网购木马（三 二）

LockeHIPS

郑伟用户 发表于 2012-4-17 11:43
呵呵，不带给你玩了-------等待一会你上360拦截截图【但愿不是嘴上能拦截】，金山拦截现在无需更新什么规 ...

360早就不需要更新规则了，金山现在才做到这点啊，升级所有用户没啊，怎么好多金山用户还是需要本地规则啊

我不是早就跟你说过了？云端交互只是为了直接报毒，效果更佳而已～

蝉鸣时

To ESET.

留侯

大蜘蛛Clean，文件加了壳：
pd.dll packed by BINARYRES
已上报！

yhjtj

2012/4/17 12:24:44,C:\Windows\explorer.exe,53,Allowed ;Execution of an application (C:\Users\xxxx\Desktop\样本\32\LangHua.exe)
2012/4/17 12:24:59,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,ExpressPrint)
2012/4/17 12:25:11,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1b55460a-c650-4bb7-ad7a-63a629dc7d3a},LastModified)
2012/4/17 12:25:11,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1b55460a-c650-4bb7-ad7a-63a629dc7d3a},Description)
2012/4/17 12:25:12,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1b55460a-c650-4bb7-ad7a-63a629dc7d3a},ItemData)
2012/4/17 12:25:13,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1b55460a-c650-4bb7-ad7a-63a629dc7d3a},SaferFlags)
2012/4/17 12:25:14,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4314e86b-b31e-4da7-96d7-1cd29b762e9d},LastModified)
2012/4/17 12:25:14,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4314e86b-b31e-4da7-96d7-1cd29b762e9d},Description)
2012/4/17 12:25:15,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4314e86b-b31e-4da7-96d7-1cd29b762e9d},ItemData)
2012/4/17 12:25:15,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4314e86b-b31e-4da7-96d7-1cd29b762e9d},SaferFlags)
2012/4/17 12:25:16,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ae7f3361-2633-4b6b-839c-276bb5038de3},LastModified)
2012/4/17 12:25:17,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ae7f3361-2633-4b6b-839c-276bb5038de3},Description)
2012/4/17 12:25:17,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ae7f3361-2633-4b6b-839c-276bb5038de3},ItemData)
2012/4/17 12:25:18,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ae7f3361-2633-4b6b-839c-276bb5038de3},SaferFlags)
2012/4/17 12:25:19,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b0826656-dcb6-494f-884c-f0134a30d9ac},LastModified)
2012/4/17 12:25:19,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b0826656-dcb6-494f-884c-f0134a30d9ac},Description)
2012/4/17 12:25:20,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b0826656-dcb6-494f-884c-f0134a30d9ac},ItemData)
2012/4/17 12:25:20,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b0826656-dcb6-494f-884c-f0134a30d9ac},SaferFlags)
2012/4/17 12:25:21,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d7df96ae-4176-4f8b-a5ae-12da83f4ded3},LastModified)
2012/4/17 12:25:22,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d7df96ae-4176-4f8b-a5ae-12da83f4ded3},Description)
2012/4/17 12:25:22,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d7df96ae-4176-4f8b-a5ae-12da83f4ded3},ItemData)
2012/4/17 12:25:23,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d7df96ae-4176-4f8b-a5ae-12da83f4ded3},SaferFlags)
2012/4/17 12:25:26,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers,TransparentEnabled)
2012/4/17 12:25:29,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,53,Allowed ;Execution of an application (C:\Windows\System32\calc.exe)
2012/4/17 12:25:31,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Blocked ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:32,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Blocked ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:33,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Blocked ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:40,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Allowed ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:41,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Allowed ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:43,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Allowed ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:44,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Allowed ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:45,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Allowed ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:46,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Allowed ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:47,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Allowed ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:48,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Allowed ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:49,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,29,Allowed ;访问其它进程内存 (calc.exe(pid=4728))
2012/4/17 12:25:52,C:\Users\xxxx\Desktop\样本\32\LangHua.exe,36,Allowed ;注入DLL (calc.exe(pid=4728))
2012/4/17 12:25:55,C:\Windows\System32\calc.exe,50,Allowed ;Accessing the network via DNSResolver service
2012/4/17 12:25:56,C:\Program Files\alipay\alieditplus\AliUpdater.exe,50,Allowed ;Accessing the network via DNSResolver service
2012/4/17 12:26:01,C:\Windows\System32\calc.exe,48,Allowed ;Outgoing network access
2012/4/17 12:26:01,C:\Program Files\alipay\alieditplus\AliUpdater.exe,48,Allowed ;Outgoing network access
2012/4/17 12:26:10,C:\Windows\System32\calc.exe,40,Blocked ;打开其它进程并获取修改权限 (sogouexplorer.exe(pid=5788))
2012/4/17 12:26:20,C:\Windows\System32\calc.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1b55460a-c650-4bb7-ad7a-63a629dc7d3a},LastModified)
2012/4/17 12:26:22,C:\Windows\System32\calc.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1b55460a-c650-4bb7-ad7a-63a629dc7d3a},Description)
2012/4/17 12:26:27,C:\Windows\System32\calc.exe,26,Blocked ;改变关键注册表项目 (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,IMJPMIG0)
2012/4/17 12:26:33,C:\Windows\System32\calc.exe,51,Blocked ;Inter-process communication (Explorer.OLE-1704)

追影子的十三

过AVG，支持网购木马更新，不知能否破百

guidanba

daixiaoran 发表于 2012-4-17 12:47
过AVG，支持网购木马更新，不知能否破百

我自己也期待。

iyinyt

NOD 32拦截

iyinyt

二连了，编辑下

绅博周幸

guidanba 发表于 2012-4-17 11:29
我发帖子就确定它是木马。http://bbs.kafan.cn/thread-1267536-1-1.html

STOP! Bitdefender blocked this web page.





The page you are trying to access contains malware.


Details:
Web Page: http://bbs.kafan.cn/forum.php?mo ... ;aid=MTYwODA4N3w...
Detected viruses: Trojan.PWS.QQPass.NIQ



Access from your browser has been blocked.

Take me back to safety

^P_~~ヤ绹気

瑞星2010木马防御报了   爱瑞星越做越差了