Views: 5343 | Replies: 21

[Virus sample] trojan

jehovah_king
Posted 2007-11-4 21:49:23
KIS7 only started flagging it recently; BD doesn't flag it, and Rising doesn't flag it either.
A screen-lock tool (挂机锁) from a "handy little utilities" pack I got a long time ago is now being detected as a virus; it used to work fine.

Below is the email content


Hello, yes it is a real trojan.


Please quote all when answering.

--
Best regards, Dmitry Shvetsov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.



> Attachment: compress-icon.png
> Attachment: print-icon.png
> Attachment: avp.zip

>  is it really a virus?
>  
>  quote:
>  
>  File ______.exe received on 11.04.2007 12:16:53 (CET)
>  
>  Result: 5/32 (15.63%)
>  
>        Antivirus Version Last Update Result
>        AhnLab-V3 2007.11.3.0 2007.11.02 -
>        AntiVir 7.6.0.30 2007.11.02 -
>        Authentium 4.93.8 2007.11.03 -
>        Avast 4.7.1074.0 2007.11.03 Win32:Trojan-gen {Other}
>        AVG 7.5.0.503 2007.11.03 PSW.Generic3.UDD
>        BitDefender 7.2 2007.11.04 -
>        CAT-QuickHeal 9.00 2007.11.03 -
>        ClamAV 0.91.2 2007.11.04 -
>        DrWeb 4.44.0.09170 2007.11.04 -
>        eSafe 7.0.15.0 2007.10.28 -
>        eTrust-Vet 31.2.5264 2007.11.02 -
>        Ewido 4.0 2007.11.03 -
>        FileAdvisor 1 2007.11.04 -
>        Fortinet 3.11.0.0 2007.10.19 -
>        F-Prot 4.4.2.54 2007.11.03 -
>        F-Secure 6.70.13030.0 2007.11.04 Trojan.Win32.Chifrax.a
>        Ikarus T3.1.1.12 2007.11.04 -
>        Kaspersky 7.0.0.125 2007.11.04 Trojan.Win32.Chifrax.a
>        McAfee 5155 2007.11.02 -
>        Microsoft 1.2908 2007.11.04 TrojanDropper:Win32/Hupigon.gen!A
>        NOD32v2 2636 2007.11.03 -
>        Norman 5.80.02 2007.11.02 -
>        Panda 9.0.0.4 2007.11.04 -
>        Prevx1 V2 2007.11.04 -
>        Rising 20.16.62.00 2007.11.04 -
>        Sophos 4.23.0 2007.11.04 -
>        Sunbelt 2.2.907.0 2007.11.02 -
>        Symantec 10 2007.11.04 -
>        TheHacker 6.2.9.110 2007.10.27 -
>        VBA32 3.12.2.4 2007.11.03 -
>        VirusBuster 4.3.26:9 2007.11.03 -
>        Webwasher-Gateway 6.6.1 2007.11.02 -
>        Additional information
>        File size: 421825 bytes
>        MD5: 7d6bb37fdcd90d61745e630b1b5282b1
>        SHA1: 83f89d7ba48d04efbecdad18a0bc8034fff7db79
pmj_sh
Posted 2007-11-4 21:51:23
检测到病毒: Trojan.Win32.Chifrax.a
文件: 挂机锁.exe
Nerazzurri
Posted 2007-11-4 21:54:30
pmj_sh
Posted 2007-11-4 22:00:51
There's no HIPS on this machine, only the DW sandbox. I watched it write to key registry locations, and the dropped file is flagged as a backdoor, so it's most likely malicious.

检测到病毒: Backdoor.Win32.Bifrose.kt
文件: SysDriver.exe
VirSCAN.org Scanned Report :
Scanned time   : 2007/11/04 21:55:24 (CST)
Scanner results: 83%的杀软(29/35)报告发现病毒
File Name      : SysDriver.rar
File Size      : 320589 byte
File Type      : RAR archive data, v1d, os
MD5            : 50adf690a82da4bea10a41ad5b361e29
SHA1           : e54f687000412eb27fbfce0743059cc08ecb7a19
Online report  : http://virscan.org/report/258a171d053109bd822b76db1ac1c898.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      3.0.0.126       2007.11.02        2007-11-02  4.43   Backdoor.Win32.Bifrose.kt
安博士V3       2007.11.03.00   2007.11.03        2007-11-03  1.33   -
AntiVir        7.6.0.30        7.0.0.165         2007-11-02  6.75   BDS/Hupigon.Gen
Arcavir        1.0.4           200711032011      2007-11-03  5.80   Trojan.Bifrose.Kt
AVAST          1.0.8           071103-0          2007-11-03  7.42   Win32:Trojan-gen {Other}
AVG            7.5.49.442      269.15.14/1100    2007-10-30  4.85   BackDoor.Generic7.AYZ
BitDefender    7.60825.937692  7.15659           2007-11-04  9.13   Backdoor.Bifrose.KT
CA (VET)       8.4.0.24        31.2.5264         2007-11-03  0.75   -
ClamAV         0.91.2          4672              2007-11-04  0.71   PUA.Packed.SVKP
Comodo         2.11            2.0.0.334         2007-11-04  1.48   -
Dr.WEB         4.44.0.9170     2007.11.04        2007-11-04  7.27   BackDoor.Pigeon.740
ewido          4.0.0.2         2007.11.03        2007-11-03  2.23   Backdoor.Bifrose.kt
F-PROT         4.4.1.52        20071103          2007-11-03  1.39   W32/Backdoor.AVJV (exact)
F-SECURE       5.51.6100       2007.11.02.02     2007-11-02  0.51   Backdoor.Win32.Bifrose.kt [AVP]
飞塔           2.81-3.11       8.322             2007-11-04  3.15   W32/GrayBird.KT!tr.bdr
ViRobot        20071102        2007.11.02        2007-11-02  0.65   -
IKARUS         T3.1.01.15      2007.11.04.69764  2007-11-04  1.30   Backdoor.Win32.Hupigon.dsx
江民杀毒       10.00.650       2007.11.03        2007-11-03  1.29   Backdoor/Huigezi.evi
卡巴斯基       5.5.10          2007.11.04        2007-11-04  12.34  Backdoor.Win32.Bifrose.kt
金山毒霸       2007.6.20.249   2007.11.2         2007-11-02  1.19   Win32.Hack.Huigezi.cz
迈克菲         5.2.00          5155              2007-11-02  4.88   BackDoor-AWQ.b
MKS_VIR        2.01            2007.11.03        2007-11-03  7.25   -
NOD32          2.70.10         2636              2007-11-03  67.07  probably a variant of Win32/Bifrose trojan
NORMAN         5.91.08         5.90              2007-11-02  5.46   W32/Bifrose.HPB
熊猫卫士       9.04.03.0001    2007.11.03        2007-11-03  6.68   Generic Malware     
趋势           8.500-1001      4.810.27          2007-11-04  0.07   Possible_HPGN-1
Prevx          V2              20071104          2007-11-04  10.44  BACKDOOR.PIGEON.740
QuickHeal      9.00            2007.11.03        2007-11-03  2.31   Backdoor.Bifrose.kt
瑞星           19.0            20.16.62.00       2007-11-04  2.46   Backdoor.Gpigeon.GEN
SOPHOS         2.49.1          4.21              2007-11-04  10.12  Mal/GrayBird
赛门铁克       1.3.0.24        20071103.005      2007-11-03  0.88   Backdoor.Graybird!Gen
nProtect       2007-11-03.00   1019615           2007-11-03  7.97   Backdoor.Bifrose.KT
The Hacker     6.2.9           v00110            2007-10-26  0.78   Backdoor/Bifrose.kt
VBA32          3.12.2.4        20071103.0757     2007-11-03  5.79   Backdoor.Win32.Bifrose.kt
VirusBuster    4.3.19:9        9.113.10/11.0     2007-11-03  2.90   -

SONGBOWEN
Posted 2007-11-4 22:09:53
Kaspersky 6:
已检测: 木马程序 Trojan.Win32.Chifrax.a        文件: C:\Documents and Settings\Administrator\桌面\gjs.exe

BitDefender 2008: miss

Avira: miss
jehovah_king
OP | Posted 2007-11-4 22:10:02

re

卡巴斯基       5.5.10          2007.11.04        2007-11-04  12.34  Backdoor.Win32.Bifrose.kt
Kaspersky           7.0.0.125     2007.11.04 Trojan.Win32.Chifrax.a
Why do identical signature databases report different results?
SONGBOWEN
Posted 2007-11-4 22:10:28
Originally posted by jehovah_king on 2007-11-4 22:10
卡巴斯基       5.5.10          2007.11.04        2007-11-04  12.34  Backdoor.Win32.Bifrose.kt
Kaspersky           7.0.0.125     2007.11.04 Trojan.Win32.Chifrax.a
Why do identical signature databases report different results?

Ugh... what is Kaspersky playing at???
SONGBOWEN
Posted 2007-11-4 22:11:25
Hold on, I'll post the Norman sandbox report...
Then it'll be clear~
SONGBOWEN
Posted 2007-11-4 22:12:27
Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.  Customer delight is our top priority at
Norman.  With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer
http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter
http://www.norman.com/Product/Sandbox-products/Reporter/

桌 : INFECTED with W32/Malware (Signature: NO_VIRUS)


[ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
    * Compressed: NO

[ General information ]
    * Attempts to run Visual Basic Script (VBS).
    * File length:       421825 bytes.
    * MD5 hash: 7d6bb37fdcd90d61745e630b1b5282b1.

[ Changes to filesystem ]
    * Creates directory C:.
    * Creates directory C:\WINDOWS.
    * Creates directory C:\WINDOWS\TEMP.
    * Creates directory C:\WINDOWS\TEMP\RarSFX0.
    * Creates file C:\WINDOWS\TEMP\RarSFX0\DSMODAL.DLL.
    * Creates file C:\WINDOWS\TEMP\RarSFX0\;.exe.
    * Creates file C:\WINDOWS\TEMP\RarSFX0\SysDriver.exe.
    * Creates file C:\WINDOWS\TEMP\RarSFX0\AutoRegister.vbs.
    * Deletes file C:\WINDOWS\TEMP\RarSFX0.

[ Process/window information ]
    * Attemps to NULL C:\WINDOWS\TEMP\RarSFX0\AutoRegister.vbs NULL.

[ Signature Scanning ]
    * C:\WINDOWS\TEMP\RarSFX0\DSMODAL.DLL (7168 bytes) : no signature detection.
    * C:\WINDOWS\TEMP\RarSFX0\;.exe (14336 bytes) : no signature detection.
    * C:\WINDOWS\TEMP\RarSFX0\SysDriver.exe (338432 bytes) : no signature detection.
    * C:\WINDOWS\TEMP\RarSFX0\AutoRegister.vbs (134 bytes) : no signature detection.



(C) 2004-2006 Norman ASA. All Rights Reserved.


Looks like there is something wrong with it. Why is it a RAR self-extractor???
Let me extract it and take a look...
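A small triage parser for the Norman SandBox report layout pasted above, added here as an example (it is not the forum's, Norman's, or any poster's code): it reads the `[ Changes to filesystem ]` section, lists the files the RAR SFX writes under a `RarSFX<n>` temp directory, and records whether that staging directory is deleted afterwards. The report excerpt embedded in it is constructed from the lines above, and the `PAYLOAD_EXT` list is an assumption.

```python
import re

# Constructed excerpt in the layout of the Norman SandBox report above
# (only the sections this parser needs).
SAMPLE_REPORT = r"""
[ General information ]
    * Attempts to run Visual Basic Script (VBS).
    * File length:       421825 bytes.

[ Changes to filesystem ]
    * Creates directory C:\WINDOWS\TEMP\RarSFX0.
    * Creates file C:\WINDOWS\TEMP\RarSFX0\DSMODAL.DLL.
    * Creates file C:\WINDOWS\TEMP\RarSFX0\;.exe.
    * Creates file C:\WINDOWS\TEMP\RarSFX0\SysDriver.exe.
    * Creates file C:\WINDOWS\TEMP\RarSFX0\AutoRegister.vbs.
    * Deletes file C:\WINDOWS\TEMP\RarSFX0.
"""

# One bullet of the filesystem section: "* Creates file <path>." (trailing dot optional)
_CHANGE = re.compile(r"^\s*\*\s+(Creates|Deletes) (directory|file) (.+?)\.?$")
PAYLOAD_EXT = (".exe", ".dll", ".vbs", ".bat", ".cmd", ".scr")  # assumed set of interest


def parse_fs_changes(report: str) -> list[tuple[str, str, str]]:
    """Return (action, kind, path) triples from the [ Changes to filesystem ] section."""
    changes, in_section = [], False
    for line in report.splitlines():
        if line.startswith("["):                       # section header line
            in_section = line.strip() == "[ Changes to filesystem ]"
            continue
        m = _CHANGE.match(line) if in_section else None
        if m:
            changes.append((m.group(1), m.group(2), m.group(3)))
    return changes


def triage(report: str) -> dict:
    """Flag the RAR-SFX dropper pattern seen in the report: payloads written under a
    RarSFX<n> temp directory, with the staging directory removed afterwards."""
    changes = parse_fs_changes(report)
    created = [p for a, k, p in changes if a == "Creates" and k == "file"]
    staged = [p for p in created if re.search(r"\\RarSFX\d+\\", p, re.I)]
    payloads = [p for p in staged if p.lower().endswith(PAYLOAD_EXT)]
    removed = any(a == "Deletes" and re.search(r"\\RarSFX\d+$", p, re.I)
                  for a, _, p in changes)
    return {"sfx_dropper": bool(payloads), "payloads": payloads, "staging_removed": removed}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run against the excerpt it reports all four dropped files (DSMODAL.DLL, ;.exe, SysDriver.exe, AutoRegister.vbs) and a removed staging directory, which is the behaviour that makes the sample a dropper regardless of how few scanners had a signature for the outer archive.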
SONGBOWEN
Posted 2007-11-4 22:13:29
Ugh... it won't extract...
PEiD: Nothing Found...