VT Detection ratio: 1 / 50 143592.exe 挂马 我大越南杀软V5 灭之

275751198

此网站为何如此吊，黑客做的，一天到晚挂这么多马

wqcaokeyinwq

saga3721 发表于 2014-3-14 19:32
可能反虚拟机，或者跟我没等多久有关

可能是虚拟机的环境不同！


双击后，防火墙拦截，拒绝后，驻留内存


放行后，后台有少量流量，之后每隔大约50秒左右就上传数据！


同时加载JERLOBW.DLL动态库文件，此DLL文件以注册表的方式加入开机启动项！

saga3721

wqcaokeyinwq 发表于 2014-3-15 17:26
可能是虚拟机的环境不同！

我就说这种仅仅改注册表的东西是不可能突破任何防火墙的
看来墨家小娘是白激动了

墨家小子

275751198 发表于 2014-3-15 16:48
此网站为何如此吊，黑客做的，一天到晚挂这么多马

不过质量一般般 没有极品

墨家小子

saga3721 发表于 2014-3-15 17:28
我就说这种仅仅改注册表的东西是不可能突破任何防火墙的
看来墨家小娘是白激动了

得瑟，不用查杀，双击试试看，搞死你



2014-3-15 18:43:05,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))

2014-3-15 18:43:18,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:20,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:21,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:22,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:22,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:23,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:24,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:24,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:25,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:26,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:26,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:27,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:28,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:28,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:29,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:30,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:30,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:30,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:31,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:31,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:31,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))
2014-3-15 18:43:33,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (iexplore.exe(pid=2628))

2014-3-15 18:43:33,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,36,Allowed ;Injecting dll (iexplore.exe(pid=2628))

2014-3-15 18:43:34,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,29,Allowed ;Modifing process memory (svchost.exe(pid=3408))
2014-3-15 18:43:34,C:\Documents and Settings\Administrator\桌面\3.12\Pro.exe,30,Allowed ;Creating remote thread (svchost.exe(pid=3408))

2014-3-15 18:43:41,C:\Program Files\Internet Explorer\iexplore.exe,29,Allowed ;Modifing process memory (svchost.exe(pid=2576))

2014-3-15 18:43:46,C:\WINDOWS\system32\notepad.exe,11,Blocked ;Recording keyboard input

2014-3-15 18:43:48,C:\WINDOWS\system32\svchost.exe,26,Blocked ;Modifying protected registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,HKLM)

2014-3-15 18:43:51,C:\Program Files\Internet Explorer\iexplore.exe,29,Allowed ;Modifing process memory (svchost.exe(pid=2576))

2014-3-15 18:43:53,C:\WINDOWS\system32\notepad.exe,24,Blocked ;Monitoring clipboard changes

2014-3-15 18:43:58,C:\WINDOWS\system32\svchost.exe,26,Blocked ;Modifying protected registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,HKCU)

2014-3-15 18:44:01,C:\Program Files\Internet Explorer\iexplore.exe,29,Allowed ;Modifing process memory (svchost.exe(pid=2576))

2014-3-15 18:44:04,C:\WINDOWS\system32\svchost.exe,26,Blocked ;Modifying protected registry key (HKLM\Software\Microsoft\Active Setup\Installed Components\{Q74711R2-I784-OF3E-0MB4-VH42KYQJ4D83})

2014-3-15 18:44:06,C:\Program Files\Internet Explorer\iexplore.exe,30,Allowed ;Creating remote thread (svchost.exe(pid=2576))

2014-3-15 18:44:09,C:\WINDOWS\system32\svchost.exe,26,Blocked ;Modifying protected registry key (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components)

2014-3-15 18:44:10,C:\Program Files\Internet Explorer\iexplore.exe,29,Allowed ;Modifing process memory (notepad.exe(pid=1604))
2014-3-15 18:44:17,C:\Program Files\Internet Explorer\iexplore.exe,29,Allowed ;Modifing process memory (notepad.exe(pid=1604))

2014-3-15 18:44:19,C:\WINDOWS\system32\svchost.exe,26,Blocked ;Modifying protected registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,HKLM)

2014-3-15 18:44:22,C:\Program Files\Internet Explorer\iexplore.exe,29,Allowed ;Modifing process memory (notepad.exe(pid=1604))

2014-3-15 18:44:24,C:\WINDOWS\system32\svchost.exe,26,Blocked ;Modifying protected registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,HKCU)

2014-3-15 18:44:28,C:\Program Files\Internet Explorer\iexplore.exe,30,Allowed ;Creating remote thread (notepad.exe(pid=1604))

2014-3-15 18:44:33,C:\WINDOWS\system32\svchost.exe,26,Blocked ;Modifying protected registry key (HKLM\Software\Microsoft\Active Setup\Installed Components\{Q74711R2-I784-OF3E-0MB4-VH42KYQJ4D83})

2014-3-15 18:44:34,C:\WINDOWS\system32\svchost.exe,26,Blocked ;Modifying protected registry key (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components)

2014-3-15 18:44:42,C:\WINDOWS\system32\svchost.exe,26,Terminated ;Modifying protected registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,HKLM)

saga3721

墨家小子 发表于 2014-3-15 18:57
得瑟，不用查杀，双击试试看，搞死你

“TR/Crypt.XPACK.Gen7 [trojan]”
实机红伞虚拟机微点，所有软件先上报后在虚拟机中试用最后搬进实机

墨家小子

saga3721 发表于 2014-3-15 19:13
“TR/Crypt.XPACK.Gen7 [trojan]”
实机红伞虚拟机微点，所有软件先上报后在虚拟机中试用最后搬进实机[: ...

就用系统进程搞你，你的神点防得住么

saga3721

墨家小子 发表于 2014-3-15 19:16
就用系统进程搞你，你的神点防得住么

我当是谁，不过就是个管桃园的猴头
删除重启后系统没啥问题嘛
程序：
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\PRO.EXE
是否删除木马程序及其衍生物?

驭龙

我已无官一身轻，明后天有机会就开始SCEP 4.5双击大爆发

瓜g

墨家小子 发表于 2014-3-15 18:57
得瑟，不用查杀，双击试试看，搞死你