Virus Behavior Analysis
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 1 (c:\temp\e58e511910215bec5b7e2c7b51a01e0f.exe MD5: [e58e511910215bec5b7e2c7b51a01e0f], PID 192, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Infected: Generic.PWStealer.201B9F57
NtVdmControl
==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntvdm.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (WINMM.DLL)
Loaded DLL - DLL: (NTVDMD.DLL)
Loaded DLL - DLL: (Userenv.dll)
Loaded DLL - DLL: (.\UxTheme.dll)
==============================================================================
Filesystem Changes
==============================================================================
Find File: C:\MSDOS.SYS
Find File: C:\IO.SYS
Delete File: C:\WINDOWS\TEMP\scs5.tmp
Delete File: C:\WINDOWS\TEMP\scs7.tmp
Open File: \DosDevices\A: (), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \DosDevices\B: (), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\ntio.sys (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\ntdos.sys (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\CONFIG.NT (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\TEMP\SCS5.TMP (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\HIMEM.SYS (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\HIMEM.SYS (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\COUNTRY.SYS (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \DosDevices\C: (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY,FILE_READ_ATTRIBUTES), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\COMMAND.COM (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\COMMAND.COM (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32 (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\AUTOEXEC.NT (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\TEMP\SCS7.TMP (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\REDIR.??? (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\REDIR.EXE (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\DOSX.??? (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\DOSX.EXE (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM.INI (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: c:\TEMP\E58E51~1.EXE (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Create/Open File: C:\WINDOWS\TEMP\scs5.tmp (OPEN_ALWAYS), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_TEMPORARY,SECURITY_ANONYMOUS)
Create/Open File: C:\WINDOWS\TEMP\scs7.tmp (OPEN_ALWAYS), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_TEMPORARY,SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\_default.pif Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\SYSTEM32\SYSTEM.INI Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\SYSTEM.INI Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\SYSTEM.INI Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\SYSTEM32\KRNL386.EXE Flags: (SECURITY_ANONYMOUS)
==============================================================================
Registry Changes
==============================================================================
Create or Open:
Registry Changes:
Registry Reads:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\ "Identifier"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW\ "RomFontPointers"
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\ "Configuration Data"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\ "VDD"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\ "BootDir"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\ "RootDrive"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ "Compositing"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Control Panel\Desktop\ "LameButtonText"
Registry Enums:
==============================================================================
System Info
==============================================================================
Get System Directory
Get Windows Directory
Get System Time