Hi sob2007
It is a Sinit P2P Trojan; suchost.exe is part of Trojan.Treb.
This malware gets a foothold on a system, then downloads additional components from hidden websites or FTP servers. This allows the trojan controller additional flexibility in being able to update the functionality of the trojan system from one location; your computer will be controlled by the invader at that time.
If this malware was detected, it is usually shut down in short order. Later variants of the malware attempted to solve this problem by establishing encrypted communication with an intermediary layer of xx hosts that would point it to the real download site (xx = the number will be defined by the writer). Indeed, the malware planted on your computer is a variant of Trojan.Treb.
The malware has a communication protocol based on six types of packets, each one prefixed with a byte of value 1-6 and with a maximum size of 512 bytes.
It listens on UDP port 53 and on a high-numbered random UDP port. Either port will respond to the protocol packets:
0x01 - Discovery
0x02 - Status
0x03 - File Transfer
0x04 - File Request
0x05 - Discovery Response
0x06 - EOF
This malware also provides additional functionality: there is a 412-byte header added to each executable or DLL file. This header contains the timestamp of the file, which is converted to a system filename using an alphabetic substitution cipher and stored in the Windows system directory as a .TMP file. The header also contains two digital signatures, one for the embedded executable code and another for the header itself. The header signature is checked when the first 0x03 packet is sent, and the file signature is checked when the transfer is complete. If the first check fails, the transfer will be aborted. If the second check fails, the file will be deleted from memory before being copied to the filesystem. If these two checks are passed successfully, the embedded file is copied to the filesystem. If the file is executable, it is launched as a separate process; otherwise it is loaded into the memory space of Sinit and the "Init" function of the .DLL is called.
From then on, Sinit listens on TCP port 53 and acts as a webserver in a limited way, also under the invader's control.
As far as I know, there are many variants of Sinit P2P. You can disable your network, then try using the task manager to kill the malware's process, then remove the malware files from your Windows system directory and remove the registry key associated with the executable. If that fails, please send a sample to a computer security company; they will help you solve this problem.
[ This post was last edited by david_sg on 2007-8-27 09:39 ]
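As an added example (not the poster's code and not taken from the malware), a small Python triage helper that applies the packet framing described in the post (first byte 1-6, at most 512 bytes) to UDP datagrams seen towards port 53 and reports which sources show a File Transfer followed by an EOF. The sample datagrams are constructed, and looking only at port 53 is an assumption of this example.

```python
from typing import Iterable, Optional

# Packet type byte -> name, per the six-type framing described in the post.
SINIT_TYPES = {
    0x01: "Discovery",
    0x02: "Status",
    0x03: "File Transfer",
    0x04: "File Request",
    0x05: "Discovery Response",
    0x06: "EOF",
}
MAX_PACKET = 512  # stated maximum packet size


def classify(payload: bytes) -> Optional[str]:
    """Return the Sinit packet type name, or None if the datagram does not fit
    the framing (empty, over 512 bytes, or first byte outside 1-6)."""
    if not payload or len(payload) > MAX_PACKET:
        return None
    return SINIT_TYPES.get(payload[0])


def triage(datagrams: Iterable[tuple]) -> dict:
    """datagrams: (src_ip, dst_port, payload) tuples, e.g. pulled from a pcap.
    Assumption: only UDP/53 is inspected, the fixed port the post names.
    Returns {src_ip: {"types": set of names, "transfer": bool}}; transfer is
    True once a source has sent both File Transfer (0x03) and EOF (0x06).
    A DNS transaction ID may also begin with 0x01-0x06, so a lone Discovery or
    Status hit is only a candidate; the transfer pair is the stronger signal."""
    seen: dict = {}
    for src, dst_port, payload in datagrams:
        if dst_port != 53:
            continue
        name = classify(payload)
        if name is None:
            continue
        entry = seen.setdefault(src, {"types": set(), "transfer": False})
        entry["types"].add(name)
        entry["transfer"] = {"File Transfer", "EOF"} <= entry["types"]
    return seen


# Constructed sample datagrams (not real captures).
SAMPLE = [
    ("10.0.0.5", 53, b"\x01" + b"\x00" * 15),          # Discovery
    ("10.0.0.5", 53, b"\x03" + b"A" * 400),            # File Transfer chunk
    ("10.0.0.5", 53, b"\x06"),                         # EOF
    ("10.0.0.9", 53, b"\x12\x34\x01\x00" + b"\x00" * 20),  # DNS-like, 0x12 -> ignored
    ("10.0.0.9", 41234, b"\x02" + b"\x00" * 600),      # over 512 bytes -> not Sinit framing
]

if __name__ == "__main__":
    for src, info in triage(SAMPLE).items():
        print(src, sorted(info["types"]), "transfer" if info["transfer"] else "candidate")
```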