Thread starter: 轩夏

[Virus samples] 精睿 sample test (16.5.11)
Eset小粉絲
Posted on 2016-5-11 15:47:40
Avira Leftover 12

Start of the scan: Wednesday, 11 May, 2016  15:35

Starting the file scan:

Begin scan in 'C:\Users\User\Downloads\Compressed\2016.5.11'
C:\Users\User\Downloads\Compressed\2016.5.11\01.vir
  [DETECTION] Is the TR/Dropper.MSIL.ymqa Trojan
C:\Users\User\Downloads\Compressed\2016.5.11\02.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\04.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\05.vir
  [DETECTION] Contains code of the W2000M/Agent.11934372 macro virus
C:\Users\User\Downloads\Compressed\2016.5.11\06.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\08.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\09.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\10.vir
  [DETECTION] Contains recognition pattern of the JS/Dldr.Locky.98765 Java script virus
C:\Users\User\Downloads\Compressed\2016.5.11\11.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\13.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\15.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\16.vir
    [0] Archive type: ACE
    --> Receipt.exe
        [DETECTION] Is the TR/Dropper.MSIL.mftf Trojan
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\20.vir
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\Users\User\Downloads\Compressed\2016.5.11\21.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\25.vir
  [DETECTION] Is the TR/Crypt.ZPACK.uljg Trojan
C:\Users\User\Downloads\Compressed\2016.5.11\26.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\27.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\28.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\29.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\31.vir
  [DETECTION] Contains recognition pattern of the JS/Dldr.Locky.98765 Java script virus
C:\Users\User\Downloads\Compressed\2016.5.11\32.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\35.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\36.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\37.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\38.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\40.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\41.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\43.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\44.vir
  [DETECTION] Is the TR/Dropper.MSIL.droi Trojan
C:\Users\User\Downloads\Compressed\2016.5.11\47.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\48.vir
    [0] Archive type: CAB (Microsoft)
    --> cash_ZEmrxanO120.js
        [DETECTION] Contains recognition pattern of the JS/Dldr.Agent.Daga.3 Java script virus
        [WARNING]   Infected files in archives cannot be repaired
C:\Users\User\Downloads\Compressed\2016.5.11\49.vir
    [0] Archive type: ZIP
    --> word/vbaProject.bin
        [DETECTION] Contains code of the W2000M/Dldr.Agent.aagg macro virus
        [WARNING]   Infected files in archives cannot be repaired

Begin scan in 'C:\Users\User\Downloads\Compressed\2016.5.11\07.vir'
C:\Users\User\Downloads\Compressed\2016.5.11\07.vir
  [DETECTION] Contains recognition pattern of the JS/Dldr.Locky.EL Java script virus
  [NOTE]      The file was moved to the quarantine directory under the name '510c74db.qua'!
Begin scan in 'C:\Users\User\Downloads\Compressed\2016.5.11\18.vir'
C:\Users\User\Downloads\Compressed\2016.5.11\18.vir
  [DETECTION] Contains recognition pattern of the JS/Dldr.Locky.EL Java script virus
  [NOTE]      The file was moved to the quarantine directory under the name '499b5b7d.qua'!
Begin scan in 'C:\Users\User\Downloads\Compressed\2016.5.11\23.vir'
C:\Users\User\Downloads\Compressed\2016.5.11\23.vir
  [DETECTION] Contains recognition pattern of the JS/Dldr.Agent.98765 Java script virus
  [NOTE]      The file was moved to the quarantine directory under the name '1bc40190.qua'!
Begin scan in 'C:\Users\User\Downloads\Compressed\2016.5.11\24.vir'
C:\Users\User\Downloads\Compressed\2016.5.11\24.vir
  [DETECTION] Contains recognition pattern of the JS/Dldr.Agent.98765 Java script virus
  [NOTE]      The file was moved to the quarantine directory under the name '7df34e53.qua'!
Begin scan in 'C:\Users\User\Downloads\Compressed\2016.5.11\33.vir'
C:\Users\User\Downloads\Compressed\2016.5.11\33.vir
  [DETECTION] Contains recognition pattern of the HTML/ExpKit.Gen2 HTML script virus
  [NOTE]      The file was moved to the quarantine directory under the name '3877636d.qua'!
Begin scan in 'C:\Users\User\Downloads\Compressed\2016.5.11\50.vir'
C:\Users\User\Downloads\Compressed\2016.5.11\50.vir
  [DETECTION] Contains recognition pattern of the JS/Dldr.Agent.98765 Java script virus
  [NOTE]      The file was moved to the quarantine directory under the name '5117725a.qua'!
坏脾气的男生
Posted on 2016-5-11 15:48:04
Last edited by 坏脾气的男生 on 2016-5-11 16:15

Of all the domestic antivirus products, only Rising (瑞星) is any good. The others, 360 and Kingsoft (金山) / PC Manager (管家), basically score single digits on this scan; I just tried Baidu as well and it was single digits too, and its resource usage is quite heavy.
275751198
Posted on 2016-5-11 16:01:18
Last edited by 275751198 on 2016-5-11 16:03

Since the pack has been out for this long, there can't be any cloud-response issue; whatever should be in the database is already in it. Today, to deal with the problem of some samples having their extension changed incorrectly, I went back to the original test method. 360 Antivirus (360杀毒) without the BD and Avira (红伞) engines.

Extension set to EXE: 5 detected

Extension set to doc: 25 detected

Deleted all the files that had been repaired, renamed the remaining files to zip: 1 detected

Extension set to js: 1 detected

18 left in the end

275751198
Posted on 2016-5-11 16:06:53
坏脾气的男生 posted on 2016-5-11 15:48:
Of all the domestic antivirus products, only Rising (瑞星) is any good. The others, 360 and Kingsoft (金山) / PC Manager (管家), basically score single digits; Baidu I don't know.

With the wrong extension, 360 doesn't flag them.
坏脾气的男生
Posted on 2016-5-11 16:19:43
275751198 posted on 2016-5-11 16:06:
With the wrong extension, 360 doesn't flag them.

Once the extension is changed to exe the file can already run, and still only five were flagged. If a user gets infected, are we supposed to tell the user to change the extension themselves? Also, you changed extensions and scanned repeatedly; 360's cloud is fast, so it is very likely cloud response. I believe that if Kingsoft, PC Manager and Baidu Antivirus were tested with your method they would all go up by a lot too, so I think this test is meaningless.
275751198
Posted on 2016-5-11 16:49:14
坏脾气的男生 posted on 2016-5-11 16:19:
Once the extension is changed to exe the file can already run, and still only five were flagged. If a user gets infected, are we supposed to tell the user to change the extension themselves? Also, you changed extensions and scanned repeatedly ...

Every sample has its own extension; for example, if you rename a doc file to EXE it will not run. The 精睿 pack contains many doc, js and zip files, and all of them have been deactivated (i.e. uniformly renamed to .vir). With the wrong extension they generally will not run; you get a file error.

Take No. 19 as an example: No. 19 is originally a doc; after renaming it to EXE, it fails to run.

I said at the very start that the pack had been out for 5 hours. Single-digit detections were an extension problem, not a matter of samples not being in the database, and the 25 detected later were not new database additions either, just the extension being wrong.
I already tested just now; the sample pack is not deleted yet, so I will extract it again and retest.

It is already 4:38 pm now.

All 50 files renamed to EXE

The scan flagged 7, so it looks like the cloud really did respond on 2 of them.

If the later 25 had been blacklisted through the cloud, why does a rescan now flag only 7 rather than 30-odd? Clearly it is just that files with the wrong extension are not flagged.

Renamed the remaining files to doc again

Over 20 again, see.

It really is the extension problem, not cloud additions. Why else would I spend this long writing it up and retesting? Believe it or not.

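Added example, not from this thread, 精睿 or any of the antivirus vendors named in it: the two posts above by 275751198 rename all 50 .vir files to EXE, scan, rename the rest to doc, scan again, then zip and js, because the pack deactivates samples purely by changing the extension to .vir and 360 Antivirus apparently only flags a file whose extension matches its real format. The script below does that renaming step in one pass by sniffing each file's content (PE "MZ" header, OLE2 compound file, OOXML zip with or without word/vbaProject.bin, CAB, ACE, JScript text) instead of trying extensions by hand. It also flags zip archives whose first local file header has the encryption bit set, the case 540923555 hit with 42.vir, which no scanner can open without the password. The file names and byte strings in demo() are constructed for the illustration and are not the pack's real samples; the JScript/HTML check is a plain-text heuristic, not a parser.

```python
"""Restore the real extension of deactivated .vir samples by sniffing content.

Added example; the sample bytes and names below are constructed, not from the
精睿 pack.  Assumes deactivation is only the rename to .vir described above.
"""
import io
import struct
import tempfile
import zipfile
from pathlib import Path

# Publicly documented magic numbers checked at offset 0.
MAGIC = [
    (b"MZ", "exe"),                                  # PE / DOS executable
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "doc"),   # OLE2 compound file (legacy .doc/.xls)
    (b"MSCF", "cab"),                                # Microsoft Cabinet
    (b"%PDF", "pdf"),
]
ACE_MAGIC = b"**ACE**"   # ACE archives carry this at offset 7
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def is_encrypted_zip(data: bytes) -> bool:
    """True if the first zip local file header has general-purpose flag bit 0 set."""
    if not data.startswith(ZIP_LOCAL_HEADER) or len(data) < 8:
        return False
    flags = struct.unpack_from("<H", data, 6)[0]   # sig(4) version(2) flags(2)
    return bool(flags & 0x1)


def sniff_zip(data: bytes) -> str:
    """Classify a PK archive: macro-enabled Word (docm), plain docx, or generic zip."""
    if is_encrypted_zip(data):
        return "zip"     # names are readable, contents are not; scanner cannot inspect
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip"
    if "word/vbaProject.bin" in names:   # the path Avira reported for the macro samples
        return "docm"
    if "word/document.xml" in names:
        return "docx"
    return "zip"


def sniff(data: bytes) -> str:
    """Return the extension the content implies, or 'vir' if unrecognised."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    if data.startswith(ZIP_LOCAL_HEADER):
        return sniff_zip(data)
    if data[7:14] == ACE_MAGIC:
        return "ace"
    # Heuristic for script downloaders: ASCII text with typical WSH/JScript tokens.
    text = data[:512].decode("ascii", "ignore").lower()
    if "<html" in text or "<script" in text:
        return "html"
    if any(tok in text for tok in ("activexobject", "wscript", "eval(", "function ")):
        return "js"
    return "vir"


def rename_samples(directory: Path) -> dict:
    """Rename every *.vir in directory to its sniffed extension; return old->new names."""
    renamed = {}
    for path in sorted(directory.glob("*.vir")):
        ext = sniff(path.read_bytes())
        target = path.with_suffix("." + ext)
        if ext != "vir":
            path.rename(target)
        renamed[path.name] = target.name
    return renamed


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML zip; with_macro adds the vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed")
    return buf.getvalue()


def build_encrypted_zip() -> bytes:
    """Constructed: a plain zip with the encryption flag bit forced on (no real crypto)."""
    data = bytearray(build_ooxml(False))
    data[6] |= 0x1
    return bytes(data)


def demo() -> dict:
    """Write constructed samples named like the pack into a temp dir and rename them."""
    samples = {
        "01.vir": b"MZ\x90\x00" + b"\x00" * 60,                        # PE stub
        "02.vir": build_ooxml(True),                                     # docm with macro part
        "10.vir": b'var sh = new ActiveXObject("WScript.Shell");',       # JScript text
        "42.vir": build_encrypted_zip(),                                 # password-protected zip
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, blob in samples.items():
            (root / name).write_bytes(blob)
        return rename_samples(root)


if __name__ == "__main__":
    for old, new in demo().items():
        print(f"{old} -> {new}")
```

Run it against the real pack by calling rename_samples(Path("C:/Users/User/Downloads/Compressed/2016.5.11")) once, then scan the folder a single time; the 42.vir case still needs the password before any scanner can see inside it.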
540923555
Posted on 2016-5-11 16:54:58

39; 42.vir is a password-protected archive.
skyboybone
Posted on 2016-5-11 18:07:49
Last edited by skyboybone on 2016-5-11 18:11
skycai posted on 2016-5-11 14:42:
I had a look myself.
Among the samples of the past few days there are quite a lot of script types.
The domestic cloud-engine AVs have no real answer for scripts. They can only ...

That is normal then; Kingsoft basically never adds scripts to its database.

Document downloaders do not get added either, and reporting them gets ignored as well.
好想用EMSI
Posted on 2016-5-11 18:13:29
OP, a request: is there an original 精睿 pack from before deactivation? Testing that should be more accurate.
Eset小粉絲
Posted on 2016-5-11 18:18:23
540923555 posted on 2016-5-11 16:54:
39; 42.vir is a password-protected archive.

If it was detected, count it...
卡饭论坛 (KaFan) | Copyright © KaFan KaFan.cn All Rights Reserved.