刚刚要到的样本，双击党们快来，是时候来秀一波了！！！

杀软神马

B G双击
test.exe

风险： 高
路径： C:\Users\沙勇军\Desktop\test.exe

详细信息
•    test.exe 程序试图修改敏感的系统资源。

修改的文件
•    C:\SANDBOX\沙勇军\DEFAULTBOX\DRIVE (created)
•    C:\SANDBOX\沙勇军\DEFAULTBOX\DRIVE\C (created)
•    C:\SANDBOX\沙勇军\DEFAULTBOX\DRIVE\C\WINDOWS (created)
•    C:\SANDBOX\沙勇军\DEFAULTBOX\DRIVE\C\WINDOWS\WIN7.EXE (created)
•    C:\SANDBOX\沙勇军\DEFAULTBOX\DRIVE\C\WINDOWS\WIN7.EXE:ZONE.IDENTIFIER (created)
•    C:\SANDBOX\沙勇军\DEFAULTBOX\USER\CURRENT\APPDATA\LOCAL\GDIPFONTCACHEV1.DAT (created)
•    C:\Users\沙勇军\Desktop\test.exe

修改的注册表
•    \REGISTRY\USER\SANDBOX_沙勇军_DEFAULTBOX\USER\CURRENT\EUDC\936:SystemDefaultEUDCFont (modified: old_value=, new_value =%WinDir%\Fonts\EUDC.TTE
•    \REGISTRY\USER\SANDBOX_沙勇军_DEFAULTBOX\USER\CURRENT\SOFTWARE\DOVE\TEMP:beforeFullName (modified: old_value=, new_value =C:\Users\沙勇军\Desktop\test.exe
•    \REGISTRY\USER\SANDBOX_沙勇军_DEFAULTBOX\USER\CURRENT\SOFTWARE\MICROSOFT\KUNLUNINPUT:StatusBarPos (modified: old_value=, new_value =0x4100780 (68159360))
•    \REGISTRY\USER\SANDBOX_沙勇军_DEFAULTBOX\USER\CURRENT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP:AutoDetect (modified: old_value=, new_value =0x1 (1))
•    \REGISTRY\USER\SANDBOX_沙勇军_DEFAULTBOX\USER\CURRENT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP:UNCAsIntranet (modified: old_value=, new_value =0x0 (0))
•    \REGISTRY\USER\SANDBOX_沙勇军_DEFAULTBOX\USER\CURRENT_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE:C:\Users\沙勇军\Desktop\test.exe (modified: old_value=, new_value =win7

pal家族

Kaspersky 双击 拦截+回滚

15.01.2016 19.53.16;Actions of malicious program rolled back;PDM:Trojan.Win32.Generic;win7;d:\360安全浏览器下载\test\test.exe;01/15/2016 19:53:16
15.01.2016 19.53.16;Actions of malicious program rolled back;PDM:Trojan.Win32.Generic;win7;c:\windows\win7.exe;01/15/2016 19:53:16

15.01.2016 19.53.16;Registry value restored when rolling back actions of malicious program;HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\enablelua;HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\enablelua;win7;d:\360安全浏览器下载\test\test.exe;01/15/2016 19:53:16
15.01.2016 19.53.16;Registry value restored when rolling back actions of malicious program;HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\enablelua;HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\enablelua;win7;d:\360安全浏览器下载\test\test.exe;01/15/2016 19:53:16
15.01.2016 19.53.02;Malicious program deleted;PDM:Trojan.Win32.Generic;win7;c:\windows\win7.exe;01/15/2016 19:53:02
15.01.2016 19.53.02;Malicious program deleted;PDM:Trojan.Win32.Generic;win7;d:\360安全浏览器下载\test\test.exe;01/15/2016 19:53:02
15.01.2016 19.52.52;Malicious program deleted;PDM:Trojan.Win32.Generic;win7;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost;01/15/2016 19:52:52
15.01.2016 19.52.51;Malicious program terminated;PDM:Trojan.Win32.Generic;win7;C:\Windows\win7.exe;01/15/2016 19:52:51
15.01.2016 19.52.51;Malicious program detected;PDM:Trojan.Win32.Generic;win7;c:\windows\win7.exe;01/15/2016 19:52:51


完整检测+回滚记录

windows7爱好者

猥琐大叔 发表于 2016-1-15 19:47
我双击之后立即断网了，怕一大堆流氓软件，所以有拦截不全的可能？

这可不是流氓下载器

pal家族

230f4 发表于 2016-1-15 19:34
这个有上次那个“过卡巴”强吗？楼主你自己试过没？

哈哈，实际上两次都可以拦截。

230f4

pal家族 发表于 2016-1-15 20:11
哈哈，实际上两次都可以拦截。

那个帖子标题如此，别介意哈。

pal家族

230f4 发表于 2016-1-15 20:25
那个帖子标题如此，别介意哈。

哪里~~都是玩笑话嘛~~

230f4

The analysis of the file / website has been completed:

The sample is malicious and detection will be available in a few updates.

File test_exe[7eb0ae48ed9e29028e71e4f904f75c16] declared INFECTED

Please do not hesitate to contact us should you have any other inquiries in the future.

Have a great day.

Best regards,
Cristina POTERASU
Bitdefender Partner Technical Support Specialist

windows7爱好者

230f4 发表于 2016-1-15 20:45
这个样本貌似很厉害的样子，40分收到人工回复，样本已经被送到Bitdefender Virus Lab，而平时很少出现这种 ...

上次我卡巴是MR0，家族是MR1，当然不排除我卡巴抽风了的可能，另外，我要看ATC双击

HEMM

胆子小不双击，MA无聊杀。

230f4

windows7爱好者 发表于 2016-1-15 21:33
上次我卡巴是MR0，家族是MR1，当然不排除我卡巴抽风了的可能，另外，我要看ATC双击

咳咳！

没找到衍生物，启动项正常