一下载者与产物1CC399 BAABAA 51C645

显示全部楼层 · 发表于 2007-8-30 21:59:25

m1:

1314D4CF PUSH m1.1314D53C ASCII "C:\windows\winint.sys"
1314D4D4 PUSH m1.1314D554 ASCII "http://www.tesekl.info/winsys.exe"
1314D4EE PUSH m1.1314D578 ASCII "C:\windows\winsys.inf"
1314D4F3 PUSH m1.1314D590 ASCII "http://www.tesekl.info/winsys.inf"
1314D50D PUSH m1.1314D5B4 ASCII "C:\windows\winint.exe"
1314D512 PUSH m1.1314D5CC ASCII "http://www.tesekl.info/winint.exe"
1314D524 PUSH m1.1314D5B4 ASCII "C:\windows\winint.exe"

复制代码

[ 本帖最后由 promised 于 2007-8-30 22:00 编辑 ]

显示全部楼层 · 发表于 2007-8-30 22:00:26

2007-8-30 22:00:25 Scanning Log
2007-8-30 22:00:25 Version of virus signature database: 2492 (20070830)
2007-8-30 22:00:25 Date: 30.8.2007 Time: 22:00:25
2007-8-30 22:00:25 Scanned disks, folders and files: F:\v\ABC.zip;F:\v\m1.rar
2007-8-30 22:00:27 F:\v\ABC.zip » ZIP » winint.exe - probably a variant of Win32/TrojanDropper.Small trojan
2007-8-30 22:00:27 F:\v\ABC.zip » ZIP » winsys.exe - is OK
2007-8-30 22:00:27 F:\v\m1.rar » RAR » m1.exe - Win32/TrojanDownloader.Delf.NUM trojan
2007-8-30 22:00:27 Number of scanned files: 5
2007-8-30 22:00:27 Number of threats found: 2
2007-8-30 22:00:27 Time of completion: 22:00:27 Total scanning time: 2 sec (00:00:02)

显示全部楼层 · 发表于 2007-8-30 22:04:36

Ikarus:
30:08:2007 22:02:44 SEARCHTASK "USER_DEFINED" started...
scan item: C:\Documents and Settings\zhenjia\桌面\m1.rar
File scanned: C:\Documents and Settings\zhenjia\桌面\m1.rar - SIGNATURE FOUND "BehavesLikeWin32.ExplorerHijack"
30:08:2007 22:02:45 SEARCHTASK "USER_DEFINED" FINISHED...
----------------------------------------------------
Directories scanned: 0
Files scanned: 1
Virus found: 1
----------------------------------------------------
30:08:2007 22:04:17 SEARCHTASK "USER_DEFINED" started...
scan item: C:\Documents and Settings\zhenjia\桌面\ABC
File scanned: C:\Documents and Settings\zhenjia\桌面\ABC\winint.exe - SIGNATURE FOUND "Trojan-Dropper.Win32.Small.axj"
File scanned: C:\Documents and Settings\zhenjia\桌面\ABC\winsys.exe - SIGNATURE FOUND "Win32.SuspectCrc"
30:08:2007 22:04:18 SEARCHTASK "USER_DEFINED" FINISHED...
----------------------------------------------------
Directories scanned: 1
Files scanned: 2
Virus found: 2
----------------------------------------------------

显示全部楼层 · 发表于 2007-8-30 22:05:55

Result: 1 malware found
Trojan-Downloader.Win32.Delf.bki (virus)
C:\Documents and Settings\ssy\×ÀÃæ\m1.rar\m1.exe

显示全部楼层 · 发表于 2007-8-30 22:09:19

Virus or unwanted program 'TR/Delphi.Downloader.Gen

Virus or unwanted program 'TR/Drop.Small.axj.1 [TR/Drop.Small.axj.1]'

