Thread starter: xiaotuzi

[Virus sample] Micropoint flags an unknown Trojan that the whole world missed! Every other AV fails!

hj5abc
Posted on 2007-9-26 20:57:16
Originally posted by EQ2 on 2007-9-26 11:52:
Similar to NOD32's ThreatSense

It should be stored in the cache directory..
promised
Posted on 2007-9-26 21:15:03
008F2B90 DD 复件_EVE.008F2BEE ASCII 0C,"TDownSrvFile"
008F2BEF ASCII "TDownSrvFile"
008F2C51 MOV EDX,复件_EVE.008F2CD4 ASCII ".bat"
008F2C56 MOV EAX,复件_EVE.008F2CE4 ASCII "nb"
008F2CD4 ASCII ".bat",0
008F2CE4 ASCII "nb",0
008F2CF0 ASCII "^",0
008F2DC7 MOV ECX,复件_EVE.008F2ED4 ASCII "downurl"
008F2DCC MOV EDX,复件_EVE.008F2EE4 ASCII "URLList"
008F2E19 MOV EDX,复件_EVE.008F2EF4 ASCII ".txt"
008F2ED4 ASCII "downurl",0
008F2EE4 ASCII "URLList",0
008F2EF4 ASCII ".txt",0
008F3068 DD 复件_EVE.008F309C ASCII 0B,"TPlayboyThd"
008F309D ASCII "TPlayboyThd"
008F30C8 MOV ECX,复件_EVE.008F3108 ASCII "http://upcfg.netdiu.cn/setupurl.txt"
008F3108 ASCII "http://upcfg.net"
008F3118 ASCII "diu.cn/setupurl."
008F3128 ASCII "txt",0
008F3185 MOV EDX,复件_EVE.008F3340 ASCII ".exe"
008F31A4 MOV ECX,复件_EVE.008F3350 ASCII "eventrep.dll"
008F31E2 MOV ECX,复件_EVE.008F3368 ASCII "wbem\SACH0ST.exe"
008F3274 MOV EAX,复件_EVE.008F3350 ASCII "eventrep.dll"
008F3285 MOV EAX,复件_EVE.008F3350 ASCII "eventrep.dll"
008F3295 MOV EAX,复件_EVE.008F3350 ASCII "eventrep.dll"
008F32A3 PUSH 复件_EVE.008F337C ASCII "TVisfrmMain"
008F3340 ASCII ".exe",0
008F3350 ASCII "eventrep.dll",0
008F3368 ASCII "wbem\SACH0ST.exe"
008F3378 ASCII 0
008F337C ASCII "TVisfrmMain",0
008F33CF MOV EDX,复件_EVE.008F3410 ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
008F3410 ASCII "SOFTWARE\Microso"
008F3420 ASCII "ft\Windows NT\Cu"
008F3430 ASCII "rrentVersion\Svc"
008F3440 ASCII "host",0
008F3463 MOV EDX,复件_EVE.008F34A8 ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
008F3470 MOV ECX,复件_EVE.008F34E8 ASCII "tmsscvl"
008F34A8 ASCII "SOFTWARE\Microso"
008F34B8 ASCII "ft\Windows NT\Cu"
008F34C8 ASCII "rrentVersion\Svc"
008F34D8 ASCII "host",0
008F34E8 ASCII "tmsscvl",0
008F3519 MOV EDX,复件_EVE.008F3604 ASCII "SYSTEM\ControlSet001\Services\tmsscvl\Start"
008F352D MOV EDX,复件_EVE.008F3638 ASCII "SYSTEM\CurrentControlSet\Services\tmsscvl\Type"
008F3541 MOV EDX,复件_EVE.008F3670 ASCII "SYSTEM\CurrentControlSet\Services\tmsscvl\ErrorControl"
008F3550 MOV ECX,复件_EVE.008F36B0 ASCII "VisPlug and Play Removable Storage"
008F3555 MOV EDX,复件_EVE.008F36DC ASCII "SYSTEM\CurrentControlSet\Services\tmsscvl\DisplayName"
008F3564 MOV ECX,复件_EVE.008F371C ASCII "%SystemRoot%\System32\svchost.exe -k tmsscvl"
008F3569 MOV EDX,复件_EVE.008F3754 ASCII "SYSTEM\CurrentControlSet\Services\tmsscvl\ImagePath"
008F357D MOV EDX,复件_EVE.008F3804 ASCII "SYSTEM\CurrentControlSet\Services\tmsscvl\Description"
008F358C MOV ECX,复件_EVE.008F3844 ASCII "LocalSystem"
008F3591 MOV EDX,复件_EVE.008F3858 ASCII "SYSTEM\CurrentControlSet\Services\tmsscvl\ObjectName"
008F35AB MOV EDX,复件_EVE.008F3898 ASCII "SYSTEM\CurrentControlSet\Services\tmsscvl\Parameters\ServiceDll"
008F35BA MOV EAX,复件_EVE.008F38E0 ASCII "tmsscvl"
008F3604 ASCII "SYSTEM\ControlSe"
008F3614 ASCII "t001\Services\tm"
008F3624 ASCII "sscvl\Start",0
008F3638 ASCII "SYSTEM\CurrentCo"
008F3648 ASCII "ntrolSet\Service"
008F3658 ASCII "s\tmsscvl\Type",0
008F3670 ASCII "SYSTEM\CurrentCo"
008F3680 ASCII "ntrolSet\Service"
008F3690 ASCII "s\tmsscvl\ErrorC"
008F36A0 ASCII "ontrol",0
008F36B0 ASCII "VisPlug and Play"
008F36C0 ASCII " Removable Stora"
008F36D0 ASCII "ge",0
008F36DC ASCII "SYSTEM\CurrentCo"
008F36EC ASCII "ntrolSet\Service"
008F36FC ASCII "s\tmsscvl\Displa"
008F370C ASCII "yName",0
008F371C ASCII "%SystemRoot%\Sys"
008F372C ASCII "tem32\svchost.ex"
008F373C ASCII "e -k tmsscvl",0
008F3754 ASCII "SYSTEM\CurrentCo"
008F3764 ASCII "ntrolSet\Service"
008F3774 ASCII "s\tmsscvl\ImageP"
008F3784 ASCII "ath",0
008F3804 ASCII "SYSTEM\CurrentCo"
008F3814 ASCII "ntrolSet\Service"
008F3824 ASCII "s\tmsscvl\Descri"
008F3834 ASCII "ption",0
008F3844 ASCII "LocalSystem",0
008F3858 ASCII "SYSTEM\CurrentCo"
008F3868 ASCII "ntrolSet\Service"
008F3878 ASCII "s\tmsscvl\Object"
008F3888 ASCII "Name",0
008F3898 ASCII "SYSTEM\CurrentCo"
008F38A8 ASCII "ntrolSet\Service"
008F38B8 ASCII "s\tmsscvl\Parame"
008F38C8 ASCII "ters\ServiceDll",0
008F38E0 ASCII "tmsscvl",0
008F39E6 MOV ECX,复件_EVE.008F3B90 ASCII "eventrep.dll"
008F39F5 MOV ECX,复件_EVE.008F3B90 ASCII "eventrep.dll"
008F3A04 MOV EDX,复件_EVE.008F3BA8 ASCII ".bat"
008F3A09 MOV EAX,复件_EVE.008F3BB8 ASCII "sm"
008F3A51 MOV EDX,复件_EVE.008F3BC4 ASCII "@echo off"
008F3A5E MOV EDX,复件_EVE.008F3BD8 ASCII ":loop"
008F3A6B MOV EDX,复件_EVE.008F3BE8 ASCII "net stop tmsscvl"
008F3A7E MOV EDX,复件_EVE.008F3C04 ASCII "del "
008F3A93 PUSH 复件_EVE.008F3C14 ASCII "if exist ""
008F3A9B PUSH 复件_EVE.008F3C28 ASCII "" goto loop"
008F3AB8 PUSH 复件_EVE.008F3C3C ASCII "copy "
008F3AE6 MOV EDX,复件_EVE.008F3C04 ASCII "del "
008F3AFB MOV EDX,复件_EVE.008F3C58 ASCII "net start tmsscvl"
008F3B08 MOV EDX,复件_EVE.008F3C74 ASCII "del %0"
008F3B90 ASCII "eventrep.dll",0
008F3BA8 ASCII ".bat",0
008F3BB8 ASCII "sm",0
008F3BC4 ASCII "@echo off",0
008F3BD8 ASCII ":loop",0
008F3BE8 ASCII "net stop tmsscvl"
008F3BF8 ASCII 0
008F3C04 ASCII "del ",0
008F3C14 ASCII "if exist "",0
008F3C28 ASCII "" goto loop",0
008F3C3C ASCII "copy ",0
008F3C4C ASCII " ",0
008F3C58 ASCII "net start tmsscv"
008F3C68 ASCII "l",0
008F3C74 ASCII "del %0",0
008F3C97 MOV EAX,复件_EVE.008F3D90 ASCII "tmsscvl"
008F3CDA PUSH 复件_EVE.008F3D98 ASCII "%SystemRoot%\System32\svchost.exe -k tmsscvl"
008F3CEA PUSH 复件_EVE.008F3DC8 ASCII "VisPlug and Play Removable Storage"
008F3CEF PUSH 复件_EVE.008F3DEC ASCII "tmsscvl"
008F3D34 MOV EDX,复件_EVE.008F3E70 ASCII "SYSTEM\CurrentControlSet\Services\tmsscvl\Description"
008F3D4E MOV EDX,复件_EVE.008F3EB0 ASCII "SYSTEM\CurrentControlSet\Services\tmsscvl\Parameters\ServiceDll"
008F3D90 ASCII "tmsscvl",0
008F3D98 ASCII "%SystemRoot%\Sys"
008F3DA8 ASCII "tem32\svchost.ex"
008F3DB8 ASCII "e -k tmsscvl",0
008F3DC8 ASCII "VisPlug and Play"
008F3DD8 ASCII " Removable Stora"
008F3DE8 ASCII "ge",0
008F3DEC ASCII "tmsscvl",0
008F3E70 ASCII "SYSTEM\CurrentCo"
008F3E80 ASCII "ntrolSet\Service"
008F3E90 ASCII "s\tmsscvl\Descri"
008F3EA0 ASCII "ption",0
008F3EB0 ASCII "SYSTEM\CurrentCo"
008F3EC0 ASCII "ntrolSet\Service"
008F3ED0 ASCII "s\tmsscvl\Parame"
008F3EE0 ASCII "ters\ServiceDll",0
008F3F24 MOV EAX,复件_EVE.008F4018 ASCII "tmsscvl"
008F3F5E PUSH 10000 UNICODE "=::=::"
008F3F63 PUSH 复件_EVE.008F4020 ASCII "tmsscvl"
008F4018 ASCII "tmsscvl",0
008F4020 ASCII "tmsscvl",0
008F4073 PUSH 复件_EVE.008F443C ASCII "tmsscvl"
008F40A6 MOV EDX,复件_EVE.008F444C ASCII "Error Code: "
008F417B MOV EAX,复件_EVE.008F4468 ASCII "http://upcfg.netdiu.cn/viscp%d.txt"
008F4227 MOV EDX,复件_EVE.008F4494 ASCII ".tmp"
008F422C MOV EAX,复件_EVE.008F44A4 ASCII "ms"
008F4271 MOV EAX,复件_EVE.008F4468 ASCII "http://upcfg.netdiu.cn/viscp%d.txt"
008F42CC MOV EAX,复件_EVE.008F4468 ASCII "http://upcfg.netdiu.cn/viscp%d.txt"
008F42FE MOV ECX,复件_EVE.008F44B0 ASCII "eventrep.dll"
008F443C ASCII "tmsscvl",0
008F444C ASCII "Error Code: ",0
008F4468 ASCII "http://upcfg.net"
008F4478 ASCII "diu.cn/viscp%d.t"
008F4488 ASCII "xt",0
008F4494 ASCII ".tmp",0
008F44A4 ASCII "ms",0
008F44B0 ASCII "eventrep.dll",0
008F44D9 MOV EAX,复件_EVE.008F4510 ASCII "tmsscvl"
008F4510 ASCII "tmsscvl",0
008F4750 MOV EDX,复件_EVE.008F477C ASCII "fdsaf"
008F4763 MOV EDX,复件_EVE.008F478C ASCII "afqfdsafdsaw"
008F477C ASCII "fdsaf",0
008F478C ASCII "afqfdsafdsaw",0
008F60E8 MOV EDX,复件_EVE.008F6130 ASCII "0x"
008F6130 ASCII "0x",0
008F648F PUSH 复件_EVE.008F64A0 ASCII "TaskbarCreated"
008F64A0 ASCII "TaskbarCreated",0
008F64F9 PUSH 复件_EVE.008F6524 ASCII "Delphi Picture"
008F6509 PUSH 复件_EVE.008F6534 ASCII "Delphi Component"
008F6524 ASCII "Delphi Picture",0
008F6534 ASCII "Delphi Component"
008F6544 ASCII 0
008F66CD PUSH 复件_EVE.008F6704 ASCII "TaskbarCreated"
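The listing above is where this sample's indicators come from: the download URLs, the svchost-hosted service tmsscvl with its ServiceDll eventrep.dll, and the batch script that stops, replaces and restarts that service. The Python below is an added example, not code from the original post: it rejoins the 16-byte data chunks OllyDbg prints by address and buckets the recovered strings by what a defender should check, using an embedded excerpt of the listing above as input; the bucket rules are my own assumption about what matters for this sample.

```python
import re
# Excerpt of the OllyDbg referenced-strings listing from the post above, numbering
# stripped and embedded so this runs offline. Olly shows data strings in 16-byte
# chunks: ",0" marks the terminating NUL and a bare "ASCII 0" is a NUL on its own chunk.
SAMPLE = r"""
008F3108 ASCII "http://upcfg.net"
008F3118 ASCII "diu.cn/setupurl."
008F3128 ASCII "txt",0
008F3368 ASCII "wbem\SACH0ST.exe"
008F3378 ASCII 0
008F3898 ASCII "SYSTEM\CurrentCo"
008F38A8 ASCII "ntrolSet\Service"
008F38B8 ASCII "s\tmsscvl\Parame"
008F38C8 ASCII "ters\ServiceDll",0
008F3C14 ASCII "if exist "",0
008F3D98 ASCII "%SystemRoot%\Sys"
008F3DA8 ASCII "tem32\svchost.ex"
008F3DB8 ASCII "e -k tmsscvl",0
"""
DATA = re.compile(r'^([0-9A-Fa-f]{8})\s+ASCII\s+(.*)$')   # data lines only (reference lines repeat them)
def parse_olly_strings(listing):
    # Rejoin chunks at consecutive addresses; return unique strings in listing order.
    chunks = {}                                    # addr -> (text, has_terminating_nul)
    for raw in listing.splitlines():
        m = DATA.match(raw.strip())
        if m:
            q = re.search(r'"(.*)"', m.group(2))   # greedy, so an inner "" survives
            text = q.group(1).replace('""', '"') if q else ''
            chunks[int(m.group(1), 16)] = (text, not q or m.group(2).endswith(',0'))
    found, cur, expected = [], '', None
    for addr in sorted(chunks):
        text, done = chunks[addr]
        if cur and addr != expected:               # gap: previous string showed no NUL
            found.append(cur)
            cur = ''
        cur, expected = cur + text, addr + len(text)
        if done and cur:
            found.append(cur)
            cur = ''
    return list(dict.fromkeys(found + [cur] if cur else found))
def classify(strings):
    # Bucket strings by what a defender would hunt for on a suspect host (assumed rules).
    rules = {'url': lambda s: s.startswith(('http://', 'https://')),
             'registry': lambda s: s.upper().startswith(('SOFTWARE\\', 'SYSTEM\\')),
             'batch': lambda s: s.startswith(('net ', 'del ', 'copy ', '@echo', 'if exist', ':')),
             'file': lambda s: 'svchost.exe' in s or s.lower().endswith(('.dll', '.exe', '.bat'))}
    buckets = {kind: [] for kind in list(rules) + ['other']}
    for s in strings:
        buckets[next((k for k, test in rules.items() if test(s)), 'other')].append(s)
    return buckets
```

Run on the full listing, the registry bucket shows the service keys the DLL writes under Services\tmsscvl and the Svchost group, which is what to check on a host suspected of carrying this sample.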
cy6266812
Posted on 2007-9-26 22:52:02
Kaspersky 7 flags it; it won't let me download it.
capsshift
Posted on 2007-9-26 23:32:23
See, I said Avira would flag it in the new version.
Start of the scan: 2007年9月26日  23:31

Starting the file scan:

Begin scan in 'C:\Users\lenovo\Downloads\EVENTREP.rar'
C:\Users\lenovo\Downloads\EVENTREP.rar
  [0] Archive type: RAR
  --> EVENTREP.DLL
      [DETECTION] Is the Trojan horse TR/Banker.FRN
      [INFO]      The file was moved to '473f7b9c.qua'!

It's just that I really don't understand: is this file, which can't be run on its own, really harmful?
xxh21cn
Posted on 2007-9-26 23:35:50
Originally posted by Nblock on 2007-9-26 11:17:
Truly speechless. I've found a lot of people really don't understand Micropoint. I should write a little something to educate folks.

Haha, many people on this forum have never used Micropoint, yet they love to pass judgment on it.
That would still be fine, but some don't even know what Micropoint's features are and still dare to talk here.
Micropoint has never claimed it has no signatures; it has repeatedly said that it does have signatures.
Yet a lot of people still use that to make a fuss. Some people dare to comment on things they know nothing about.
I'm really done with some of the people in here!!!!!!
Nblock
Posted on 2007-9-26 23:53:01
So the AV finally flags it after an update. Is it a false positive?
Nblock
Posted on 2007-9-27 00:07:13
In fact some people are biased against Micropoint: they think Micropoint, which holds 5 patents, isn't doing behavioral judgment at all but is just muddling through and flagging things at random; they say Micropoint has lots of false positives, say it is nothing but a whitelist plus a blacklist. They always look at it through tinted glasses instead of actually testing it in practice, or even just reading the help file that ships with Micropoint. They don't stop to think that if software that has been in public beta for 2 years were really that simple and sloppy, the experts would have spoken up long ago.

Micropoint officially: "Nobody would pay you for software as simple as yours." Once Micropoint is on the market, we'll take it one step at a time.
运指如飞
Posted on 2007-9-27 09:46:25
A DLL file.

Micropoint's working mode is different; it's behavior-based judgment, right?
googlehack
Posted on 2007-9-30 11:04:34
Micropoint is really impressive!
gold2007
Posted on 2007-9-30 11:21:13
Originally posted by Nblock on 2007-9-27 00:07:
In fact some people are biased against Micropoint: they think Micropoint, which holds 5 patents, isn't doing behavioral judgment at all but is just muddling through and flagging things at random; they say Micropoint has lots of false positives, say it is nothing but a whitelist plus a blacklist. They always look at it through tinted glasses instead of actually testing it in practice, or even just reading the help file that ships with Micropoint. They ...

The mentality of certain people can be explained like this:
Although I have never used Micropoint, I'm sure it's no good;
although it sometimes looks stronger than other AVs, it isn't really stronger, it's just guessing;
although you try to get me to use Micropoint so I'll believe it's good, I don't need to use it to know it's no good;
although you ask me to produce evidence that Micropoint is no good to support my view, I don't have and don't need any evidence; if I say it's no good, it's no good.
...
Copyright © KaFan  KaFan.cn All Rights Reserved.