一大包

zzh161

下载者搞来的，费尔从23-36都报启发，看样子蛮新的，看那个文件应该是3号更新的毒

[CONTROL]
VERSION=2008-2-3

[DOWN]
NEWVERSION=http://xxx.huilaiba.info/ceshi/gx.exe
1=http://xxx.huilaiba.info/ww/11.exe
2=http://xxx.huilaiba.info/ww/12.exe
3=http://xxx.huilaiba.info/ww/13.exe
4=http://xxx.huilaiba.info/ww/14.exe
5=http://xxx.huilaiba.info/ww/15.exe
6=http://xxx.huilaiba.info/ww/16.exe
7=http://xxx.huilaiba.info/ww/17.exe
8=http://xxx.huilaiba.info/ww/18.exe
9=http://xxx.huilaiba.info/ww/19.exe
10=http://xxx.huilaiba.info/ww/20.exe
11=http://xxx.huilaiba.info/ww/21.exe
12=http://xxx.huilaiba.info/ww/22.exe
13=http://60.190.216.12/ww/23.exe
14=http://60.190.216.12/ww/24.exe
15=http://60.190.216.12/ww/25.exe
16=http://60.190.216.12/ww/26.exe
17=http://60.190.216.12/ww/27.exe
18=http://60.190.216.12/ww/28.exe
19=http://60.190.216.12/ww/29.exe
20=http://60.190.216.12/ww/30.exe
21=http://60.190.216.12/ww/31.exe
22=http://60.190.216.12/ww/32.exe
23=http://60.190.216.12/ww/33.exe
24=http://60.190.216.12/ww/34.exe
25=http://60.190.216.12/ww/35.exe
26=http://60.190.216.12/ww/36.exe

样本：

Joker

20
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qiv        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\11.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qnk        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\12.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qiv        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\14.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qoz        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\15.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.pud        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\16.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qiv        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\17.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qox        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\18.exe//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qnk        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\19.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qiv        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\20.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qoz        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\21.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.pzl        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\22.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.rbf        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\23.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.rbf        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\24.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.rbf        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\25.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.pzl        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\26.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qnc        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\27.exe//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.qoz        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\33.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.rbf        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\34.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.rbf        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\35.exe//PE_Patch//UPack
deleted: Trojan program Trojan-PSW.Win32.OnLineGames.rbf        File: C:\Documents and Settings\Administrator\×ÀÃæ\la.rar/la\36.exe//PE_Patch//UPack

spaceplane

avast 13

kkgh

瑞星病毒查杀结果报告

清除病毒种类列表：
病毒： Trojan.PSW.Win32.OnlineGames.GEN
病毒： RootKit.Win32.GameHack.GEN
病毒： Trojan.PSW.Win32.XYOnline.aay
病毒： Trojan.PSW.Win32.GamesOnline.mn
病毒： Trojan.PSW.Win32.GameOL.lvx
病毒： Trojan.PSW.Win32.GameOL.GEN
病毒： Trojan.PSW.Win32.ZhengTu.ymy
病毒： Trojan.PSW.Win32.GameOL.GEN
病毒： Trojan.PSW.Win32.GamesOnline.mh