显示全部楼层 · 发表于 2007-8-30 22:38:01

A-Squared 3.0.0.123 2007.08.29 2007-08-29 - 4.138
AntiVir 7.4.1.66 6.39.1.65 2007-08-30 - 2.338
Arcavir 1.0.4 200708291740 2007-08-29 - 1.224
Avast 1.0.8 000769-2 2007-08-29 - 3.074
AVG 7.5.48.442 269.12.10/976 2007-08-27 - 1.455
BitDefender 7.60825.815208 7.14561 2007-08-30 - 2.996
CA (VET) 8.4.0.24 31.1.5095 2007-08-30 - 0.815
ClamAV 0.91.1 4108 2007-08-30 - 0.024
Dr.Web 4.33 2007.08.30 2007-08-30 - 5.782
Ewido 4.0.0.2 2007.08.30 2007-08-30 - 2.090
F-Prot 3.16.16 2007.08.29 2007-08-29 - 0.425
F-Secure 5.51.6100 2007.08.30.03 2007-08-30 - 2.503
Ikarus T3.1.1.12 2007.08.30.69419 2007-08-30 Win32.SuspectCrc 1.236
JiangMin 10.00.650 2007.08.30 2007-08-30 - 0.722
Kaspersky 5.5.10 2007.08.30 2007-08-30 - 0.030
KingSoft 2007.6.20.249 2007.8.30 2007-08-30 - 0.823
McAfee 5.1.00 5108 2007-08-29 - 0.727
mks_vir 2.01 2007.08.30 2007-08-30 - 2.048
NOD32 2.70.8 2492 2007-08-30 - 0.009
Norman 5.91.05 5.90 2007-08-30 - 3.070
nProtect 2007-08-28.00 37774 2007-08-28 - 6.870
Panda 9.04.03.0001 2007.08.29 2007-08-29 - 3.076
Quick Heal 9.00 2007.08.30 2007-08-30 - 2.190
Rising 19.0 19.38.30.00 2007-08-29 - 1.391
Sophos 2.49.1 4.21 2007-08-30 - 2.323
Symantec 1.3.0.24 20070829.009 2007-08-29 - 0.256
Trend Micro 8.500-1001 4.679.00 2007-08-29 - 0.039
VBA32 3.12.2.3 20070830.0607 2007-08-30 - 0.694
VirusBuster 4.3.19:9 9.099.11/11.0 2007-08-30 - 0.942

显示全部楼层 · 发表于 2007-8-30 23:22:47

微点：
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\M1.EXE
木马程序生成以下文件:
1) C:\PROGRAM FILES\COMMON FILES\SYSTEM\WMIDS.EXE
是否删除木马程序及其衍生物?
木马名称:Trojan-Dropper.Win32.Small.app

程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\WININT.EXE
是木马程序!
已成功阻止其运行,是否要删除此文件?

winsys.exe无法运行

显示全部楼层 · 发表于 2007-8-30 23:23:16

winsys其实是个sys

代码里后段写着的
我没贴

显示全部楼层 · 发表于 2007-8-30 23:49:49

已删除: 木马程序 Trojan-Downloader.Win32.Delf.bki 文件: E:\test\m1.rar/m1.exe
已删除: 木马程序 Trojan-Dropper.Win32.Small.axj 文件: E:\test\ABC.zip/winint.exe

显示全部楼层 · 发表于 2007-8-31 07:29:39

江民杀毒软件报告文件

北京江民新科技术有限公司

扫描引擎 11.00.700
病毒库日期 2007-08-30
更新日期 2007-08-31

扫描目标 C:\Documents and Settings\Administrator\桌面\m1.rar

扫描目标 C:\Documents and Settings\Administrator\桌面\ABC.zip

开始时间 2007-08-31 07:29:01

在 C:\Documents and Settings\Administrator\桌面\ABC.zip->winint.exe 中发现 Trojan/Agent.ivp 病毒, 已删除
正常结束。

扫描结果:
               文件数 :453                               病毒体 :1
               删除 :1                                  解毒 :0
扫描速度(千字节/秒) :13348                            扫描时间 :00:00:09
扫描文件速度(个/秒) :50

[病毒样本] 一下载者与产物1CC399 BAABAA 51C645

本帖子中包含更多资源

winsys

回复 #7 微点卫士的帖子

[病毒样本] 一下载者与产物1CC399 BAABAA 51C645

本帖子中包含更多资源

winsys

回复 #7 微点卫士 的帖子

回复 #7 微点卫士的帖子