\桌面\virus\ec9c604\123\avp.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\29937447.bat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 14:52:00 运行应用程序操作:阻止
进程路径:D:\桌面\virus\ec9c604\123\avp.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c C:\DOCUME~1\HungAndy\LOCALS~1\Temp\29937447.bat
触发规则:所有程序规则->系統程序->%windir%\system32\cmd.exe

1.他會在C:\Documents and Settings\HungAndy\Local Settings\Temp\生成
29937447.bat
2.他會運行C:\windows\system32\cmd.exe
/c C:\DOCUME~1\HungAndy\LOCALS~1\Temp\29937447.bat

29937447.bat的結構

Set date=%date%
date 2004-10-09
@Echo Off & setlocl enableextensions
Eco Ws cript.Sleep 1000 >
Set /a i = 5
:Timeout
If %i% == 0 Goto Next
setloal
Set /a i = %i% - 1
cs cript //nologo fyzer.vbs
Goto Timeout
Goto End
:Next
dcte %dae

显示全部楼层 · 发表于 2007-7-21 14:56:07

NOD32报了3个

显示全部楼层 · 发表于 2007-7-21 14:56:27

123.exe过nod

显示全部楼层 · 发表于 2007-7-21 15:01:29

運行b-mke.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-21 14:56:59 创建文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\123\b-mke.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\winllogon.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 14:57:07 运行应用程序    操作:允许
进程路径:D:\桌面\virus\ec9c604\123\b-mke.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\winllogon.exe
触发规则:所有程序规则->*

2007-07-21 14:57:07 创建文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\123\b-mke.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\Deleteme.bat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 14:57:08 修改文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\winllogon.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\Deleteme.bat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

1.他會在C\windows\生成並運行
winllogon.exe
2.他會在C\windows\生成
Deleteme.bat
3.winllogon.exe會修改C\windows\Deleteme.bat

Deleteme.bat的結構

:try
del "C:\windows\winllogon.exe"
if exist "C:\windows\winllogon.exe" goto try
del %0

[病毒样本] 4ge[ec9c60][a4527f][2f0bc7][174731]

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源