[6129cd]BehavesLike:Trojan.ShellStartup

promised

solcroft

无法执行的MZ开头文件
死尸？

wangjay1980

BehavesLike启发死尸？

Nerazzurri

Trojan-Downloader.Win32.Delf.chj

wangjay1980

原来SYS

changzheng2

Avira  HEUR/Malware
Prevx1  Heuristic: Suspicious Self Modifying File
Webwasher  Heuristic.Malware
Fortinet  Suspicious
Symentec  Trojan Horse
Kaspersky  Trojan-Downloader.Win32.Delf.chj
VirusBuster  Trojan.PWS.Agent.JBN.Gen
nProtect  BehavesLike:Trojan.ShellStartup
Nod32  

a variant of Win32/Adware.MoKeAD application Ikarus  not-a-virus:AdWare.Win32.Agent.bs Bitdefender  BehavesLike:Trojan.ShellStartup (suspected) Avast!  Win32:Delf-FBC [Trj]

jsshow.sys : INFECTED with W32/Malware
    Compressed: NO

[ GNR info]
    * Drops files in %WINSYS% folder.
   
[ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\8a08F8Lg.dll.
    * Creates directory C:\Windows\system32\wbem.
    * Creates file C:\windows\system32\XXXXXYYYYZZZZA.DLL.
    * Creates file C:\WINDOWS\system32\wbem\EEEFFF.MDA.
    * Creates file C:\windows\system32\wbem\CCDDDD.DLL.
    * Creates file C:\WINDOWS\SYSTEM32\arun.reg.
    * Deletes file C:\WINDOWS\SYSTEM32\arun.reg.

[ Changes to registry ]
    * Sets value "shell"="Explorer.exe jshelp.exe" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".

[ Network services ]
    * Connects to "xxx.gjj.cc" （中国重庆市合川区电信）on port 80 (IP).
    * Opens URL: xxx.gjj.cc/.
    * Opens URL: hxxp://xxx.hjob123.com/dfiles/txt/corphff.txt.
    * Connects to "xxx.hjob123.com"（中国福建省泉州市电信ADSL) on port 80 (TCP).
    * Opens URL: xxx.hjob123.com/dfiles/txt/corphff.txt.

[ Process&window info ]
    * Creates an event called .
    * Will automatically restart after boot (I'll be back...).

king6808

已删除：木马程序 Trojan-Downloader.Win32.Delf.chj        文件　: G:\10.1\jsshow.rar/jsshow.sys