Views: 3080 | Replies: 13

[Virus sample] c7c1bd: detected by Avira (红伞), Sophos, VBA32 and DrWeb; the rest do not detect it

lanvin
Posted on 2007-11-11 03:17:33
Sandbox report:

2.a) sample.exe - Registry Activities - Registry Keys Created:

HKLM\SYSTEM\ControlSet003
HKLM\SYSTEM\ControlSet003\Services
HKLM\SYSTEM\ControlSet003\Services\BITS
HKLM\SYSTEM\ControlSet003\Services\BITS\Parameters

         + Registry Values Modified:

2.b) sample.exe - File Activities - Files Created:

C:\WINDOWS\system32\help.dll

2.c) sample.exe - Windows Service Activities - Services Started:

BITS

         - Services Changed:

BITS
BITS
BITS

2.d) sample.exe - Process Activities - Thread Overview:

Time        Number of threads
After 6 seconds        1

2.e) sample.exe - Other Activities - Mutexes Created:

DBWinMutex
min

         + Windows SEH exceptions:

3. services.exe - General information about this executable

Analysis Reason:        A service was started.
Filename:        services.exe
MD5:        c6ce6eec82f187615d1002bb3bb50ed4
SHA-1:        b958912d139cb8dbfeeacdd38ba048c4f452174e
File Size:        108032 Bytes
Command Line:        C:\WINDOWS\system32\services.exe
Process-status at analysis end:        alive
Exit Code:        0

         + Load-time Dlls

3.a) services.exe - Registry Activities - Registry Keys Created:

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Control

         + Registry Values Modified:

         + Registry Values Read:

3.b) services.exe - File Activities - Files Created:

pipe\net\NtControlPipe9

         - Files Read:

pipe\net\NtControlPipe9

         - Files Modified:

C:\WINDOWS\system32\config\SysEvent.Evt

         - File System Control Communication:

File        Control Code        Times
pipe\net\NtControlPipe9         0x00110008         1
pipe\net\NtControlPipe9         0x0011C017         1

3.c) services.exe - Process Activities - Processes Created:

Executable        Command Line
         C:\WINDOWS\system32\svchost.exe -k netsvcs

4. svchost.exe - General information about this executable

Analysis Reason:        Started by services.exe
Filename:        svchost.exe
MD5:        8f078ae4ed187aaabc0a305146de6716
SHA-1:        da0ff4006859a7580aba81f486f692dead2014fe
File Size:        14336 Bytes
Command Line:        C:\WINDOWS\system32\svchost.exe -k netsvcs
Process-status at analysis end:        alive
Exit Code:        0

         + Load-time Dlls

         + Run-time Dlls

4.a) svchost.exe - Registry Activities - Registry Keys Created Or Opened:

HKLM\SOFTWARE\CLASSES

         + Registry Values Modified:

         + Registry Values Read:

4.b) svchost.exe - File Activities - Files Deleted:

C:\sample.exe

         - Files Read:

PIPE\lsarpc
pipe\net\NtControlPipe9

         - Files Modified:

PIPE\lsarpc
\Device\RasAcd

         - File System Control Communication:

File        Control Code        Times
PIPE\lsarpc         0x0011C017         3
\DosDevices\pipe\         0x00110018         1

         - Device Control Communication:

         - Memory Mapped Files:

File Name
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\winlogon.exe

4.c) svchost.exe - Windows Service Activities - Services Changed:

BITS

4.d) svchost.exe - Process Activities - Thread Overview:

Time        Number of threads
After 41 seconds        1

4.e) svchost.exe - Network Activity

         + DNS Queries:

         + TCP Conversation from 192.168.0.2:1074 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1072 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1078 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1076 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1082 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1080 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1054 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1052 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1084 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1058 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1088 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1056 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1086 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1062 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1060 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1066 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1064 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1070 to 222.173.188.18:80
         + TCP Conversation from 192.168.0.2:1068 to 222.173.188.18:80

         + HTTP Conversations:

         + TCP Connection Attempts:

4.f) svchost.exe - Other Activities - Mutexes Created:

DBWinMutex
netsrv

         + Windows SEH exceptions:

mofunzone
Posted on 2007-11-11 03:49:16
Starting the file scan:

Begin scan in 'C:\Users\morgan\Documents\sample.rar'
C:\Users\morgan\Documents\
  sample.rar
    [0] Archive type: RAR
    --> sample.exe
        [DETECTION] Contains suspicious code HEUR/Malware
        [WARNING]   Infected files in archives cannot be repaired!
        [WARNING]   The file was ignored!
微点卫士
Posted on 2007-11-11 07:07:44
KILL PASS
woai_jolin
Posted on 2007-11-11 10:07:20
Nerazzurri
Posted on 2007-11-11 10:19:56
Kaspersky Internet Security 7.0
The requested URL http://bbs.kafan.cn/attachment.php?aid=151968 is infected with Trojan.Win32.Agent.cra virus
29159011
Posted on 2007-11-11 10:25:33
Program:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\SAMPLE\SAMPLE.EXE
The virus program generated the following files:
1) C:\WINDOWS\SYSTEM32\HELP.DLL
Delete the Trojan program and its derivatives?
cy6266812
Posted on 2007-11-11 11:38:34
Avast did not detect it.
BING126
Posted on 2007-11-11 11:43:30
McAfee MISS
qigang
Posted on 2007-11-11 16:42:21
RX20.17.60 did not report a virus.
zeroten
Posted on 2007-11-11 16:55:43
I use Micropoint (微点); running it seemed to get no reaction.