Views: 4093 | Replies: 10

[Virus Sample] 597aaf

lanvin
Posted on 2007-11-11 21:15:23
Summary:
  Description  Risk
  Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
  Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.

Table of Contents
  General information
  sample.EXE
  2VMP~1.EXE
  dwwin.exe
  drwtsn32.exe
  
1. General Information
  Time needed: 37 s
  Report created: 11/11/07, 13:08:44
  Termination reason: All tracked processes have exited
  Program version: 1.5
  
2. sample.EXE
  General information about this executable
  Analysis Reason: Primary Analysis Subject
  Filename: sample.EXE
  MD5: 597aaf02779b13e72723bc50a2b821ec
  SHA-1: b5a544648ac29ce179f071a7d9dd25450b50b29e
  File Size: 406528 Bytes
  Command Line: "C:\sample.EXE"
  Process-status at analysis end: dead
  Exit Code: 0

  Load-time Dlls

  Run-time Dlls

  Ikarus Virus Scanner
  Backdoor.Win32.Beastdoor.l (Sig-Id:157611)

2.a) sample.EXE - Registry Activities
  Registry Values Deleted:
  Key  Name
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce  wextract_cleanup0

  Registry Values Modified:

  Registry Values Read:
  
2.b) sample.EXE - File Activities
  Files Deleted:
  C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\2VMP~1.EXE

  Files Created:
  C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\2VMP~1.EXE
  C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP

  Files Read:
  PIPE\lsarpc

  Files Modified:
  MountPointManager
  PIPE\lsarpc

  Directories Created:
  C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP

  File System Control Communication:
  File  Control Code  Times
  PIPE\lsarpc  0x0011C017  1

  Device Control Communication:
  File  Control Code  Times
  C:  0x5046280  1
  MountPointManager  0x7143432  1

2.c) sample.EXE - Process Activities
  Processes Created:
  Executable  Command Line
  C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\2VMP~1.EXE
  
3. 2VMP~1.EXE
  General information about this executable
  Analysis Reason: Started by sample.EXE
  Filename: 2VMP~1.EXE
  Command Line: C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\2VMP~1.EXE
  Process-status at analysis end: dead
  Exit Code: -1073741819

  Load-time Dlls

  Run-time Dlls

3.a) 2VMP~1.EXE - Registry Activities
  Registry Values Read:

3.b) 2VMP~1.EXE - File Activities
  Files Created:
  C:\DOCUME~1\andy\LOCALS~1\Temp\c23a_appcompat.txt

  Files Read:
  PIPE\lsarpc

  Files Modified:
  C:\DOCUME~1\andy\LOCALS~1\Temp\c23a_appcompat.txt
  PIPE\lsarpc

  File System Control Communication:
  File  Control Code  Times
  PIPE\lsarpc  0x0011C017  6

  Device Control Communication:
  File  Control Code  Times
  \Device\KsecDD  0x3735560  1

  Memory Mapped Files:
  File Name
  C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\2VMP~1.EXE
  C:\Documents and Settings\andy\Local Settings\Temp\IXP000.TMP\2VMP~1.EXE
  C:\WINDOWS\system32\kernel32.dll

3.c) 2VMP~1.EXE - Process Activities
  Processes Created:
  Executable  Command Line
  C:\WINDOWS\system32\dwwin.exe -x -s 152
  C:\WINDOWS\system32\drwtsn32 -p 480 -e 116 -g

  Thread Overview:
  Time  Number of threads
  After 34 seconds  0

3.d) 2VMP~1.EXE - Other Activities
  Windows SEH exceptions:
  
4. dwwin.exe
  General information about this executable
  Analysis Reason: Started by 2VMP~1.EXE
  Filename: dwwin.exe
  MD5: 7c25440617eee6f69709aa8c915d2c32
  SHA-1: 40747172146706013a3334d475b5df0116c56643
  File Size: 180224 Bytes
  Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 152
  Process-status at analysis end: dead
  Exit Code: 0

  Load-time Dlls

  Run-time Dlls

  Popups
  Window Name  Window Text
  2VMP~1.EXE  &Don't Send 2VMP~1.EXE has encountered a problem and needs to close. We are sorry for the inconvenience. 2VMP~1.EXE has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains, Details &Send Error Report

4.a) dwwin.exe - Registry Activities
  Registry Values Modified:

  Registry Values Read:

  Monitored Registry Keys:
  Key Name  Watch subtree  Notify Filter  Count
  HKLM\Software\Microsoft\Tracing\RASAPI32  0  Attributes Change,Value Change,Security Descriptor Change  2

4.b) dwwin.exe - File Activities
  Files Deleted:
  C:\DOCUME~1\andy\LOCALS~1\Temp\7D2EE.dmp
  C:\DOCUME~1\andy\LOCALS~1\Temp\c23a_appcompat.txt

  Files Created:
  C:\DOCUME~1\andy\LOCALS~1\Temp\7D2EE.dmp

  Files Read:
  C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\2VMP~1.EXE
  C:\WINDOWS\win.ini
  PIPE\lsarpc
  C:\autoexec.bat

  Files Modified:
  PIPE\lsarpc

  File System Control Communication:
  File  Control Code  Times
  PIPE\lsarpc  0x0011C017  16

  Device Control Communication:
  File  Control Code  Times
  Unnamed file  0x3735560  7

  Memory Mapped Files:

