自己在虚拟机上测试了个小病毒。大家来看看EQ的报告！

显示全部楼层 · 发表于 2008-1-30 08:51:35

搞了半天，终于用EQ监测到了一点东东，现在发上来，给大家过目！像我这样只会用EQ检测到一点东东，希望那位高手看到，再给个监测软件！
测试病毒：最近流行的ｑｑ尾巴: http://fakeid.8800.org/lxh.exe
测试环境：VMWARE6+DEEPIN 精简xp+eq+dr.web中文免费版
进程路径:C:\WINDOWS\Explorer.EXE
文件路径:C:\Documents and Settings\Administrator\桌面\lxh.exe
触发规则:所有程序规则->*

2008-01-29 21:45:55 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\lxh.exe
文件路径:C:\WINDOWS\system32\winsys16_071012.dll
触发规则:所有程序规则->系统文件->%WinDir%\system32\*.dll

2008-01-29 21:46:00 创建注册表值    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\lxh.exe
注册表路径:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
注册表名称:Userinit
注册表数据:rundll32.exe C:\WINDOWS\system32\winsys16_071012.dll start
触发规则:所有程序规则->系统自动运行->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

2008-01-29 21:46:02 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\lxh.exe
文件路径:C:\WINDOWS\system32\rundll32.exe
命令行:C:\WINDOWS\system32\winsys16_071012.dll start
触发规则:所有程序规则->*

2008-01-29 21:46:41 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\lxh.exe
文件路径:C:\myDelm.bat
触发规则:所有程序规则->系统文件->%SystemDrive%\*

2008-01-29 21:46:42 创建文件    操作:允许
进程路径:C:\WINDOWS\system32\rundll32.exe
文件路径:C:\mycj.bat
触发规则:所有程序规则->系统文件->%SystemDrive%\*

2008-01-29 21:46:43 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\lxh.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c c:\myDelm.bat
触发规则:所有程序规则->*

2008-01-29 21:46:45 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\rundll32.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c c:\mycj.bat
触发规则:所有程序规则->*

2008-01-29 21:47:00 运行应用程序    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\WINDOWS\system32\conime.exe

2008-01-29 21:47:01 运行应用程序    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\WINDOWS\system32\ping.exe
命令行:127.0.0.1

2008-01-29 21:47:17 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\WINDOWS\system\AlxRes071012.exe
命令行:i
触发规则:所有程序规则->*

2008-01-29 21:47:22 删除文件    操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\myDelm.bat
触发规则:所有程序规则->系统文件->%SystemDrive%\*

2008-01-29 21:47:23 删除文件    操作:允许
进程路径:C:\WINDOWS\system\AlxRes071012.exe
文件路径:C:\WINDOWS\system32\winsys32_071012.dll
触发规则:所有程序规则->系统文件->%WinDir%\system32\*.dll

2008-01-29 21:47:29 创建文件    操作:允许
进程路径:C:\WINDOWS\system\AlxRes071012.exe
文件路径:C:\WINDOWS\system32\winsys32_071012.dll
触发规则:所有程序规则->系统文件->%WinDir%\system32\*.dll

2008-01-29 21:47:33 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system\AlxRes071012.exe
文件路径:C:\program files\internet explorer\iexplore.exe
触发规则:所有程序规则->*

2008-01-29 21:47:38 修改其它进程内存    操作:允许
进程路径:C:\WINDOWS\system\AlxRes071012.exe
目标进程:C:\program files\internet explorer\iexplore.exe
触发规则:所有程序规则->*

2008-01-29 21:47:46 修改其它进程内存    操作:允许
进程路径:C:\WINDOWS\system\AlxRes071012.exe
目标进程:C:\program files\internet explorer\iexplore.exe
触发规则:所有程序规则->*

2008-01-29 21:47:47 修改其它进程内存    操作:允许
进程路径:C:\WINDOWS\system\AlxRes071012.exe
目标进程:C:\program files\internet explorer\iexplore.exe
触发规则:所有程序规则->*

