
[Virus sample] High quality [2/42]

K7200000
Posted on 2012-6-22 09:26:17
This post was last edited by K7200000 on 2012-6-22 09:43

Download: http://www.kuaipan.com.cn/file/id_45530892470321169.htm
Password: infected

Antivirus        Result        Update
AhnLab-V3        -        20120621
AntiVir        -        20120621
Antiy-AVL        -        20120622
Avast        -        20120621
AVG        -        20120621
BitDefender        -        20120622
ByteHero        -        20120613
CAT-QuickHeal        -        20120621
ClamAV        -        20120622
Commtouch        -        20120622
Comodo        -        20120621
DrWeb        -        20120622
Emsisoft        -        20120622
eSafe        -        20120621
F-Prot        -        20120622
F-Secure        -        20120622
Fortinet        -        20120622
GData        -        20120621
Ikarus        -        20120622
Jiangmin        -        20120621
K7AntiVirus        -        20120621
Kaspersky        Trojan-PSW.Win32.Tepfer.ahbb        20120622
McAfee        -        20120622
McAfee-GW-Edition        -        20120621
Microsoft        -        20120622
NOD32        a variant of Win32/Injector.SZM        20120621
Norman        -        20120621
nProtect        -        20120621
Panda        -        20120621
PCTools        -        20120622
Rising        -        20120621
Sophos        -        20120622
SUPERAntiSpyware        -        20120621
Symantec        -        20120622
TheHacker        -        20120621
TotalDefense        -        20120621
TrendMicro        -        20120622
TrendMicro-HouseCall        -        20120621
VBA32        -        20120621
VIPRE        -        20120621
ViRobot        -        20120622
VirusBuster        -        20120620
Anubis analysis report
http://anubis.iseclab.org/?action=result&task_id=1637e3b08e882d544c1ce1e63672374d0&format=html
1. General Information

        - Information about Anubis' invocation         
Time needed:        255 s
Report created:        06/22/12, 01:02:16 UTC
Termination reason:        Timeout
Program version:        1.76.3886

2. w.exe

        - General information about this executable         
Analysis Reason:        Primary Analysis Subject
Filename:        w.exe
MD5:        789058585ffe7cbc0784aebd0e8dd092
SHA-1:        f3b27b3f197d0bd8625a701a5b9fc333e8de985e
File Size:        137728 Bytes
Command Line:        "C:\w.exe"
Process-status at analysis end:        alive
Exit Code:        0

        - Load-time Dlls         
Module Name        Base Address        Size
C:\WINDOWS\system32\ntdll.dll         0x7C900000         0x000AF000
C:\WINDOWS\system32\kernel32.dll         0x7C800000         0x000F6000
C:\WINDOWS\system32\USER32.dll         0x7E410000         0x00091000
C:\WINDOWS\system32\GDI32.dll         0x77F10000         0x00049000
C:\WINDOWS\system32\COMCTL32.dll         0x5D090000         0x0009A000
C:\WINDOWS\system32\ADVAPI32.dll         0x77DD0000         0x0009B000
C:\WINDOWS\system32\RPCRT4.dll         0x77E70000         0x00092000
C:\WINDOWS\system32\Secur32.dll         0x77FE0000         0x00011000
C:\WINDOWS\system32\WINMM.dll         0x76B40000         0x0002D000
C:\WINDOWS\system32\SHLWAPI.dll         0x77F60000         0x00076000
C:\WINDOWS\system32\msvcrt.dll         0x77C10000         0x00058000
C:\WINDOWS\system32\WINSTA.dll         0x76360000         0x00010000
C:\WINDOWS\system32\NETAPI32.dll         0x5B860000         0x00055000
C:\WINDOWS\system32\CRYPT32.dll         0x77A80000         0x00095000
C:\WINDOWS\system32\MSASN1.dll         0x77B20000         0x00012000

        - Run-time Dlls         
Module Name        Base Address        Size
C:\WINDOWS\system32\faultrep.dll         0x69450000         0x00016000
C:\WINDOWS\system32\MSCTF.dll         0x74720000         0x0004C000
C:\WINDOWS\system32\USERENV.dll         0x769C0000         0x000B4000
C:\WINDOWS\system32\WTSAPI32.dll         0x76F50000         0x00008000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll         0x773D0000         0x00103000
C:\WINDOWS\system32\SETUPAPI.dll         0x77920000         0x000F3000
C:\WINDOWS\system32\apphelp.dll         0x77B40000         0x00022000
C:\WINDOWS\system32\VERSION.dll         0x77C00000         0x00008000
C:\WINDOWS\system32\shell32.dll         0x7C9C0000         0x00817000

2.a) w.exe - Registry Activities

        + Registry Values Read:         

2.b) w.exe - File Activities

        - Files Created:         
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8925_appcompat.txt

        - Files Read:         
C:\WINDOWS\system32\winsock.dll
PIPE\lsarpc

        - Files Modified:         
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8925_appcompat.txt
PIPE\lsarpc

        - File System Control Communication:         
File        Control Code        Times
C:\Program Files\Common Files\         0x00090028         1
PIPE\lsarpc         0x0011C017         6

        - Device Control Communication:         
File        Control Code        Times
\Device\KsecDD         0x00390008         1

        - Memory Mapped Files:         
File Name
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\COMCTL32.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\WTSAPI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\apphelp.dll
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\faultrep.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\winsock.dll
C:\Windows\AppPatch\sysmain.sdb

2.c) w.exe - Process Activities

        - Processes Created:         
Executable        Command Line
C:\WINDOWS\system32\dwwin.exe         C:\WINDOWS\system32\dwwin.exe -x -s 228

        - Remote Threads Created:         
Affected Process
C:\WINDOWS\system32\dwwin.exe

        - Foreign Memory Regions Read:         
Process: C:\WINDOWS\system32\dwwin.exe

        - Foreign Memory Regions Written:         
Process: C:\WINDOWS\system32\dwwin.exe

2.d) w.exe - Other Activities

        - Mutexes Created:         
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

        + Windows SEH exceptions:         

3. dwwin.exe

        - General information about this executable         
Analysis Reason:        Started by w.exe
Filename:        dwwin.exe
MD5:        86042f6f6a5287eaf9379c91d0bf72b6
SHA-1:        532bf74e6aead7438aa7264d01759a065410ee68
File Size:        180224 Bytes
Command Line:        C:\WINDOWS\system32\dwwin.exe -x -s 228
Process-status at analysis end:        dead
Exit Code:        0

        - Load-time Dlls         
Module Name        Base Address        Size
C:\WINDOWS\system32\ntdll.dll         0x7C900000         0x000AF000
C:\WINDOWS\system32\kernel32.dll         0x7C800000         0x000F6000
C:\WINDOWS\system32\ADVAPI32.DLL         0x77DD0000         0x0009B000
C:\WINDOWS\system32\RPCRT4.dll         0x77E70000         0x00092000
C:\WINDOWS\system32\Secur32.dll         0x77FE0000         0x00011000
C:\WINDOWS\system32\COMCTL32.DLL         0x5D090000         0x0009A000
C:\WINDOWS\system32\GDI32.dll         0x77F10000         0x00049000
C:\WINDOWS\system32\USER32.dll         0x7E410000         0x00091000
C:\WINDOWS\system32\OLEAUT32.DLL         0x77120000         0x0008B000
C:\WINDOWS\system32\msvcrt.dll         0x77C10000         0x00058000
C:\WINDOWS\system32\ole32.dll         0x774E0000         0x0013D000
C:\WINDOWS\system32\SHELL32.DLL         0x7C9C0000         0x00817000
C:\WINDOWS\system32\SHLWAPI.dll         0x77F60000         0x00076000
C:\WINDOWS\system32\URLMON.DLL         0x7E1E0000         0x000A2000
C:\WINDOWS\system32\VERSION.dll         0x77C00000         0x00008000
C:\WINDOWS\system32\WININET.DLL         0x771B0000         0x000AA000
C:\WINDOWS\system32\CRYPT32.dll         0x77A80000         0x00095000
C:\WINDOWS\system32\MSASN1.dll         0x77B20000         0x00012000
C:\WINDOWS\system32\ShimEng.dll         0x5CB70000         0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL         0x6F880000         0x001CA000
C:\WINDOWS\system32\WINMM.dll         0x76B40000         0x0002D000
C:\WINDOWS\system32\MSACM32.dll         0x77BE0000         0x00015000
C:\WINDOWS\system32\USERENV.dll         0x769C0000         0x000B4000
C:\WINDOWS\system32\UxTheme.dll         0x5AD70000         0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll         0x773D0000         0x00103000

        - Run-time Dlls         
Module Name        Base Address        Size
C:\WINDOWS\system32\1033\dwintl.dll         0x314C0000         0x0000C000
C:\WINDOWS\system32\NETAPI32.dll         0x5B860000         0x00055000
C:\WINDOWS\system32\WS2HELP.dll         0x71AA0000         0x00008000
C:\WINDOWS\system32\WS2_32.dll         0x71AB0000         0x00017000
C:\WINDOWS\system32\sensapi.dll         0x722B0000         0x00005000
C:\WINDOWS\system32\MSCTF.dll         0x74720000         0x0004C000
C:\WINDOWS\system32\riched20.dll         0x74E30000         0x0006D000
C:\WINDOWS\system32\imm32.dll         0x76390000         0x0001D000
C:\WINDOWS\system32\shfolder.dll         0x76780000         0x00009000
C:\WINDOWS\system32\PSAPI.DLL         0x76BF0000         0x0000B000
C:\WINDOWS\system32\rtutils.dll         0x76E80000         0x0000E000
C:\WINDOWS\system32\rasman.dll         0x76E90000         0x00012000
C:\WINDOWS\system32\TAPI32.dll         0x76EB0000         0x0002F000
C:\WINDOWS\system32\RASAPI32.DLL         0x76EE0000         0x0003C000

        - Popups         
Window Name        Window Text        Screenshot        Number of Displayed Times
w.exe         &Don't Send w.exe has encountered a problem and needs to close. We are sorry for the inconvenience. w.exe has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains, Details &Send Error Report                   1

3.a) dwwin.exe - Registry Activities

        - Registry Values Modified:         
Key        Name        New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings         ProxyEnable         0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders         Common AppData         C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths         Directory         C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths         Paths         4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1         CacheLimit         40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1         CachePath         C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2         CacheLimit         40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2         CachePath         C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3         CacheLimit         40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3         CachePath         C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4         CacheLimit         40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4         CachePath         C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders         AppData         C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders         Cache         C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders         Cookies         C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders         History         C:\Documents and Settings\Administrator\Local Settings\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders         Personal         C:\Documents and Settings\Administrator\My Documents
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings         MigrateProxy         1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings         ProxyEnable         0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections         SavedLegacySettings         0x3c0000001600000001000000000000000000000000000000040000000000

        - Registry Values Read:         
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012011021820110219         CacheRepair         0         1
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History         CacheLimit         8192         1
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History         CachePrefix         Visited:         2
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History         PerUserItem         1         1
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings         MigrateProxy         1         1
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings         ProxyEnable         0         1
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections         DefaultConnectionSettings         0x3c0000000300000001000000000000000000000000000000040000000000         2
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections         SavedLegacySettings         0x3c0000001500000001000000000000000000000000000000040000000000         4
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment         APPDATA         C:\​Documents and Settings\​Administrator\​Application Data         4
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment         CLIENTNAME         Console         4
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment         HOMEDRIVE         C:         4
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment         HOMEPATH         \​Documents and Settings\​Administrator         4
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment         HOMESHARE                  4
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment         LOGONSERVER         \​\​PC         4
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment         SESSIONNAME         Console         4

        - Monitored Registry Keys:         
Key Name        Watch subtree        Notify Filter        Count
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32         0         Attributes Change,Value Change,Security Descriptor Change         2

3.b) dwwin.exe - File Activities

        - Files Deleted:         
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6D45A.dmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8925_appcompat.txt

        - Files Created:         
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6D45A.dmp

        - Files Read:         
C:\WINDOWS\win.ini
C:\w.exe
PIPE\lsarpc
c:\autoexec.bat

        - Files Modified:         
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6D45A.dmp
PIPE\lsarpc

        - File System Control Communication:         
File        Control Code        Times
C:\WINDOWS\system32         0x00090028         1
PIPE\lsarpc         0x0011C017         16

        - Device Control Communication:         
File        Control Code        Times
\Device\KsecDD         0x00390008         8

        - Memory Mapped Files:         
File Name
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6D45A.dmp
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\1033\dwintl.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\COMCTL32.DLL
C:\WINDOWS\system32\COMCTL32.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\RASAPI32.DLL
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\SHELL32.DLL
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\URLMON.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\WININET.DLL
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WTSAPI32.dll
C:\WINDOWS\system32\faultrep.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\riched20.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\system32\shfolder.dll
C:\Windows\AppPatch\sysmain.sdb
C:\w.exe

3.c) dwwin.exe - Process Activities

        - Foreign Memory Regions Read:         
Process: C:\w.exe

K7200000
Thread starter | Posted on 2012-6-22 09:29:59 | Show all posts

Nocria
Posted on 2012-6-22 09:32:30 | Show all posts
To Avira.
hddu
Posted on 2012-6-22 09:33:28 | Show all posts
2012-06-22 09:33:07    运行应用程序      操作:允许
进程路径:F:\virus\【2012.6.22】w\w.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\860477.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*


2012-06-22 09:33:16    运行应用程序      操作:允许
进程路径:F:\virus\【2012.6.22】w\w.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\869239.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*


2012-06-22 09:33:22    运行应用程序      操作:允许
进程路径:F:\virus\【2012.6.22】w\w.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*


2012-06-22 09:33:26    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
触发规则:应用程序规则->TEMP临时目录->*\Temp\*->*\Temp\*.exe


2012-06-22 09:33:30    创建文件      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
文件路径:C:\Documents and Settings\Administrator\Application Data\Riojes
触发规则:所有程序规则->Documents and Settings设置(二)->?:\Documents and Settings\*\Application Data\*


2012-06-22 09:33:31    创建文件      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
文件路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
触发规则:所有程序规则->Documents and Settings设置(二)->?:\Documents and Settings\*\Application Data\*.exe


2012-06-22 09:33:31    创建文件      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
文件路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
触发规则:所有程序规则->Documents and Settings设置(二)->?:\Documents and Settings\*\Application Data\*.exe


2012-06-22 09:33:35    运行应用程序      操作:允许
进程路径:F:\virus\【2012.6.22】w\w.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\abcd.bat"     "F:\virus\【2012.6.22】w\w.exe"   "
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe


2012-06-22 09:33:37    修改文件      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
文件路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
触发规则:所有程序规则->Documents and Settings设置(二)->?:\Documents and Settings\*\Application Data\*.exe


2012-06-22 09:33:38    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
文件路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
触发规则:应用程序规则->程序->?:\*


2012-06-22 09:33:39    删除文件      操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:F:\virus\【2012.6.22】w\w.exe
触发规则:应用程序规则->CMD设置->%windir%\system32\cmd.exe->?:\*


2012-06-22 09:33:42    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\WINDOWS\explorer.exe
触发规则:所有程序规则->*


2012-06-22 09:33:42    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\WINDOWS\system32\ctfmon.exe
触发规则:所有程序规则->*


2012-06-22 09:33:42    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\Program Files\SogouExplorer\sogouexplorer.exe
触发规则:所有程序规则->*


2012-06-22 09:33:42    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\Program Files\SogouExplorer\sogouexplorer.exe
触发规则:所有程序规则->*


2012-06-22 09:33:43    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\Program Files\SogouExplorer\sogouexplorer.exe
触发规则:所有程序规则->*


2012-06-22 09:33:43    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\Program Files\SogouExplorer\sogouexplorer.exe
触发规则:所有程序规则->*


2012-06-22 09:33:43    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpd2d10926.bat"
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe


2012-06-22 09:33:44    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\Program Files\SogouExplorer\sogouexplorer.exe
触发规则:所有程序规则->*


2012-06-22 09:33:44    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\WINDOWS\system32\conime.exe
触发规则:所有程序规则->*


2012-06-22 09:33:44    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\WINDOWS\system32\cmd.exe
触发规则:所有程序规则->*
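A defender-side parser for HIPS entries in the format of the log above, added here as an example (it is not part of hddu's post or of the thread): it rebuilds the launch chain from w.exe, picks out the copy dropped under Application Data, lists the blocked remote-thread targets and notices the cmd.exe deletion of the original sample. The embedded log is a constructed subset of the events above; it assumes the field names and the 操作 verdicts appear exactly as in the post.

```python
import re
HEADER = re.compile(r"^(\S+ \S+)\s+(\S+)\s+操作:(\S+)$")   # "date time  action  操作:verdict"
# Constructed sample: a subset of the events from the HIPS log above, same line format.
SAMPLE_LOG = r"""
2012-06-22 09:33:22    运行应用程序      操作:允许
进程路径:F:\virus\【2012.6.22】w\w.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe

2012-06-22 09:33:31    创建文件      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
文件路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe

2012-06-22 09:33:38    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\875639.exe
文件路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe

2012-06-22 09:33:39    删除文件      操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:F:\virus\【2012.6.22】w\w.exe

2012-06-22 09:33:42    创建远程线程      操作:阻止
进程路径:C:\Documents and Settings\Administrator\Application Data\Riojes\orsy.exe
目标进程:C:\WINDOWS\explorer.exe
"""

def parse_hips_log(text):
    """One dict per blank-line-separated event: time/action/verdict plus its key:value lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, *rest = block.strip().splitlines()
        if m := HEADER.match(head):   # skip anything that is not an event header
            ev = dict(zip(("time", "action", "verdict"), m.groups()))
            ev.update(line.partition(":")[::2] for line in rest)   # (key, value) pairs
            events.append(ev)
    return events
def triage(events, sample_path):
    """Defender-side summary: launch chain from the sample, persistence, injection, self-delete."""
    rep = {"drop_chain": [sample_path], "persistence": set(),
           "blocked_injection_targets": [], "self_deleted": False}
    for ev in events:
        act, proc, path = ev["action"], ev.get("进程路径", ""), ev.get("文件路径", "")
        if act == "运行应用程序" and proc in rep["drop_chain"] and path not in rep["drop_chain"]:
            rep["drop_chain"].append(path)        # child launched by something already in the chain
        elif act in ("创建文件", "修改文件") and "\\Application Data\\" in path and path.endswith(".exe"):
            rep["persistence"].add(path)          # executable dropped into the roaming profile
        elif act == "创建远程线程" and ev["verdict"] == "阻止":
            rep["blocked_injection_targets"].append(ev.get("目标进程", ""))
        elif act == "删除文件" and path == sample_path and proc.lower().endswith("cmd.exe"):
            rep["self_deleted"] = True            # original dropper removed through cmd.exe
    return rep
```

Running `triage(parse_hips_log(SAMPLE_LOG), r"F:\virus\【2012.6.22】w\w.exe")` yields the chain w.exe -> Temp\875639.exe -> Riojes\orsy.exe, one persistence path, explorer.exe as the blocked injection target and self_deleted set.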
122693882
Posted on 2012-6-22 09:35:50 | Show all posts
Norton kills it while still in the archive.
Nocria
Posted on 2012-6-22 09:38:48 | Show all posts
https://fireeye.ijinshan.com/ana ... cbc0784aebd0e8dd092

Behaviour description: starts a host process, injects code, modifies EIP to run its own code, swapping itself in so the user takes it for a normal process.
Additional information: w.exe
K7200000
Thread starter | Posted on 2012-6-22 09:42:07 | Show all posts
humanlwj52 posted on 2012-6-22 09:38
https://fireeye.ijinshan.com/analyse.html?md5=789058585ffe7cbc0784aebd0e8dd092

Kingsoft's one is still better; the Anubis one gives me a headache to read.
But Fire Eye (火眼) is not as detailed as Anubis.
Nocria
Posted on 2012-6-22 09:48:04 | Show all posts
K7200000 posted on 2012-6-22 09:42
Kingsoft's one is still better; the Anubis one gives me a headache to read.
But Fire Eye (火眼) is not as detailed as Anubis.

Actually they are the same: the malicious behaviour Anubis flags in red is also injection into other processes.
Kingsoft's one simply leaves out the lower-suspicion behaviours.
jayavira
Posted on 2012-6-22 10:12:49 | Show all posts
Downloader.
Attaching what it downloads.
PW: virus

3801187
Posted on 2012-6-22 11:23:55 | Show all posts

Copyright © KaFan  KaFan.cn All Rights Reserved.