[Virus sample] W2KM_DLOADER.BVET

欧阳宣
Posted on 2016-5-1 17:48:14


The password is infected

z2009
Posted on 2016-5-1 17:56:19
Double-clicked; Red Umbrella (Avira) kills it.
2483883670
Posted on 2016-5-1 17:59:20
[mw_shl_code=css,true]VirusTotal
SHA256:        212ffddeabc0906736c9204369473dd94e8254bb47e412da1c427015db02c22d
File name:        08641_009.exe
Detection ratio:        27 / 55
Analysis date:        2016-05-01 09:58:22 UTC ( 0 minutes ago )
Antivirus        Result        Update
ALYac        W97M.Downloader.BPJ        20160501
AVG        Downloader.Generic_c.ALKL        20160501
Ad-Aware        W97M.Downloader.BPJ        20160501
AhnLab-V3        W97M/Downloader        20160430
Arcabit        W97M.Downloader.BPJ        20160501
Avast        VBA:Downloader-BOH [Trj]        20160501
Avira (no cloud)        W2000M/Dldr.Agent.CG.318        20160430
Baidu        VBA.Trojan-Downloader.Agent.abf        20160429
BitDefender        W97M.Downloader.BPJ        20160501
Cyren        PP97M/Downloader.AW        20160501
ESET-NOD32        VBA/TrojanDownloader.Agent.AZR        20160430
Emsisoft        W97M.Downloader.BPJ (B)        20160501
F-Prot        PP97M/Downloader.AW        20160501
F-Secure        W97M.Downloader.BPJ        20160501
Fortinet        WM/Agent.AZR!tr        20160501
GData        W97M.Downloader.BPJ        20160501
Ikarus        Trojan-Downloader.VBA.Agent        20160501
Kaspersky        Trojan.MSWord.Agent.dh        20160501
McAfee        W97M/Downloader.bcc        20160501
McAfee-GW-Edition        W97M/Downloader.bcc        20160501
Microsoft        TrojanDownloader:O97M/Donoff.BG        20160501
Panda        O97M/Downloader        20160430
Sophos        Troj/DocDl-CKM        20160501
Symantec        W97M.Downloader        20160501
Tencent        Win32.Trojan-downloader.Agent.Huzm        20160501
TrendMicro        W2KM_DL.A59356A8        20160501
nProtect        W97M.Downloader.BPJ        20160429
AVware                20160501
AegisLab                20160501
Alibaba                20160429
Antiy-AVL                20160501
Baidu-International                20160501
Bkav                20160429
CAT-QuickHeal                20160430
CMC                20160429
ClamAV                20160430
Comodo                20160501
DrWeb                20160501
Jiangmin                20160501
K7AntiVirus                20160501
K7GW                20160501
Kingsoft                20160501
Malwarebytes                20160501
NANO-Antivirus                20160501
Qihoo-360                20160501
Rising                20160501
SUPERAntiSpyware                20160501
TheHacker                20160430
TrendMicro-HouseCall                20160501
VBA32                20160430
VIPRE                20160501
ViRobot                20160430
Yandex                20160501
Zillya                20160430
Zoner                20160501[/mw_shl_code]
电脑发烧友
Posted on 2016-5-1 18:02:11
Huorong Network Security Suite v3.0.26.2 (Last update: 2016-04-29 14:08)
Copyright (C) Huorong Borui (Beijing) Technology Co., Ltd. All rights reserved.

Scan engine version:v3.0.3.1
Signature database fingerprint: 40162d0:d2ee512:e3eb417:e3eb417
Signature database timestamp: 2016-04-29 14:08

Scan started at:   2016-05-01 18:01:20

C:\Users\wuliao\Desktop\08641_009\08641_009.docm >> word\vbaProject.bin: OMacro/Downloader.gy

Scan completed at: 2016-05-01 18:01:20

Total:             1 file(s), 16 objects(s)
Infected:          1 file(s), 1 objects(s)
Deleted:           0 file(s), 0 failure(s)
Disinfected:       0 file(s), 0 failure(s)
Duration:          00:00:00
2483883670
Posted on 2016-5-1 18:05:32

[mw_shl_code=css,true]行为描述:        获取窗口截图信息
详情信息:       
Foreground window Info: HWND = 0x00000000, DC = 0x380103c8.
进程行为
行为描述:        创建本地线程
详情信息:       
TargetProcess: WINWORD.EXE, InheritedFromPID = 2008, ProcessID = 1336, ThreadID = 1312, StartAddress = 77E56C7D, Parameter = 001A6630
TargetProcess: WINWORD.EXE, InheritedFromPID = 2008, ProcessID = 1336, ThreadID = 1304, StartAddress = 769AE43B, Parameter = 001A97E8
TargetProcess: WINWORD.EXE, InheritedFromPID = 2008, ProcessID = 1336, ThreadID = 420, StartAddress = 77E56C7D, Parameter = 001AA6B8

