Trj/Ransom.AB

显示全部楼层 · 发表于 2016-2-16 23:50:41

Kaspersky
Internet Security
ACCESS DENIED
The requested URL cannot be provided

Object URL:

https://att.kafan.cn/forum.php?mo ... Dk3NTc3MnwxOTYzMjgz

Reason:

The object is infected by HEUR:Trojan.Win32.Generic
Message generated on: 2016/2/16 23:50:54

显示全部楼层 · 发表于 2016-2-16 23:52:06

看见是后门，双击就不测试试了，肯定又是防火墙君出来打个酱油

显示全部楼层 · 发表于 2016-2-16 23:52:50

显示全部楼层 · 发表于 2016-2-16 23:55:07

本帖最后由 nick20010117 于 2016-2-17 00:25 编辑

行为真多

可疑文件： ckiissoin.exe

风险：高
路径： C:\Users\Administrator\Desktop\新建压缩(zipped)文件夹 (2) (1)\ckiissoin.exe

详细信息
• ckiissoin.exe 程序试图修改 Windows System 目录。此文件 C:\WINDOWS\SYSTEM32\SPYNET\SERVER.EXE 由该进程 created。
• ckiissoin.exe 程序试图修改用于在开机时启动程序的注册表设置 (\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN)。
• ckiissoin.exe 程序试图劫持（伪装执行）另一进程。

修改的文件
• C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\XX--XX--XX.TXT (created)
• C:\Users\Administrator\Desktop\新建压缩(zipped)文件夹 (2) (1)\ckiissoin.exe
• C:\WINDOWS\SYSTEM32\SPYNET\SERVER.EXE (created)

修改的注册表
• \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN:Policies (modified: old_value=, new_value =C:\Windows\system32\spynet\server.exe
• \REGISTRY\USER\S-1-5-21-4035673165-3688820562-1120568024-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\COUNT:{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\gnfxzte.rkr (modified: old_value= 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 000000d5 00000005 00000000 00000000 000000a9 00000048 0000006b 00000000 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 000000ff 000000ff 000000ff 000000ff 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000, new_value = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 000000d6 00000005 00000000 00000000 000000a9 00000048 0000006b 00000000 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 000000ff 000000ff 000000ff 000000ff 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000)
• \REGISTRY\USER\S-1-5-21-4035673165-3688820562-1120568024-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\COUNT:{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr (modified: old_value= 00000000 00000000 00000000 00000000 00000001 00000000 00000000 00000000 0000006d 00000005 00000000 00000000 000000e1 000000ee 000000cf 00000000 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 000000ff 000000ff 000000ff 000000ff 00000070 000000b4 00000020 00000041 000000bc 00000067 000000d1 00000001 00000000 00000000 00000000 00000000, new_value = 00000000 00000000 00000000 00000000 00000001 00000000 00000000 00000000 0000006d 00000005 00000000 00000000 000000ab 000000f4 000000cf 00000000 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 00000000 00000000 00000080 000000bf 000000ff 000000ff 000000ff 000000ff 00000070 000000b4 00000020 00000041 000000bc 00000067 000000d1 00000001 00000000 00000000 00000000 00000000)
• \REGISTRY\USER\S-1-5-21-4035673165-3688820562-1120568024-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN:Policies (modified: old_value=, new_value =C:\Windows\system32\spynet\server.exe
• \REGISTRY\USER\S-1-5-21-4035673165-3688820562-1120568024-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN:HKCU (modified: old_value=, new_value =C:\Windows\system32\spynet\server.exe
• \REGISTRY\USER\S-1-5-21-4035673165-3688820562-1120568024-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (created)

显示全部楼层 · 发表于 2016-2-16 23:57:37

ess9

显示全部楼层 · 发表于 2016-2-16 23:59:57

Avira

ckiissoin.exe
[DETECTION] Contains recognition pattern of the WORM/Rebhip.V worm

显示全部楼层 · 发表于 2016-2-17 00:04:54

windows7爱好者发表于 2016-2-16 23:52
看见是后门，双击就不测试试了，肯定又是防火墙君出来打个酱油

我的图怎么挂了

显示全部楼层 · 发表于 2016-2-17 00:06:00

nick20010117 发表于 2016-2-17 00:04
我的图怎么挂了

感觉论坛有问题，另个帖子我的图也传不上去

显示全部楼层 · 发表于 2016-2-17 00:06:12

AVG：

扫描：killed；

"";"Trojan horse PSW.Generic8.ISF, https://att.kafan.cn/forum.php?mod=attachment&aid=Mjc1NjkwOHxjYzE3NTk5Y3wxNDU1NjM4MTc2fDEwMDA1MDF8MTk2MzI4Mw%3D%3D";"Object was blocked";"URL";"2016/2/16, 23:57:18"

"";"Trojan horse PSW.Generic8.ISF, https://att.kafan.cn/forum.php?mod=attachment&aid=Mjc1NjkwOHxjYzE3NTk5Y3wxNDU1NjM4MTc2fDEwMDA1MDF8MTk2MzI4Mw%3D%3D:\ckiissoin.exe";"Unresolved";"Embedded element in the archive, email attachment, cookie etc.";"2016/2/16, 23:57:18"

双击：关闭监控，实机双击，IDP击杀之（又现Unknown报法）。

"";"Unknown, C:\USERS\KILLER\DESKTOP\CKIISSOIN.EXE";"Deleted";"File or Directory";"2016/2/16, 23:58:45"

"";", C:\Windows\explorer.exe";"Object was blocked";"Process";"2016/2/16, 23:58:45"

"";", D:\360se6\Application\360se.exe";"Object was blocked";"Process";"2016/2/16, 23:58:45"

"";", C:\Windows\System32\spynet\server.exe";"Deleted, Moved to Virus Vault";"File or Directory";"2016/2/16, 23:58:45"

"";", C:\USERS\KILLER\DESKTOP\CKIISSOIN.EXE";"Object was blocked";"Process";"2016/2/16, 23:58:45"

"";", HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\\POLICIES";"Deleted, Moved to Virus Vault";"Registry value";"2016/2/16, 23:58:45"

"";", HKEY_USERS\S-1-5-21-540828005-2055914412-3868506426-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\\POLICIES";"Deleted, Moved to Virus Vault";"Registry value";"2016/2/16, 23:58:45"

"";", HKEY_USERS\S-1-5-21-540828005-2055914412-3868506426-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\HKCU";"Deleted, Moved to Virus Vault";"Registry value";"2016/2/16, 23:58:45"

[病毒样本] Trj/Ransom.AB

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源