0c01d3，幼稚的U盘病毒！

显示全部楼层 · 发表于 2007-9-15 11:40:00

朋友U盘上的，装成记事本，名字挺诱人的^_^

显示全部楼层 · 发表于 2007-9-15 11:43:38

Access to the data has been denied!
Warning: A virus or unwanted program has been found in the HTTP Data.

Requested URL: bbs.kafan.cn/attachment.php?aid=127845
Information: Is the Trojan horse TR/Delphi.Downloader.Gen

--------------------------------------------------------------------------------
Generated by AntiVir WebGuard 7.01.00.11, AVE 7.6.0.10, VDF 6.39.1.134

显示全部楼层 · 发表于 2007-9-15 11:49:37

C:\ABC\少女日记.rar:\少女日记.exe - 特征码 'Trojan-PWS.Win32.QQPass.uu' 被发现
C:\ABC\少女日记.rar

显示全部楼层 · 发表于 2007-9-15 11:51:08

detected: Trojan program Trojan-PSW.Win32.QQPass.uj URL: http://bbs.kafan.cn/attachment.php?aid=127845//ÉÙÅ®ÈÕ¼Ç.exe//FSG

显示全部楼层 · 发表于 2007-9-15 11:54:29

小A拦截

显示全部楼层 · 发表于 2007-9-15 11:58:05

Uhthn Anti-Spyware V3 Alpha
Version - 3.0.0
Paranoia Database - 4945
Heuristics Analysis - Excessive
Scan in - C:\Documents and Settings\uhthn\Desktop\少女日.exe

C:\Documents and Settings\uhthn\Desktop\少女日.exe - Suspicious of Trojan.Autorun.1

1 Files scanned
0 Infected files found
1 Suspicious files found
0 Files cured
0 Files deleted

显示全部楼层 · 发表于 2007-9-15 12:06:31

卡巴 7.0.0.125 最新病毒库报
老病毒库扫描过，运行了一下，主动防御报，但恢复失败。立即扫描后发现：
已隔离: 病毒 Heur.Invader (变种)       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1a8.27AF180A01C7F746.history\00000011.bak/Myshell.exe//UPack
已删除: 病毒 Virus.Win32.AutoRun.mg       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1a8.27AF180A01C7F746.history\00000019.bak/D597CB0D.EXE//ASPack
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1a8.27AF180A01C7F746.history\0000001e.bak/少女日记.exe//FSG
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\790.4AB3BE5001C7F74B.history\00000000.bak//FSG
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\790.4AB3BE5001C7F74B.history\00000001.bak//FSG
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\790.4AB3BE5001C7F74B.history\00000002.bak//FSG
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\d30.4AC6D12001C7F74B.history\00000000.bak//FSG
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\d30.4AC6D12001C7F74B.history\00000001.bak//FSG
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\d30.4AC6D12001C7F74B.history\00000002.bak//FSG
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\fc0.4CE8CBA201C7F74B.history\00000000.bak//FSG
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\fc0.4CE8CBA201C7F74B.history\00000001.bak//FSG
已删除: 木马程序 Trojan-PSW.Win32.QQPass.uj       文件: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\fc0.4CE8CBA201C7F74B.history\00000002.bak//FSG

更新主动防御模块后怎么成这样了？

显示全部楼层 · 发表于 2007-9-15 12:19:59

Scan performed at: 2007-9-15 12:19:26
Scanning Log
NOD32 version 2531 (20070915) NT
Command line: D:\Documents and Settings\EKINCHENG\桌面\少女日记.rar

Date: 15.9.2007 Time: 12:19:28
Anti-Stealth technology is enabled.
Scanned disks, folders and files: D:\Documents and Settings\EKINCHENG\桌面\少女日记.rar
D:\Documents and Settings\EKINCHENG\桌面\少女日记.rar ?RAR ?少女日记.exe - probably a variant of Win32/PSW.QQPass.NBL trojan
Number of scanned files: 2
Number of threats found: 1
Number of files cleaned: 1
Time of completion: 12:19:28 Total scanning time: 0 sec (00:00:00)

显示全部楼层 · 发表于 2007-9-15 13:45:06

微点：
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\少女日记.EXE
木马程序生成以下文件:
1) C:\WINDOWS.0\SYSTEM32\SEVERE.EXE
2) C:\WINDOWS.0\SYSTEM32\IWBKVD.EXE
3) C:\WINDOWS.0\SYSTEM32\DRIVERS\WEVVRI.EXE
是否删除木马程序及其衍生物?

显示全部楼层 · 发表于 2007-9-15 14:01:26

Kaspersky Internet Security 7.0

The requested URL http://bbs.kafan.cn/attachment.php?aid=127845 is infected with Trojan-PSW.Win32.QQPass.uj virus

[病毒样本] 0c01d3，幼稚的U盘病毒！

本帖子中包含更多资源

本帖子中包含更多资源