[Virus sample] Intercepted by Fil (费尔)

小飞侠.net
Thread starter | Posted on 2008-2-7 14:49:16

Nobody has analysed it? Reposting the analysis results from "jun0717" on the neighbouring board:

ht  tp://1.111281.com/down.exe

[oo]
t0=20080202
e0=http://1.111281.com/1.exe
t1=20080202
e1=http://1.111281.com/2.exe
t2=20080202
e2=http://1.111281.com/3.exe
t3=20080202
e3=http://1.111281.com/4.exe
t4=20080202
e4=http://1.111281.com/5.exe
t5=20080202
e5=http://1.111281.com/6.exe
t6=20080202
e6=http://1.111281.com/7.exe
t7=20080202
e7=http://1.111281.com/8.exe
t8=20080202
e8=http://1.111281.com/9.exe
t9=20080203
e9=http://1.111281.com/10.exe
t10=20080202
e10=http://1.111281.com/11.exe
t11=20080202
e11=http://1.111281.com/12.exe
t12=20080202
e12=http://1.111281.com/13.exe
t13=20080202
e13=http://1.111281.com/14.exe
t14=20080203
e14=http://1.111281.com/15.exe
t15=20080202
e15=http://1.111281.com/16.exe
t16=20080202
e16=http://1.111281.com/17.exe
t17=20080202
e17=http://1.111281.com/18.exe
t18=20080202
e18=http://1.111281.com/19.exe
t19=20080202
e19=http://1.111281.com/20.exe
t20=20080202
e20=http://1.111281.com/21.exe
[ Changes to filesystem ]
  * Creates file C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys.
  * Deletes file C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys.
  * Creates file C:\WINDOWS\SYSTEM32\lssass.exe.
  * Creates file C:\_uninsep.bat.
  * Creates file C:\WINDOWS\SYSTEM32\drivers\ati32srv.sys.
  * Creates file C:\WINDOWS\SYSTEM32\HDDGuard.dll.

[ Changes to registry ]
  * Creates key "HKLM\System\CurrentControlSet\Services\DeepFree Update".
  * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys" in key "HKLM\System\CurrentControlSet\Services\DeepFree Update".
  * Sets value "DisplayName"="DeepFree Update" in key "HKLM\System\CurrentControlSet\Services\DeepFree Update".
  * Creates key "HKLM\System\CurrentControlSet\Services\ATI2HDDSRV".
  * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\drivers\ati32srv.sys" in key "HKLM\System\CurrentControlSet\Services\ATI2HDDSRV".
  * Sets value "DisplayName"="ATI2HDDSRV" in key "HKLM\System\CurrentControlSet\Services\ATI2HDDSRV".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\avp.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\avp.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\runiep.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\runiep.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\PFW.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\PFW.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\FYFireWall.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\FYFireWall.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\rfwmain.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\rfwmain.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\rfwsrv.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\rfwsrv.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\KAVPF.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\KAVPF.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\KPFW32.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\KPFW32.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\nod32kui.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\nod32kui.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\nod32.exeNavapsvc.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\nod32.exeNavapsvc.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Navapw32.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Navapw32.exe".
  * Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\avconsol.exe".
  * Sets value "Debugger"="ntsd -d" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\avconsol.exe".

[ Changes to system settings ]
  * Creates WindowsHook monitoring messages activity.

[ Process/window information ]
  * Creates service "DeepFree Update (DeepFree Update)" as "C:\WINDOWS\SYSTEM32\drivers\pcihdd2.sys".
  * Creates process "C:\WINDOWS\SYSTEM32\lssass.exe".
  * Creates a mutex 2008-1-25.
  * Creates service "ATI2HDDSRV (ATI2HDDSRV)" as "C:\WINDOWS\SYSTEM32\drivers\ati32srv.sys".
  * Terminates AV software.
  * Creates process ""C:\Program Files\Internet Explorer\iexplore.exe"TAIL_ANTI".
  * Enumerates running processes.
  * Creates process ""C:\Program Files\Internet Explorer\iexplore.exe"TAIL_JQG".
  * Enumerates running processes several parses....
Graybird
Posted on 2008-2-7 15:29:41

Reply to post #4 by Graybird

Starting the file scan:

Begin scan in 'E:\新建文件夹 (2).rar'
E:\新建文件夹 (2).rar
  [0] Archive type: RAR
    --> 001.rar
      [1] Archive type: RAR
      --> 06014[1].htm
          [DETECTION] Is the Trojan horse TR/Dldr.Psyme.ZM
    --> 002.rar
      [1] Archive type: RAR
      --> bf[1].htm
          [DETECTION] Contains detection pattern of the exploits EXP/Agent.FO
    --> 003.rar
      [1] Archive type: RAR
      --> d[1].htm
          [DETECTION] Is the Trojan horse TR/Dldr.Psyme.ZN
    --> 004.rar
      [1] Archive type: RAR
      --> realCAN5GBJK.htm
          [DETECTION] Contains detection pattern of the exploits EXP/RealPlr.BK
    --> 005.rar
      [1] Archive type: RAR
      --> real[1].htm
          [DETECTION] Contains detection pattern of the exploits EXP/RealPlr.BK
      [INFO]      The file was deleted!