Thread starter: foundking

[Virus sample] Take a look at this legendary QQ virus program D5FACF

红心王子
Posted 2007-7-29 08:29:37
C:\Documents and Settings\Administrator\桌面\QQ.rar>>QQ.exe>>systwac.exe
Backdoor.Win32.Gpigeon.zyn
sums2001
Posted 2007-7-29 08:55:22
NOD actually doesn't detect it.....
傻猪猪米走鸡
Posted 2007-7-29 09:04:57
Reported it to NOD!
lsyer
Posted 2007-7-29 09:25:45
After it runs, it drops systwac.exe and QQ潜水者末日.exe under \Temp\IXP000.TMP
Adds its own startup entry
Runs automatically
QQ潜水者末日.exe (I don't think it does anything special, it's just a tool for viewing who's online)
Once QQ潜水者末日.exe exits, systwac.exe runs
Drops files under \WINDOWS and installs a service
It's a Pigeon, right~
微点卫士
Posted 2007-7-29 09:29:38
Kingsoft fails, Filseclab reports Gray Pigeon

Micropoint:
Trojan name: Backdoor.Win32.Huigezi.2006.gt

Program:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\IXP000.TMP\SYSTWAC.EXE
is a Trojan!
It has been blocked from running; delete this file?
Heh, although it killed the dropped file, the sample can still be opened, but it's useless by now

[ Last edited by 微点卫士 on 2007-7-29 09:30 ]
woai_jolin
Posted 2007-7-29 09:31:38
VT is wrong; there's no way Norman doesn't detect a Pigeon
woai_jolin
Posted 2007-7-29 09:31:54
(attachment; login required to view)
woai_jolin
Posted 2007-7-29 09:58:54
Norman really doesn't detect it
I'm about to faint
QQ.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS

[ General information ]
    * Applications uses MSVBVM60.DLL (Visual Basic 6).
    * Form uses id Form.
    * Creating several executable files on hard-drive.
    * File length:       337408 bytes.
    * MD5 hash: d5facff25350ac773adf7c9075ba178a.

[ Changes to filesystem ]
    * Deletes directory C:\WINDOWS\TEMP\IXP0.TMP.
    * Creates directory C:\WINDOWS\TEMP\IXP0.TMP.
    * Creates file C:\WINDOWS\TEMP\IXP0.TMP\TMP4351$.TMP.
    * Creates file C:\WINDOWS\TEMP\IXP0.TMP\##############.exe.
    * Creates file C:\WINDOWS\TEMP\IXP0.TMP\systwac.exe.
    * Deletes file C:\WINDOWS\TEMP\IXP0.TMP\systwac.exe.
    * Deletes file C:\WINDOWS\TEMP\IXP0.TMP\##############.exe.
    * Deletes file C:\WINDOWS\TEMP\IXP0.TMP\TMP4351$.TMP.
    * Deletes directory C:\WINDOWS\TEMP\IXP0.TMP\.
    * Creates file C:\WINDOWS\wsysato.exe.

[ Changes to registry ]
    * Creates key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
    * Sets value "wextract_cleanup0"="rundll32.exe
C:\WINDOWS\SYSTEM32\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP0.TMP\"" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
    * Deletes value "wextract_cleanup0" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
    * Creates key "HKLM\System\CurrentControlSet\Services\Tracking
Client".
    * Sets value "ImagePath"="C:\WINDOWS\wsysato.exe" in key
"HKLM\System\CurrentControlSet\Services\Tracking Client".
    * Sets value "DisplayName"="Tracking Client" in key
"HKLM\System\CurrentControlSet\Services\Tracking Client".

[ Process/window information ]
    * Creates a COM object with CLSID
{E93AD7C1-C347-11D1-A3E2-00A0C90AEA82} : VBRuntime6.
    * Creates an event called .
    * Creates a mutex VERONETWO20070528.
    * Attempts to access service "Tracking Client".
    * Creates service "Tracking Client (Tracking Client)" as
"C:\WINDOWS\wsysato.exe".

[ Signature Scanning ]
    * C:\WINDOWS\TEMP\IXP0.TMP\systwac.exe (277504 bytes) : no
signature detection.
    * C:\WINDOWS\wsysato.exe (277504 bytes) : no signature detection.

(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information
source only.

This file is not flagged as malicious by the Norman Sandbox Information
Center. However, we can not guarantee that the file is harmless. If
you still suspect the file to be malicious and if you urgently need to
know for sure, please submit it to your local Norman support department
for manual analysis.
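Added example, not code from the thread or from Norman: a small Python parser that turns the Norman Sandbox behaviour report above into indicators of compromise. It treats a file that is created and never deleted as the real payload, cross-references service ImagePath values against those files, and flags the wextract_cleanup0 RunOnce entry; that entry, together with the IXP0.TMP / IXP000.TMP work directory lsyer mentions, is the standard footprint of Windows' own wextract.exe (IExpress) self-extractor, so the sample is a CAB package wrapping the dropper. The REPORT string is the behaviour part of woai_jolin's report, embedded so the script runs offline; the Iocs class, extract_iocs and the verdict wording are this example's own.

```python
"""Norman Sandbox report -> indicators of compromise.

Added example for this thread, not Norman's or the thread's code. REPORT is the
behaviour part of the report posted above, embedded so the script runs offline."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

REPORT = r"""
[ General information ]
    * MD5 hash: d5facff25350ac773adf7c9075ba178a.
[ Changes to filesystem ]
    * Creates file C:\WINDOWS\TEMP\IXP0.TMP\TMP4351$.TMP.
    * Creates file C:\WINDOWS\TEMP\IXP0.TMP\##############.exe.
    * Creates file C:\WINDOWS\TEMP\IXP0.TMP\systwac.exe.
    * Deletes file C:\WINDOWS\TEMP\IXP0.TMP\systwac.exe.
    * Deletes file C:\WINDOWS\TEMP\IXP0.TMP\##############.exe.
    * Deletes file C:\WINDOWS\TEMP\IXP0.TMP\TMP4351$.TMP.
    * Creates file C:\WINDOWS\wsysato.exe.
[ Changes to registry ]
    * Sets value "wextract_cleanup0"="rundll32.exe
C:\WINDOWS\SYSTEM32\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP0.TMP\"" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
    * Creates key "HKLM\System\CurrentControlSet\Services\Tracking
Client".
    * Sets value "ImagePath"="C:\WINDOWS\wsysato.exe" in key
"HKLM\System\CurrentControlSet\Services\Tracking Client".
[ Process/window information ]
    * Creates a mutex VERONETWO20070528.
"""

def sections(report: str) -> dict[str, list[str]]:
    """Group '* ...' bullets under their '[ section ]' header, re-joining entries
    that the report wrapped onto a second line (paths and key names do this)."""
    out: dict[str, list[str]] = {}
    current = None
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line.strip("[] ")
            out[current] = []
        elif current and line.startswith("* "):
            out[current].append(line[2:])
        elif current and out[current]:
            out[current][-1] += " " + line   # continuation of the wrapped bullet
    return out

@dataclass
class Iocs:
    md5: str | None = None
    dropped: list[str] = field(default_factory=list)        # created, never deleted
    staging: list[str] = field(default_factory=list)        # created, then deleted
    services: dict[str, str] = field(default_factory=dict)  # service name -> ImagePath
    run_keys: list[str] = field(default_factory=list)
    mutexes: list[str] = field(default_factory=list)
    verdicts: list[str] = field(default_factory=list)

SETS_VALUE = re.compile(r'^Sets value "([^"]+)"="(.*)" in key "([^"]+)"\.?$')

def extract_iocs(report: str) -> Iocs:
    sec = sections(report)
    iocs = Iocs()
    for e in sec.get("General information", []):
        if m := re.match(r"MD5 hash: ([0-9a-fA-F]{32})", e):
            iocs.md5 = m.group(1).lower()
    created, deleted = [], set()
    for e in sec.get("Changes to filesystem", []):
        if m := re.match(r"Creates file (.+?)\.?$", e):
            created.append(m.group(1))
        elif m := re.match(r"Deletes file (.+?)\.?$", e):
            deleted.add(m.group(1))
    iocs.staging = [p for p in created if p in deleted]      # self-extractor work files
    iocs.dropped = [p for p in created if p not in deleted]  # what survives on disk
    for e in sec.get("Changes to registry", []):
        if not (m := SETS_VALUE.match(e)):
            continue
        name, data, key = m.groups()
        if re.search(r"\\Run(Once)?$", key, re.I):
            iocs.run_keys.append(f"{key}\\{name} = {data}")
        elif "\\Services\\" in key and name.lower() == "imagepath":
            iocs.services[key.rsplit("\\", 1)[1]] = data
    for e in sec.get("Process/window information", []):
        if m := re.match(r"Creates a mutex (.+?)\.?$", e):
            iocs.mutexes.append(m.group(1))
    # Verdicts a triager reads off the raw events.
    for p in iocs.dropped:
        if "\\TEMP\\" not in p.upper():
            iocs.verdicts.append(f"payload left outside the staging dir: {p}")
    for name, image in iocs.services.items():
        if image in iocs.dropped:
            iocs.verdicts.append(f"service persistence: {name!r} -> dropped {image}")
    if any("wextract_cleanup" in r for r in iocs.run_keys):
        iocs.verdicts.append("wextract/IExpress cleanup hook: CAB self-extractor dropper")
    return iocs

if __name__ == "__main__":
    r = extract_iocs(REPORT)
    print(r.md5, r.dropped, r.staging, r.services, r.run_keys, r.mutexes, sep="\n")
    print(*r.verdicts, sep="\n")
```

On this report the parser yields one surviving payload (C:\WINDOWS\wsysato.exe), one service ("Tracking Client") pointing at it, the mutex VERONETWO20070528 and the sample MD5; the three files in IXP0.TMP are classified as staging because the self-extractor deletes them again. The same three facts (service name, image path, mutex) are what you would check for on a host suspected of running this sample.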
xxwpk007
Posted 2007-7-29 09:59:17
Detected: Trojan Backdoor.Win32.Hupigon.eou        URL: http://bbs.kafan.cn/attachment.p ... 000.cab/systwac.exe
lizhenhong_1
Posted 2007-7-29 10:37:50
Honestly this is a bit hard to follow
卡饭论坛 | KaFan.cn
Copyright © KaFan  KaFan.cn All Rights Reserved.