[病毒样本] 1+1

显示全部楼层 · 发表于 2008-2-4 12:58:57

2008-2-4 12:48:58 C:\Program Files\Sandboxie\Start.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe (Default) 65 00 78 00 65 00 66 00 69 00 6c 00 65 00 00 未结束的Unicode字符串读检测到
2008-2-4 12:48:58 C:\Program Files\Sandboxie\Start.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32 (Default) shell32.dll 未结束的Unicode字符串读被允许　　
2008-2-4 12:48:58 C:\Program Files\Sandboxie\Start.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32 (Default) shell32.dll 未结束的Unicode字符串读检测到
2008-2-4 12:48:58 C:\Program Files\Sandboxie\Start.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe (Default) 65 00 78 00 65 00 66 00 69 00 6c 00 65 00 00 未结束的Unicode字符串读被允许　　
2008-2-4 12:48:58 C:\Program Files\Sandboxie\Start.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe (Default) 65 00 78 00 65 00 66 00 69 00 6c 00 65 00 00 未结束的Unicode字符串读检测到
2008-2-4 12:48:58 C:\Program Files\Sandboxie\Start.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 (Default) %SystemRoot%\system32\SHELL32.dll 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:48:58 C:\Program Files\Sandboxie\Start.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 (Default) %SystemRoot%\system32\SHELL32.dll 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:48:51 C:\Program Files\Sandboxie\Start.exe HKEY_USERS\SANDBOX_JEHOVAH_KING_DEFAULTBOX\machine\software\microsoft\windows nt\currentversion\winlogon Shell x 未结束的Unicode字符串创建被允许　　
2008-2-4 12:48:51 C:\Program Files\Sandboxie\Start.exe HKEY_USERS\SANDBOX_JEHOVAH_KING_DEFAULTBOX\machine\software\microsoft\windows nt\currentversion\winlogon Shell x 未结束的Unicode字符串创建检测到
2008-2-4 12:50:49 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:49 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:49 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:49 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:49 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:49 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:49 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:49 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon (Default) %SystemRoot%\system32\SHELL32.dll,17 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon (Default) %SystemRoot%\system32\SHELL32.dll,17 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon (Default) %SystemRoot%\system32\SHELL32.dll,17 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon (Default) %SystemRoot%\system32\SHELL32.dll,17 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\d\DefaultIcon (Default) C:\WINDOWS\Resources\Themes\VistaDrv\25.ico 未结束的Unicode字符串读被允许　　
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\d\DefaultIcon (Default) C:\WINDOWS\Resources\Themes\VistaDrv\25.ico 未结束的Unicode字符串读检测到
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\d\DefaultIcon (Default) C:\WINDOWS\Resources\Themes\VistaDrv\25.ico 未结束的Unicode字符串读被允许　　
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\d\DefaultIcon (Default) C:\WINDOWS\Resources\Themes\VistaDrv\25.ico 未结束的Unicode字符串读检测到
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon (Default) C:\WINDOWS\Resources\Themes\VistaDrv\s50.ico 未结束的Unicode字符串读被允许　　
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon (Default) C:\WINDOWS\Resources\Themes\VistaDrv\s50.ico 未结束的Unicode字符串读检测到
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon (Default) C:\WINDOWS\Resources\Themes\VistaDrv\s50.ico 未结束的Unicode字符串读被允许　　
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon (Default) C:\WINDOWS\Resources\Themes\VistaDrv\s50.ico 未结束的Unicode字符串读检测到
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (Default) %SystemRoot%\Explorer.exe,0 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60664caf-af0d-0004-a300-5c7d25ff22a0}\InProcServer32 (Default) C:\WINDOWS\system32\shgina.dll 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:48 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60664caf-af0d-0004-a300-5c7d25ff22a0}\InProcServer32 (Default) C:\WINDOWS\system32\shgina.dll 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:47 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60664caf-af0d-0004-a300-5c7d25ff22a0}\InProcServer32 (Default) C:\WINDOWS\system32\shgina.dll 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:47 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60664caf-af0d-0004-a300-5c7d25ff22a0}\InProcServer32 (Default) C:\WINDOWS\system32\shgina.dll 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:47 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60664caf-af0d-0004-a300-5c7d25ff22a0}\InProcServer32 (Default) C:\WINDOWS\system32\shgina.dll 未结束的Unicode字符串(带有环境变量参数) 读被允许　　
2008-2-4 12:50:47 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60664caf-af0d-0004-a300-5c7d25ff22a0}\InProcServer32 (Default) C:\WINDOWS\system32\shgina.dll 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:50:47 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\Controls (Default) {21EC2020-3AEA-1069-A2DD-08002B30309D} 未结束的Unicode字符串读被允许　　
2008-2-4 12:50:47 C:\Program Files\Sandboxie\SbieCtrl.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\Controls (Default) {21EC2020-3AEA-1069-A2DD-08002B30309D} 未结束的Unicode字符串读检测到
2008-2-4 12:49:01 C:\Documents and Settings\jehovah_king\桌面\Setup.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mailto\shell\open\command (Default) "%ProgramFiles%\Outlook Express\msimn.exe" /mailurl:%1 未结束的Unicode字符串(带有环境变量参数) 读检测到
2008-2-4 12:49:01 C:\Documents and Settings\jehovah_king\桌面\Setup.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mailto\shell\open\command (Default) "%ProgramFiles%\Outlook Express\msimn.exe" /mailurl:%1 未结束的Unicode字符串(带有环境变量参数) 读被允许　　

