QVM报 2 可疑

显示全部楼层 · 发表于 2012-4-26 12:00:39

Emsisoft Anti-Malware killed 1：

显示全部楼层 · 发表于 2012-4-26 12:41:10

humanlwj52 发表于 2012-4-26 10:15
To ESET.

AVG的全盘扫描是哪个按钮？

显示全部楼层 · 发表于 2012-4-26 12:50:09

刘洋雨佳发表于 2012-4-26 12:41
AVG的全盘扫描是哪个按钮？

主界面左侧的“立即扫描”就是了

显示全部楼层 · 发表于 2012-4-26 12:54:01

微点杀一只S0的,S1的通过注入wuauclt.exe的方式下载病毒过微点,已上报.

显示全部楼层 · 发表于 2012-4-26 13:40:45

显示全部楼层 · 发表于 2012-4-26 14:09:09

文件名称：HNSZS0.EXE
文件哈希：f2e1e52f9a344edc3a35430f4459d44a
文件大小：214567字节
创建时间：2012-04-26 13:57:49
文件类型：EXE
PEID信息：Nothing found [Overlay] *
危险行为监控
行为描述：远程注入其他进程
附加信息：
360sd.exe
QQ.exe
TXPlatform.exe
cmd.exe
conime.exe
ctfmon.exe
deamon.exe
explorer.exe
kxetray.exe
zegoib.exe
行为描述：运行后删除自身，警惕恶意软件！
附加信息：
无
行为描述：inline Hook 函数入口代码
附加信息：
kernel32.dll!GetFileAttributesExW
ntdll.dll!LdrLoadDll
ntdll.dll!NtCreateThread
user32.dll!BeginPaint
user32.dll!CallWindowProcA
user32.dll!CallWindowProcW
user32.dll!DefDlgProcA
user32.dll!DefDlgProcW
user32.dll!DefFrameProcA
user32.dll!DefFrameProcW
user32.dll!DefMDIChildProcA
user32.dll!DefMDIChildProcW
user32.dll!DefWindowProcA
user32.dll!DefWindowProcW
user32.dll!EndPaint
user32.dll!GetCapture
user32.dll!GetClipboardData
user32.dll!GetCursorPos
user32.dll!GetDC
user32.dll!GetDCEx
user32.dll!GetMessageA
user32.dll!GetMessagePos
user32.dll!GetMessageW
user32.dll!GetUpdateRect
user32.dll!GetUpdateRgn
user32.dll!GetWindowDC
user32.dll!OpenInputDesktop
user32.dll!PeekMessageA
user32.dll!PeekMessageW
user32.dll!RegisterClassA
user32.dll!RegisterClassExA
user32.dll!RegisterClassExW
user32.dll!RegisterClassW
user32.dll!ReleaseCapture
user32.dll!ReleaseDC
user32.dll!SetCapture
user32.dll!SetCursorPos
user32.dll!SwitchDesktop
user32.dll!TranslateMessage
wininet.dll!HttpQueryInfoA
wininet.dll!HttpSendRequestA
wininet.dll!HttpSendRequestExA
wininet.dll!HttpSendRequestExW
wininet.dll!HttpSendRequestW
wininet.dll!InternetCloseHandle
wininet.dll!InternetQueryDataAvailable
wininet.dll!InternetReadFile
wininet.dll!InternetReadFileExA
ws2_32.dll!WSASend
ws2_32.dll!closesocket
ws2_32.dll!send
行为描述：启动宿主进程，注入代码，修改EIP执行自己的代码，偷梁换柱，使用户认为是正常的进程
附加信息：
sample.v
zegoib.exe
行为描述：检测注入的进程是否为指定进程
附加信息：
%windir%\explorer.exe
%system%\ctfmon.exe
%system%\dwm.exe
%system%\rdpclip.exe
%system%\taskeng.exe
%system%\taskhost.exe
%system%\wscntfy.exe
行为描述：确认账户大盗木马，该木马源于国外，其专门盗取存取于本地的各种账户信息，包括ftp账户、远程桌...
附加信息：
无
