恶意删除软件，静默后台运行 360没反应

显示全部楼层 · 发表于 2014-8-27 20:52:48

月神啪啪啪

显示全部楼层 · 发表于 2014-8-27 21:10:59

本帖最后由 benteng302 于 2014-8-27 21:12 编辑

简单分析了一下这个文件，内容很简单就是一把一个批处理文件转换成了.exe文件。
不过这个批处理的编写者太恶毒了，删除所有盘的东西，然后格式化所除了C盘外的所有盘。

显示全部楼层 · 发表于 2014-8-27 23:22:01

星野初发表于 2014-8-27 10:44
to kingsoft
调用cmd

岛国版本？？

显示全部楼层 · 发表于 2014-8-28 01:08:02

电脑管家直接报毒

显示全部楼层 · 发表于 2014-8-28 08:47:14

管家直接删除！

显示全部楼层 · 发表于 2014-8-28 09:05:47

黑牌児丶棒棒糖发表于 2014-8-27 23:22
岛国版本？？

BINGO~

显示全部楼层 · 发表于 2014-8-28 09:23:18

看了32L，这毒的作者太狠了……

显示全部楼层 · 发表于 2014-8-28 10:36:07

该死，这是铁壳不杀的系列

显示全部楼层 · 发表于 2014-8-28 11:57:42

fuzhk 发表于 2014-8-28 10:36
该死，这是铁壳不杀的系列

卸载了两软件SONAR才反应过来

Filename: 163.exe
Threat name: SONAR.Heuristic.120Full Path: Not Available

____________________________

____________________________

____________________________

163.exe Threat name: SONAR.Heuristic.120
Locate

Unknown
It is unknown how many users in the Norton Community have used this file.

Unknown
This file release is currently not known.

High
This file risk is high.

____________________________

Source: External Media

____________________________

File Actions

File: c:\documents and settings\administrator\桌面\ 163.exe No Action Required
File: c:\documents and settings\administrator\local settings\temp\ bt8316.bat Threat Removed
____________________________

Startup Actions

Event: Operating system change: c:\ CONFIG.SYS (Performed by c:\documents and settings\administrator\桌面\163.exe, PID:1920) No action taken
____________________________

System Settings Actions

Event: Process start (Performed by c:\documents and settings\administrator\桌面\163.exe, PID:1920) No action taken
Event: Process start: c:\WINDOWS\system32\ cmd.exe, PID:2776 (Performed by c:\documents and settings\administrator\桌面\163.exe, PID:1920) No action taken
(Performed by c:\documents and settings\administrator\桌面\163.exe, PID:1920) No action taken
Event: Process start: c:\WINDOWS\system32\ conime.exe, PID:2292 (Performed by c:\documents and settings\administrator\桌面\163.exe, PID:1920) No action taken
Event: Process start: c:\documents and settings\administrator\桌面\ 163.exe, PID:1920 (Performed by c:\documents and settings\administrator\桌面\163.exe, PID:1920) No action taken
____________________________

File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available

显示全部楼层 · 发表于 2014-8-28 12:00:00

SUNKESS 发表于 2014-8-28 11:57
卸载了两软件SONAR才反应过来

Filename: 163.exe

病毒创建还能删除，软件删除了没法回滚，还好没运行

[病毒样本] 恶意删除软件，静默后台运行 360没反应

本帖子中包含更多资源

浏览过的版块