[14688]不知是什么病毒，似乎是一个下载者……

显示全部楼层 · 发表于 2007-8-18 22:33:36

VirSCAN.org Scanned Report :
Scanned time : 2007/08/18 22:24:43 (CST)
Scanner results: 72%的杀软(21/29)报告发现病毒
File Name    : arp.exe
File Size    : 98816 byte
File Type    : MS-DOS executable (EXE), OS/2 or MS Windows
MD5          : 14688f47dd8c1a26ce9217456a945b2c
SHA1          : da39a3ee5e6b4b0d3255bfef95601890afd80709
Online report  : http://virscan.org/report.php?id=14688f47dd8c1a26ce9217456a945b2c
Scanner       Engine Ver       Sig Ver    Sig Date Time Scan result
a-squared    3.0.0.123    2007.08.16       2007-08-16  4.64 Trojan-Downloader.Win32.Delf.bms
小红伞       7.4.1.62       6.39.1.16       2007-08-17  2.26 TR/Delphi.Downloader.Gen
Arcavir       1.0.4          200708171725    2007-08-17  1.20 Trojan.Downloader.Delf.Bms
AVAST       1.0.8          000766-1       2007-08-17  3.06 Win32:Agent-HUT [Wrm]
AVG          7.5.48.442    269.12.0/959    2007-08-17  1.36 Downloader.Generic5.RGL
BitDefender 7.60825.793349  7.14404          2007-08-18  2.94 BehavesLike:Win32.ExplorerHijack
CA (VET)    8.4.0.24       31.1.5069       2007-08-18  0.84 -
ClamAV       0.91.1       3983             2007-08-18  0.05 -
大蜘蛛       4.33          2007.08.18       2007-08-18  5.79 WIN.WORM.Virus
ewido       4.0.0.2       2007.08.18       2007-08-18  2.66 -
冰岛杀毒    3.16.16       2007.08.17       2007-08-17  0.41 W32/Downloader-WebExe-based!Maximus
F-SECURE    5.51.6100    2007.08.15.03    2007-08-15  0.04 Trojan-Downloader.Win32.Delf.bms
IKARUS       T3.1.1.12    2007.08.18.69365  2007-08-18  1.25 Trojan-Downloader.Win32.Delf.bms
江民杀毒    10.00.650    2007.08.18       2007-08-18  0.73 TrojanDownloader.Delf.dez
卡巴斯基    5.5.10       2007.08.18       2007-08-18  0.02 Trojan-Downloader.Win32.Delf.bms
金山毒霸    2007.6.20.249 2007.8.18       2007-08-18  0.82 Win32.TrojDownloader.Delf.98816
迈克菲       5.1.00       5100             2007-08-17  0.74 -
MKS_VIR       2.01          2007.08.16       2007-08-16  2.02 -
NOD32       2.70.8       2469             2007-08-18  0.04 probably unknown NewHeur_PE virus
诺曼          5.91.04       5.90             2007-08-17  3.28 Sandbox: W32/Malware
熊猫卫士    9.00.00       2007.08.18       2007-08-18  5.47 Trj/Downloader.ICL
趋势          8.500-1001    4.657.00       2007-08-16  0.04 -
QuickHeal    9.00          2007.08.18       2007-08-18  2.78 TrojanDownloader.Delf.bms
瑞星          19.0          19.36.52.00    2007-08-18  2.44 Worm.Win32.Delf.ytn
SOPHOS       2.47.0       4.19             2007-08-18  2.85 Mal/SillyFDC-A
赛门铁克    1.3.0.24       20070817.009    2007-08-17  2.73 -
nProtect    2007-08-17.00 36336          2007-08-17  8.28 BehavesLike:Win32.ExplorerHijack
VBA32       3.12.2.2       20070818.0935    2007-08-18  0.67 Trojan-Downloader.Win32.Delf.bms
VirusBuster 4.3.19:9       9.098.4/11.0    2007-08-18  0.99 -

显示全部楼层 · 发表于 2007-8-18 22:34:20

Norman的SandBox报告：

Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.  Customer delight is our top priority at
Norman.  With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer
http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter
http://www.norman.com/Product/Sandbox-products/Reporter/

&#26700 : INFECTED with W32/Downloader (Signature: NO_VIRUS)

[ DetectionInfo ]
* Sandbox name: W32/Downloader
* Signature name: NO_VIRUS

[ General information ]
* **Locates window "NULL [class Shell_TrayWnd]" on desktop.
* Drops files in %WINSYS% folder.
* File length:       98816 bytes.
* MD5 hash: 14688f47dd8c1a26ce9217456a945b2c.

[ Changes to filesystem ]
* Creates file C:\windows\system32\install.exe.
* Creates file C:\WINDOWS\Autorun.inf.
* Creates file C:\WINDOWS\SYSTEM32\interneter.exe.

[ Changes to registry ]
* Modifies value "Start Page"="http://alalmn.3322.org" in key "HKCU\Software\Microsoft\Internet Explorer\Main".
* Creates value "system"="interneter.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Downloads file from http://www.popo321.cn/0/vip.exe as c:\windows\system32\install.exe.
* Connects to "www.popo321.cn" on port 80 (TCP).
* Opens URL: www.popo321.cn/0/vip.exe.

[ Security issues ]
* Starting downloaded file - potential security problem.

[ Process/window information ]
* Creates an event called .
* Modifies other process memory.
* Creates a remote thread.
* Will automatically restart after boot (I'll be back...).

[ Signature Scanning ]
* C:\windows\system32\install.exe (4096 bytes) : no signature detection.
* C:\WINDOWS\Autorun.inf (168 bytes) : no signature detection.

(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information source only.

************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************

显示全部楼层 · 发表于 2007-8-18 22:34:36

微点；
木马名称:Trojan-Downloader.Win32.Delf.gxn

程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\ARP.EXE
是木马程序!
已成功阻止其运行,是否要删除此文件?

显示全部楼层 · 发表于 2007-8-18 22:35:26

名字报的很清楚

显示全部楼层 · 发表于 2007-8-18 22:41:34

2007-08-18 22:39:07 AMON 文件 D:\病毒库\arp\arp.exe 未查明的 NewHeur_PE 病毒已隔离 - 已删除 B9DE82B9897244F\Administrator 程序新建文件时发生事件： C:\Program Files\WinRAR\WinRAR.exe. 文件已被移入隔离区。您可以关闭本窗口。

显示全部楼层 · 发表于 2007-8-18 22:48:35

瑞星病毒查杀结果报告

清除病毒种类列表：
病毒： Worm.Win32.Delf.ytn

MAC 地址：00:17:31:D9:E8:29

用户来源：局域网

软件版本：20.05.51

显示全部楼层 · 发表于 2007-8-18 23:07:37

检测到病毒: Trojan-Downloader.Win32.Delf.bms

Virus found while downloading Web content.

Address: bbs.kafan.cn

显示全部楼层 · 发表于 2007-8-18 23:40:14

C:\virus\arp.exe - probably infected with WIN.WORM.Virus

显示全部楼层 · 发表于 2007-8-19 04:16:13

显示全部楼层 · 发表于 2007-8-19 08:18:22

检测到病毒: Trojan-Downloader.Win32.Delf.bms

发现病毒,在下载网页内容时.

地址: bbs.kafan.cn

[病毒样本] [14688]不知是什么病毒，似乎是一个下载者……

本帖子中包含更多资源

本帖子中包含更多资源