autoran一个挂很多,比较有技术含量D69266

promised

1.盘符值下释放autorun.inf,和病毒文件
00405044   MOV ECX,sbl.00405364                      ASCII "\1.inf"
00405072   MOV ECX,sbl.00405364                      ASCII "\1.inf"
004050B8   MOV EDX,sbl.00405374                      ASCII "[autorun]"
004050D2   MOV EDX,sbl.00405388                      ASCII "OPEN=sbl.exe"
004050EC   MOV EDX,sbl.004053A0                      ASCII "shellexecute=sbl.exe"
00405106   MOV EDX,sbl.004053C0                      ASCII "shell\Auto\command=sbl.exe"
00405120   MOV EDX,sbl.004053E4                      ASCII "shell=open"
004051DD   MOV EDX,sbl.004053FC                      ASCII ":\autorun.inf"
0040520D   MOV EDX,sbl.00405414                      ASCII ":\sbl.exe"
00405256   MOV EDX,sbl.004053FC                      (初始 CPU 选择)
00405272   MOV ECX,sbl.00405364                      ASCII "\1.inf"
004052A8   MOV EDX,sbl.004053FC                      ASCII ":\autorun.inf"
004052D8   MOV EDX,sbl.00405414                      ASCII ":\sbl.exe"
00405364   ASCII "\1.inf",0
2.关闭系统防火墙，释放DLL,EXE文件,创建服务
004055E6   PUSH sbl.00405664                         ASCII "Shell32.dll"
004055F5   PUSH sbl.00405670                         ASCII "ShellExecuteA"
00405619   PUSH sbl.00405680                         ASCII "open"
00405664   ASCII "Shell32.dll",0
00405670   ASCII "ShellExecuteA",0
00405680   ASCII "open",0
004056A6   PUSH sbl.00405730                         ASCII "cmd.exe /c net stop sharedaccess"
004056CA   MOV ECX,sbl.0040575C                      ASCII "\lovesbl.dll"
004056E6   MOV ECX,sbl.00405774                      ASCII "\urlmon.dll"
00405730   ASCII "cmd.exe /c net s"
00405740   ASCII "top sharedaccess"
00405750   ASCII 0
0040575C   ASCII "\lovesbl.dll",0
00405774   ASCII "\urlmon.dll",0

3.发送wm_close，每3毫秒一次，比较狠毒了，并结束avp.exe进程（作者和卡巴有仇）


4.下载后运行程序
睡200毫秒一次

a-squared	3.0.0.123	2007.09.20	2007-09-20	-	7.881
AntiVir	7.6.0.15	6.39.1.163	2007-09-21	TR/Hijack.Explor.4380	2.665
Arcavir	1.0.4	200709201237	2007-09-20	-	2.402
AVAST	1.0.8	000775-4	2007-09-20	Win32:Agent-KNZ [Trj]	3.070
AVG	7.5.49.442	269.13.25/1018	2007-09-19	Generic7.MVV	1.834
BitDefender	7.60825.896043	7.14874	2007-09-21	BehavesLike:Win32.ExplorerHijack	3.659
CA (VET)	8.4.0.24	31.2.5152	2007-09-21	-	1.571
ClamAV	0.91.1	4357	2007-09-21	-	0.039
Comodo	2.11	2.0.0.291	2007-09-21	-	2.801
Dr.WEB	4.33	2007.09.21	2007-09-21	Win32.HLLW.Autoruner.572	6.029
ewido	4.0.0.2	2007.09.20	2007-09-20	-	2.136
F-PROT	4.4.0.50	20070921	2007-09-21	-	1.610
F-SECURE	5.51.6100	2007.09.21.02	2007-09-21	-	3.985
IKARUS	T3.1.1.12	2007.09.21.69539	2007-09-21	Trojan-PWS.Win32.Delf.mc	2.277
MKS_VIR	2.01	2007.09.20	2007-09-20	-	4.353
NOD32	2.70.10	2542	2007-09-21	-	0.024
NORMAN	5.91.07	5.90	2007-09-21	W32/Malware.ARIA	5.180
nProtect	2007-09-21.00	57020	2007-09-21	-	20.375
QuickHeal	9.00	2007.09.20	2007-09-20	-	5.225
SOPHOS	2.49.1	4.21	2007-09-21	-	3.926
The Hacker	6.2.5	v00064	2007-09-20	-	1.692
VBA32	3.12.2.4	20070921.0404	2007-09-21	-	0.869
ViRobot	20070920	2007.09.20	2007-09-20	Trojan.Win32.PSWIGames.25088.P	0.745
VirusBuster	4.3.19:9	9.106.3/11.0	2007-09-20	-	2.176
卡巴斯基	5.5.10	2007.09.21	2007-09-21	-	0.033
江民杀毒	10.00.650	2007.09.20	2007-09-20	-	2.552
熊猫卫士	9.04.03.0001	2007.09.20	2007-09-20	-	11.355
瑞星	19.0	19.41.40.00	2007-09-20	-	4.020
赛门铁克	1.3.0.24	20070920.009	2007-09-20	-	0.237
趋势	8.500-1001	4.733.00	2007-09-20	TROJ_ARIA.A	0.036
迈克菲	5.2.00	5124	2007-09-20	-	1.241
金山毒霸	2007.6.20.249	2007.9.21	2007-09-21	-	1.843
飞塔	2.81-3.11	8.126	2007-09-19	-	2.126

