Views: 3029 | Replies: 5

[Virus sample] HEUR/Crypted

绅博周幸
Posted on 2007-10-10 03:06:03

This post contains additional resources (attachment).

绅博周幸 (original poster)
Posted on 2007-10-10 03:07:00
A-Squared  Found nothing
AntiVir  Found HEUR/Crypted  
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
CPsecure  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found W32/Suspicious_T.gen  
Panda Antivirus  Found nothing
Rising Antivirus  Found nothing
Sophos Antivirus  Found Mal/Basine-C  
VirusBuster  Found nothing
VBA32  Found nothing
a750828
Posted on 2007-10-10 03:09:54
McAfee miss
Love=卡巴+费尔
Posted on 2007-10-10 03:26:05
Keys added: 12
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000\Control
HKLM\SYSTEM\ControlSet001\Services\moonsilver
HKLM\SYSTEM\ControlSet001\Services\moonsilver\Security
HKLM\SYSTEM\ControlSet001\Services\moonsilver\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\Security
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\Enum

Values added: 43
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000\Control\ActiveService: "moonsilver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000\Service: "moonsilver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\0000\DeviceDesc: "moonsilver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOONSILVER\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\moonsilver\Enum\0: "Root\LEGACY_MOONSILVER\0000"
HKLM\SYSTEM\ControlSet001\Services\moonsilver\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\moonsilver\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\moonsilver\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\moonsilver\Type: 0x00000110
HKLM\SYSTEM\ControlSet001\Services\moonsilver\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\moonsilver\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\moonsilver\ImagePath: "C:\WINDOWS\system32\service.exe"
HKLM\SYSTEM\ControlSet001\Services\moonsilver\DisplayName: "moonsilver"
HKLM\SYSTEM\ControlSet001\Services\moonsilver\ObjectName: "LocalSystem"
HKLM\SYSTEM\ControlSet001\Services\moonsilver\Description: "moonsilver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000\Control\ActiveService: "moonsilver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000\Service: "moonsilver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\0000\DeviceDesc: "moonsilver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MOONSILVER\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\Enum\0: "Root\LEGACY_MOONSILVER\0000"
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\ImagePath: "C:\WINDOWS\system32\service.exe"
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\DisplayName: "moonsilver"
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\moonsilver\Description: "moonsilver"
HKU\S-1-5-21-842925246-1606980848-854245398-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\桌面\freivpr.rkr: 09 00 00 00 06 00 00 00 30 46 8C 24 AA 0A C8 01
HKU\S-1-5-21-842925246-1606980848-854245398-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\桌面\service.exe: "service"
HKU\S-1-5-21-842925246-1606980848-854245398-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\service.exe: "service"

Values modified: 7
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: FB D7 26 0E E9 B6 8F 85 51 B9 E9 EB 29 91 AF 74 65 7A 9E 42 3C A7 7D 6F F6 59 B1 00 A8 35 30 C0 F2 45 B7 AC 01 C1 C4 5B B9 ED 8E 05 77 88 6F 33 4E 4F 9C 15 43 CF D8 CA D8 53 8A DB E9 42 3E A5 C7 59 D0 2D C7 E6 81 51 CA 79 C9 F7 43 D2 5A 6E
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: A9 46 84 4C 01 3D 1B 17 E5 0E 2C 0F 8F 23 A1 F7 BE C2 B6 A9 98 8D 0F 1A A9 E8 58 39 C2 B8 EA 16 6E 4D AD 29 5C DC F7 FD 63 A0 17 DB 9F C3 21 9E 4E 3B 29 3B C0 AE D8 D0 11 D8 DB 8C 50 A1 0E 6F BE B5 09 18 1F CE B4 7B 12 60 67 F8 00 15 D5 D7
HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent\: 0x00000008
HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent\: 0x00000009
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000008
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000009
HKU\S-1-5-21-842925246-1606980848-854245398-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 14 00 00 00 10 75 49 C7 A9 0A C8 01
HKU\S-1-5-21-842925246-1606980848-854245398-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 15 00 00 00 F0 38 89 24 AA 0A C8 01
HKU\S-1-5-21-842925246-1606980848-854245398-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 14 00 00 00 B0 FB 4A C7 A9 0A C8 01
HKU\S-1-5-21-842925246-1606980848-854245398-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 15 00 00 00 30 46 8C 24 AA 0A C8 01

Files added: 3
C:\WINDOWS\system32\service.exe
C:\WINDOWS\Prefetch\SERVICE.EXE-3B559444.pf
C:\WINDOWS\Prefetch\SERVICE.EXE-396E850B.pf

Files deleted: 1
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb

Files modified: 14
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\SYSTEM
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
C:\WINDOWS\system32\wbem\Logs\wbemess.log
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
C:\Documents and Settings\Administrator\ntuser.dat.LOG
绅博周幸 (original poster)
Posted on 2007-10-10 09:39:06
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\SYSTEM
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
C:\WINDOWS\system32\wbem\Logs\wbemess.log
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
C:\Documents and Settings\Administrator\ntuser.dat.LOG
scottxzt
Posted on 2007-10-10 17:45:07

This post contains additional resources (attachment).

Copyright © KaFan  KaFan.cn All Rights Reserved.