Zbot

显示全部楼层 · 发表于 2012-7-20 11:12:40

ESET killed

C:\Users\Gateway\Desktop\0561827FB86CC983C1B6BC59AE6EAE5E.exe - a variant of Win32/Kryptik.AIQS trojan

Created:    2012/7/20 11:10:21
Summary:    Firewall: Automatic decision
Description:  C:\Users\Gateway\AppData\Roaming\Zaufax\peum.exe, Outgoing UDP access allowed to: 190.190.172.166:12278
Event type: Firewall: Automatic decision(16)
Event action: Allowed(2)

Created:    2012/7/20 11:10:20
Summary:    Firewall: Automatic decision
Description:  C:\Users\Gateway\AppData\Roaming\Zaufax\peum.exe, Incoming TCP access allowed to: 0.0.0.0:17457
Event type: Firewall: Automatic decision(16)
Event action: Allowed(2)

Created:    2012/7/20 11:10:20
Summary:    Firewall: User decision
Description:  C:\Users\Gateway\AppData\Roaming\Zaufax\peum.exe, Incoming UDP access allowed to: 0.0.0.0:12668
Event type: Firewall: User decision(15)
Event action: Allowed(2)

Created:    2012/7/20 11:10:07
Summary:    Program Guard: 0561827FB86CC983C1B6BC59AE6EAE5E.exe -> tmp11dd392d.bat
Description:  C:\Users\Gateway\Desktop\0561827FB86CC983C1B6BC59AE6EAE5E.exe wants to modify executable file C:\Users\Gateway\AppData\Local\Temp\tmp11dd392d.bat
Event type: Suspicious file(13)
Event action: Allowed(2)

Created:    2012/7/20 11:10:04
Summary:    Program Guard: 0561827FB86CC983C1B6BC59AE6EAE5E.exe -> tmp11dd392d.bat
Description:  C:\Users\Gateway\Desktop\0561827FB86CC983C1B6BC59AE6EAE5E.exe wants to create executable file C:\Users\Gateway\AppData\Local\Temp\tmp11dd392d.bat
Event type: Suspicious file(13)
Event action: Allowed(2)

Created:    2012/7/20 11:10:02
Summary:    Program Guard: kernel event
Description:  OADriver: Registry, PID: 246128, Act:  8, Idn: 0, Mask: \REGISTRY\USER\S-1-5-21-3869693177-4215885030-2690111904-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB0A0FB4-33DB-AD40-4A28-3DE3545C1EFE} - Deny (rule)
Event type: Kernel event(26)
Event action: None(1)
Processes:
  PID:  246128 Name: peum.exe

Created:    2012/7/20 11:10:02
Summary:    Program Guard: peum.exe -> taskhost.exe
Description:  C:\Users\Gateway\AppData\Roaming\Zaufax\peum.exe(246128) wants to open C:\Windows\system32\taskhost.exe(153152)
Event type: Program Guard(9)
Event action: Blocked(3)

Created:    2012/7/20 11:10:02
Summary:    Program Guard: kernel event
Description:  OADriver: OB_OPERATION_HANDLE_CREATE, 246128 -> 153152, Mask: 147A - 1410
Event type: Kernel event(26)
Event action: None(1)
Processes:
  PID:  153152 Name: taskhost.exe
  PID:  246128 Name: peum.exe

Created:    2012/7/20 11:09:54
Summary:    Program Guard: peum.exe
Description:  C:\Users\Gateway\Desktop\0561827FB86CC983C1B6BC59AE6EAE5E.exe -> C:\Users\Gateway\AppData\Roaming\Zaufax\peum.exe
Event type: Program Guard(9)
Event action: Allowed(2)

Created:    2012/7/20 11:09:32
Summary:    Program Guard: 0561827FB86CC983C1B6BC59AE6EAE5E.exe -> usapo.exe
Description:  C:\Users\Gateway\Desktop\0561827FB86CC983C1B6BC59AE6EAE5E.exe wants to create executable file C:\Users\Gateway\AppData\Roaming\Ibujl\usapo.exe
Event type: Suspicious file(13)
Event action: Allowed(2)

Created:    2012/7/20 11:09:29
Summary:    Program Guard: 0561827FB86CC983C1B6BC59AE6EAE5E.exe -> usapo.exe
Description:  C:\Users\Gateway\Desktop\0561827FB86CC983C1B6BC59AE6EAE5E.exe wants to create executable file C:\Users\Gateway\AppData\Roaming\Ibujl\usapo.exe
Event type: Suspicious file(13)
Event action: Allowed(2)

Created:    2012/7/20 11:09:19
Summary:    Program Guard: 0561827FB86CC983C1B6BC59AE6EAE5E.exe
Description:  C:\Windows\Explorer.EXE -> C:\Users\Gateway\Desktop\0561827FB86CC983C1B6BC59AE6EAE5E.exe
Event type: Program Guard(9)
Event action: Allowed(2)

显示全部楼层 · 发表于 2012-7-20 11:13:35

金山miss

显示全部楼层 · 发表于 2012-7-20 11:20:38

显示全部楼层 · 发表于 2012-7-20 11:21:11

显示全部楼层 · 发表于 2012-7-20 11:22:51

文件信息
文件名称：D:\Download\0561827FB86CC983C1B6BC59AE6EAE5E.exe
文件大小：
330 Kb
内部名称：
无内部名称
文件签名：
77779585991584859941614338271863252642922618334872855927233775299732453649731895315274369766516585112682566279998717874311795897是一个木马
文件描述：
是一个木马
文件MD5：
0561827fb86cc983c1b6bc59ae6eae5e

显示全部楼层 · 发表于 2012-7-20 11:28:13

完整路径: f:\样本\0561827fb86cc983c1b6bc59ae6eae5e.exe
威胁: Suspicious.Cloud.5.A
____________________________
____________________________
在电脑上的创建时间不可用
上次使用时间 2012-7-20 ( 11:27:58 )
启动项目否
已启动否
____________________________
____________________________
未知
诺顿社区中使用此文件的用户数量: 未知
____________________________
未知
此文件版本当前未知。
____________________________
高
此文件具有高风险。
____________________________
威胁详细信息
威胁类型: 启发式病毒。根据恶意软件启发式技术检测威胁。
____________________________

____________________________
文件操作
文件: f:\样本\0561827fb86cc983c1b6bc59ae6eae5e.exe
已删除
____________________________
文件指纹 - SHA:
1ad94dda8498ee1859364a475acb33a4bb3801ecf96da4fabf6d4d0993cd9bb6
____________________________
文件指纹 - MD5:
0561827fb86cc983c1b6bc59ae6eae5e
____________________________

显示全部楼层 · 发表于 2012-7-20 11:34:27

过费尔V8

显示全部楼层 · 发表于 2012-7-20 11:50:06

本帖最后由 WeeVee 于 2012-7-20 11:53 编辑

Gdata
Gen:Variant.Kazy.81891 (引擎A)

双击测试

显示全部楼层 · 发表于 2012-7-20 11:56:37

扫描不报，解压报

显示全部楼层 · 发表于 2012-7-20 11:59:06

大A解压后扫描报

[病毒样本] Zbot

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源