磁碟机变种衍生物

显示全部楼层 · 发表于 2007-12-28 15:51:31

LSASS.EXE SMSS.EXE netcfg.dll netcfg.000 这几个就不发了

发之前没人发过的几个
dnsq.dll（卡巴中有个dll名字和这个一样）注入explorer.exe等进程监视进程LSASS.EXE是否存在一旦不在就启动LSASS.EXE
ntfsus.exe 会释放一个 netapi00.sys 并注册为服务重置SSDT 挂掉绝大多数杀软和部分安全软件（例如冰刃）的hook 使得主动防御失效~
AntiTool.exe是磁碟机变种下载的，会释放一个alg.exe到drivers目录，这个alg.exe似乎是个ARP病毒一旦运行，全局域网QQ不久就会全掉线…

[ 本帖最后由 yimike 于 2007-12-28 15:53 编辑 ]

显示全部楼层 · 发表于 2007-12-28 15:54:13

沙发先坐好

显示全部楼层 · 发表于 2007-12-28 15:55:28

这次给红伞干掉了
--> ntfsus.exe
   [DETECTION] Contains detection pattern of the dropper DR/Agent.dfe.1
  --> dnsq.dll
   [DETECTION] Is the Trojan horse TR/Shutdown.Q
  --> NetApi00.sys
   [DETECTION] Contains detection pattern of the rootkit RKIT/Agent.QW
   [INFO]    The file was moved to '47e1ac22.qua'!

[ 本帖最后由 saga3721 于 2007-12-28 15:57 编辑 ]

显示全部楼层 · 发表于 2007-12-28 15:58:42

nod32 all kill

Scanning Log
NOD32 version 2751 (20071227) NT
Command line: C:\Documents and Settings\Owner\桌面\Sample.rar
Checking CRC of NOD32.EXE: Status OK
C:\Program Files\Eset\nod32.exe - is OK
Operating memory is OK.
MBR sector of the 1. physical disk is OK.
Active boot sector of the 1. physical disk is OK.
Date: 28.12.2007 Time: 15:56:20
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\Owner\桌面\Sample.rar
C:\Documents and Settings\Owner\桌面\Sample.rar ?RAR ?ntfsus.exe - Win32/Xorer.CP virus
C:\Documents and Settings\Owner\桌面\Sample.rar ?RAR ?alg.exe - a variant of Win32/Xorer virus
C:\Documents and Settings\Owner\桌面\Sample.rar ?RAR ?AntiTool.exe - a variant of Win32/Xorer virus
C:\Documents and Settings\Owner\桌面\Sample.rar ?RAR ?dnsq.dll - Win32/Xorer.CP virus
C:\Documents and Settings\Owner\桌面\Sample.rar ?RAR ?NetApi00.sys - Win32/Xorer.CP virus
C:\Documents and Settings\Owner\桌面\Sample.rar:Zone.Identifier - is OK
Number of scanned files: 6
Number of threats found: 5
Time of completion: 15:56:21 Total scanning time: 1 sec (00:00:01)

显示全部楼层 · 发表于 2007-12-28 16:00:08

和主防较量上了走的比微点还快

发现病毒
病毒名称:Virus.Win32.Xorer.cc
程序:
E:\TDDOWNLOAD\NTFSUS.EXE
是病毒程序!
已成功阻止其运行,是否要删除此文件?

显示全部楼层 · 发表于 2007-12-28 16:05:18

2007-12-28 16:04:30,W32.Xorer.cpb,病毒C:\Documents and Settings\dell\桌面\Sample.rar>>ntfsus.exe,Manual scan
2007-12-28 16:04:30,Trojan.Agent.aazd.fxqcdll,木马,,C:\Documents and Settings\dell\桌面\Sample.rar>>dnsq.dll,Manual scan

显示全部楼层 · 发表于 2007-12-28 16:07:01

f-prot all miss

norman 1 virus
C:\Documents and Settings\Owner\桌面\Sample\ntfsus.exe Security Risk Suspicious_F.gen ()

显示全部楼层 · 发表于 2007-12-28 16:31:05

病毒名称:Virus.Win32.Xorer.cc

程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\新建文件夹\NTFSUS.EXE
是病毒程序!
已成功阻止其运行,是否要删除此文件?

显示全部楼层 · 发表于 2007-12-28 16:54:05

Filename Result
alg.exe UNDER ANALYSIS

The file 'alg.exe' has been determined to be 'UNDER ANALYSIS'.
Filename Result
AntiTool.exe UNDER ANALYSIS

上报

显示全部楼层 · 发表于 2007-12-28 17:06:51

卡巴

已删除: 病毒 Virus.Win32.Xorer.cp 文件: F:\病毒样本\Sample.rar/ntfsus.exe//FSG
已删除: 木马程序 Trojan-Downloader.Win32.Agent.gwo 文件: F:\病毒样本\Sample.rar/alg.exe//PE_Patch.UPX//UPX
已删除: 木马程序 Trojan-PSW.Win32.OnLineGames.mix 文件: F:\病毒样本\Sample.rar/AntiTool.exe//PE_Patch.UPX//UPX
已删除: 木马程序 Trojan.Win32.Shutdowner.cv 文件: F:\病毒样本\Sample.rar/dnsq.dll

[病毒样本] 磁碟机变种衍生物

本帖子中包含更多资源