除了金山毒霸。。。还没几个杀毒软件报毒。。。。几乎全过了了……

你去远方

金山毒霸的误报高 会不会是误报啊

无心絮语

这个已经有人发过了，当时还说是个驱动

hjitss

360杀毒：TR.kgd.A

无奈的C

这个好像见过 在哪里

飘飘小宇

hjitss 发表于 2012-6-23 12:24
360杀毒：TR.kgd.A

360杀毒的分析报告：http://vi.sd.360.cn/virus_info?ds=0&vname=Trojan.Agent.AVTZ&fname=RtWlan.exe

天空迷失了梦

avast    下载时被杀了   

aerobee

卡巴斯基 下载时提示威胁

imut

kill

明镜星空

火眼日志：https://fireeye.ijinshan.com/analyse.html?md5=a7aaf0649ea22ae99fe7b0984173ca80

基本信息

• 文件名称：新建 360压缩.zip
• 文件哈希：a7aaf0649ea22ae99fe7b0984173ca80
• 文件大小：221909字节
• 创建时间：2012-06-22 10:09:31
• 文件类型：ZIP
• PEID信息：Not a valid PE file
• 
  

[color=rgb(253, 85, 85) !important][color=rgb(253, 85, 85) !important]危险行为监控

• 行为描述：启动宿主进程，注入代码，修改EIP执行自己的代码，偷梁换柱，使用户认为是正常的进程
  附加信息：
  svchost.exe
• 行为描述：运行后删除自身，警惕恶意软件！
  附加信息：
  无
  
  

其他行为监控

• 行为描述：添加Windows防火墙例外，防止访问网络时被防火墙拦截
  附加信息：
  %ProgramFiles%\RealAudo\Ac97\vssvcr32.exe >> %ProgramFiles%\RealAudo\Ac97\vssvcr32.exe...
• 行为描述：创建互斥体
  附加信息：
  "AUTO0RUN113223"
  "AUTO1RUN113223"
  "AUTO2RUN113223"
  "AUTO3RUN113223"
  "{004D0B4C-3A34-4eD4-AFCD-8E5238E16743}"
• 行为描述：查找文件
  附加信息：
  "C:\temp"
  "%temp%\cdg491~tmp\_RND_1.tmp\*.*"
  "%temp%\cdg491~tmp\_RND_1.tmp\cuazac.tmp"
  "%temp%\gfz492~tmp\_RND_2.tmp\*.*"
  "%temp%\gfz492~tmp\_RND_2.tmp\mcngbm.tmp"
  "%temp%\pfg490~tmp"
  "%temp%\pfg490~tmp\*.*"
  "%temp%\pfg490~tmp\_RND_0.tmp"
  "%temp%\pfg490~tmp\_RND_0.tmp\*.*"
  "%temp%\pfg490~tmp\_RND_0.tmp\dewdcedfasdfd.bat"
  "%temp%\pfg490~tmp\_RND_0.tmp\vddwewe12dasdw.ded"
  "%temp%\pfg490~tmp\_RND_0.tmp\vsvsvs.tmp"
  "%temp%\vfr493~tmp\_RND_3.tmp\*.*"
  "D:\Vir"
  "%SampleStore%\dewdcedfasdfd.bat"
  "%SampleStore%\vddwewe12dasdw.ded"
• 行为描述：创建服务
  附加信息：
  "%ProgramFiles%\RealAudo\Ac97\vssvcr32.exe" -server
• 行为描述：提升权限
  附加信息：
  "SeTcbPrivilege"
  
  

文件操作监控[td]

操作	文件MD5	文件大小	文件路径
释放后删除	33090fac4b2223a3aa05f508471dedd6	167328	%temp%\vfr493~tmp\_RND_3.tmp\taskv...
释放后删除	33090fac4b2223a3aa05f508471dedd6	167328	%temp%\pfg490~tmp\_RND_0.tmp\vsvsv...
释放后删除	8448618b5cadd198b9d5ea2a36843380	210	%temp%\pfg490~tmp\_RND_0.tmp\vddwe...
释放后删除	993fc9e4f0acf0535711630762345d0e	2048	%temp%\pfg490~tmp\_RND_0.tmp\dewdc...
释放后删除	8448618b5cadd198b9d5ea2a36843380	210	%SampleStore%\vddwewe12dasdw.ded
释放后删除	7fe906568ece4c70849906567f2acaa7	2048	%SampleStore%\dewdcedfasdfd.bat
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\ALSnd...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...
新增	f1101d3b53a0ba88e1e7ce2e3e865e58	344064	%ProgramFiles%\RealAudo\Ac97\vssvc...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...
新增	33090fac4b2223a3aa05f508471dedd6	167328	%temp%\cdg491~tmp\_RND_1.tmp\cuaza...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\RtlCP...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcwd...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...
新增	33090fac4b2223a3aa05f508471dedd6	167328	%temp%\gfz492~tmp\_RND_2.tmp\mcngb...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxw...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxw...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...
新增	1e2b337c0f979db9e2e3af29d7898c3a	36	%ProgramFiles%\RealAudo\Ac97\Alcxa...