2008-01-29 21:47:48 修改其它进程内存    操作:允许
进程路径:C:\WINDOWS\system\AlxRes071012.exe
目标进程:C:\program files\internet explorer\iexplore.exe
触发规则:所有程序规则->*

2008-01-29 21:47:48 创建远程线程    操作:允许
进程路径:C:\WINDOWS\system\AlxRes071012.exe
目标进程:C:\program files\internet explorer\iexplore.exe
触发规则:所有程序规则->*

2008-01-29 21:47:50 删除文件    操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\mycj.bat
触发规则:所有程序规则->系统文件->%SystemDrive%\*

2008-01-29 21:48:13 运行应用程序    操作:允许
进程路径:C:\WINDOWS\Explorer.EXE
文件路径:C:\Documents and Settings\Administrator\桌面\SysinternalsSuite\procexp.exe
触发规则:所有程序规则->*

2008-01-29 21:48:26 结束/挂起进程    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\SysinternalsSuite\procexp.exe
目标进程:C:\program files\internet explorer\iexplore.exe
触发规则:所有程序规则->*

2008-01-29 21:48:31 结束/挂起进程    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\SysinternalsSuite\procexp.exe
目标进程:C:\WINDOWS\system32\rundll32.exe
触发规则:所有程序规则->*

2008-01-29 21:48:42 结束/挂起进程    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\SysinternalsSuite\procexp.exe
目标进程:C:\WINDOWS\system32\conime.exe
触发规则:所有程序规则->*

2008-01-29 21:48:52 运行应用程序    操作:允许
进程路径:C:\WINDOWS\Explorer.EXE
文件路径:C:\Documents and Settings\Administrator\桌面\cureit.exe
触发规则:所有程序规则->*

2008-01-29 21:49:13 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\cureit.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\_start.exe
触发规则:所有程序规则->*

2008-01-29 21:49:47 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\_start.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\setup.exe
命令行:/lng:zh-cn-cureit.dwl /ini:setup_XP.ini
触发规则:所有程序规则->*

2008-01-29 21:49:51 加载驱动程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\setup.exe
驱动名称:DwShield
触发规则:所有程序规则->*

2008-01-29 21:54:57 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\setup.exe
文件路径:C:\windows\system32\winsys16_071012.dll
触发规则:所有程序规则->系统文件->%WinDir%\system32\*.dll

2008-01-29 21:55:03 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\setup.exe
文件路径:C:\windows\system32\winsys16_071012.dll
触发规则:所有程序规则->系统文件->%WinDir%\system32\*.dll

2008-01-29 21:55:52 关闭/重启系统    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\setup.exe

