本帖最后由 神迹般存在 于 2015-3-24 16:55 编辑
————————————————————
[mw_shl_code=css,true]24.03.2015 16.35.47;自定义扫描;未检测到威胁;0;0;0;今天, 2015/3/24, 0:22;13 秒;今天, 2015/3/24, 16:36
[/mw_shl_code]
卡巴斯基安全软件检测为安全,已上报(附图)!
————————————————————
[mw_shl_code=css,true]基本信息
文件名称:
TorchMusicSetup.exe
MD5: 7f32647eea8c4e6a812146f04c0e1aa4
文件类型: Nsis
上传时间: 2015-03-24 16:52:42
出品公司: Torch Media Inc
版本: 1.0.0.1675---1.0.0.1675
壳或编译器信息: N/A
关键行为
行为描述: 设置特殊文件夹属性
详情信息:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述: 隐藏指定窗口
详情信息:
[Window,Class] = [,Button]
[Window,Class] = [,Static]
[Window,Class] = [ ,Static]
[Window,Class] = [,Internet Explorer_Server]
文件行为
行为描述: 写权限映射文件
详情信息:
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\!PrivacIE!SharedMem!Counter
Local\UrlZonesSM_Administrator
MSCTF.MarshalInterface.FileMap.ANJ..JHKGF
MSCTF.MarshalInterface.FileMap.ANJ.B.JIKGF
MSCTF.MarshalInterface.FileMap.ANJ.C.JIKGF
MSCTF.MarshalInterface.FileMap.ANJ.D.JIKGF
MSCTF.MarshalInterface.FileMap.ANJ.E.JIKGF
MSCTF.MarshalInterface.FileMap.ANJ.F.HMKGF
MSCTF.MarshalInterface.FileMap.ANJ.G.HNKGF
\WINDOWS\system32\zh-cn\jscript.dll.mui
\WINDOWS\system32\zh-cn\mshtml.dll.mui
MSCTF.Shared.SFM.ANJ
行为描述: 创建可执行文件
详情信息:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3.tmp\registry.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3.tmp\UserInfo.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3.tmp\UAC.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3\apphelp.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3\soffer.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3\Uninstall.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3.tmp\nsDialogs.dll
行为描述: 修改文件内容
详情信息:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3.tmp\modern-header.bmp---> Offset = 65536
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3\Banner0.jpg---> Offset = 49517
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3\Banner1.jpg---> Offset = 49489
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3\Banner2.jpg---> Offset = 49521
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\init_container[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\dnserrordiagoff_webOC[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[3]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\info_48[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\bullet[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\down[2]---> Offset = 0
行为描述: 设置特殊文件夹属性
详情信息:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
网络行为
行为描述: 连接指定站点
详情信息:
InternetConnectA: ServerName = www.secondofferdelivery.com, PORT = 80
行为描述: 建立到一个指定的套接字连接
详情信息:
127.0.0.1:1032
行为描述: 打开HTTP请求
详情信息:
HttpOpenRequestA: www.secondofferdelivery.com:80/w ... hp?brand_name=torch music&brand_host=torchmusic.fm&offer_index=1&offer_id=51&sysid=485&appid=0&ln=en&ab=ie&db=ie&osver=5.1&ostype=win32&osl=zh-cn&pver=&ptype=n, hConnect = 0x00000374
HttpOpenRequestA: www.secondofferdelivery.com:80/w ... hp?brand_name=torch music&brand_host=torchmusic.fm&offer_index=1&offer_id=51&sysid=485&appid=0&ln=en&ab=ie&db=ie&osver=5.1&ostype=win32&osl=zh-cn&pver=&ptype=n, hConnect = 0x00000388
注册表行为
行为描述: 修改注册表
详情信息:
\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\sample.exe\IsHostApp
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
行为描述: 删除注册表键值_IE连接设置
详情信息:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
其他行为
行为描述: 创建互斥体
详情信息:
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
oleacc-msaa-loaded
Local\!PrivacIE!SharedMemory!Mutex
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.ANJ
行为描述: 隐藏指定窗口
详情信息:
[Window,Class] = [,Button]
[Window,Class] = [,Static]
[Window,Class] = [ ,Static]
[Window,Class] = [,Internet Explorer_Server]
行为描述: 查找指定窗口
详情信息:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
行为描述: 获取系统权限
详情信息:
SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
行为描述: 窗口信息
详情信息:
Pid = 2508, Hwnd=0x10362, Text = , ClassName = Static.
Pid = 2508, Hwnd=0x10364, Text = , ClassName = Static.
Pid = 2508, Hwnd=0x10386, Text = Welcome to Torch Music!, ClassName = Static.
Pid = 2508, Hwnd=0x10388, Text = Enjoy millions of albums, discover new tunes and Share your music with friends for FREE., ClassName = Static.
Pid = 2508, Hwnd=0x1038a, Text = By clicking "Next" you agree to install Torch Music and agree to the, ClassName = Static.
Pid = 2508, Hwnd=0x10392, Text = End User, ClassName = Button.
Pid = 2508, Hwnd=0x10394, Text = License Agreement, ClassName = Button.
Pid = 2508, Hwnd=0x10396, Text = and, ClassName = Static.
Pid = 2508, Hwnd=0x1039c, Text = Privacy Policy, ClassName = Button.
Pid = 2508, Hwnd=0x1039e, Text = . Requires installation of Music App by Ask., ClassName = Static.
Pid = 2508, Hwnd=0x103a2, Text = ButtonsLine, ClassName = Static.
Pid = 2508, Hwnd=0x103a4, Text = Cancel, ClassName = Button.
Pid = 2508, Hwnd=0x103a6, Text = Next, ClassName = Button.
Pid = 2508, Hwnd=0x103a8, Text = Distributed by Torch Media Inc., ClassName = Static.
Pid = 2508, Hwnd=0x1034e, Text = Torch Music Installation, ClassName = #32770.
行为描述: 打开图片文件
详情信息:
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3.tmp\modern-header.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3\Banner0.jpg
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3\Banner1.jpg
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsn3\Banner2.jpg[/mw_shl_code]
运行截图
 |
发表于 2015-3-24 16:22:47