其他行为监控
行为描述：检测是否存在指定注册表键
附加信息：
HKEY_CURRENT_USER\SOFTWARE\Far2\Plugins\ftp\hosts
HKEY_CURRENT_USER\SOFTWARE\Far\Plugins\ftp\hosts
HKEY_CURRENT_USER\SOFTWARE\Ghisler\Total Commander
HKEY_CURRENT_USER\SOFTWARE\ftpware\coreftp\sites
HKEY_CURRENT_USER\SOFTWARE\ipswitch\ws_ftp
HKEY_CURRENT_USER\SOFTWARE\martin prikryl\winscp 2\sessions
HKEY_CURRENT_USER\SOFTWARE\smartftp\client 2.0\settings\backup
HKEY_CURRENT_USER\SOFTWARE\smartftp\client 2.0\settings\general\favorites
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
HKEY_LOCAL_MACHINE\SOFTWARE\FlashFXP\3
HKEY_LOCAL_MACHINE\SOFTWARE\martin prikryl\winscp 2\sessions
行为描述：添加开机自启动项
附加信息：
[{4A1C1B23-B2EE-C2DF-06AA-17C9CC7C5CFD}] : "%APPDATA%\Otu\zegoib.exe"
行为描述：创建互斥体
附加信息：
"Global\{011C3030-99FD-89DF-06AA-17C9CC7C5CFD}"
"Global\{111C3094-9959-99DF-06AA-17C9CC7C5CFD}"
"Global\{212F76AD-DF60-A9EC-06AA-17C9CC7C5CFD}"
"Global\{3D6D3731-9EFC-B5AE-06AA-17C9CC7C5CFD}"
"Global\{4A105B83-F24E-C2D3-06AA-17C9CC7C5CFD}"
"Global\{53C3569B-FF56-DB00-071D-9641CDCBDD75}"
"Global\{53C3569B-FF56-DB00-0B19-9641C1CFDD75}"
"Global\{53C3569B-FF56-DB00-1F1B-9641D5CDDD75}"
"Global\{53C3569B-FF56-DB00-2F1A-9641E5CCDD75}"
"Global\{53C3569B-FF56-DB00-4B1C-964181CADD75}"
"Global\{53C3569B-FF56-DB00-4F1B-964185CDDD75}"
"Global\{53C3569B-FF56-DB00-4F1D-964185CBDD75}"
"Global\{53C3569B-FF56-DB00-531D-964199CBDD75}"
"Global\{53C3569B-FF56-DB00-571B-96419DCDDD75}"
"Global\{53C3569B-FF56-DB00-5F1A-964195CCDD75}"
"Global\{53C3569B-FF56-DB00-5F1F-964195C9DD75}"
"Global\{53C3569B-FF56-DB00-6318-9641A9CEDD75}"
"Global\{53C3569B-FF56-DB00-671D-9641ADCBDD75}"
"Global\{53C3569B-FF56-DB00-6B1E-9641A1C8DD75}"
"Global\{53C3569B-FF56-DB00-771E-9641BDC8DD75}"
"Global\{53C3569B-FF56-DB00-831B-964149CDDD75}"
"Global\{53C3569B-FF56-DB00-931A-964159CCDD75}"
"Global\{53C3569B-FF56-DB00-931F-964159C9DD75}"
"Global\{53C3569B-FF56-DB00-971B-96415DCDDD75}"
"Global\{53C3569B-FF56-DB00-B71C-96417DCADD75}"
"Global\{53C3569B-FF56-DB00-C31B-964109CDDD75}"
"Global\{53C3569B-FF56-DB00-C31F-964109C9DD75}"
"Global\{53C3569B-FF56-DB00-CF1A-964105CCDD75}"
"Global\{53C3569B-FF56-DB00-DF1D-964115CBDD75}"
"Global\{53C3569B-FF56-DB00-E319-964129CFDD75}"
"Global\{53C3569B-FF56-DB00-F31C-964139CADD75}"
"Global\{53C3569B-FF56-DB00-FB1C-964131CADD75}"
"Global\{53C3569B-FF56-DB00-FB1F-964131C9DD75}"
