f42951

wangjay1980

1

tracydk

miss

FBAV

为PC护航风暴微塔
_____________________________________________
                                          
             风暴微塔反间谋
[强力查杀各种Win32位的病毒,木马,蠕虫,恶意软件]              
                            [内测版]      
                   http://www.v0day.com/  
----------------------------------------------
开始扫描……

[C:\Documents and Settings\Administrator\桌面\virus\qq.rar]
                    …………特征码引擎[1]发现病毒
OK  扫描完毕！

The EQs

Scan performed at: 2007-8-22 9:56:08
Scanning Log
NOD32 version 2474 (20070822) NT
Command line: C:\Documents and Settings\Don johnson\桌面\qq.rar
Operating memory - is OK

Date: 22.8.2007  Time: 09:56:12
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\Don johnson\桌面\qq.rar
C:\Documents and Settings\Don johnson\桌面\qq.rar ?RAR ?qq.exe - a variant of Win32/AutoRun.Q worm
Number of scanned files: 2
Number of threats found: 1
Number of files cleaned: 1
Time of completion: 09:56:13 Total scanning time: 1 sec (00:00:01)

残缺的唯美

--> qq.exe
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [INFO]      A backup was created as '46f9a0b9.qua'  ( QUARANTINE )
      [INFO]      The file was deleted!

Nblock

程序:
E:\SOFT_KILLER\QQ\QQ.EXE
由
E:\AUTORUN.INF
自启动运行!
并生成以下文件:
1) E:\AUTORUN.EXE
2) E:\AUTORUN.INF
以及可由此INF文件引导自启的文件:
E:\AUTORUN.EXE

是否删除木马程序及其衍生物?

[ 本帖最后由 Nblock 于 2007-8-22 10:36 编辑 ]

碧水寒潭

Starting the file scan:

Begin scan in 'H:\AV-TEST'
H:\AV-TEST\qq.rar
  [0] Archive type: RAR
  --> qq.exe
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [INFO]      The file was deleted!

woai_jolin

qq.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)


[ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS

[ General information ]
    * Decompressing UPX.
    * **Locates window
"vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv [class xxx]" on desktop.
    * Accesses executable file from resource section.
    * **Locates window "zyr8jgjjk9bjko [class NULL]" on desktop.
    * **Locates window "zkxgoxjtrj8jok [class NULL]" on desktop.
    * File length:        33393 bytes.
    * MD5 hash: f4295159b5a49aa049f6caccee09aa0b.

[ Changes to filesystem ]
    * Deletes file E:\AutoRun.exe.
    * Deletes file C:\Program Files\Internet
Explorer\PLUGINS\SysWin64.Jmp.
    * Creates file C:\Program Files\Internet
Explorer\PLUGINS\SysWin64.Jmp.
    * Deletes file C:\Program Files\Internet
Explorer\PLUGINS\WinSys64.Sys.
    * Creates file C:\Program Files\Internet
Explorer\PLUGINS\WinSys64.Sys.

[ Changes to registry ]
    * Creates value "{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}"="" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks".
    * Creates key "HKCR\CLSID\{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}".
    * Sets value ""="" in key
"HKCR\CLSID\{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}".
    * Creates key
"HKCR\CLSID\{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}\InProcServer32".
    * Sets value ""="C:\Program Files\Internet
Explorer\PLUGINS\WinSys64.Sys" in key
"HKCR\CLSID\{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}\InProcServer32".
    * Sets value "ThreadingModel"="Apartment" in key
"HKCR\CLSID\{5D83AD9C-3BFC-43F5-979D-2904DBC54A8E}\InProcServer32".

[ Network ]
    * Hooks into Shell explorer.



(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information
source only.


************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************

沸沸

将upx解开后，卡巴还是没发现……不敢测主动防御

eubyo

qq.exe

AhnLab-V3    2007.8.22.0    2007.08.21    Win-Trojan/QQPass.Gen
AntiVir    7.4.1.63    2007.08.21    DR/Delphi.Gen
BitDefender    7.2    2007.08.22    Generic.PWStealer.5013F998
ClamAV    0.91    2007.08.22    Trojan.Delf-1462
eSafe    7.0.15.0    2007.08.20    suspicious Trojan/Worm
eTrust-Vet    31.1.5079    2007.08.22    Win32/QQPass!generic
F-Secure    6.70.13030.0    2007.08.22    W32/Malware
Ikarus    T3.1.1.12    2007.08.22    Trojan-Proxy.Win32.Delf.AN
McAfee    5102    2007.08.21    PWS-QQGame
Microsoft    1.2803    2007.08.22    PWS:Win32/Agent.AC
NOD32v2    2474    2007.08.22    a variant of Win32/AutoRun.Q
Norman    5.80.02    2007.08.21    W32/Malware
Panda    9.0.0.4    2007.08.21    Suspicious file
Sophos    4.20.0    2007.08.22    Mal/Dropper-H
Symantec    10    2007.08.22    Infostealer.Gampass
VBA32    3.12.2.2    2007.08.21    MalwareScope.Trojan-PSW.Game.7
Webwasher-Gateway    6.0.1    2007.08.22    Trojan.Delphi.Gen