Thread starter: qianwenxiang

[Verified] Malicious website
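深红的雪
Posted on 2008-1-26 19:12:09
It should be these two:
vertuslkj.com/check/vers55.php?q=1
vertuslkj.com/check/vers55.php?q=2
Unfortunately they are 0-byte files.
ieupdr.exe is generated by a later action; it is not the original file.

My humble take:
The web trojan's intent is to download the file and then use the SaveToFile method of the Adodb.Stream object to save it as ieupdr.exe.
A virus file downloaded through a data stream can have any extension, or even no extension at all; it only needs to be saved in an executable format after the download.

Also, vertuslkj.com/check/tpktskr2.php contains several more, in plaintext: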
http://58.65.239.42/gwer234/u_f1_v34_72_u.exe
http://58.65.239.42/gwer234/kraba.exe
http://85.255.121.162/download/1011.exe
http://58.65.239.42/gwer234/0901a.exe
http://58.65.239.42/gwer234/ldig006.exe
http://58.65.239.42/gwer234/severa.exe
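jimmyleo
Posted on 2008-1-26 19:26:23

Reply to rappar's post (#11)

rappar is right~..
It can even randomize its file name.
The Adodb stream is also something that has been used to death..
Then ShellExecute runs the malware that has already been downloaded..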
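
The pattern described in the two posts above (Adodb.Stream SaveToFile followed by ShellExecute, with an arbitrary or randomized file name) can be checked for statically in script text. This is an added example, not part of the original thread; the sample scripts are constructed, and the function name and verdict labels are assumptions.

```python
import re

FETCH = re.compile(r"xmlhttp|winhttprequest", re.I)
STREAM = re.compile(r"adodb\s*\.\s*stream", re.I)
SAVE = re.compile(r"\.\s*savetofile\s*\(?\s*([^,)\r\n]+)", re.I)
EXEC = re.compile(r"shellexecute|\.\s*run\b|\.\s*exec\b", re.I)
# Joins split literals: "Ado" & "db.Str" & "eam" -> "Adodb.Stream"
SPLIT_STRING = re.compile(r"""(["'])\s*[+&]\s*\1""")

def analyze(script: str) -> dict:
    """Flag stream-write plus execute, without relying on the saved file's extension."""
    text = SPLIT_STRING.sub("", script)
    targets = [m.group(1).strip() for m in SAVE.finditer(text)]
    stream, save, run = bool(STREAM.search(text)), bool(targets), bool(EXEC.search(text))
    if stream and save and run:
        verdict = "download-and-execute"
    elif stream and save:
        verdict = "stream-write"
    else:
        verdict = "no-match"
    return {
        "verdict": verdict,
        "fetch": bool(FETCH.search(text)),
        "targets": targets,
        # True when the file name is a variable (e.g. randomized), not a literal
        "variable_target": any(t[:1] not in "\"'" for t in targets),
    }

# Constructed fragments for illustration only (not taken from the site discussed).
PLAIN_JS = '''
var x = new ActiveXObject("Microsoft.XMLHTTP");
var s = new ActiveXObject("ADODB.Stream");
s.SaveToFile("ieupdr.exe", 2);
sh.ShellExecute("ieupdr.exe");
'''
SPLIT_VBS = '''
Set s = CreateObject("Ado" & "db.Str" & "eam")
fname = rnd_name & ".tmp"
s.SaveToFile fname, 2
sh.ShellExecute fname
'''
BENIGN = '''
Set s = CreateObject("ADODB.Stream")
s.SaveToFile "report.txt", 2
'''

if __name__ == "__main__":
    for name, src in [("plain", PLAIN_JS), ("split", SPLIT_VBS), ("benign", BENIGN)]:
        print(name, analyze(src))
```
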
jimmyleo
Posted on 2008-1-26 19:37:51
As for those files..
Also: norman is well worth a look..
*** Possible virus found ***
*** D:\Download\VirusScan\1011.exe -> Virus W32/Malware ( [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 76288 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\kdzvx.exe.

[ Changes to registry ]
* Sets value "System"="kdzvx.exe" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".

[ Process/window information ]
* Creates an event called KEBDHORDCZGLTA#.
* Creates an event called PEGFSDGHXCBGTR#.
* Will automatically restart after boot (I'll be back...).
* Terminates AV software.
* Modifies other process memory.
* Modifies execution flow of a remote process.

)
*** D:\Download\VirusScan\kraba.exe -> Virus W32/Malware ( [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 7680 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\kr_done1.

[ Changes to registry ]
* Sets value "kr_done1"="Cs7? in key "HKLM\Software\Microsoft".

[ Changes to system settings ]
* Enumerates RAS connections.

[ Network services ]
* Opens URL: http://traff.justcount.net/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIm8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFw1NWxNhZX1,FUZURQoJH1xOX1YDDmY0LCo1eHZhKSopJDkjOnI1MDU_MQ==/count.htm.

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 10100.

[ Process/window information ]
* Creates a mutex testkr1234.
* Enumerates running processes.

)
*** D:\Download\VirusScan\ldig006.exe -> Virus W32/DLoader.dam.dropper ( [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* **Locates window "ghjfhjhf0 [class sdflmxcvc904wefodfld]" on desktop.
* Creating several executable files on hard-drive.
* File length: 17920 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\J8dj3jg.dll.
* Creates file C:\WINDOWS\SYSTEM32\Hfkr4g.dll.
* Creates file C:\WINDOWS\TEMP\winlogan.exe.
* Creates file \drivers\etc\hosts.
* Creates file C:\WINDOWS\TEMP\kf5sdm9.tmp.
* Creates file C:\WINDOWS\TEMP\1295153801.exe.
* Deletes file C:\WINDOWS\TEMP\1295153801.exe.
* Deletes file C:\WINDOWS\TEMP\129515385=.exe.
* Creates file C:\WINDOWS\TEMP\1295153916.exe.
* Deletes file C:\WINDOWS\TEMP\1295153916.exe.
* Deletes file C:\WINDOWS\TEMP\1295153974.exe.
* Creates file C:\WINDOWS\TEMP\129515402;.exe.
* Deletes file C:\WINDOWS\TEMP\129515402;.exe.
* Deletes file C:\WINDOWS\TEMP\1295154089.exe.

[ Changes to registry ]
* Creates key "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore".
* Sets value "Disable Config"="" in key "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore".
* Sets value "WINID"="01C641D3E6DC73F0" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer".
* Creates value "jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Looks for an Internet connection.
* Downloads file from http://bestbsd.info/cd/cd.php?id=01C641D3E6DC73F0&ver=ig1 as C:\WINDOWS\TEMP\1295153801.exe.
* Connects to "bestbsd.info" on port 80 (TCP).
* Opens URL: bestbsd.info/cd/cd.php.
* Downloads file from http://rezultsd.info/cd/cd.php?id=01C641D3E6DC73F0&ver=ig1 as C:\WINDOWS\TEMP\1295153916.exe.
)
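qianwenxiang
Thread starter | Posted on 2008-1-26 19:53:54
So that's how it is.

PS. I thought the Chinese and English parts of that readme said the same thing, so I scrolled straight to the Chinese part and started reading.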
qigang
Posted on 2008-1-26 20:28:16

Reply to rappar's post (#11)

7/3

瑞星病毒查杀结果报告

清除病毒种类列表:

病毒: Trojan.DL.Win32.Small.frv
病毒: Trojan.Win32.Undef.bkc   
病毒: Worm.Mail.Win32.Zhelatin.gm

MAC 地址:00:11:5B:F3:6D:69

用户来源:互联网

软件版本:20.28.52
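冷冷
Posted on 2008-1-26 21:56:52
Originally posted by jimmyleo on 2008-1-26 19:37
As for those files..
Also: norman is well worth a look..


The norman sandbox, which I have envied for a long time.

Unfortunately, only enterprises can get this software.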
深红的雪
Posted on 2008-1-26 22:43:22

Reply to jimmyleo's post (#13)

norman's sandbox trapping really is well worth a look.

PS: I spotted one rather awkward line: (I'll be back...).