刚刚找图标找到的..

jimmyleo

44a8a722802ab5b8676c84c48693bec0 *5[1].gif
14c5dd52151ac65f82650c10795a25f1 *pps.exe

gif伪 按数据流读取..
5.gif
-->Malzilla-->FreShow-->
pps.exe

这回mcafee的obscured不叫了...

鱼是一只我

kv2008
～～

woai_jolin

zwl2828

C:\Users\Wesley\Downloads\pack.rar
  [0] Archive type: RAR
  --> 5[1].gif
      [DETECTION] Contains suspicious code HEUR/Exploit.HTML
  --> pps.exe
      [DETECTION] Contains suspicious code HEUR/Malware

winxp0286

红伞终于杀了。。晕。。。。

gho

mcafee miss

hj5abc

pps.exe : Not detected by Sandbox (Signature: W32/Suspicious_U.gen)


[ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: W32/Suspicious_U.gen
    * Compressed: YES
    * TLS hooks: NO
    * Executable type: Application
    * Executable file structure: OK

[ General information ]
    * Accesses executable file from resource section.
    * Creating several executable files on hard-drive.
    * **Locates window "Windows Îļþ±£»¤ [class #32770]" on desktop.
    * File length:         7368 bytes.
    * MD5 hash: 14c5dd52151ac65f82650c10795a25f1.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\TEMP\tmp8099.tmp.
    * Deletes file C:\WINDOWS\TEMP\tmp8099.tmp.
    * Creates file C:\WINDOWS\TEMP\TMPFILE.TMP.
    * Deletes file C:\WINDOWS\TEMP\~esace.
    * Creates file C:\WINDOWS\TEMP\~esace.
    * Deletes file C:\WINDOWS\TEMP\TMPFILE.TMP.

[ Changes to registry ]
    * Creates key "HKLM\System\CurrentControlSet\Services\pop".
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\DRIVERS\pop.sys" in key "HKLM\System\CurrentControlSet\Services\pop".
    * Sets value "DisplayName"="pop" in key "HKLM\System\CurrentControlSet\Services\pop".

[ Network services ]
    * Downloads file from http://down.malasc.cn/downlist.txt as cache file.
    * Connects to "down.malasc.cn" on port 80.
    * Opens URL: down.malasc.cn/downlist.txt.

[ Process/window information ]
    * Creates process "C:\WINDOWS\TEMP\tmp8099.tmp".
    * Creates a mutex ~wupcai.
    * Attempts to access service "pop".
    * Creates service "pop (pop)" as "C:\WINDOWS\SYSTEM32\DRIVERS\pop.sys".
    * Enumerates running processes.
    * Enumerates running processes several parses....

kiki

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\pack.rar'
C:\Documents and Settings\Administrator\桌面\pack.rar
  [0] Archive type: RAR
  --> 5[1].gif
      [DETECTION] Contains suspicious code HEUR/Exploit.HTML
  --> pps.exe
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was deleted!

leonfg

ESET
C:\Documents and Settings\GUNDAM\桌面\pack.rar » RAR » pps.exe - probably a variant of Win32/TrojanDownloader.Small.NZK trojan

卡江东N

Trend: find
symantec:pass