用户来源：互联网

软件版本：20.31.10
17个

spatra

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\la.rar'
C:\Documents and Settings\Administrator\桌面\la.rar
  [0] Archive type: RAR
  --> la\23.exe
      [DETECTION] Is the Trojan horse TR/Rootkit.Gen
  --> la\24.exe
      [DETECTION] Is the Trojan horse TR/Rootkit.Gen
  --> la\25.exe
      [DETECTION] Is the Trojan horse TR/Rootkit.Gen
  --> la\28.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
  --> la\29.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
  --> la\30.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
  --> la\31.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
  --> la\32.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
  --> la\34.exe
      [DETECTION] Is the Trojan horse TR/Rootkit.Gen
  --> la\35.exe
      [DETECTION] Is the Trojan horse TR/Rootkit.Gen
  --> la\36.exe
      [DETECTION] Is the Trojan horse TR/Rootkit.Gen
  --> la\11.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.QIV.1
  --> la\12.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.qnq.1
  --> la\13.exe
      [DETECTION] Contains suspicious code HEUR/Malware
  --> la\14.exe
      [DETECTION] Is the Trojan horse TR/PSW.Wow.acd
  --> la\15.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.qxo
  --> la\16.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.pmi.29
  --> la\17.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.QIV.5
  --> la\18.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
  --> la\19.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.qnq.5
  --> la\20.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.qiv
  --> la\21.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.qoz.7
  --> la\22.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.Qha.1
  --> la\26.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.Qha.4
  --> la\27.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
  --> la\33.exe
      [DETECTION] Is the Trojan horse TR/Rootkit.Gen
      [INFO]      The file was deleted!


End of the scan: 2008年2月14日  10:35
Used time: 01:18 min

The scan has been done completely.

      0 Scanning directories
     27 Files were scanned
     20 viruses and/or unwanted programs were found
      6 Files were classified as suspicious:
      1 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      7 Files not concerned
      1 Archives were scanned
      0 Warnings
      0 Notes

beyondcloud

卡巴 21

leonfg

FS 扫描14+沙盘12 全k
沙盘
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\13.EXE 中发现恶意代码。
感染: W32/Viking.EQ
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\23.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\24.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\25.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\28.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\29.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\30.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\31.EXE 中发现恶意代码。
感染: W32/Smalltroj.COVF.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\32.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\34.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\35.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.
在文件 C:\DOCUMENTS AND SETTINGS\GUNDAM\桌面\12\36.EXE 中发现恶意代码。
感染: W32/Suspicious_U.gen.dropper
操作: 无.

扫描
结果: 发现14个恶意软件
Trojan-PSW.Win32.OnLineGames.qiv (病毒)

• C:\Documents and Settings\GUNDAM\桌面\la\11.exe 操作: 删除
• C:\Documents and Settings\GUNDAM\桌面\la\14.exe 操作: 删除
• C:\Documents and Settings\GUNDAM\桌面\la\17.exe 操作: 删除
• C:\Documents and Settings\GUNDAM\桌面\la\20.exe 操作: 删除

Trojan-PSW.Win32.OnLineGames.qnk (病毒)

• C:\Documents and Settings\GUNDAM\桌面\la\12.exe 操作: 删除
• C:\Documents and Settings\GUNDAM\桌面\la\19.exe 操作: 删除

Trojan-PSW.Win32.OnLineGames.qoz (病毒)

• C:\Documents and Settings\GUNDAM\桌面\la\15.exe 操作: 删除
• C:\Documents and Settings\GUNDAM\桌面\la\21.exe 操作: 删除
• C:\Documents and Settings\GUNDAM\桌面\la\33.exe 操作: 删除

Trojan-PSW.Win32.OnLineGames.pud (病毒)

• C:\Documents and Settings\GUNDAM\桌面\la\16.exe 操作: 删除

Trojan-PSW.Win32.OnLineGames.qox (病毒)

• C:\Documents and Settings\GUNDAM\桌面\la\18.exe 操作: 删除

Trojan-PSW.Win32.OnLineGames.pzl (病毒)

• C:\Documents and Settings\GUNDAM\桌面\la\22.exe 操作: 删除
• C:\Documents and Settings\GUNDAM\桌面\la\26.exe 操作: 删除

Trojan-PSW.Win32.OnLineGames.qnc (病毒)

• C:\Documents and Settings\GUNDAM\桌面\la\27.exe 操作: 删除

[ 本帖最后由 leonfg 于 2008-2-14 10:43 编辑 ]

beyondcloud

又测试了一下江民，和卡巴一样，奇怪的是都是28-32这5个没报，两家病毒库挺巧的

f286168511

ESS    26个

leonfg

原帖由 f286168511 于 2008-2-14 10:58 发表
ESS    26个

nod对这种下载者下的成堆的东东一直都蛮强，样本区个人体会