Thread starter: 轩夏

[Virus samples] 精睿 sample test (16.3.22)

蓝天二号
Posted on 2016-3-22 10:29:52
sorom posted on 2016-3-22 10:26:
Impressive too: Kaspersky + the big BD engine. Those remaining 5 .vir files aren't easy either.

Late-stage syndrome, I'd say... and ESET too...
沧桑浪子
Posted on 2016-3-22 10:36:51
This post was last edited by 沧桑浪子 on 2016-3-24 09:52

360 Antivirus, all engines + 360 Safeguard QVM cloud signature engine + the remaining samples placed in a folder, compressed into an archive and scanned again.
With 360 Safeguard's local QVM enabled, an online scan additionally caught 23 and 28.
Offline, 360 Antivirus local QVM scanning the archive of the remaining-samples folder killed 09 and 20 (QVM with the 2016.3.18 offline virus database).
Remaining as shown in the screenshot.

04.vir was quarantined again after the password was removed.

The remaining 22 and 47 were sent to the 360 Cloud Analyzer for manual analysis!

47.vir analysis result: dangerous.

360 Antivirus cloud QVM

扫描结果
======================
高危风险项
----------------------
C:\Documents and Settings\Administrator\桌面\2016.3.22\47.vir        HEUR/QVM03.0.Malware.Gen        已删除

What currently remains: the folder was packed up and handed to the 360 Lightning Cloud Analyzer for manual analysis!

Currently remaining:
------------------------Edit---------------------------------------
Killed another one, 22.vir:
2016-03-22 18:56:39     恶意软件(HEUR/QVM30.1.Malware.Gen)MD5:ac9066a7a21fbd1649888fcd312ead26    已删除此文件,如果您发现误删,可从隔离区恢复此文件。        c:\documents and settings\administrator\桌面\2016.3.22\22.vir

Changing the extension to .exe killed 6 more.

4 left.

********************************************
March 24, 2016 09:52:09
BD engine:
C:\Documents and Settings\Administrator\桌面\2016.3.22\01.vir        JS:Trojan.JS.Agent.MJ        已删除

Three remaining: 15, 34, 39.


sorom
Posted on 2016-3-22 10:41:46
蓝天二号 posted on 2016-3-22 10:29:
Late-stage syndrome, I'd say... and ESET too...

Oh, I see it now; I'm just not sensitive to ESET quarantine screenshots. I only want to say to those 5 .vir files: brothers, it's not easy, cherish every step.
Eset小粉絲
Posted on 2016-3-22 10:45:58
Avira 28X
The remainder has been submitted.


Start of the scan: Tuesday, March 22, 2016  10:41

Starting the file scan:

