在360区看到的，貌似很猛的病毒

ppy0606

能过MD，那是没规则吧··

HIPS靠的是规则

英九

下载分析也杀了 完整路径: c:\documents and settings\administrator\桌面\文档\virus\xh.exe
威胁: WS.Reputation.1
____________________________
____________________________
在电脑上的创建时间 不可用
上次使用时间 2012-3-2 ( 23:21:00 )
启动项目 否
已启动 否
____________________________
____________________________
未知
诺顿社区中使用此文件的用户数量: 未知
____________________________
未知
此文件版本当前未知。
____________________________
中
此文件具有中等程度风险。
____________________________
威胁详细信息
威胁类型: 智能网络威胁。 很多迹象表明此文件不可信任，不安全
____________________________
http://183.60.157.66/down_group2 ... 6td&file=xh.rar 已下载文件xh.exe
威胁名称:
WS.Reputation.1自
183.60.157.66
____________________________
文件操作
文件: c:\documents and settings\administrator\桌面\文档\virus\xh.exe
已删除
____________________________
文件指纹 - SHA:
318354be718f69ce1017f038cdd50b8592a2621edd9fe4acc751ec894bfdda24
____________________________
文件指纹 - MD5:
8457a17856a611b010a553bd0e0f945a
____________________________

倾枫锝渔♂

tomochan 发表于 2012-3-2 22:41
双击后直接隔离...
然后取消隔离，从不信任文件中移除，再次双击弹出警告，【提示会无限制要求访问计算机】 ...

你在虚拟机里的话 直接把沙盘关了嘛~

Nocria

tomochan 发表于 2012-3-2 22:41
双击后直接隔离...
然后取消隔离，从不信任文件中移除，再次双击弹出警告，【提示会无限制要求访问计算机】 ...

AVG应该也有签名校验机制的，可是不知道为什么没有报警

h8888

谁最先。。。谁的XY最大。

h8888

对DW来说，小菜一碟。


DefenseWall log file

03.03.2012  00:38:22, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 1:Process is running untrusted now (进程)

03.03.2012  00:38:22, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cache within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:38:22, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Directory within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\ (注册表)

03.03.2012  00:38:22, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cookies within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:38:22, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value History within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:38:22, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 1:Process is running untrusted now (进程)

03.03.2012  00:38:22, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:38:22, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:38:22, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 8:Attempt to open protected file C:\Documents and Settings\china\Cookies\index.dat (资源隔离)

03.03.2012  00:38:23, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cache within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:38:23, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Directory within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\ (注册表)

03.03.2012  00:38:23, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cookies within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:38:23, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value History within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:38:23, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:38:23, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:38:23, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 8:Attempt to open protected file C:\Documents and Settings\china\Cookies\index.dat (资源隔离)

03.03.2012  00:38:20, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cache within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:38:20, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Directory within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\ (注册表)

03.03.2012  00:38:20, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cookies within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:38:20, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value History within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:38:20, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:38:20, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:38:20, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 8:Attempt to open protected file C:\Documents and Settings\china\Cookies\index.dat (资源隔离)

03.03.2012  00:38:19, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 1:Process is running untrusted now (进程)

03.03.2012  00:37:56, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cache within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:37:56, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Directory within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\ (注册表)

03.03.2012  00:37:56, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cookies within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:37:56, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value History within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:37:56, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:37:56, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:37:56, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 8:Attempt to open protected file C:\Documents and Settings\china\Cookies\index.dat (资源隔离)

03.03.2012  00:37:56, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 1:Process is running untrusted now (进程)

03.03.2012  00:37:07, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Directory within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\ (注册表)

03.03.2012  00:37:07, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cookies within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:37:07, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value History within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

03.03.2012  00:37:07, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:37:07, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 10:Attempt to open protected file C:\Documents and Settings\china\Cookies\ (资源隔离)

03.03.2012  00:37:07, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, 8:Attempt to open protected file C:\Documents and Settings\china\Cookies\index.dat (资源隔离)

03.03.2012  00:37:07, 模块 C:\Documents and Settings\*\桌面\xh\xh.exe, Attempt to set value Cache within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

liulangzhecgr

h8888 发表于 2012-3-3 00:49
对DW来说，小菜一碟。

dw厉害 可md。。。 样本一闪而过，没有留下踪迹 ！

jayavira

确实是反沙盘啊
无法测试TF

ywsuda

wjcharles 发表于 2012-3-2 22:42
NIS2012 下载分析杀，绕过下载分析，双击sonar杀

下载分析：

为啥下载分析是中风险，sonar是高风险？

木桃恋夏

  数字报