[ 本帖最后由 promised 于 2007-9-22 14:39 编辑 ]

gzg

驱逐舰杀

FBAV

MicroVita AntiSpyware  
_____________________________________________
                                          
             风暴微塔反间谍
[强力查杀各种Win32位的病毒,木马,蠕虫,恶意软件]                  
                   http://221.10.254.214/
----------------------------------------------
开始扫描……

正在检查启动……
[C:\Documents and Settings\Administrator\桌面\virus\sbl\sbl.exe]
                    …………发现Spy！报告: [4]
文件信息:  大小:25088  MD5:d69266621483947f9f7c3ae9d22a7cc3

文件数:1   病毒数:1  比重:1
OK  扫描完毕！
  ***日志解释
[4] 集中有害分析引擎
[3] 全局系统判断引擎   
[2] 文件特征码引擎
[1] 文件启发式引擎

wangjay1980

第一次见这么启发的
detected: virus Heur.AntiAV (modification)        File: C:\Documents and Settings\Owner\×ÀÃæ\sbl.rar/sbl.exe

1688388728

007-09-21 21:34:29    创建文件      操作:阻止
进程路径:D:\病毒库\sbl\sbl.exe
文件路径:C:\WINDOWS\system32\chostbl.exe
触发规则:所有程序规则->文件规则->%systemdrive%\*.exe


2007-09-21 21:35:23    创建文件      操作:阻止
进程路径:D:\病毒库\sbl\sbl.exe
文件路径:C:\WINDOWS\system32\chostbl.exe
触发规则:所有程序规则->文件规则->%systemdrive%\*.exe


2007-09-21 21:35:23    创建文件      操作:阻止
进程路径:D:\病毒库\sbl\sbl.exe
文件路径:C:\WINDOWS\system32\chostbl.exe
触发规则:所有程序规则->文件规则->%systemdrive%\*.exe


2007-09-21 21:35:23    创建文件      操作:阻止
进程路径:D:\病毒库\sbl\sbl.exe
文件路径:C:\WINDOWS\system32\chostbl.exe
触发规则:所有程序规则->文件规则->%systemdrive%\*.exe

promised

晕
前面意外中招
这东西还真有花头
姑且就分析这么点
运行的东西不管了

[ 本帖最后由 promised 于 2007-9-21 21:57 编辑 ]

uhthn2002

Uhthn Anti-Spyware V3 Alpha
Version - 3.0.0
Standard Database - 164
Paranoia Database - 5431
Heuristics Analysis - Excessive
Scan in - C:\Documents and Settings\uhthn\Desktop\sbl.exe

C:\Documents and Settings\uhthn\Desktop\sbl.exe - Infected with SDB:Win32.Trojan-Dropper.Small.ayg - Deleted

1 Files scanned
1 Infected files found
0 Suspicious files found
0 Files cured
1 Files deleted

promised

又发现了些
马上补上其他连带的东西

[ 本帖最后由 promised 于 2007-9-21 22:36 编辑 ]

Nblock

微点杀

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ANHAO_VIP_CAHW\ IMAGEPATH  C:\WINDOWS\SYSTEM32\CHOSTBL.EXE

mofunzone

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\My Documents\sbl.rar'
C:\Documents and Settings\Administrator\My Documents\
  sbl.rar
    [0] Archive type: RAR
    --> sbl.exe
        [DETECTION] Is the Trojan horse TR/Hijack.Explor.4380
        [WARNING]   Infected files in archives cannot be repaired!
        [INFO]      The file was deleted!