行为描述:        创建文件
详情信息:       
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{A24201CD-99B0-43DE-A674-6214E00BCF83}.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\1462097931.578815.docx
行为描述:        修改文件内容
详情信息:       
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm ---> Offset = 54
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{A24201CD-99B0-43DE-A674-6214E00BCF83}.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\1462097931.631946.docx ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\1462097931.632290.docx ---> Offset = 54
C:\Documents and Settings\Administrator\Local Settings\%temp%\1462097931.632633.docx ---> Offset = 0
行为描述:        查找文件
详情信息:       
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\Program Files
FileName = C:\Program Files\Microsoft Office 2007
FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\Program Files\Microsoft Office 2007\Office12\Normal.dotm
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dotm
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates
行为描述:        复制文件
详情信息:       
C:\Program Files\Microsoft Office 2007\Office12\OPA12.BAK ---> C:\Program Files\Microsoft Office 2007\Office12\opa12.dat

行为描述:        修改注册表
详情信息:       
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\pj&
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage\ProductFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\LanguageResources\EnabledLanguages\2052
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\LanguageResources\EnabledLanguages\1033
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage\WORDFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\.s&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\>u&
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\WORDFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\2w&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\aw&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\~x&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\)y&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\&y&
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\ProductNonBootFiles
行为描述:        删除注册表键值
详情信息:       
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\.s&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\>u&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\2w&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\aw&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\~x&
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\)y&

行为描述:        创建互斥体
详情信息:       
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.GCompartListMUTEX.DefaultS-*
MSCTF.Shared.MUTEX.APH
MSCTF.Shared.MUTEX.EGF
行为描述:        创建事件对象
详情信息:       
EventName = Local\PrimaryWord12Mutex_S-*
EventName = MSCTF.SendReceive.Event.EGF.IC
EventName = MSCTF.SendReceiveConection.Event.EGF.IC
EventName = Global\WatsonDataAccess
行为描述:        查找指定窗口
详情信息:       
NtUserFindWindowEx: [Class,Window] = [mspim_wnd32,]
NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp10,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
行为描述:        调整进程token权限
详情信息:       
SE_LOAD_DRIVER_PRIVILEGE
行为描述:        窗口信息
详情信息:       
Pid = 1336, Hwnd=0x3018a, Text = MsoDockTop, ClassName = MsoCommandBarDock.
Pid = 1336, Hwnd=0x201ac, Text = Ribbon, ClassName = MsoCommandBar.
Pid = 1336, Hwnd=0x201ae, Text = MsoDockBottom, ClassName = MsoCommandBarDock.
Pid = 1336, Hwnd=0x201a6, Text = 状态栏, ClassName = MsoCommandBar.
Pid = 1336, Hwnd=0x101b8, Text = 状态栏, ClassName = MsoWorkPane.
Pid = 1336, Hwnd=0x3016c, Text = MsoWorkPane, ClassName = MsoWorkPane.
Pid = 1336, Hwnd=0x201a8, Text = MsoWorkPane, ClassName = MsoWorkPane.
Pid = 1336, Hwnd=0x20198, Text = Microsoft Word, ClassName = OpusApp.
Pid = 1336, Hwnd=0x4016e, Text = Microsoft Office Word, ClassName = bosa_sdm_Microsoft Office Word 12.0.
Pid = 1336, Hwnd=0x101c2, Text = Ribbon, ClassName = MsoWorkPane.
行为描述:        获取窗口截图信息
详情信息:       
Foreground window Info: HWND = 0x00000000, DC = 0x380103c8.
行为描述:        隐藏指定窗口
详情信息:       
[Window,Class] = [,ThunderRT6Main]
[/mw_shl_code]
cfhdrty
Posted on 2016-5-1 19:08:19
"Digits" (360) and ESS have it in their signature databases and kill it.
275751198
Posted on 2016-5-1 19:10:33
This post was last edited by 275751198 on 2016-5-1 19:14

Reported to 360; did not double-click.

Sorry, it turns out it had already been auto-repaired; I only noticed just now when I looked at the log.

360 Antivirus real-time protection log

时间                    防护说明                                                                  处理结果                                                        文件
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2016-05-01 19:09:45     宏病毒(macro.office.07vba.gen.1)                                         文件中感染的病毒代码已经清除,您可放心使用。                d:\360安全浏览器下载\08641_009.docm
ymb668888
Posted on 2016-5-1 19:13:02
Kaspersky has added it to its database.
01.05.2016 19.11.44;检测到的对象 ( 文件 ) 已删除。;C:\Users\Administrator\Downloads\病毒测试\08641_009.docm//word/vbaProject.bin//Module2;C:\Users\Administrator\Downloads\病毒测试\08641_009.docm//word/vbaProject.bin//Module2;Trojan.MSWord.Agent.dh;木马程序;05/01/2016 19:11:44
connelly
Posted on 2016-5-1 19:37:25
SEP heuristic

zq19861019
Posted on 2016-5-1 21:22:56
GData kills it.