进程操作监控

• 创建进程：无
  启动参数：ipconfig /all
• 创建进程：无
  启动参数：net start StacSV
• 创建进程：%system%\svchost.exe
  启动参数：无
• 创建进程：无
  启动参数：dewdcedfasdfd.bat
• 创建进程：无
  启动参数：%temp%\pfg490~tmp\_RND_0.tmp\vsvsvs.tmp -server
• 创建进程：无
  启动参数：%temp%\cdg491~tmp\_RND_1.tmp\cuazac.tmp -random
• 创建进程：无
  启动参数：%temp%\gfz492~tmp\_RND_2.tmp\mcngbm.tmp -random_1
• 创建进程：无
  启动参数：%ProgramFiles%\RealAudo\Ac97\vssvcr32.exe -install -p1 data01
• 创建进程：无
  启动参数：netsh firewall set allowedprogram "%ProgramFiles%\RealAudo\Ac97\vssvcr32.exe" Stac...
  

注册表监控

• 新增
• 删除
• 修改
  

• HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
• HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\install
• HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\install\Settings
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG[EnableConsoleTracing] = [0x00000000]
  [MaxFileSize] = [0x00100000]
  [FileDirectory] = [%windir%\tracing]
  [ConsoleTracingMask] = [0xffff0000]
  [FileTracingMask] = [0xffff0000]
  [EnableFileTracing] = [0x00000000]
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh[ControlFlags] = [0x00000001]
  [Active] = [0x00000001]
  [LogSessionName] = [stdout]
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr[Guid] = [710adbf0-ce88-40b4-a50d-231ada6593f0]
  [BitNames] = [ NAP_TRACE_BASE NAP_TRACE_NETSH]
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent[ControlFlags] = [0x00000001]
  [LogSessionName] = [stdout]
  [Active] = [0x00000001]
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdenti...[BitNames] = [ Error Unusual Info Debug]
  [Guid] = [b0278a28-76f1-4e15-b1df-14b209a12613]
• HKEY_LOCAL_MACHINE\SOFTWARE\StacSV[VSO] = [gA==]
  [P1] = [1PmIF9aE]
  [P2] = []
  [P3] = []
  [iso] = [gA==]
  [CTC] = [garM]
  [CAM] = [0/qdQtXQN5FydeugpPwPAw0ICMxSpFDVpy4EB1hALVM=]
  [DIUG] = [0/qdQtXQN5FydeugpPwPAw0ICMxSpFDVpy4EB1hALVM=]
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STACSV[NextInstance] = [0x00000001]
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STACSV\0000[ConfigFlags] = [0x00000000]
  [Service] = [StacSV]
  [ClassGUID] = [{8ECC055D-047F-11D1-A537-0000F8753ED1}]
  [Legacy] = [0x00000001]
  [DeviceDesc] = [Audio Service]
  [Class] = [LegacyDriver]
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STACSV\0000\Control[*NewlyCreated*] = [0x00000000]
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig\Enroll
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig\Enroll\HcsGroups
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig\UI
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProf...[%ProgramFiles%\RealAudo\Ac97\vssvcr32.exe] = [%ProgramFiles%\RealAudo\Ac97\vssvcr32.exe:*...
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\StacSV[DisplayName] = [Audio Service]
  [ImagePath] = ["%ProgramFiles%\RealAudo\Ac97\vssvcr32.exe" -server]
  [Type] = [0x00000110]
  [ObjectName] = [LocalSystem]
  [ErrorControl] = [0x00000000]
  [Start] = [0x00000002]
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\StacSV\Enum[0] = [Root\LEGACY_STACSV\0000]
  [Count] = [0x00000001]
  [NextInstance] = [0x00000001]
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\StacSV\Security[Security] = [\x01\x00\x14\x80\xb4...]
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STACSV[NextInstance] = [0x00000001]
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STACSV\0000[DeviceDesc] = [Audio Service]
  [Service] = [StacSV]
  [ConfigFlags] = [0x00000000]
  [Legacy] = [0x00000001]
  [ClassGUID] = [{8ECC055D-047F-11D1-A537-0000F8753ED1}]
  [Class] = [LegacyDriver]
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STACSV\0000\Control[*NewlyCreated*] = [0x00000000]
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\UI
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Standard...[%ProgramFiles%\RealAudo\Ac97\vssvcr32.exe] = [%ProgramFiles%\RealAudo\Ac97\vssvcr32.exe:*...
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StacSV[DisplayName] = [Audio Service]
  [Type] = [0x00000110]
  [ErrorControl] = [0x00000000]
  [ObjectName] = [LocalSystem]
  [ImagePath] = ["%ProgramFiles%\RealAudo\Ac97\vssvcr32.exe" -server]
  [Start] = [0x00000002]
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StacSV\Enum[Count] = [0x00000001]
  [0] = [Root\LEGACY_STACSV\0000]
  [NextInstance] = [0x00000001]
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StacSV\Security[Security] = [\x01\x00\x14\x80\xb4...]
  

网络监控

• 网络操作【访问网址】http://lnk.ray678.com:8661/lltj/ ... c0f7c011a12b07ba...
  【访问网址】http://lnk.ray678.com:8662/lltj/ ... c0f7c011a12b07ba...
  【访问网址】http://lnk.ray678.com:8663/lltj/ ... c0f7c011a12b07ba...
  【访问网址】http://lnk.ray678.com:8664/lltj/ ... c0f7c011a12b07ba...
  

ujty

这个文件名有一定寓意