"Global\{53C3569B-FF56-DB00-FF1F-964135C9DD75}"
"Global\{606E1322-BAEF-E8AD-06AA-17C9CC7C5CFD}"
"Global\{613E37E4-9E29-E9FD-06AA-17C9CC7C5CFD}"
"Global\{6BCF3297-9B5A-E30C-06AA-17C9CC7C5CFD}"
"Local\{3F2D05C3-AC0E-B7EE-06AA-17C9CC7C5CFD}"
"Local\{480D3131-98FC-C0CE-06AA-17C9CC7C5CFD}"
"Local\{6D0DD781-7E4C-E5CE-06AA-17C9CC7C5CFD}"
行为描述：查找文件
附加信息：
"C:\*"
"%APPDATA%\*"
"%USERPROFILE%\Cookies\*"
"%USERPROFILE%\Cookies\Low\*"
"%AllUsersProfile%\Application Data\*"
"%ProgramFiles%\*"
"%windir%\*"
"%temp%\tmpda89e0fa.bat"
"C:\totalcmd\*"
"C:\totalcmd\LANGUAGE\*"
"%SampleStore%\sample.v"
行为描述：提升权限
附加信息：
"SeSecurityPrivilege"
行为描述：添加Windows防火墙例外，防止访问网络时被防火墙拦截
附加信息：
%windir%\explorer.exe >> %windir%\explorer.exe
文件操作监控
操作文件MD5 文件大小文件路径
释放后删除 f2e1e52f9a344edc3a35430f4459d44a 214567 %SampleStore%\sample.v
释放后删除 48d6fd64d40dfdb4a1ba78089c2e3d72 107 %temp%\tmpda89e0fa.bat
新增 db217b27980763f9d5c58537bec84d21 76500 %USERPROFILE%\Local Settings\Appli...
新增 d536202b3a6feb87dfddf7aa39296269 906 %APPDATA%\Omusw\miulpi.tmp
新增 24ee9227e30e5e250d5cf241dd3b1771 214567 %APPDATA%\Otu\zegoib.exe
新增 c9cde5ce7b61bca903a286cd8e507b6e 176562 %APPDATA%\Microsoft\Address Book\A...
新增 d6b6a9f040b2cd38e331b31b288711b6 142036 %USERPROFILE%\Local Settings\Appli...
新增 c78f0742eae95fcf92f7f1c6009d9341 9656 %USERPROFILE%\Local Settings\Appli...
新增 c9cde5ce7b61bca903a286cd8e507b6e 176562 %APPDATA%\Microsoft\Address Book\A...
新增 346334e4748601d2d55ec5bd138f7419 75204 %USERPROFILE%\Local Settings\Appli...
进程操作监控
创建进程：无
启动参数：%SampleStore%\sample.v
创建进程：无
启动参数："%APPDATA%\Otu\zegoib.exe"
创建进程：无
启动参数："%system%\cmd.exe" /c "%temp%\tmpda89e0fa.bat"
创建进程：无
启动参数：%APPDATA%\Otu\zegoib.exe

显示全部楼层 · 发表于 2012-4-26 14:15:23

郑伟用户发表于 2012-4-26 14:09
文件名称：HNSZS0.EXE
文件哈希：f2e1e52f9a344edc3a35430f4459d44a
文件大小：214567字节

这是火眼的报告吗？

显示全部楼层 · 发表于 2012-4-26 16:27:47

Dear Depp,

Thank you for your submission.
The detection for this threat will be included in our next signature update.

HNSZS0.EXE - Win32/Injector.QQG trojan
HNSZS1.EXE - Win32/Injector.QQG trojan

Regards,

ESET Malware Response Team

显示全部楼层 · 发表于 2012-4-26 18:17:59

木马的说，微点KILL

显示全部楼层 · 发表于 2012-4-26 21:33:38

humanlwj52 发表于 2012-4-26 16:27
Dear Depp,

Thank you for your submission.

.....IDP好像拦截失败了点了一个然后隔离再过了一会电脑重启了没来的及上图

[可疑文件] QVM报 2 可疑

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

RE: QVM报 2 可疑