显示全部楼层 · 发表于 2008-2-4 12:59:44

发报告真累

显示全部楼层 · 发表于 2008-2-4 13:18:34

好像很强悍的样子

这个是那个安装包的报告吧

显示全部楼层 · 发表于 2008-2-4 13:21:11

是的，安装完后就剩下那个捆绑的东西驻留内存

显示全部楼层 · 发表于 2008-2-4 13:22:16

这个软件动作还不少

显示全部楼层 · 发表于 2008-2-4 14:05:18

avast avi飞

显示全部楼层 · 发表于 2008-2-4 15:15:20

对象: Setup.exe ReadBook.exe
在压缩档案里: D:\Documents\桌面\msdtc.rar
状态: 已发现病毒
病毒: Trojan-Clicker.Win32.VB.wj (KAV 引擎)
对象: Setup.exe msdtc.exe
在压缩档案里: D:\Documents\桌面\msdtc.rar
状态: 已发现病毒
病毒: Trojan-Downloader.Win32.VB.clq (KAV 引擎)
对象: msdtc.exe
在压缩档案里: D:\Documents\桌面\msdtc.rar
状态: 已发现病毒
病毒: Trojan-Downloader.Win32.VB.clq (KAV 引擎)
对象: msdtc.rar
路径: D:\Documents\桌面
状态: 已发现病毒
病毒: Trojan-Clicker.Win32.VB.wj, Trojan-Downloader.Win32.VB.clq (2x) (KAV 引擎)
分析完成: 2008-2-4 15:14
已扫描 1 个文件
已发现 1 个染毒文件
发现 0 个可疑文件

显示全部楼层 · 发表于 2008-2-4 15:44:59

rising20.30全过！

显示全部楼层 · 发表于 2008-2-4 16:42:04

The file 'Setup.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/Click.VB.WJ.8. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system.Detection is added to our virus definition file (VDF) starting with version 7.00.02.85.

The file 'msdtc.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Dldr.VB.clq. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection is added to our virus definition file (VDF) starting with version 7.00.02.85.

显示全部楼层 · 发表于 2008-2-4 16:59:12

I:\virus\msdtc.rar:\Setup.exe - Signature 'Trojan-Clicker.Win32.VB.wj' found
I:\virus\msdtc.rar:\msdtc.exe
I:\virus\msdtc.rar

3 Files scanned
(1 Archiv with 2 files)
1 Signature found
0 Suspect code-parts found
Used time: 0:00.125
IK

[病毒样本] 1+1

回复 23楼 qianwenxiang 的帖子

回复 3楼 Graybird 的帖子