Thread starter: qwerasdf123

[Virus sample] f78cc: whoever added this packed file to their signature database can cry now, part 2

tracydk
Posted 2007-7-24 10:18:29
Originally posted by Nblock on 2007-7-24 10:13:
Pack your antivirus software, then have it scan itself and see whether it flags a virus.

Good grief.
傻猪猪米走鸡
Posted 2007-7-24 10:34:21
Wouldn't a HIPS make it perfectly clear?
qwerasdf123
Thread starter | Posted 2007-7-24 10:46:13
Take a look at the sandbox report.
Analysis Summary:

Analysis Date 7/23/2007 10:44:36 PM
Sandbox Version 2.0.6
Filename f78cc1736f4bfef5f55f15b4c79c2f73.exe

Technical Details:

Analysis Number 1
Parent ID 0
Process ID 1156
Filename c:\f78cc1736f4bfef5f55f15b4c79c2f73.exe
Filesize 80384 bytes
MD5 f78cc1736f4bfef5f55f15b4c79c2f73
Start Reason AnalysisTarget
Termination Reason NormalTermination
Start Time 00:00.141
Stop Time 00:01.453
Detection Trojan (Authentium Command Antivirus)
(BitDefender Antivirus)
(CounterSpy)
(Microsoft Malware Protection)
(Norton AntiVirus)

DLL-Handling Loaded DLLs
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\Secur32.dll
ntdll.dll

Process Management Creates Process - Filename () CommandLine: (c:\f78cc1736f4bfef5f55f15b4c79c2f73.exe) As User: () Creation Flags: (CREATE_SUSPENDED)
Kill Process - Filename () CommandLine: () Target PID: (1156) As User: () Creation Flags: ()

Threads  
Virtual Memory VM Allocate - Target: (1280) Address: ($01000000) Size: (126976) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT,MEM_RESERVE)
VM Protect - Target: (1280) Address: ($7FFD4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1280) Address: ($7FFD4000) Size: (4096) Protect: (PAGE_READWRITE)
VM Protect - Target: (1280) Address: ($01000000) Size: (126976) Protect: (PAGE_EXECUTE_READWRITE)
VM Read - Target: (1280) Address: ($7FFD4008) Size: (4)
VM Write - Target: (1280) Address: ($7FFD4008) Size: (4)
VM Write - Target: (1280) Address: ($01000000) Size: (126976)


The following process was started by process: 1
Analysis Number 2
Parent ID 1
Process ID 1280
Filename c:\f78cc1736f4bfef5f55f15b4c79c2f73.exe
Filesize 80384 bytes
MD5 f78cc1736f4bfef5f55f15b4c79c2f73
Start Reason CreateProcess
Termination Reason Timeout
Start Time 00:01.203
Stop Time 01:00.719
Detection Trojan (Authentium Command Antivirus)
(BitDefender Antivirus)
(CounterSpy)
(Microsoft Malware Protection)
(Norton AntiVirus)

DLL-Handling Loaded DLLs
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\Secur32.dll

INI Files Read INI File
WIN.INI [SciCalc] layout =
WIN.INI [SciCalc] UseSep =
WIN.INI [intl] sDecimal =
WIN.INI [intl] sThousand =
WIN.INI [intl] sGrouping =
Report generated at 7/23/2007 10:44:36 PM with CWSandbox Version 2.0.6
This analysis was created by the CWSandbox Copyright 2006 Carsten Willems
Copyright 1996-2006 Sunbelt Software. All rights reserved.
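What makes this packed Calculator look like a trojan to several engines is visible in the first analysis above: the process starts a copy of itself with CREATE_SUSPENDED, allocates and writes a 126976-byte PAGE_EXECUTE_READWRITE region at $01000000 inside that child, then kills its own PID, after which the child behaves as calc. The following Python is an added example, not code from the thread or from CWSandbox, that turns that observation into a detection rule over the report's own Process Management and Virtual Memory lines (copied here as constructed input). The regexes, the Verdict class and the 4096-byte minimum write size are my assumptions, chosen so the 4-byte write into the process environment block at $7FFD4008 is ignored while the full image write is counted.

```python
"""Flag the suspended-child plus executable-region-write pattern in
CWSandbox-style behaviour logs (added example, not CWSandbox's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the Process Management / Virtual Memory lines of
# analysis 1 (PID 1156) from the packed-sample report above.
PACKED_SAMPLE = [
    "Creates Process - Filename () CommandLine: (c:\\f78cc1736f4bfef5f55f15b4c79c2f73.exe) As User: () Creation Flags: (CREATE_SUSPENDED)",
    "Kill Process - Filename () CommandLine: () Target PID: (1156) As User: () Creation Flags: ()",
    "VM Allocate - Target: (1280) Address: ($01000000) Size: (126976) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT,MEM_RESERVE)",
    "VM Protect - Target: (1280) Address: ($7FFD4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)",
    "VM Protect - Target: (1280) Address: ($7FFD4000) Size: (4096) Protect: (PAGE_READWRITE)",
    "VM Protect - Target: (1280) Address: ($01000000) Size: (126976) Protect: (PAGE_EXECUTE_READWRITE)",
    "VM Read - Target: (1280) Address: ($7FFD4008) Size: (4)",
    "VM Write - Target: (1280) Address: ($7FFD4008) Size: (4)",
    "VM Write - Target: (1280) Address: ($01000000) Size: (126976)",
]
# Constructed baseline: the unpacked Calculator report shows no such lines.
CALC_BASELINE = []

# Assumption: writes smaller than a page are bookkeeping (e.g. the 4-byte
# PEB write), not code being dropped into the child.
MIN_CODE_WRITE = 4096

CREATE_RE = re.compile(r"Creates Process .*Creation Flags: \(([^)]*)\)")
KILL_RE = re.compile(r"Kill Process .*Target PID: \((\d+)\)")
PROT_RE = re.compile(
    r"VM (?:Allocate|Protect) - Target: \((\d+)\) Address: \(\$([0-9A-Fa-f]+)\)"
    r" Size: \((\d+)\) Protect: \(([^)]*)\)")
WRITE_RE = re.compile(
    r"VM Write - Target: \((\d+)\) Address: \(\$([0-9A-Fa-f]+)\) Size: \((\d+)\)")


@dataclass
class Verdict:
    suspended_child: bool = False
    self_kill: bool = False
    exec_writes: list = field(default_factory=list)  # (target pid, address, size)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The combination is what matters: a suspended child alone is how
        # debuggers start processes, and RWX memory alone is common in JITs.
        return self.suspended_child and bool(self.exec_writes)


def analyze(lines, own_pid):
    """Walk the log in order, tracking which (pid, address) regions are
    currently executable+writable, and record large writes into them."""
    v = Verdict()
    rwx = set()
    for line in lines:
        m = CREATE_RE.search(line)
        if m:
            if "CREATE_SUSPENDED" in m.group(1):
                v.suspended_child = True
                v.reasons.append("child process created with CREATE_SUSPENDED")
            continue
        m = KILL_RE.search(line)
        if m:
            if int(m.group(1)) == own_pid:
                v.self_kill = True
                v.reasons.append(f"process killed its own PID {own_pid}")
            continue
        m = PROT_RE.search(line)
        if m:
            region = (int(m.group(1)), int(m.group(2), 16))
            # A later VM Protect can revoke execute permission, so track state.
            if "EXECUTE" in m.group(4):
                rwx.add(region)
            else:
                rwx.discard(region)
            continue
        m = WRITE_RE.search(line)
        if m:
            target, addr, size = int(m.group(1)), int(m.group(2), 16), int(m.group(3))
            if (target, addr) in rwx and size >= MIN_CODE_WRITE:
                v.exec_writes.append((target, addr, size))
                v.reasons.append(
                    f"{size} bytes written into executable region 0x{addr:08X} of PID {target}")
    return v


if __name__ == "__main__":
    for name, lines, pid in (("packed calc", PACKED_SAMPLE, 1156), ("plain calc", CALC_BASELINE, 192)):
        v = analyze(lines, pid)
        print(name, "->", "SUSPICIOUS" if v.suspicious else "clean", v.reasons)
```

Run stand-alone it prints a verdict per report; the packed sample trips the rule on the suspended child plus the 126976-byte write into the RWX region, and the plain Calculator report does not. This is also the behaviour a HIPS classifies as an "Invader" style intrusion, which is why the packer, not calc itself, is what the heuristics are reacting to.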
qwerasdf123
Thread starter | Posted 2007-7-24 10:48:42
This is the sandbox report for the standard Calculator.
Analysis Summary:

Analysis Date 10/25/2006 9:43:04 PM
Sandbox Version Beta 1.83
Filename 829e4805b0e12b383ee09abdc9e2dc3c.exe

Technical Details:

Analysis Number 1
Parent ID 0
Process ID 192
Filename c:\temp\829e4805b0e12b383ee09abdc9e2dc3c.exe
Filesize 114688 bytes
MD5 829e4805b0e12b383ee09abdc9e2dc3c
Start Reason AnalysisTarget
Termination Reason Timeout
Start Time 00:00.313
Stop Time 03:00.454
Detection - (Authentium Command Antivirus - EngVer: 4.92.123.35 - SigVer: 20061023 35)
- (BitDefender Antivirus - EngVer: 7.0.0.2311 - SigVer: 7.09606)
- (CounterSpy - EngVer: 2.1.560.0 - SigVer: )
- (Microsoft Malware Protection - EngVer: 1.1.1609.0 - SigVer: Tue Oct 24 01:37:27 2006)
- (Norton AntiVirus - EngVer: 20061.3.0.12 - SigVer: 20061024 12:26:58)

DLL-Handling Loaded DLLs
c:\temp\829e4805b0e12b383ee09abdc9e2dc3c.exe
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\OLE32.DLL
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\System32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\Secur32.dll
.\UxTheme.dll
UxTheme.dll

INI Files Read INI File
WIN.INI [SciCalc] layout =
WIN.INI [SciCalc] UseSep =
WIN.INI [intl] sDecimal =
WIN.INI [intl] sThousand =
WIN.INI [intl] sGrouping =
Registry Reads
Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"
Control Panel\Desktop "LameButtonText"


Window Enum Windows
yurius
Posted 2007-7-24 11:39:04
detected: riskware Invader        Running process: C:\calc.exe

2007-7-24 11:33:54        C:\calc.exe        Intrusive process: C:\calc.exe Process ID (PID): 3104 Attempt of process intrusion: C:\calc.exe Process ID (PID): 2476
2007-7-24 11:33:54        C:\calc.exe        Attempt to terminate process
2007-7-24 11:33:55        C:\calc.exe        Attempt to terminate process: successfully
2007-7-24 11:33:55        C:\calc.exe        Attempt to terminate process: successfully
promised
Posted 2007-7-24 11:47:40
It reboots the machine as soon as you run it.
liaoying112
Posted 2007-7-24 12:04:35
Kaspersky blocked it before the download had even finished.
Just removed Micropoint (saw that it doesn't scan, no fun, and its protection had gone downhill).
Just tested it with Kaspersky! Awesome.
moonsilver
Posted 2007-7-24 12:14:53

                Rising virus scan result report

List of virus types cleaned:
Virus: Dropper.Dropres.b

User source: Internet

Software version: 19.33.10
woai_jolin
Posted 2007-7-25 16:45:53
norman pass
Copyright © KaFan  KaFan.cn All Rights Reserved.