查看: 3898|回复: 27
收起左侧

[病毒样本] 惡意軟體-iLividSetup-r0-n

[复制链接]
fireold
发表于 2015-3-24 20:20:40 | 显示全部楼层 |阅读模式
本帖最后由 fireold 于 2015-3-25 06:40 编辑






[mw_shl_code=css,true]已刪除 Generic.F55(Argon) 已刪除; C:\Users\lan\Downloads\iLividSetup-r0-n.exe
[/mw_shl_code]

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
230f4
发表于 2015-3-24 20:25:28 | 显示全部楼层
EAV8收拾

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
442633310
发表于 2015-3-24 20:45:51 | 显示全部楼层
过360TS,不知道怎么上报
神迹般存在
发表于 2015-3-24 21:07:55 | 显示全部楼层

————————————————————
[mw_shl_code=css,true]24.03.2015 21.03.48;自定义扫描;未检测到威胁;0;0;0;今天, 2015/3/24, 7:45;0 秒;03/24/2015 21:03:48
[/mw_shl_code]
过卡巴,已上报!


————————————————————
[mw_shl_code=css,true]基本信息
文件名称:       
iLividSetup-r0-n.exe
MD5:        26eb52d130f5556b15bc50af8f90a002
文件类型:        Nsis
上传时间:        2015-03-24 21:05:47
出品公司:        Bandoo Media Inc
版本:        5.0.2.4813---5.0.2.4813
壳或编译器信息:        N/A
子文件信息:        详情
关键行为
行为描述:        设置特殊文件夹属性
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述:        隐藏指定窗口
详情信息:       
[Window,Class] = [,Button]
[Window,Class] = [,Static]
[Window,Class] = [ ,Static]
[Window,Class] = [,Internet Explorer_Server]
文件行为
行为描述:        写权限映射文件
详情信息:       
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\!PrivacIE!SharedMem!Counter
Local\UrlZonesSM_Administrator
MSCTF.MarshalInterface.FileMap.IPL..JFFGF
MSCTF.MarshalInterface.FileMap.IPL.B.IGFGF
MSCTF.MarshalInterface.FileMap.IPL.C.IGFGF
MSCTF.MarshalInterface.FileMap.IPL.D.IHFGF
MSCTF.MarshalInterface.FileMap.IPL.E.HIFGF
MSCTF.MarshalInterface.FileMap.IPL.F.GMFGF
MSCTF.MarshalInterface.FileMap.IPL.G.GNFGF
\WINDOWS\system32\zh-cn\jscript.dll.mui
\WINDOWS\system32\zh-cn\mshtml.dll.mui
MSCTF.Shared.SFM.IPL
行为描述:        创建可执行文件
详情信息:       
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\registry.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\UserInfo.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\UAC.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5\apphelp.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5\soffer.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5\Uninstall.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\nsDialogs.dll
行为描述:        修改文件内容
详情信息:       
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\modern-header.bmp---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\init_container[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\dnserrordiagoff_webOC[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[3]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\info_48[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\bullet[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\down[2]---> Offset = 0
行为描述:        设置特殊文件夹属性
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
网络行为
行为描述:        连接指定站点
详情信息:       
InternetConnectA: ServerName = www.secondofferdelivery.com, PORT = 80
行为描述:        建立到一个指定的套接字连接
详情信息:       
127.0.0.1:1032
行为描述:        打开HTTP请求
详情信息:       
HttpOpenRequestA: www.secondofferdelivery.com:80/w ... p;pver=&ptype=n, hConnect = 0x00000394
HttpOpenRequestA: www.secondofferdelivery.com:80/w ... p;pver=&ptype=n, hConnect = 0x0000037c
注册表行为
行为描述:        修改注册表
详情信息:       
\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\sample.exe\IsHostApp
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
行为描述:        删除注册表键值_IE连接设置
详情信息:       
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
其他行为
行为描述:        创建互斥体
详情信息:       
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
oleacc-msaa-loaded
Local\!PrivacIE!SharedMemory!Mutex
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.IPL
行为描述:        隐藏指定窗口
详情信息:       
[Window,Class] = [,Button]
[Window,Class] = [,Static]
[Window,Class] = [ ,Static]
[Window,Class] = [,Internet Explorer_Server]
行为描述:        查找指定窗口
详情信息:       
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
行为描述:        获取系统权限
详情信息:       
SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
行为描述:        窗口信息
详情信息:       
Pid = 3060, Hwnd=0x10362, Text = , ClassName = Static.
Pid = 3060, Hwnd=0x10364, Text = , ClassName = Static.
Pid = 3060, Hwnd=0x10386, Text = Welcome to iLivid!, ClassName = Static.
Pid = 3060, Hwnd=0x10388, Text = Experience faster downloading and immediate viewing, with the best free download manager., ClassName = Static.
Pid = 3060, Hwnd=0x1038a, Text = By clicking "Next" you agree to install iLivid and agree to the, ClassName = Static.
Pid = 3060, Hwnd=0x10392, Text = End User License, ClassName = Button.
Pid = 3060, Hwnd=0x10398, Text = Agreement, ClassName = Button.
Pid = 3060, Hwnd=0x1039a, Text = and, ClassName = Static.
Pid = 3060, Hwnd=0x1039e, Text = Privacy Policy, ClassName = Button.
Pid = 3060, Hwnd=0x203a0, Text = . Requires installation of Movies App by Ask., ClassName = Static.
Pid = 3060, Hwnd=0x103a4, Text = ButtonsLine, ClassName = Static.
Pid = 3060, Hwnd=0x103a6, Text = Cancel, ClassName = Button.
Pid = 3060, Hwnd=0x103a8, Text = Next, ClassName = Button.
Pid = 3060, Hwnd=0x103aa, Text = Distributed by Bandoo Media Inc., ClassName = Static.
Pid = 3060, Hwnd=0x1034e, Text = iLivid Installation, ClassName = #32770.
行为描述:        打开图片文件
详情信息:       
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\modern-header.bmp[/mw_shl_code]
运行截图
paul_guo
发表于 2015-3-24 21:08:48 | 显示全部楼层
paul_guo
发表于 2015-3-24 21:10:08 | 显示全部楼层
442633310 发表于 2015-3-24 20:45
过360TS,不知道怎么上报

另外360云鉴定杀之
XywCloud
发表于 2015-3-24 21:28:30 | 显示全部楼层
Adware
SUD to BAV
开开心心卖手机
发表于 2015-3-24 21:46:07 | 显示全部楼层
AVG杀!(蛋挞在我这防火墙经常失效已经被我换掉了

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
为你心碎
发表于 2015-3-24 21:59:38 | 显示全部楼层
AVAST

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
欧阳宣
头像被屏蔽
发表于 2015-3-24 22:19:43 | 显示全部楼层
开开心心卖手机 发表于 2015-3-24 21:46
AVG杀!(蛋挞在我这防火墙经常失效已经被我换掉了)

没事,以后我来测gd
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-5-2 12:02 , Processed in 0.204110 second(s), 18 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表