Views: 6513 | Replies: 11

[Suspicious file] Unbelievable: multiple engines flag the 一键GHOST (one-click Ghost) file as malicious? Waiting online for confirmation

aphorism
Posted on 2015-07-15 10:10:11

http://r.virscan.org/report/bcc88e9939a88bfe1db417ad6395ce69

But I only just installed it, so I'm asking everyone to take a look.

aboringman
Posted on 2015-07-15 10:11:58
Last edited by aboringman on 2015-07-15 10:19

Kaspersky doesn't detect it, and cloud reputation says trusted.
The file is safe; OP can use it with confidence.
230f4
Posted on 2015-07-15 10:13:54 from mobile
[content edited out]
aphorism (OP)
Posted on 2015-07-15 10:21:56
Quoting aboringman (2015-07-15 10:11):
    Kaspersky doesn't detect it, and cloud reputation says trusted.
    The file is safe; OP can use it with confidence.

NOD32, Avast, G DATA and others, nine AV products in all, flag it.
aboringman
Posted on 2015-07-15 10:27:48
Quoting aphorism (2015-07-15 10:21):
    NOD32, Avast, G DATA and others, nine AV products in all, flag it.

易语言 (Easy Language)......
G DATA's detection comes from its engine B.
ESET loves to flag these.
尘梦幽然
Posted on 2015-07-15 10:28:55
It's a dubious pirated tool to begin with, and it has a pile of suspicious behaviours, so an automated analysis system is bound to flag it.
狐狸糊涂
Posted on 2015-07-15 10:35:52
BD scans it as clean.
神迹般存在
Posted on 2015-07-15 11:16:06
Last edited by 神迹般存在 on 2015-07-15 11:19

BAV missed
HOB file analysis system report (safety score: 74, no risk found):
[mw_shl_code=css,true]Basic information
File name: gho_run.exe
MD5: af8857e4808ba4c7f071ba93e8b9d8e0
File type: EXE
Upload time: 2015-07-15 11:15:34
Publisher: DOS之家 (DOS Home)
Version: 11.2.2014.1718---11.2.2014.1718
Packer/compiler: PACKER:ASPack 2.12 -> Alexey Solodovnikov
Child files: details
Key behaviours
Behaviour: Opens file mapping with write access
Details:
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.MDI..LPFIG
MSCTF.MarshalInterface.FileMap.MDI.B.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.C.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.D.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.E.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.F.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.G.LAGIG
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Internet Explorer Immutable Application State (00000CB0-0000-0000-0000-000000000000)
ie_lcie_main_cb0
Isolation Process Registry (D0EBC66D-2A9F-11E5-91B9-0800277A0DD3)
Isolation Signal Registry (D0EBC66D-2A9F-11E5-91B9-0800277A0DD3, 0)
ie_lcie_LogonMedium
Local\IEFrame!GetAsyncKeyStateSharedMem!3248
Behaviour: Sets special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behaviour: Hides a window
Details:
[Window,Class] = [,tooltips_class32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,Afx:10000000:8:10011:1900015:0]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [,AddressDisplay Control]
[Window,Class] = [,CtrlNotifySink]
[Window,Class] = [缩放级别 (Zoom level),ToolbarWindow32]
Behaviour: Installs a message hook
Details:
C:\WINDOWS\system32\IEFRAME.dll
Behaviour: Resolves host name
Details:
wpad
Process behaviour
Behaviour: Creates process with hidden window
Details:
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c ren c:\dosh\ghos\del_gho.exe del_gho
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c ren c:\dosh\ghos\fi.exe fi
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c ren c:\dosh\ghos\fr.exe fr
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c ren c:\dosh\ghos\ft.exe ft
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c ren c:\dosh\ghos\md5.exe md5
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c start http://doshome.com/down_1kg.htm
Behaviour: Creates process
Details:
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\del_gho.exe del_gho
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\fi.exe fi
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\fr.exe fr
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\ft.exe ft
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\md5.exe md5
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c start http://doshome.com/down_1KG.htm
ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3248 CREDAT:79873
Behaviour: Creates process from new file
Details:
ImagePath = c:\%temp%\1436930229.767438.exe, CmdLine = c:\%temp%\1436930229.767438.exe
File behaviour
Behaviour: Opens file mapping with write access
Details:
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.MDI..LPFIG
MSCTF.MarshalInterface.FileMap.MDI.B.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.C.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.D.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.E.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.F.LAGIG
MSCTF.MarshalInterface.FileMap.MDI.G.LAGIG
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Internet Explorer Immutable Application State (00000CB0-0000-0000-0000-000000000000)
ie_lcie_main_cb0
Isolation Process Registry (D0EBC66D-2A9F-11E5-91B9-0800277A0DD3)
Isolation Signal Registry (D0EBC66D-2A9F-11E5-91B9-0800277A0DD3, 0)
ie_lcie_LogonMedium
Local\IEFrame!GetAsyncKeyStateSharedMem!3248
Behaviour: Sets special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behaviour: Modifies file contents
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\dnserrordiagoff[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\errorPageStrings[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\noConnect[3]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\bullet[3]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\down[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\favcenter[3]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\tools[1]---> Offset = 0
Network behaviour
Behaviour: Connects to host
Details:
InternetConnectA: ServerName = doshome.com, PORT = 80
Behaviour: Opens a socket connection
Details:
127.0.0.1:1034
Behaviour: Opens HTTP request
Details:
HttpOpenRequestA: doshome.com:80/down_1kg.htm, hConnect = 0x000004c0
Behaviour: Downloads file
Details:
URLDownloadToFileW: http://www.live.com/favicon.ico ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
URLDownloadToFileW: https://go.microsoft.com/fwlink/?LinkId=141260 ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Kno3.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Kno3.tmp
Behaviour: Resolves host name
Details:
wpad
Registry behaviour
Behaviour: Modifies registry
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\Recovery\Active\{D0EBC670-2A9F-11E5-91B9-0800277A0DD3}
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\Enable
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTime
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeCount
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\SearchScopes\Version
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayName
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\ErrorState
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayMask
Behaviour: Deletes registry key
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}
Behaviour: Deletes registry value (IE connection settings)
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behaviour: Deletes registry value
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Expiration
Other behaviour
Behaviour: Creates mutex
Details:
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
SHIMLIB_LOG_MUTEX
MSCTF.Shared.MUTEX.AEH
Local\!BrowserEmulation!SharedMemory!Mutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
ConnHashTable<3248>_HashTable_Mutex
oleacc-msaa-loaded
Behaviour: Hides a window
Details:
[Window,Class] = [,tooltips_class32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,Afx:10000000:8:10011:1900015:0]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [,AddressDisplay Control]
[Window,Class] = [,CtrlNotifySink]
[Window,Class] = [缩放级别 (Zoom level),ToolbarWindow32]
Behaviour: Installs a message hook
Details:
C:\WINDOWS\system32\IEFRAME.dll
Behaviour: Finds a window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [IEFrame,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Static,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behaviour: Acquires privilege
Details:
SE_LOAD_DRIVER_PRIVILEGE
Behaviour: Window information
Details:
Pid = 2104, Hwnd=0x40250, Text = 确定 (OK), ClassName = Button.
Pid = 2104, Hwnd=0x50230, Text = c:\dosh\ghos\fi 不存在,请重新安装本软件! (c:\dosh\ghos\fi does not exist, please reinstall this software!), ClassName = Static.
Pid = 2104, Hwnd=0x501ba, Text = 信息: (Information:), ClassName = #32770.
Pid = 2104, Hwnd=0x301e6, Text = 稍等 (Wait), ClassName = Button.
Pid = 2104, Hwnd=0x30228, Text = 取消 (Cancel), ClassName = Button.
Pid = 2104, Hwnd=0x301c0, Text = 正在初始化。。。请稍等。。。 (Initializing... please wait...), ClassName = Afx:10000000:b:10011:1900015:0.
Pid = 2104, Hwnd=0x301be, Text = DOS工具箱 (DOS toolbox), ClassName = Button(RadioButton).
Pid = 2104, Hwnd=0x40252, Text = GHOST, ClassName = Button(RadioButton).
Pid = 2104, Hwnd=0x40248, Text = 中文向导 (Chinese wizard), ClassName = Button(RadioButton).
Pid = 2104, Hwnd=0x60240, Text = 一键恢复系统 (One-click system restore), ClassName = Button(RadioButton).
Pid = 2104, Hwnd=0x70196, Text = 一键备份系统 (One-click system backup), ClassName = Button(RadioButton).
Pid = 2104, Hwnd=0x401ce, Text = 一键GHOST v2014.07.18, ClassName = Afx:10000000:b:10011:1900015:0.
Pid = 2104, Hwnd=0x4020e, Text = 一键GHOST [ DOS之家 http://doshome.com ], ClassName = WTWindow.
Pid = 3248, Hwnd=0x501e4, Text = 导航栏 (Navigation bar), ClassName = WorkerW.
Pid = 3248, Hwnd=0x60230, Text = 地址组合控制 (Address combo control), ClassName = ToolbarWindow32.
Behaviour: Inline hook
Details:
C:\WINDOWS\system32\USER32.dll--->CreateWindowExW Offset = 0x0
C:\WINDOWS\system32\comdlg32.dll--->PageSetupDlgW Offset = 0x0
C:\WINDOWS\system32\OLEAUT32.dll--->OleCreatePropertyFrameIndirect Offset = 0x0
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll--->PropertySheet Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->DialogBoxIndirectParamA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->DialogBoxIndirectParamW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->DialogBoxParamA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->DialogBoxParamW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->MessageBoxIndirectA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->MessageBoxIndirectW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->MessageBoxExA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->CallNextHookEx Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->UnhookWindowsHookEx Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetWindowsHookExW Offset = 0x0
C:\WINDOWS\system32\ole32.dll--->CoCreateInstance Offset = 0x0[/mw_shl_code]
Runtime screenshot
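A report like the one above is easier to judge once the noise is separated from the signal: most of the file, registry and mutex entries are Internet Explorer housekeeping caused by the `cmd.exe /c start http://doshome.com/...` line, while a handful of lines (the ASPack packer, the cmd.exe children, an executable run from %temp%, SE_LOAD_DRIVER_PRIVILEGE) are what decide whether the sample deserves a closer look. The Python below is an added example written for this thread, not code from the HOB analysis system or from anyone on this forum. Its report excerpt is a constructed subset of the report quoted above using the same English labels, and the rule weights and the "manual review" threshold are this example's own rough heuristics, not a published scoring scheme.

```python
"""Triage helper for an HOB-style sandbox behaviour report (added example)."""
import re

# Constructed excerpt of the report quoted in this thread, same labels as the
# translated report above. Only a subset of its lines is kept so the example
# runs offline; this is not the analysis system's own output format spec.
SAMPLE_REPORT = r"""
Basic information
File name: gho_run.exe
MD5: af8857e4808ba4c7f071ba93e8b9d8e0
Packer/compiler: PACKER:ASPack 2.12 -> Alexey Solodovnikov
Process behaviour
Behaviour: Creates process with hidden window
Details:
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c ren c:\dosh\ghos\del_gho.exe del_gho
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c start http://doshome.com/down_1kg.htm
Behaviour: Creates process from new file
Details:
ImagePath = c:\%temp%\1436930229.767438.exe, CmdLine = c:\%temp%\1436930229.767438.exe
Network behaviour
Behaviour: Connects to host
Details:
InternetConnectA: ServerName = doshome.com, PORT = 80
Behaviour: Resolves host name
Details:
wpad
Other behaviour
Behaviour: Acquires privilege
Details:
SE_LOAD_DRIVER_PRIVILEGE
"""

SECTION_HEADERS = {
    "Basic information", "Key behaviours", "Process behaviour", "File behaviour",
    "Network behaviour", "Registry behaviour", "Other behaviour",
}


def parse_report(text):
    """Return (basic_info dict, list of (section, behaviour, [detail lines]))."""
    basic, behaviours, section, current = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Details:":
            continue
        if line in SECTION_HEADERS:
            section, current = line, None
            continue
        if line.startswith("Behaviour:"):
            current = (section, line.split(":", 1)[1].strip(), [])
            behaviours.append(current)
            continue
        if section == "Basic information" and current is None and ":" in line:
            key, value = line.split(":", 1)      # "MD5: af88..." style pairs
            basic[key.strip()] = value.strip()
            continue
        if current is not None:
            current[2].append(line)
    return basic, behaviours


def _details(behaviours):
    for _section, _name, details in behaviours:
        yield from details


# Rules: (description, weight, predicate). Weights are this example's own guesses.
RULES = [
    ("packed with a runtime packer (hides strings/imports from static scanners)", 2,
     lambda b, bh: "PACKER:" in b.get("Packer/compiler", "")),
    ("spawns cmd.exe /c children", 1,
     lambda b, bh: any("cmd.exe /c" in d.lower() for d in _details(bh))),
    ("launches the default browser on a vendor URL", 1,
     lambda b, bh: any(re.search(r"/c start https?://", d, re.I) for d in _details(bh))),
    ("executes a file it wrote to %temp%", 2,
     lambda b, bh: any(re.search(r"ImagePath = c:\\%temp%\\.*\.exe", d, re.I)
                       for d in _details(bh))),
    ("acquires SE_LOAD_DRIVER_PRIVILEGE (can load a kernel driver)", 3,
     lambda b, bh: any("SE_LOAD_DRIVER_PRIVILEGE" in d for d in _details(bh))),
]

# Detail lines explained by the browser launch rather than by the sample itself.
BROWSER_NOISE = ("wpad", "IEFRAME", "Internet Explorer", "favicon.ico", "MSCTF", "CTF.")


def triage(text):
    """Score a report; 'manual review' means a human should unpack and look."""
    basic, behaviours = parse_report(text)
    findings = [(desc, w) for desc, w, pred in RULES if pred(basic, behaviours)]
    score = sum(w for _, w in findings)
    noise = sum(1 for d in _details(behaviours) if any(n in d for n in BROWSER_NOISE))
    return {"md5": basic.get("MD5"), "score": score, "findings": findings,
            "browser_noise_lines": noise,
            "verdict": "manual review" if score >= 5 else "low priority"}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['md5']}: score={result['score']} -> {result['verdict']}")
    for desc, w in result["findings"]:
        print(f"  +{w}  {desc}")
    print(f"  ({result['browser_noise_lines']} detail lines attributed to the browser launch)")
```

Running it prints the score and the rules that fired. Note what it deliberately does not do: a high score is a prompt for a human to unpack the binary, check which driver (if any) is actually loaded, and compare the hash with the vendor's own download, not a malware verdict. The sandbox also only reached the installer's first-run error dialog (`c:\dosh\ghos\fi does not exist`), so whatever the real backup/restore path does was never observed in this run.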
开开心心卖手机
Posted on 2015-07-15 13:54:44
[attachment only]
zl181503
Posted on 2015-07-15 14:10:05
Passes 毒霸 (Kingsoft Duba).
卡饭论坛 (KaFan forum)

Copyright © KaFan  KaFan.cn All Rights Reserved.
