[MD5: D1D2BB]重复了，已换

promised

[ 本帖最后由 promised 于 2007-7-25 20:18 编辑 ]

woai_jolin

===================================================================================================
NVCOD On Demand Scanner 5.80.02

NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/25 08:17:31 (815477 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 835818
Command line: "@C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~OD29.tmp"
===================================================================================================

       Time  Filename                                                     Virus name
---------------------------------------------------------------------------------------------------
- Scanning files matching: F:\v\server.zip
     1157 ms F:\v\server.zip : server.exe                                 Virus W32/NetworkWorm ( [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * Decompressing UPX.
    * Creating several executable files on hard-drive.
    * File length:        26624 bytes.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\SVSH0ST.EXE.
    * Creates file C:\sample.bat.
    * Creates file C:\WINDOWS\SYSTEM32\Autorun.inf.
    * Creates file C:\lcg.exe.
    * Creates file C:\autorun.inf.
    * Creates file N:\autorun.inf.
    * Creates file N:\lcg.exe.

[ Spreading through LAN/WAN ]
    * Worm spreading over a network connection.

[ Process/window information ]
    * Creates a mutex niux.
    * Attemps to open REG.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V svchost /T REG_SZ /D C:\WINDOWS\SYSTEM32\SVSH0ST.EXE /F.
    * Attemps to open REG.exe add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.hao123.com                                                                                /f.
    * Attemps to open REG.exe add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f.
    * Attemps to open REG.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f.

)
        0 ms F:\v\server.zip                                             
        0 ms F:\v\server.zip:Zone.Identifier                             
- File F:\v\server.zip quarantined.

===================================================================================================

The scanning started: 2007/07/25 20:14:47
               ended: 2007/07/25 20:14:49
Logged on as        : Administrator
on hostname         : 2FEA146376E2420

Scanning results:
   Total number of files found..............................:       3
   Number of files scanned..................................:       3
   Number of files/directories skipped due to exclude list..:       0
   Number of files that could not be opened.................:       0
   Number of archive files unpacked.........................:       1
   Number of archive files not unpacked.....................:       0
   Number of infections.....................................:       1

Copyright (c) 1993-2005 Norman ASA.
HAO123晕

1688388728

Kaspersky Internet Security 7.0
The requested URL http://bbs.kafan.cn/attachment.php?aid=104973 is infected with Downloader virus
Kaspersky Internet Security 7.0
The requested URL http://bbs.kafan.cn/attachment.php?aid=104974 is infected with Trojan-Downloader.Win32.Delf.aoh virus

woai_jolin

又是sandbox
===================================================================================================
NVCOD On Demand Scanner 5.80.02

NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/25 08:17:31 (815477 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 835818
Command line: "@C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~OD2A.tmp"
===================================================================================================

       Time  Filename                                                     Virus name
---------------------------------------------------------------------------------------------------
- Scanning files matching: F:\v\QQ唰业务工具.zip
      265 ms F:\v\QQ唰业务工具.zip : QQ唰业务工具.exe                     Virus W32/Malware ( [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * **Locates window "NULL [class IEFrame]" on desktop.
    * File length:        10240 bytes.

[ Changes to registry ]
    * Creates key "HKLM\Software\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}".
    * Sets value "StubPath"="c:\temp\install.pif" in key "HKLM\Software\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}".

[ Process/window information ]
    * Modifies other process memory.
    * Creates a remote thread.

)
        0 ms F:\v\QQ唰业务工具.zip                                       
        0 ms F:\v\QQ唰业务工具.zip:Zone.Identifier                       
- File F:\v\QQ唰业务工具.zip quarantined.

===================================================================================================

The scanning started: 2007/07/25 20:18:18
               ended: 2007/07/25 20:18:19
Logged on as        : Administrator
on hostname         : 2FEA146376E2420

Scanning results:
   Total number of files found..............................:       3
   Number of files scanned..................................:       3
   Number of files/directories skipped due to exclude list..:       0
   Number of files that could not be opened.................:       0
   Number of archive files unpacked.........................:       1
   Number of archive files not unpacked.....................:       0
   Number of infections.....................................:       1

Copyright (c) 1993-2005 Norman ASA.

微点卫士

微点:
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RAR$EX00.562\QQ唰业务工具.EXE
是否删除木马程序及其衍生物?

金山报1个,费尔启发报2个

tracydk

avast挂

1p1

微点卫士 (东方微点保安部副部长)


好厉害啊

hj5abc

Scanning Log
NOD32 version 2418 (20070725) NT
Command line: F:\QQ唰业务工具.zip
Operating memory - is OK

Date: 25.7.2007  Time: 20:47:51
Anti-Stealth technology is enabled.
Scanned disks, folders and files: F:\QQ唰业务工具.zip
F:\QQ唰业务工具.zip ?ZIP ?QQ唰业务工具.exe - probably a variant of Win32/TrojanDownloader.Delf.NJH trojan
Number of scanned files: 2
Number of threats found: 1
Number of files cleaned: 1
Time of completion: 20:47:51 Total scanning time: 0 sec (00:00:00)

胡同文化

Kaspersky Internet Security 7.0
The requested URL http://bbs.kafan.cn/attachment.php?aid=104974 is infected with Trojan-Downloader.Win32.Delf.aoh virus

taihuxian

[0] Archive type: ZIP
  --> QQà§ÒµÎñ¹¤¾ß.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [INFO]      A backup was created as '9bd7547d.qua'  ( QUARANTINE )
      [INFO]      The file was deleted!