4.c) dwwin.exe - Process Activities
  Thread Overview:
  Time  Number of threads
  After 20 seconds  1
  After 30 seconds  0

  Foreign Memory Regions Read:
  Process: C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\2VMP~1.EXE

5. drwtsn32.exe
  General information about this executable
  Analysis Reason: Started by 2VMP~1.EXE
  Filename: drwtsn32.exe
  MD5: c9f5e1de6da983e89e714ed80c11f000
  SHA-1: 1717b633478fb107d3c26344f710328b93ae550c
  File Size: 45568 Bytes
  Command Line: C:\WINDOWS\system32\drwtsn32 -p 480 -e 116 -g
  Process-status at analysis end: dead
  Exit Code: 0

  Load-time Dlls

  Run-time Dlls

5.a) drwtsn32.exe - Registry Activities
  Registry Values Modified:

  Registry Values Read:

5.b) drwtsn32.exe - File Activities
  Files Created:
  C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
  C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

  Files Read:
  C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\2VMP~1.EXE
  C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
  PIPE\lsarpc

  Files Modified:
  PIPE\lsarpc

  Directories Created:
  C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

  File System Control Communication:
  File  Control Code  Times
  PIPE\lsarpc  0x0011C017  3

  Device Control Communication:
  File  Control Code  Times
  Unnamed file  0x3735560  7

  Memory Mapped Files:

5.c) drwtsn32.exe - Process Activities
  Remote Threads Created:
  Affected Process
  C:\DOCUME~1\andy\LOCALS~1\Temp\IXP000.TMP\2VMP~1.EXE

  Thread Overview:
  Time  Number of threads
  After 32 seconds  1
  After 34 seconds  0
  After 35 seconds  0

[ This post was last edited by lanvin on 2007-11-11 21:17 ]

nosferatu
Posted on 2007-11-11 21:18:46
avira pass
Nerazzurri
Posted on 2007-11-11 21:20:32

Submitted to Kaspersky, reply below:

Hello,

sample.exek - Trojan.Win32.Pakes.box

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Vladimir Krylov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

[ This post was last edited by Kav6.0 on 2007-11-11 22:03 ]
9998053
Posted on 2007-11-11 21:21:15
kv2008 pass
无尽藏海
Posted on 2007-11-11 21:39:24
Gets past Avira.
A-Squared  Found nothing
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found Win32/PolyCrypt  
BitDefender  Found nothing
ClamAV  Found nothing
CPsecure  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Rising Antivirus  Found nothing
Sophos Antivirus  Found nothing
VirusBuster  Found nothing
VBA32  Found Backdoor.XiaoBird.226 (paranoid heuristics)
平淡
Posted on 2007-11-11 21:42:25
qigang
Posted on 2007-11-11 22:11:01
Lots of scanners miss it, it's really nasty..
BING126
Posted on 2007-11-11 22:57:39
File sample.EXE received on 2007.11.11 15:45:57 (CET)
Antivirus  Version  Last update  Result
AhnLab-V3  2007.11.10.0  2007.11.09  -
AntiVir  7.6.0.34  2007.11.09  -
Authentium  4.93.8  2007.11.10  -
Avast  4.7.1074.0  2007.11.10  -
AVG  7.5.0.503  2007.11.11  Win32/PolyCrypt
BitDefender  7.2  2007.11.11  -
CAT-QuickHeal  9.00  2007.11.10  -
ClamAV  0.91.2  2007.11.11  -
DrWeb  4.44.0.09170  2007.11.11  -
eSafe  7.0.15.0  2007.11.08  -
eTrust-Vet  31.2.5284  2007.11.09  -
Ewido  4.0  2007.11.11  -
FileAdvisor  1  2007.11.11  -
Fortinet  3.11.0.0  2007.10.19  -
F-Prot  4.4.2.54  2007.11.10  -
F-Secure  6.70.13030.0  2007.11.10  -
Ikarus  T3.1.1.12  2007.11.11  Trojan-Downloader.Win32.Delf.asz
Kaspersky  7.0.0.125  2007.11.11  -
McAfee  5160  2007.11.09  -
Microsoft  1.3007  2007.11.11  -
NOD32v2  2652  2007.11.11  -
Norman  5.80.02  2007.11.09  -
Panda  9.0.0.4  2007.11.10  -
Rising  20.17.62.00  2007.11.11  -
Sophos  4.23.0  2007.11.11  -
Sunbelt  2.2.907.0  2007.11.09  -
Symantec  10  2007.11.11  -
TheHacker  6.2.9.123  2007.11.10  -
VBA32  3.12.2.4  2007.11.11  suspected of Backdoor.XiaoBird.226 (paranoid heuristics)
VirusBuster  4.3.26:9  2007.11.11  -
Webwasher-Gateway  6.0.1  2007.11.11  Trojan.Hupigon.Gen
cy6266812
Posted on 2007-11-11 23:34:11
Avast didn't detect it.
uhthn2002
Posted on 2007-11-12 00:22:47
Uhthn Anti-Spyware V3 Alpha
Version - 3.0.0
Standard Database - 850
Paranoia Database - 48663
Heuristics Analysis - Excessive
Scan in - C:\Documents and Settings\Uhthn\Desktop\sample.EXE

C:\Documents and Settings\Uhthn\Desktop\sample.EXE - Infected BACKDOOR.PCCLIENT.1 - Deleted

1 Files scanned
1 Infected files found
0 Suspected files found
0 Files disinfected
1 Files deleted