6.exe

显示全部楼层 · 发表于 2012-2-28 16:18:50

运行后FS杀衍生物管家KILL

显示全部楼层 · 发表于 2012-2-28 16:24:40

网站被阻止！
G Data 互联网安全套装 2012已阻止访问此网站。
该站点包含被感染的代码：JS:ADODB-CA [Expl] (引擎B)。

显示全部楼层 · 发表于 2012-2-28 16:28:15

NIS2012下载分析

完整路径: c:\users\sshss\downloads\6\6.exe
威胁: WS.Reputation.1
____________________________
____________________________
在电脑上的创建时间不可用
上次使用时间 2012/2/28 ( 16:27:45 )
启动项目否
已启动否
____________________________
____________________________
未知
诺顿社区中使用此文件的用户数量: 未知
____________________________
未知
此文件版本当前未知。
____________________________
中
此文件具有中等程度风险。
____________________________
威胁详细信息
威胁类型: 智能网络威胁。很多迹象表明此文件不可信任，不安全
____________________________
http://bbs.kafan.cn/forum.php?mo ... DQ4OTAzN3wxMjMxNjMx 已下载文件6.exe
威胁名称:
WS.Reputation.1自
bbs.kafan.cn
____________________________
文件操作
文件: c:\users\sshss\downloads\6\6.exe
已删除
____________________________
文件指纹 - SHA:
3d0bc3ab7146613e3d18c71a0004acdba196fe3a6e3462ed4ff58a8d98983492
____________________________
文件指纹 - MD5:
698c2e533fbbc56436998b5ee9648b86
____________________________

显示全部楼层 · 发表于 2012-2-28 23:45:58

Write to file [C:\Documents and Settings\Administrator\桌面\6.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\Hackeyes_Microsoftde_Server.Bat]

Write to file [C:\Documents and Settings\Administrator\桌面\6.exe -> \\.\PIPE\wkssvc]

Write to file [C:\Documents and Settings\Administrator\桌面\6.exe -> \\.\PIPE\lsarpc]

Write to file [C:\Documents and Settings\Administrator\桌面\6.exe -> \\.\PIPE\lsarpc]

Adjust Privileges [C:\Documents and Settings\Administrator\桌面\6.exe  ]

Adjust Privileges [C:\Documents and Settings\Administrator\桌面\6.exe  ]

Execute [C:\Documents and Settings\Administrator\桌面\6.exe (628) ->  (584)]
Command-line: "C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\Hackeyes_Microsoftde_Server.Bat"
The window of the new process is invisible. (Suspicious)

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Write to file [C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS.vbs]

Execute [C:\WINDOWS\system32\cmd.exe (584) -> C:\WINDOWS\system32\reg.exe (120)]
Command-line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /ve /d "C:\WINDOWS.vbs" /f

Execute [C:\WINDOWS\system32\cmd.exe (584) -> C:\WINDOWS.vbs (0)]
Command-line: C:\WINDOWS.vbs

Process C:\WINDOWS\system32\cmd.exe has terminated.

显示全部楼层 · 发表于 2012-2-29 07:13:24

File 6_exe declared INFECTED

[病毒样本] 6.exe