好久没发样本了，来一个只有几个杀软报的

显示全部楼层 · 发表于 2007-11-30 10:42:10

新建文件：C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tmp1.CAB
C:\WINDOWS\system32\\ofoxol66.dll
C:\WINDOWS\system32\ll2t.dll
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tmp3.CAB
C:\WINDOWS\system32\\drivers\\ofoxol66.sys
C:\WINDOWS\fn00321.log
C:\WINDOWS\system\DVL
C:\WINDOWS\system32\ofoxol66.dllmmc.pkm
\Device\RasAcd
改变注册表：HKEY_CLASSES_ROOT\sos.sosHlpr.1 "" = sosHlpr Class
HKEY_CLASSES_ROOT\sos.sosHlpr.1\CLSID "" = {00C104F7-0F5C-470C-ABCF-A5B2E70752F1}
HKEY_CLASSES_ROOT\sos.sosHlpr "" = sosHlpr Class
HKEY_CLASSES_ROOT\sos.sosHlpr\CLSID "" = {00C104F7-0F5C-470C-ABCF-A5B2E70752F1}
HKEY_CLASSES_ROOT\sos.sosHlpr\CurVer "" = sos.sosHlpr.1
HKEY_CLASSES_ROOT\CLSID\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1} "" = sosHlpr Class
HKEY_CLASSES_ROOT\CLSID\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1}\ProgID "" = sos.sosHlpr.1
HKEY_CLASSES_ROOT\CLSID\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1}\VersionIndependentProgID "" = sos.sosHlpr
HKEY_CLASSES_ROOT\CLSID\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1}\InprocServer32 "" = C:\WINDOWS\system32\ll2t.dll
HKEY_CLASSES_ROOT\CLSID\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1}\InprocServer32 "ThreadingModel" = Apartment
HKEY_CLASSES_ROOT\CLSID\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1}\TypeLib "" = {DB7F4BCA-E094-44C9-B1F8-B5AC0BC1A972}
HKEY_CLASSES_ROOT\TypeLib\{DB7F4BCA-E094-44C9-B1F8-B5AC0BC1A972}\1.0 "" = Baidu 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{DB7F4BCA-E094-44C9-B1F8-B5AC0BC1A972}\1.0\FLAGS "" = 0
HKEY_CLASSES_ROOT\TypeLib\{DB7F4BCA-E094-44C9-B1F8-B5AC0BC1A972}\1.0\0\win32 "" = C:\WINDOWS\system32\ll2t.dll
HKEY_CLASSES_ROOT\TypeLib\{DB7F4BCA-E094-44C9-B1F8-B5AC0BC1A972}\1.0\HELPDIR "" = C:\WINDOWS\system32\
HKEY_CLASSES_ROOT\Interface\{6EAD366A-19DB-46D6-8D24-337D424111D4} "" = IBaiduHlpr
HKEY_CLASSES_ROOT\Interface\{6EAD366A-19DB-46D6-8D24-337D424111D4}\ProxyStubClsid "" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{6EAD366A-19DB-46D6-8D24-337D424111D4}\ProxyStubClsid32 "" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{6EAD366A-19DB-46D6-8D24-337D424111D4}\TypeLib "" = {DB7F4BCA-E094-44C9-B1F8-B5AC0BC1A972}
HKEY_CLASSES_ROOT\Interface\{6EAD366A-19DB-46D6-8D24-337D424111D4}\TypeLib "Version" = 1.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Rsskplm" = rundll32.exe C:\WINDOWS\system32\ofoxol66.dll,Start

显示全部楼层 · 发表于 2007-11-30 10:49:53

D:\firefox download\lucky1009.zip ?ZIP ?lucky1009.exe - 可能是 Win32/Agent.ABE 特洛伊木马的变种

显示全部楼层 · 发表于 2007-11-30 11:03:11

Thank you for your submission. Below you can see the current status of the uploaded files.

--------------------------------------------------------------------------------

A listing of files alongside their results can be found below:

File ID  Filename  Size (Byte) Result
2250555  lucky1009.exe  56.86 KB  UNDER ANALYSIS

Please find a detailed report concerning each individual sample below:

Filename Result
lucky1009.exe  UNDER ANALYSIS

The file 'lucky1009.exe' has been determined to be 'UNDER ANALYSIS'.

--------------------------------------------------------------------------------
Please note that you will receive an email which will contain the results shown above. In case the final outcome of the analysis is not yet finished for all files the notification will be sent once ready.

显示全部楼层 · 发表于 2007-11-30 11:07:09

机子上三个杀软（毒霸，瑞星，小红伞）都MISS。

显示全部楼层 · 发表于 2007-11-30 11:14:14

cab解压后就得到这些总的来说衍生物就是这些
AntiVir全杀！

显示全部楼层 · 发表于 2007-11-30 11:30:59

原帖由 EQ2 于 2007-11-30 10:42 发表
新建文件：C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tmp1.CAB
C:\WINDOWS\system32\\ofoxol66.dll
C:\WINDOWS\system32\ll2t.dll
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tmp3.CAB
C:\WINDOWS\system32\\drivers\\ofoxol6 ...

已解毒: 特洛伊木馬程式 Trojan-Clicker.Win32.Agent.oa 檔案: C:\Documents and Settings\kato9096\桌面\164108.zip/lucky1009.exe//#/live.dll

虽然已杀毒,但我开启后也报毒,所以上报

[ 本帖最后由 kato9096 于 2007-11-30 11:40 编辑 ]

显示全部楼层 · 发表于 2007-11-30 11:33:27

原帖由 yimike 于 2007-11-30 11:14 发表
cab解压后就得到这些总的来说衍生物就是这些
AntiVir全杀！

已刪除: 特洛伊木馬程式 Trojan-Clicker.Win32.Agent.oa 檔案: C:\Documents and Settings\kato9096\桌面\v.rar/live.dll

兩個不报，已上报

显示全部楼层 · 发表于 2007-11-30 11:33:28

这个是不是只有7.0才报。。。我的5.0不报。。日了。。

显示全部楼层 · 发表于 2007-11-30 11:34:38

衍生物毒霸还是0人，瑞星1个，红伞三个。

显示全部楼层 · 发表于 2007-11-30 11:35:07

病毒库不一样~

[病毒样本] 好久没发样本了，来一个只有几个杀软报的

本帖子中包含更多资源

附上三个衍生物

本帖子中包含更多资源

回复 8楼 458506 的帖子