过江民的～～～

鱼是一只我

原帖由 jiffy 于 2008-1-28 12:21 发表
江民居然没有反应。。。。。。。。。

....

看标题

wolffshen

FS 2008-01-27_04 全杀

xlys

对象: 样本 014(1).exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本 14.exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本 bf(1).exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本 bf.exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本 g.exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本 lz.exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本 pps(1).exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本 pps.exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本 q.exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本 rl.exe
        在压缩档案里: D:\Documents\桌面\样本.rar
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (KAV 引擎)
对象: 样本.rar
        路径: D:\Documents\桌面
        状态: 已发现病毒
        病毒: Trojan-PSW.Win32.OnLineGames.ode (10x) (KAV 引擎)
分析完成: 2008-1-28 12:42
    已扫描 1 个文件
    已发现 1 个染毒文件
    发现 0 个可疑文件

gho

C:\Documents and Settings\gho\桌面\样本\014(1).exe        New Malware.aq (Trojan)
2008-1-28        13:02:25        Moved (Clean failed because the file isn't cleanable)         WHUT-D9193C067E\gho        WinRAR.exe        C:\Documents and Settings\gho\桌面\样本\14.exe        New Malware.aq (Trojan)
2008-1-28        13:02:25        Moved (Clean failed because the file isn't cleanable)         WHUT-D9193C067E\gho        WinRAR.exe        C:\Documents and Settings\gho\桌面\样本\bf(1).exe        New Malware.aq (Trojan)
2008-1-28        13:02:25        Moved (Clean failed because the file isn't cleanable)         WHUT-D9193C067E\gho        WinRAR.exe        C:\Documents and Settings\gho\桌面\样本\bf.exe        New Malware.aq (Trojan)
2008-1-28        13:02:25        Moved (Clean failed because the file isn't cleanable)         WHUT-D9193C067E\gho        WinRAR.exe        C:\Documents and Settings\gho\桌面\样本\g.exe        New Malware.aq (Trojan)
2008-1-28        13:02:25        Moved (Clean failed because the file isn't cleanable)         WHUT-D9193C067E\gho        WinRAR.exe        C:\Documents and Settings\gho\桌面\样本\lz.exe        New Malware.aq (Trojan)
2008-1-28        13:02:25        Moved (Clean failed because the file isn't cleanable)         WHUT-D9193C067E\gho        WinRAR.exe        C:\Documents and Settings\gho\桌面\样本\pps(1).exe        New Malware.aq (Trojan)
2008-1-28        13:02:25        Moved (Clean failed because the file isn't cleanable)         WHUT-D9193C067E\gho        WinRAR.exe        C:\Documents and Settings\gho\桌面\样本\pps.exe        New Malware.aq (Trojan)
2008-1-28        13:02:26        Moved (Clean failed because the file isn't cleanable)         WHUT-D9193C067E\gho        WinRAR.exe        C:\Documents and Settings\gho\桌面\样本\q.exe        New Malware.aq (Trojan)
2008-1-28        13:02:26        Moved (Clean failed because the file isn't cleanable)         WHUT-D9193C067E\gho        WinRAR.exe        C:\Documents and Settings\gho\桌面\样本\rl.exe        New Malware.aq (Trojan)

398566384

panda2008 all pass

zwl2828

  Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-PSW.OnLineGames!sd5	Trojan-PSW.OnLineGames!sd5 is a malicious application that attempts to steal passwords, login details, and other confidential information.

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File MD5	Alias
1	%Temp%\tmp1.tmp %Temp%\tmp2.tmp	10,240 bytes	0x89FBB0B54C7FA459AA991F9FD04D09FA	Trojan-PSW.OnLineGames!sd5 [PCTools] Trojan-PSW.Win32.OnLineGames.ode [Kaspersky Lab]
2	%System%\drivers\phy.sys	1,536 bytes	0xB0A5782F076F4D5F5B71C0AF42AD9C45	Generic PWS.o [McAfee] TSPY_ONLINEG.DGD [Trend Micro]
3	[file and pathname of the sample #1]	23,886 bytes	0xFCF1B73AE02598F1613C14184AF749B8	Packed/NSPack [PCTools] Trojan-PSW.Win32.OnLineGames.ode [Kaspersky Lab] New Malware.aq [McAfee] TSPY_ONLINEG.DUC [Trend Micro]

• Notes:
  • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
  • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	114,688 bytes
tmp1.tmp	%Temp%\tmp1.tmp	20,480 bytes

• There was a new kernel-mode driver installed in the system:

Driver Name	Driver Filename
phy	%System%\DRIVERS\phy.sys

Registry Modifications

• The following Registry Keys were created:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PHY
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PHY\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PHY\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PHY
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PHY\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PHY\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phy
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phy\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phy\Enum

• The newly created Registry Values are:
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PHY\0000\Control]
    • *NewlyCreated* = 0x00000000
    • ActiveService = "phy"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PHY\0000]
    • Service = "phy"
    • Legacy = 0x00000001
    • ConfigFlags = 0x00000000
    • Class = "LegacyDriver"
    • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • DeviceDesc = "phy"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PHY]
    • NextInstance = 0x00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy\Enum]
    • 0 = "Root\LEGACY_PHY\0000"
    • Count = 0x00000001
    • NextInstance = 0x00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy\Security]
    • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
    • Type = 0x00000001
    • Start = 0x00000003
    • ErrorControl = 0x00000001
    • ImagePath = "%System%\DRIVERS\phy.sys"
    • DisplayName = "phy"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PHY\0000\Control]
    • *NewlyCreated* = 0x00000000
    • ActiveService = "phy"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PHY\0000]
    • Service = "phy"
    • Legacy = 0x00000001
    • ConfigFlags = 0x00000000
    • Class = "LegacyDriver"
    • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • DeviceDesc = "phy"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PHY]
    • NextInstance = 0x00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phy\Enum]
    • 0 = "Root\LEGACY_PHY\0000"
    • Count = 0x00000001
    • NextInstance = 0x00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phy\Security]
    • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phy]
    • Type = 0x00000001
    • Start = 0x00000003
    • ErrorControl = 0x00000001
    • ImagePath = "%System%\DRIVERS\phy.sys"
    • DisplayName = "phy"

Other details

• To mark the presence in the system, the following Mutex object was created:
  • DBWinMutex

• The following Internet download was started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://udd.yooosky.com/flash.txt	t

qigang

40/20

瑞星病毒查杀结果报告

清除病毒种类列表：

病毒： Trojan.DL.Win32.Undef.w  
病毒： RootKit.Win32.Mnless.gp  

MAC 地址：00:11:5B:F3:6D:69

用户来源：互联网

软件版本：20.29.02