Begin scan in 'C:\Users\IVAN\Desktop\2016.3.22'
C:\Users\IVAN\Desktop\2016.3.22\06.vir
    [0] Archive type: 7-Zip
    --> DOINV27398.rtf
        [1] Archive type: Office Legacy XML
      --> P3hATzCJWAQPBeZEiVwR1FmH.mso
          [2] Archive type: OLE
        --> Object
            [DETECTION] Contains code of the W2000M/Agent.6783456 macro virus
            [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '511c2e85.qua'!
C:\Users\IVAN\Desktop\2016.3.22\07.vir
  [DETECTION] Is the TR/Agent.LR Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '498b0123.qua'!
C:\Users\IVAN\Desktop\2016.3.22\08.vir
  [DETECTION] Is the TR/Crypt.ZPACK.237611 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '1bd45bc4.qua'!
C:\Users\IVAN\Desktop\2016.3.22\09.vir
    [0] Archive type: Inno Setup
    --> {app}\Namso Unlinked.exe
        [1] Archive type: NETRSRC
      --> Object
          [DETECTION] Is the TR/Agent.15360.596 Trojan
          [WARNING]   Infected files in archives cannot be repaired
    --> {app}\XMLRPC.exe
        [DETECTION] Is the TR/Agent.15360.596 Trojan
        [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '7de31404.qua'!
C:\Users\IVAN\Desktop\2016.3.22\13.vir
    [0] Archive type: 7-Zip
    --> ARINV10175.rtf
        [1] Archive type: Office Legacy XML
      --> UGIXaVvPmoW3DTuNLMV.mso
          [2] Archive type: OLE
        --> Object
            [DETECTION] Contains code of the W2000M/Agent.6783456 macro virus
            [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '38673934.qua'!
C:\Users\IVAN\Desktop\2016.3.22\14.vir
    [0] Archive type: Office Legacy XML
    --> P3hATzCJWAQPBeZEiVwR1FmH.mso
        [1] Archive type: OLE
      --> Object
          [DETECTION] Contains code of the W2000M/Agent.6783456 macro virus
          [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '477c0b54.qua'!
C:\Users\IVAN\Desktop\2016.3.22\18.vir
    [0] Archive type: ZIP
    --> PURCHASE-ORDER.exe
        [DETECTION] Is the TR/Dropper.MSIL.276388 Trojan
        [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '0bc42712.qua'!
C:\Users\IVAN\Desktop\2016.3.22\19.vir
    [0] Archive type: ZIP
    --> PurchaseOr.exe
        [1] Archive type: RAR SFX (self extracting)
      --> CMT
          [DETECTION] Is the TR/Injector.981490 Trojan
          [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '77dc6741.qua'!
C:\Users\IVAN\Desktop\2016.3.22\20.vir
  [DETECTION] Is the TR/FileCoder.Locky.56777 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '5a864807.qua'!
C:\Users\IVAN\Desktop\2016.3.22\21.vir
  [DETECTION] Is the TR/Dropper.VB.52795 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '43ee739e.qua'!
C:\Users\IVAN\Desktop\2016.3.22\23.vir
  [DETECTION] Is the TR/Dropper.MSIL.Gen Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '2fb25fa8.qua'!
C:\Users\IVAN\Desktop\2016.3.22\24.vir
  [DETECTION] Is the TR/Agent.Elmo.pgli.138 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '5e0b663c.qua'!
C:\Users\IVAN\Desktop\2016.3.22\25.vir
  [DETECTION] Is the TR/Dropper.MSIL.273434 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '501156f8.qua'!
C:\Users\IVAN\Desktop\2016.3.22\28.vir
  [DETECTION] Is the TR/FileCoder.2560.292 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '15382fb5.qua'!
C:\Users\IVAN\Desktop\2016.3.22\31.vir
    [0] Archive type: MIME
    --> Object
        [DETECTION] Contains recognition pattern of the EXP/MS06-001.WMF exploit
        [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '1c332b15.qua'!
C:\Users\IVAN\Desktop\2016.3.22\33.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Downloader.L macro virus
        [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '4472327a.qua'!
C:\Users\IVAN\Desktop\2016.3.22\35.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Downloader.L macro virus
        [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '68864bb4.qua'!
C:\Users\IVAN\Desktop\2016.3.22\38.vir
  [DETECTION] Is the TR/Agent.336896.83 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '56782b61.qua'!
C:\Users\IVAN\Desktop\2016.3.22\41.vir
    [0] Archive type: Office Legacy XML
    --> ilzZb7XblYRH1PRPBpdoi.mso
        [1] Archive type: OLE
      --> Object
          [DETECTION] Contains code of the W2000M/Agent.6783456 macro virus
          [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '35760019.qua'!
C:\Users\IVAN\Desktop\2016.3.22\42.vir
  [DETECTION] Is the TR/Dropper.MSIL.275337 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '13be4005.qua'!
C:\Users\IVAN\Desktop\2016.3.22\44.vir
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '212a3ba6.qua'!
C:\Users\IVAN\Desktop\2016.3.22\45.vir
  [DETECTION] Is the TR/Dropper.MSIL.275226 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '2b6f10db.qua'!
C:\Users\IVAN\Desktop\2016.3.22\46.vir
    [0] Archive type: Office Legacy XML
    --> VP5eAFOQZBY8BcM2G97p1WDg.mso
        [1] Archive type: OLE
      --> Object
          [DETECTION] Contains code of the W2000M/Agent.6783456 macro virus
          [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '143c749f.qua'!
C:\Users\IVAN\Desktop\2016.3.22\49.vir
    [0] Archive type: Office Legacy XML
    --> x85QGdIdRyWOdQeVyahofhbcI.mso
        [1] Archive type: OLE
      --> Object
          [DETECTION] Contains code of the W2000M/Agent.6783456 macro virus
          [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '6a1078b5.qua'!
C:\Users\IVAN\Desktop\2016.3.22\50.vir
    [0] Archive type: NSIS
    --> ProgramFilesDir/arthroscopy.dll
        [DETECTION] Is the TR/Injector.49152.90 Trojan
        [WARNING]   Infected files in archives cannot be repaired
  [NOTE]      The file was moved to the quarantine directory under the name '3f687c75.qua'!
C:\Users\IVAN\Desktop\2016.3.22\03.vir
  [DETECTION] Contains recognition pattern of the HTML/ExpKit.Gen6 HTML script virus
  [NOTE]      The file was moved to the quarantine directory under the name '52d22761.qua'!
C:\Users\IVAN\Desktop\2016.3.22\34.vir
  [DETECTION] Contains recognition pattern of the PHP/Agent.xadx PHP virus
  [NOTE]      The file was moved to the quarantine directory under the name '513121a8.qua'!
欧阳宣
Posted on 2016-3-22 11:13:50
Trend Micro detected 11, repaired 2.
Llano_心情
Posted on 2016-3-22 11:20:33

Double-click test in a VM, XP SP3.

Scan first:

kill x5... nothing surprising anymore.

Now for the exciting part: the double-click test.

First, renamed to .exe.....

Then renamed a batch to .vbs; sample 03 was cleaned.
Also renamed to .js; no reaction.
Final tally:

7 handled in total....
Goodbye, Panda.

共和时代
Posted on 2016-3-22 11:20:59
WD kill 32x and fix 6x
altogether 38x
心醉咖啡
Posted on 2016-3-22 12:39:10
Kingsoft Antivirus kill 15X
pkuyzy
Posted on 2016-3-22 13:18:36
Ikarus (妖刀) kill 23x
siss
Posted on 2016-3-22 13:22:16

Looks like it's beyond saving.