Analysis report for 070705全过瑞星.rar

hbd
Posted on 2007-7-25 15:08:32
The 71 virus samples posted by caocao (070705全过瑞星.rar): most antivirus products detect only around 50 of them.
http://bbs.kafan.cn/viewthread.php?tid=104656

AntiVir detected 52. In fact, among the remaining files only one is a virus that was missed.

Here are the results of the engineers' semi-manual analysis (thanks to caocao for collecting the samples):
Re-analysis of the files AntiVir judged to be CLEAN:


File ID   Filename                Size       Result
1114901   070705-Avira-PASS.zip   2.11 MB    OK

A listing of files contained inside archives alongside their results can be found below:

File ID   Filename           Size        Result
275117    1.exe              20 KB       CLEAN
271863    cq.exe             47.3 KB     DAMAGED FILE (UNKNOWN)
204617    gz.exe             96 KB       KNOWN CLEAN
552011    hhnsdl.exe         122 KB      CLEAN
1096999   install.exe        533.25 KB   CLEAN
538275    iviRegMgr.exe      109.52 KB   CLEAN
529995    mmvem.exe          100 KB      CLEAN
533518    npptools.dll.exe   83.73 KB    CLEAN
204668    rundll2000.exe     10 KB       FALSE POSITIVE
271865    virus1.exe         204 KB      CLEAN
1097020   ######.exe         952 KB      MALWARE
996435    ####.exe           182.91 KB   CLEAN
275602    536enc.dll         144 KB      CLEAN
206784    6to4svc.dll        98 KB       KNOWN CLEAN
682727    aaaamon.dll        39 KB       KNOWN CLEAN
736981    IEINFO5.OCX        98.5 KB     KNOWN CLEAN
206397    npptools.dll       53 KB       KNOWN CLEAN
206398    Packet.dll         80 KB       KNOWN CLEAN
206396    WanPacket.dll      60 KB       KNOWN CLEAN
536964    msconftb.sys       188 Byte    CLEAN
1096783   ###l.scr           102.85 KB   DAMAGED FILE (MALWARE)


Please find a detailed report concerning each individual sample below:

Filename            Result
1.exe               CLEAN

The file '1.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
cq.exe              DAMAGED FILE (UNKNOWN)

The file 'cq.exe' has been determined to be 'DAMAGED FILE (UNKNOWN)'. In particular this means that this file is damaged and not working properly. We could not find any malicious content. However, the heuristic detection module may still detect this particular file even though it is damaged. In that case we will not adjust or remove detection for this damaged file.

Filename            Result
gz.exe              KNOWN CLEAN

The file 'gz.exe' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Winrar 3.62'.

Filename            Result
hhnsdl.exe          CLEAN

The file 'hhnsdl.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
install.exe         CLEAN

The file 'install.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
iviRegMgr.exe       CLEAN

The file 'iviRegMgr.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
mmvem.exe           CLEAN

The file 'mmvem.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
npptools.dll.exe    CLEAN

The file 'npptools.dll.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
rundll2000.exe      FALSE POSITIVE

The file 'rundll2000.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with version 6.38.0.58.

Filename            Result
virus1.exe          CLEAN

The file 'virus1.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
######.exe          MALWARE

The file '######.exe' has been determined to be 'MALWARE'.
Our analysts discovered that the file is a Trojan. In general this kind of program contains harmful functionality, called a payload. Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename            Result
####.exe            CLEAN

The file '####.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
536enc.dll          CLEAN

The file '536enc.dll' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
6to4svc.dll         KNOWN CLEAN

The file '6to4svc.dll' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Windows XP (SP2)'.

Filename            Result
aaaamon.dll         KNOWN CLEAN

The file 'aaaamon.dll' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Microsoft Windows Server 2003 (SP1)'.

Filename            Result
IEINFO5.OCX         KNOWN CLEAN

The file 'IEINFO5.OCX' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Microsoft Windows Server 2003 (SP2)'.

Filename            Result
npptools.dll        KNOWN CLEAN

The file 'npptools.dll' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Windows XP (SP2)'.

Filename            Result
Packet.dll          KNOWN CLEAN

The file 'Packet.dll' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'WinPcap 3.1'.

Filename            Result
WanPacket.dll       KNOWN CLEAN

The file 'WanPacket.dll' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'WinPcap 3.1'.

Filename            Result
msconftb.sys        CLEAN

The file 'msconftb.sys' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename            Result
###l.scr            DAMAGED FILE (MALWARE)

The file '###l.scr' has been determined to be 'DAMAGED FILE (MALWARE)'. In particular this means that this file is damaged and not working properly. Nevertheless, we were able to determine that it contains malicious code fragments.

moonsilver
Posted on 2007-7-25 15:20:51
Many of the files in that package aren't viruses at all. So much for Rising's verdict...
Copyright © KaFan  KaFan.cn All Rights Reserved.
