Views: 6429 | Replies: 23

[Virus sample] An eeee.exe has already made its way onto pcpop.com (PCPOP), scary

flysoon
Posted on 2007-10-5 15:30:40
I often go to pcpop.com to check prices and the like. Today, of all sites, Maxthon 2.0.3 warned about a dangerous script there.
Under Documents and Settings\Administrator\Local Settings\Temp there are two suspicious files, eeee.exe and eeee.vbs.
Searching on Baidu says it is a PPStream vulnerability.
Even a site with this much traffic has it, scary.
The suspicious files are in the rar archive; could an expert analyze them?

Giggs
Posted on 2007-10-5 15:32:47

Start of the scan: 2007年10月5日  15:34

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\eeee.rar'
C:\Documents and Settings\Administrator\桌面\eeee.rar
  [0] Archive type: RAR
  --> eeee\eeee.exe
      [DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen
      [INFO]      A backup was created as '476ae987.qua'  ( QUARANTINE )
      [INFO]      The file was deleted!
flysoon
OP | Posted on 2007-10-5 15:33:17
To add: so far, of the sites I regularly visit, only pcpop shows the warning above.
The EQs
Posted on 2007-10-5 15:35:04

qigang
Posted on 2007-10-5 15:39:19
RX doesn't detect it.
微点卫士
Posted on 2007-10-5 15:39:46
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\EEEE\EEEE.EXE
木马程序生成以下文件:
1) C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\SYSTEM36.JUP
2) C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\SYSTEM6.INS
是否删除木马程序及其衍生物?
hj5abc
Posted on 2007-10-5 15:40:37
Max is impressive..

Also, just use Group Policy to block execution of temp\*.exe and that takes care of it.

ps. Did EQ2 install Vista? Or is that a theme pack?
IllusionWing
Posted on 2007-10-5 15:41:25
UGuard Log (Digital Fox - gankeyu@126.com)
UGuarduu.exe = 4.3.1
HC0.rlb = 2.9.1
HC2.rlb = 2.4.0
FN0.rlb = 2.3.1
扫描选项:扫描档案, 扩展, 忽略非活动, 忽略大文件, nFile, BAT模拟, 捆绑检测, 变形壳, 启发,
[扫描] [捆绑检测] 在 C:\Documents and Settings\Administrator\桌面\Virus\eeee\eeee.exe//UPX 检测到 Generic.Binder
检测到了 1 个未知的恶意程序,请上报。
任务 扫描 完成。共耗费的时间:0-00-00 00:00:00:0081,共扫描的文件数量:3,共扫描到的威胁数量:1,威胁率:33.33%,扫描速率: 37.04 文件/秒,扫描速度: 885.5 千字节/秒
The EQs
Posted on 2007-10-5 15:42:11

Reply to #7, hj5abc's post

It's a Vista UI emulator.... If I were going to install something, it would have to be Mac OS, for fun
promised
Posted on 2007-10-5 15:46:06
0040478B |. 50 PUSH EAX ; |String1
0040478C |. E8 A7F2FFFF CALL ; \lstrcmpiA
00404791 |. 85C0 TEST EAX,EAX
00404793 |. 74 5D JE SHORT eeee.004047F2
00404795 |. 8B0D D0514000 MOV ECX,DWORD PTR DS:[4051D0] ; eeee.004050AC
0040479B |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
0040479D |. A1 D0514000 MOV EAX,DWORD PTR DS:[4051D0]
004047A2 |. 8B15 BC514000 MOV EDX,DWORD PTR DS:[4051BC]
004047A8 |. E8 47E9FFFF CALL eeee.004030F4
004047AD |. A1 D0514000 MOV EAX,DWORD PTR DS:[4051D0]
004047B2 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004047B4 |. E8 53EAFFFF CALL eeee.0040320C
004047B9 |. 50 PUSH EAX ; /FileName
004047BA |. E8 D1F1FFFF CALL ; \DeleteFileA
004047BF |. 6A 00 PUSH 0
004047C1 |. A1 D0514000 MOV EAX,DWORD PTR DS:[4051D0]
004047C6 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004047C8 |. E8 3FEAFFFF CALL eeee.0040320C
004047CD |. 50 PUSH EAX
004047CE |. A1 C8514000 MOV EAX,DWORD PTR DS:[4051C8]
004047D3 |. E8 34EAFFFF CALL eeee.0040320C
004047D8 |. 50 PUSH EAX ; |ExistingFileName
004047D9 |. E8 A2F1FFFF CALL ; \CopyFileA
004047DE |. 6A 06 PUSH 6
004047E0 |. A1 D0514000 MOV EAX,DWORD PTR DS:[4051D0]
004047E5 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004047E7 |. E8 20EAFFFF CALL eeee.0040320C
004047EC |. 50 PUSH EAX ; |FileName
004047ED |. E8 16F2FFFF CALL ; \SetFileAttributesA
004047F2 |> B8 C0514000 MOV EAX,eeee.004051C0
004047F7 |. B9 BC494000 MOV ECX,eeee.004049BC ; ASCII "System6.ins"
004047FC |. 8B15 BC514000 MOV EDX,DWORD PTR DS:[4051BC]
00404802 |. E8 EDE8FFFF CALL eeee.004030F4
00404807 |. B8 C4514000 MOV EAX,eeee.004051C4
0040480C |. B9 D0494000 MOV ECX,eeee.004049D0 ; ASCII "System6.tmp"
00404811 |. 8B15 BC514000 MOV EDX,DWORD PTR DS:[4051BC]
00404817 |. E8 D8E8FFFF CALL eeee.004030F4
0040481C |. A1 C0514000 MOV EAX,DWORD PTR DS:[4051C0]
00404821 |. E8 E6E9FFFF CALL eeee.0040320C
00404826 |. 50 PUSH EAX ; /Arg1
00404827 |. E8 58F9FFFF CALL eeee.00404184 ; \eeee.00404184
0040482C |. A1 C0514000 MOV EAX,DWORD PTR DS:[4051C0]
00404831 |. E8 D6E9FFFF CALL eeee.0040320C
00404836 |. 50 PUSH EAX ; /Path
00404837 |. E8 14F4FFFF CALL ; \PathFileExistsA
0040483C |. 85C0 TEST EAX,EAX
0040483E |. 74 33 JE SHORT eeee.00404873
00404840 |. A1 CC514000 MOV EAX,DWORD PTR DS:[4051CC]
00404845 |. 50 PUSH EAX
00404846 |. A1 C4514000 MOV EAX,DWORD PTR DS:[4051C4]
0040484B |. E8 BCE9FFFF CALL eeee.0040320C
00404850 |. 8BC8 MOV ECX,EAX ; |
00404852 |. BA DC494000 MOV EDX,eeee.004049DC ; |ASCII "DATAINFO"
00404857 |. B8 0A000000 MOV EAX,0A ; |
0040485C |. E8 3FF4FFFF CALL eeee.00403CA0 ; \eeee.00403CA0
00404861 |. 8B15 C4514000 MOV EDX,DWORD PTR DS:[4051C4] ; eeee.0040459C
00404867 |. A1 C0514000 MOV EAX,DWORD PTR DS:[4051C0]
0040486C |. E8 2BF8FFFF CALL eeee.0040409C
00404871 |. EB 21 JMP SHORT eeee.00404894
00404873 |> A1 CC514000 MOV EAX,DWORD PTR DS:[4051CC]
00404878 |. 50 PUSH EAX
00404879 |. A1 C0514000 MOV EAX,DWORD PTR DS:[4051C0]
0040487E |. E8 89E9FFFF CALL eeee.0040320C
00404883 |. 8BC8 MOV ECX,EAX ; |
00404885 |. BA DC494000 MOV EDX,eeee.004049DC ; |ASCII "DATAINFO"
0040488A |. B8 0A000000 MOV EAX,0A ; |
0040488F |. E8 0CF4FFFF CALL eeee.00403CA0 ; \eeee.00403CA0
00404894 |> 68 E8494000 PUSH eeee.004049E8 ; /Title = "bla145a"
00404899 |. 68 F0494000 PUSH eeee.004049F0 ; |Class = "ListBox"
0040489E |. E8 C5F1FFFF CALL ; \FindWindowA
004048A3 |. 50 PUSH EAX ; /hWnd
004048A4 |. E8 07F2FFFF CALL ; \IsWindow
004048A9 |. 85C0 TEST EAX,EAX
004048AB |. 0F85 A4000000 JNZ eeee.00404955
004048B1 |. 68 F8494000 PUSH eeee.004049F8 ; /Title = "bg5dx8e"
004048B6 |. 68 F0494000 PUSH eeee.004049F0 ; |Class = "ListBox"
004048BB |. E8 A8F1FFFF CALL ; \FindWindowA
004048C0 |. 50 PUSH EAX ; /hWnd
004048C1 |. E8 EAF1FFFF CALL ; \IsWindow
004048C6 |. 85C0 TEST EAX,EAX
004048C8 |. 0F85 87000000 JNZ eeee.00404955
004048CE |. 6A 00 PUSH 0 ; /Arg8 = 00000000
004048D0 |. 6A 00 PUSH 0 ; |Arg7 = 00000000
004048D2 |. 6A 00 PUSH 0 ; |Arg6 = 00000000
004048D4 |. 6A 00 PUSH 0 ; |Arg5 = 00000000
004048D6 |. 6A 00 PUSH 0 ; |Arg4 = 00000000
004048D8 |. 6A 00 PUSH 0 ; |Arg3 = 00000000
004048DA |. A1 50664000 MOV EAX,DWORD PTR DS:[406650] ; |
004048DF |. 50 PUSH EAX ; |Arg2 => 00000000
004048E0 |. 6A 00 PUSH 0 ; |Arg1 = 00000000
004048E2 |. BA F8494000 MOV EDX,eeee.004049F8 ; |ASCII "bg5dx8e"
004048E7 |. B8 F0494000 MOV EAX,eeee.004049F0 ; |ASCII "ListBox"
004048EC |. 33C9 XOR ECX,ECX ; |
004048EE |. E8 49FCFFFF CALL eeee.0040453C ; \eeee.0040453C
004048F3 |. A1 C0514000 MOV EAX,DWORD PTR DS:[4051C0]
004048F8 |. E8 0FE9FFFF CALL eeee.0040320C
004048FD |. 50 PUSH EAX ; /FileName
004048FE |. E8 D5F0FFFF CALL ; \LoadLibraryA
00404903 |. 8BD8 MOV EBX,EAX
00404905 |. 85DB TEST EBX,EBX
00404907 |. 74 4C JE SHORT eeee.00404955
00404909 |. 68 004A4000 PUSH eeee.00404A00 ; /ProcNameOrOrdinal = "HookCl"
0040490E |. 53 PUSH EBX ; |hModule
0040490F |. E8 10FCFFFF CALL ; \GetProcAddress
00404914 |. 89C7 MOV EDI,EAX
00404916 |. 68 084A4000 PUSH eeee.00404A08 ; /ProcNameOrOrdinal = "HookOn"
0040491B |. 53 PUSH EBX ; |hModule
0040491C |. E8 03FCFFFF CALL ; \GetProcAddress
00404921 |. 89C6 MOV ESI,EAX
00404923 |. 85F6 TEST ESI,ESI
00404925 |. 74 2E JE SHORT eeee.00404955
00404927 |. 85FF TEST EDI,EDI
00404929 |. 74 2A JE SHORT eeee.00404955
0040492B |. FFD6 CALL ESI
0040492D |. EB 0A JMP SHORT eeee.00404939
0040492F |> 68 98664000 /PUSH eeee.00406698 ; /pMsg = WM_NULL
00404934 |. E8 1FF1FFFF |CALL ; \DispatchMessageA
00404939 |> 6A 00 PUSH 0 ; /MsgFilterMax = 0
0040493B |. 6A 00 |PUSH 0 ; |MsgFilterMin = 0
0040493D |. 6A 00 |PUSH 0 ; |hWnd = NULL
0040493F |. 68 98664000 |PUSH eeee.00406698 ; |pMsg = eeee.00406698
00404944 |. E8 4FF1FFFF |CALL ; \GetMessageA
00404949 |. 85C0 |TEST EAX,EAX
0040494B |.^ 75 E2 \JNZ SHORT eeee.0040492F
0040494D |. FFD7 CALL EDI
0040494F |. 53 PUSH EBX ; /hLibModule
00404950 |. E8 4BF0FFFF CALL ; \FreeLibrary
00404955 |> A1 D4514000 MOV EAX,DWORD PTR DS:[4051D4]
0040495A |. 8378 08 00 CMP DWORD PTR DS:[EAX+8],0
0040495E |. 74 28 JE SHORT eeee.00404988
00404960 |. A1 C0514000 MOV EAX,DWORD PTR DS:[4051C0]
00404965 |. E8 A2E8FFFF CALL eeee.0040320C
0040496A |. E8 F9F5FFFF CALL eeee.00403F68
0040496F |. 68 104A4000 PUSH eeee.00404A10 ; /Arg4 = 00404A10
00404974 |. 68 144A4000 PUSH eeee.00404A14 ; |Arg3 = 00404A14 ASCII "{37C3125C-9CB6-4503-8F38-63D80ADEFA07}"
00404979 |. 68 3C4A4000 PUSH eeee.00404A3C ; |Arg2 = 00404A3C ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
0040497E |. 68 02000080 PUSH 80000002 ; |Arg1 = 80000002
00404983 |. E8 7CF5FFFF CALL eeee.00403F04 ; \eeee.00403F04

Basically it injects itself and then downloads things.
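As an added example for this thread (my code, not code from the original post or from any tool named in it), the script below parses an OllyDbg-style listing like the one above and pulls out the behaviour indicators a responder would record from it: the Win32 APIs called in order, the string literals, the self-copy's file attributes (the `PUSH 6` before SetFileAttributesA is FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM), the exports resolved through GetProcAddress, and the registry hive, key path and CLSID of the ShellExecuteHooks registration. The regexes key on OllyDbg's comment conventions (`CALL ; \ApiName`, `ASCII "..."`, `ProcNameOrOrdinal = "..."`); the embedded SAMPLE_LISTING is an excerpt of the listing in this post with line numbers stripped, and the indicator rules and lookup tables are my own assumptions rather than anything the poster used.

```python
"""Pull behaviour indicators out of an OllyDbg-style disassembly listing.

Added example for this thread, not code from the original post. It keys on
OllyDbg's comment conventions (`CALL ; \\ApiName`, `ASCII "..."`,
`ProcNameOrOrdinal = "..."`); the indicator rules are assumptions chosen to
match what the posted listing shows.
"""
import re

# Excerpt of the listing posted in the thread, with the line numbers stripped.
SAMPLE_LISTING = r"""
0040478C |. E8 A7F2FFFF CALL ; \lstrcmpiA
004047B9 |. 50 PUSH EAX ; /FileName
004047BA |. E8 D1F1FFFF CALL ; \DeleteFileA
004047BF |. 6A 00 PUSH 0
004047D8 |. 50 PUSH EAX ; |ExistingFileName
004047D9 |. E8 A2F1FFFF CALL ; \CopyFileA
004047DE |. 6A 06 PUSH 6
004047EC |. 50 PUSH EAX ; |FileName
004047ED |. E8 16F2FFFF CALL ; \SetFileAttributesA
004047F7 |. B9 BC494000 MOV ECX,eeee.004049BC ; ASCII "System6.ins"
0040480C |. B9 D0494000 MOV ECX,eeee.004049D0 ; ASCII "System6.tmp"
00404837 |. E8 14F4FFFF CALL ; \PathFileExistsA
00404852 |. BA DC494000 MOV EDX,eeee.004049DC ; |ASCII "DATAINFO"
00404894 |> 68 E8494000 PUSH eeee.004049E8 ; /Title = "bla145a"
00404899 |. 68 F0494000 PUSH eeee.004049F0 ; |Class = "ListBox"
0040489E |. E8 C5F1FFFF CALL ; \FindWindowA
004048FE |. E8 D5F0FFFF CALL ; \LoadLibraryA
00404909 |. 68 004A4000 PUSH eeee.00404A00 ; /ProcNameOrOrdinal = "HookCl"
0040490F |. E8 10FCFFFF CALL ; \GetProcAddress
00404916 |. 68 084A4000 PUSH eeee.00404A08 ; /ProcNameOrOrdinal = "HookOn"
0040491C |. E8 03FCFFFF CALL ; \GetProcAddress
00404950 |. E8 4BF0FFFF CALL ; \FreeLibrary
00404974 |. 68 144A4000 PUSH eeee.00404A14 ; |Arg3 = 00404A14 ASCII "{37C3125C-9CB6-4503-8F38-63D80ADEFA07}"
00404979 |. 68 3C4A4000 PUSH eeee.00404A3C ; |Arg2 = 00404A3C ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
0040497E |. 68 02000080 PUSH 80000002 ; |Arg1 = 80000002
"""

API_RE = re.compile(r'CALL\s*;\s*\\(\w+)')             # CALL ; \DeleteFileA
STRING_RE = re.compile(r'"([^"]*)"')                     # any quoted literal
PROC_RE = re.compile(r'ProcNameOrOrdinal = "([^"]*)"')   # GetProcAddress name
IMM_PUSH_RE = re.compile(r'\bPUSH ([0-9A-F]+)\s*$')      # PUSH of a bare immediate
HIVE_RE = re.compile(r'\bPUSH (8000000[0-3])\b')         # HKEY_* root handles
CLSID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}')

# Win32 predefined registry handles and FILE_ATTRIBUTE_* bits (real constants).
HIVES = {'80000000': 'HKEY_CLASSES_ROOT', '80000001': 'HKEY_CURRENT_USER',
         '80000002': 'HKEY_LOCAL_MACHINE', '80000003': 'HKEY_USERS'}
FILE_ATTRS = {0x1: 'READONLY', 0x2: 'HIDDEN', 0x4: 'SYSTEM', 0x20: 'ARCHIVE'}


def decode_attributes(lines, call_index, window=8):
    """Recover the dwFileAttributes immediate pushed before SetFileAttributesA.

    OllyDbg annotates the file-name push but not the attribute value, so walk
    back a few lines for a bare `PUSH <hex>` and decode its bits.
    """
    for j in range(call_index - 1, max(-1, call_index - 1 - window), -1):
        m = IMM_PUSH_RE.search(lines[j])
        if m:
            value = int(m.group(1), 16)
            return [name for bit, name in sorted(FILE_ATTRS.items()) if value & bit]
    return []


def parse_listing(text):
    """Collect API calls (in order), string literals, CLSIDs, registry paths,
    registry hives, resolved export names and decoded file attributes."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    summary = {'api_calls': [], 'strings': [], 'clsids': [], 'registry_paths': [],
               'hives': [], 'exports': [], 'file_attributes': []}
    for i, line in enumerate(lines):
        m = API_RE.search(line)
        if m:
            summary['api_calls'].append(m.group(1))
            if m.group(1) == 'SetFileAttributesA':
                summary['file_attributes'].append(decode_attributes(lines, i))
        m = PROC_RE.search(line)
        if m:
            summary['exports'].append(m.group(1))
        for s in STRING_RE.findall(line):
            summary['strings'].append(s)
            if CLSID_RE.fullmatch(s):
                summary['clsids'].append(s)
            elif s.upper().startswith('SOFTWARE\\'):
                summary['registry_paths'].append(s)
        m = HIVE_RE.search(line)
        if m:
            summary['hives'].append(HIVES[m.group(1)])
    return summary


def behaviour_indicators(summary):
    """Turn the raw summary into the one-line findings a responder would log."""
    calls = set(summary['api_calls'])
    findings = []
    if {'CopyFileA', 'SetFileAttributesA'} <= calls:
        attrs = [a for group in summary['file_attributes'] for a in group]
        findings.append('copies a file and sets attributes ' + ('|'.join(attrs) or 'none'))
    if {'LoadLibraryA', 'GetProcAddress'} <= calls and summary['exports']:
        findings.append('loads a helper DLL and resolves exports ' + ', '.join(summary['exports']))
    if summary['clsids'] and any('ShellExecuteHooks' in p for p in summary['registry_paths']):
        hive = summary['hives'][-1] if summary['hives'] else 'unknown hive'
        findings.append(f'ShellExecuteHooks persistence under {hive} with CLSID {summary["clsids"][0]}')
    return findings


if __name__ == '__main__':
    for finding in behaviour_indicators(parse_listing(SAMPLE_LISTING)):
        print(finding)
```

Run against the excerpt it reports the hidden+system self-copy, the HookCl/HookOn exports, and the HKEY_LOCAL_MACHINE ShellExecuteHooks entry with its CLSID; for a cleanup check on an affected machine, that CLSID and key path are the values to look for, alongside the System6.ins/System6.tmp and SYSTEM36.JUP/SYSTEM6.INS paths reported earlier in the thread.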