Views: 4748 | Replies: 20

[Virus sample] Another restore-penetrating sample, different from Robot Dog (机器狗)!

byxxdrls
Posted on 2008-2-15 13:03:40
This sample comes from the 360 forum. One of my machines has 还原精灵 6.0 (a disk-restore tool) installed and its system partition is NTFS. After I ran this virus, the virus's entry in the startup items penetrated the restore (that is, after the reboot-and-restore the startup entry was still there), but the virus file itself seemed to be corrupted (perhaps related to the NTFS format) and could not be read; later, after a disk scan and repair, the file was deleted by the system. Any expert who is interested is welcome to analyze this virus. Sample URL: http://bbs.360safe.com/attachment.php?aid=123514

[ This post was last edited by qianwenxiang on 2008-2-15 13:06 ]

byxxdrls
Original poster | Posted on 2008-2-15 13:05:09
Antivirus engine | Version | Last updated | Scan result
AhnLab-V3 2008.2.15.11 2008.02.15 -
AntiVir 7.6.0.65 2008.02.14 TR/Delphi.Downloader.Gen
Authentium 4.93.8 2008.02.15 Possibly a new variant of W32/Downloader-WebExe-based!Maximus
Avast 4.7.1098.0 2008.02.14 -
AVG 7.5.0.516 2008.02.14 Downloader.Generic6.AIGZ
BitDefender 7.2 2008.02.15 Generic.Malware.Bdld.3324224C
CAT-QuickHeal None 2008.02.14 TrojanDownloader.Delf.epw
ClamAV 0.92.1 2008.02.15 -
DrWeb 4.44.0.09170 2008.02.14 DLOADER.Trojan
eSafe 7.0.15.0 2008.02.14 Win32.Delf.epw
eTrust-Vet 31.3.5538 2008.02.14 -
Ewido 4.0 2008.02.14 -
FileAdvisor 1 2008.02.15 -
Fortinet 3.14.0.0 2008.02.15 -
F-Prot 4.4.2.54 2008.02.14 W32/Downloader-WebExe-based!Maximus
F-Secure 6.70.13260.0 2008.02.15 Trojan-Downloader.Win32.Delf.epw
Ikarus T3.1.1.20 2008.02.15 Trojan-Spy.Win32.Delf.GI
Kaspersky 7.0.0.125 2008.02.15 Trojan-Downloader.Win32.Delf.epw
McAfee 5230 2008.02.14 -
Microsoft 1.3204 2008.02.14 TrojanDownloader:Win32/Small.gen!Z
NOD32v2 2876 2008.02.14 -
Norman 5.80.02 2008.02.14 -
Panda 9.0.0.4 2008.02.14 Suspicious file
Prevx1 V2 2008.02.15 -
Rising 20.31.30.00 2008.02.14 -
Sophos 4.26.0 2008.02.15 Mal/DelpDldr-F
Sunbelt 2.2.907.0 2008.02.14 -
Symantec 10 2008.02.15 -
TheHacker 6.2.9.220 2008.02.14 -
VBA32 3.12.6.1 2008.02.14 suspected of Embedded.Trojan-Downloader.Win32.Delf.eqf
VirusBuster 4.3.26:9 2008.02.14 -
Webwasher-Gateway 6.6.2 2008.02.14 Trojan.Delphi.Downloader.Gen
Additional information
File size: 20064 bytes
MD5: c374b4a7064b460b664d77ee533fc32b
SHA1: b604dc9faf6f4c4e4cb6b71b45ad77b21e1e913b
PEiD: -
packers: UPX
Joker
Posted on 2008-2-15 13:06:54
[attachment, not shown]
挪威的冬天
Posted on 2008-2-15 13:07:10
Kingsoft (金山): MISS
[attachment, not shown]
taiw_1144
Posted on 2008-2-15 13:07:37
Trojan name: Trojan-Downloader.Win32.Delf.iwi

Program:
C:\DOCUMENTS AND SETTINGS\WO\LOCAL SETTINGS\TEMP\RAR$EX00.859\NETGUY_UPDATEFILE.EXE
is a Trojan program!
It has been blocked from running. Delete this file?
spatra
Posted on 2008-2-15 13:10:09
Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\200821355546946.rar'
C:\Documents and Settings\Administrator\桌面\200821355546946.rar
  [0] Archive type: RAR
  --> netguy_updatefile.exe
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [INFO]      The file was deleted!
woai_jolin
Posted on 2008-2-15 13:12:57

Reply to post #2 by byxxdrls

Norman did report it.

netguy_updatefile.exe : Not detected by Sandbox (Signature: W32/Delf.BKHC)


[ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: W32/Delf.BKHC
    * Compressed: YES
    * TLS hooks: YES
    * Executable type: Application
    * Executable file structure: OK

[ General information ]
    * Decompressing UPX.
    * Accesses executable file from resource section.
    * File length:        21504 bytes.
    * MD5 hash: b510f02190591c3a06ef2718c9157bd8.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\TEMP\~87.tmp.

[ Signature Scanning ]
    * C:\WINDOWS\TEMP\~87.tmp (10496 bytes) : no signature detection.



(C) 2004-2006 Norman ASA. All Rights Reserved.
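The VirusTotal listing earlier in this thread gives 20064 bytes / MD5 c374b4a7064b460b664d77ee533fc32b with UPX as the packer, while the Norman sandbox report above gives 21504 bytes / MD5 b510f02190591c3a06ef2718c9157bd8, so the two reports were produced from different files, and any local look at a sample should start by recording its own size and hashes before comparing notes. The script below is an added example (not code from any poster, from Norman, or from VirusTotal): it hashes a PE file, reads the section table and the resource data directory by hand, and flags packing both by UPX section names and by per-section entropy, because a build that has had its section names changed keeps the high entropy of the compressed section. The 7.0 bits-per-byte threshold is an assumption, and build_fake_pe constructs a minimal PE32 header purely as offline test input; it is not the thread's sample.

```python
"""Static first-look at a PE sample: size, hashes, section names, entropy, resources.
Added example for this thread; uses only the standard library."""
import collections
import hashlib
import math
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
ENTROPY_PACKED = 7.0  # assumption: above this a section is treated as compressed/encrypted


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, 0.0 for a single repeated byte."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(buf).values())


def parse_pe(data: bytes):
    """Return (sections, (resource RVA, resource size)) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    rsrc = struct.unpack_from("<II", data, dirs_off + 2 * 8)  # IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
    sections = []
    for i in range(nsections):
        f = SECTION_HDR.unpack_from(data, opt_off + opt_size + SECTION_HDR.size * i)
        raw = data[f[4]:f[4] + f[3]]  # PointerToRawData .. + SizeOfRawData
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": f[1], "rawsize": f[3], "entropy": shannon_entropy(raw),
        })
    return sections, rsrc


def triage(data: bytes) -> dict:
    """Summary a responder records before sending the file anywhere."""
    sections, (_rsrc_rva, rsrc_size) = parse_pe(data)
    names = [s["name"] for s in sections]
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sections": names,
        # UPX leaves UPX0 (empty on disk, large in memory) and UPX1 (compressed body)
        "upx_names": any(n.upper().startswith("UPX") for n in names),
        "packed_by_entropy": any(s["entropy"] > ENTROPY_PACKED for s in sections),
        # the Norman report says the sample pulls an executable out of its resources
        "has_resource_dir": rsrc_size > 0,
    }


def build_fake_pe(sections, rsrc=(0, 0)) -> bytes:
    """Constructed minimal PE32 (headers + raw section bodies) for offline tests only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[2] = rsrc
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    hdr_end = e_lfanew + 24 + 224 + SECTION_HDR.size * len(sections)
    hdrs, body = b"", b""
    for i, (name, raw) in enumerate(sections):
        hdrs += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), max(len(raw), 0x1000),
                                 0x1000 * (i + 1), len(raw), hdr_end + len(body),
                                 0, 0, 0, 0, 0x60000020)
        body += raw
    return dos + coff + opt + hdrs + body


if __name__ == "__main__":
    import json, sys
    with open(sys.argv[1], "rb") as fh:
        print(json.dumps(triage(fh.read()), indent=2))
```

Run it as `python pe_triage.py netguy_updatefile.exe` on an isolated analysis box; the constructed PE produced by build_fake_pe is only there so the parser can be exercised without a live sample.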
sharkkong
Posted on 2008-2-15 14:00:45
ACCESS DENIED
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: http://bbs.kafan.cn/attachment.php?aid=201108

The following error was encountered:

The requested object is INFECTED. The following viruses Trojan-Downloader.Win32.Delf.epw were found

Please contact your service provider if you feel this is incorrect.



--------------------------------------------------------------------------------

Generated Fri Feb 15 13:59:37 2008 by Kaspersky Anti-Virus 7.0
scottxzt
Posted on 2008-2-15 14:09:26
Trojan name: Trojan-Downloader.Win32.Delf.iwi

Program:
C:\DOCUMENTS AND SETTINGS\DELL\桌面\NETGUY_UPDATEFILE.EXE
is a Trojan program!
It has been blocked from running. Delete this file?
scottxzt
Posted on 2008-2-15 14:10:00

This is with Micropoint (微点) started after the virus had already been run; it intercepted it successfully!

Program:
C:\DOCUMENTS AND SETTINGS\DELL\桌面\NETGUY_UPDATEFILE.EXE
The Trojan program created the following files:
1) C:\DOCUMENTS AND SETTINGS\ALL USERS\「开始」菜单\程序\启动\NETGUY_UPDATEFILE.EXE
2) C:\DOCUMENTS AND SETTINGS\DELL\LOCAL SETTINGS\TEMP\~42.TMP
Delete the Trojan program and its derivatives?

[ This post was last edited by scottxzt on 2008-2-15 15:03 ]
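The Micropoint alert above names the two artefacts behind the original poster's observation: a copy of the sample in the All Users Startup folder (a per-boot persistence point) and a ~NN.tmp drop in the user's Temp folder, the same pattern the Norman sandbox logged as C:\WINDOWS\TEMP\~87.tmp. The script below is an added example, not code from any poster or vendor: it classifies observed file paths against those two patterns, covering the Chinese XP Startup folder name shown in this thread and, as an assumption for other locales, the English "Start Menu\Programs\Startup", and on a live Windows host it resolves the real Startup folders from the registry Shell Folders keys instead of hard-coding a name. The OBSERVED list is constructed from the paths posted in this thread.

```python
"""Classify dropped-file paths for Startup-folder persistence and Temp drops.
Added example for this thread; standard library only."""
import re
import sys

# Chinese XP name as seen in this thread; the English name is an assumption for other locales.
STARTUP_RE = re.compile(
    r"\\(Start Menu\\Programs\\Startup|「开始」菜单\\程序\\启动)\\[^\\]+$", re.IGNORECASE)
# ~<digits>.tmp dropped into the per-user Temp or C:\WINDOWS\TEMP, as in the two reports above.
TEMP_TMP_RE = re.compile(
    r"\\(Local Settings\\Temp|WINDOWS\\TEMP)\\~\d+\.tmp$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".vbs")


def classify(path: str) -> set:
    """Return the set of tags that apply to one file path (empty set if nothing is suspicious)."""
    p = path.replace("/", "\\")
    tags = set()
    if STARTUP_RE.search(p):
        tags.add("startup-folder")
        # The Common (All Users) Startup folder runs for every account that logs on.
        if "\\all users\\" in p.lower():
            tags.add("all-users")
    if TEMP_TMP_RE.search(p):
        tags.add("temp-tmp-drop")
    if p.lower().endswith(EXEC_EXT) and "\\temp\\" in p.lower():
        tags.add("executable-in-temp")
    return tags


def audit(paths):
    """Map each flagged path to its tags; unflagged paths are omitted."""
    result = {}
    for p in paths:
        tags = classify(p)
        if tags:
            result[p] = tags
    return result


SHELL_FOLDERS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"


def startup_dirs():
    """On Windows, read the real Startup folders from the registry rather than guessing
    a localized name (assumes the standard Shell Folders keys). Returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    dirs = []
    for hive, value in ((winreg.HKEY_CURRENT_USER, "Startup"),
                        (winreg.HKEY_LOCAL_MACHINE, "Common Startup")):
        try:
            with winreg.OpenKey(hive, SHELL_FOLDERS) as key:
                dirs.append(winreg.QueryValueEx(key, value)[0])
        except OSError:
            pass
    return dirs


# Constructed input: the paths that Micropoint, Norman and AntiVir reported in this thread,
# plus one benign path as a control.
OBSERVED = [
    r"C:\DOCUMENTS AND SETTINGS\ALL USERS\「开始」菜单\程序\启动\NETGUY_UPDATEFILE.EXE",
    r"C:\DOCUMENTS AND SETTINGS\DELL\LOCAL SETTINGS\TEMP\~42.TMP",
    r"C:\WINDOWS\TEMP\~87.tmp",
    r"C:\DOCUMENTS AND SETTINGS\WO\LOCAL SETTINGS\TEMP\RAR$EX00.859\NETGUY_UPDATEFILE.EXE",
    r"C:\Program Files\Common Files\harmless.dll",
]

if __name__ == "__main__":
    for path, tags in audit(OBSERVED).items():
        print(f"{sorted(tags)}  {path}")
    for d in startup_dirs():
        print("live Startup folder:", d)
```

On a real host, feed audit() the paths from a file-creation log (a HIPS or sandbox report) and list the contents of every directory startup_dirs() returns; an executable sitting in the Common Startup folder with a ~NN.tmp sibling in Temp is the exact footprint the two alerts in this thread describe.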
Copyright © KaFan  KaFan.cn All Rights Reserved.