显示全部楼层 · 发表于 2008-1-30 08:52:27

1       0.00007683       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
2       0.00015589       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\Abiosdsk       SUCCESS       Access: 0x20019
3       0.00022014       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
4       0.00025338       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\Abiosdsk\ObjectName       NOT FOUND
5       0.00027937       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\Abiosdsk       SUCCESS
6       0.00063053       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
7       0.00066461       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\abp480n5       SUCCESS       Access: 0x20019
8       0.00070735       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
9       0.00073222       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\abp480n5\ObjectName
10       0.00075484       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\abp480n5       SUCCESS
11       0.00096241       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
12       0.00099342       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\ACPIEC       SUCCESS       Access: 0x20019
13       0.00102499       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
14       0.00104790       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\ACPIEC\ObjectName
15       0.00107081       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\ACPIEC       SUCCESS
16       0.00119987       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
17       0.00122921       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\adpu160m       SUCCESS       Access: 0x20019
18       0.00125938       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
19       0.00128201       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\adpu160m\ObjectName       NOT FOUND
20       0.00130491       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\adpu160m       SUCCESS
21       0.00142728       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
22       0.00145577       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\aec       SUCCESS       Access: 0x20019
23       0.00148594       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
24       0.00150745       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\aec\ObjectName       NOT FOUND
25       0.00153036       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\aec       SUCCESS
26       0.00175665       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
27       0.00178766       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\Aha154x       SUCCESS       Access: 0x20019
28       0.00188488       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
29       0.00190974       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\Aha154x\ObjectName       NOT FOUND
30       0.00193544       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\Aha154x       SUCCESS
31       0.00208909       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
32       0.00211843       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\aic78u2       SUCCESS       Access: 0x20019
33       0.00924140       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
34       0.00926626       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\aic78u2\ObjectName       NOT FOUND
35       0.00928945       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\aic78u2       SUCCESS
36       0.00946182       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
37       0.00949283       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\aic78xx       SUCCESS       Access: 0x20019
38       0.00952747       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
39       0.00968140       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\aic78xx\ObjectName       NOT FOUND
40       0.00971213       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\aic78xx       SUCCESS
41       0.00987360       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
42       0.00990377       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\AliIde       SUCCESS       Access: 0x20019
43       0.00993702       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
44       0.00995881       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\AliIde\ObjectName       NOT FOUND
45       0.00998144       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\AliIde       SUCCESS
46       0.01011330       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
47       0.01014263       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\amsint       SUCCESS       Access: 0x20019
48       0.01017224       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
49       0.01019375       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\amsint\ObjectName       NOT FOUND
50       0.01021610       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\amsint       SUCCESS
51       0.01033455       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
52       0.01036333       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\asc       SUCCESS       Access: 0x20019
53       0.01039182       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
54       0.01041780       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\asc\ObjectName       NOT FOUND
55       0.01044043       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\asc       SUCCESS
56       0.01055665       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
57       0.01058654       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\asc3350p       SUCCESS       Access: 0x20019
58       0.01061671       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
59       0.01063822       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\asc3350p\ObjectName       NOT FOUND
60       0.01066113       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\asc3350p       SUCCESS
61       0.01091843       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
62       0.01094972       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\asc3550       SUCCESS       Access: 0x20019
63       0.01098631       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
64       0.01100894       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\asc3550\ObjectName       NOT FOUND
65       0.01103185       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\asc3550       SUCCESS
66       0.01116958       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
67       0.01119863       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\AsyncMac       SUCCESS       Access: 0x20019
68       0.01123020       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services       SUCCESS
69       0.01125143       services.exe:684       QueryValue       HKLM\System\CurrentControlSet\Services\AsyncMac\ObjectName       NOT FOUND
70       0.01127378       services.exe:684       CloseKey       HKLM\System\CurrentControlSet\Services\AsyncMac       SUCCESS
71       0.01145369       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services       SUCCESS       Access: 0x20019
72       0.01148917       services.exe:684       OpenKey       HKLM\System\CurrentControlSet\Services\Atdisk       SUCCESS

显示全部楼层 · 发表于 2008-1-30 10:19:08

显示全部楼层 · 发表于 2008-1-30 10:23:28

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\My Documents\lxh.rar'
C:\Documents and Settings\Administrator\My Documents\
  lxh.rar
[0] Archive type: RAR
--> lxh.exe
      [DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [WARNING] Infected files in archives cannot be repaired!
      [WARNING] The file was ignored!

显示全部楼层 · 发表于 2008-1-30 10:27:28

eq是什么东东？

显示全部楼层 · 发表于 2008-1-30 10:31:24

eqsecure

显示全部楼层 · 发表于 2008-1-30 11:15:27

微点砍掉

显示全部楼层 · 发表于 2008-1-30 11:21:33

想下下来都难!

显示全部楼层 · 发表于 2008-1-30 11:26:33

怎么看不懂了？不就是注册表打开键值关闭键值的东西么

显示全部楼层 · 发表于 2008-1-30 11:27:51

原帖由 fengzi55 于 2008-1-30 08:52 发表
1 0.00007683 services.exe:684 OpenKey HKLM\System\CurrentControlSet\Services SUCCESS Access: 0x20019
2 0.00015589 services.exe:684 ...

很容易看懂的啊

[病毒样本] 自己在虚拟机上测试了个小病毒。大家来看看EQ的报告！

还有用Regmon.exe监测到了，一大堆看不懂的东西！

本帖子中包含更多资源

本帖子中包含更多资源

回复 5楼 fengxing 的帖子

本帖子中包含更多资源

本帖子中包含更多资源

回复 2楼 fengzi55 的帖子

浏览过的版块