迅雷破解版检测虚拟机相关

Eset小粉絲

解壓就報DR/Delphi.Gen dropper

好想用EMSI

ZoneAlarm会报毒

轩夏

MSE
Thunder9.0.10.300.exe
Infected: Trojan:Win32/Bagsu!rfn

cfhdrty

小A报广告

km2002

费尔下载弹窗

驭龙

WD特征码杀的话，基本上误报的概率不大了

pal家族

好吧 容我一语道破天机（装逼玩就跑！！！！）@蓝天二号 @驭龙

行为描述：        创建可执行文件
详情信息：       
C:\Documents and Settings\Administrator\Local Settings\Temp\delbchlfjcjj.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\1.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\rav3490001.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\56a190le_1202000538.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\Baidu_Setup_2.2.200.1470_ftn_1050123723.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\Browser_V5.6.12860.10_r_4396_(Build1605251856).exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\kinst_168_165.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\V9.3._81529_20160429205807.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\1332280.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\jzwl_wd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx4E.tmp\kuwo_jm634.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Thunder9.0.10.300.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi52.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi52.tmp\UIEx.dll

行为描述：        打开HTTP请求
详情信息：       
HttpOpenRequestA: pv****om:80/cityjson, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: **.133.40.**:128/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00000010
HttpOpenRequestA: dl****cn:80/dl/ravchild/rav3490001.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: w.****om:80/go/full/201/1202000538, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: dl****om:80/ditui/zujian/baidu_setup_2.2.200.1470_ftn_1050123723.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: do****cn:80/pcbrowser/down.php?pid=4396, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: cd****et:80/duba/install/2011/ever/kinst_168_165.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: mi****om:80/app?packagename=pcqqbrowser&channelid=81529, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: dl****cn:80/dl/rse/1332280.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: d.****om:80/yx/jzwl/sqft/907453/jzwl_wd.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: do****cn:80/mbox/kuwo_jm634.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, R

只能说 你的关注点不对 这跟虚拟机的关系只在于一点点免杀，

真正起疑点的是 红伞：DR/Delphi.Gen dropper
卡巴troj dropper
费尔 dropper
哪里来的特征呢？
对应哈勃 就知道了

驭龙

pal家族 发表于 2016-7-13 13:26
好吧 容我一语道破天机（装逼玩就跑！！！！）@蓝天二号 @驭龙

好家伙，刚才WD的日志写是具体，也就是特征杀，可报毒名看看吧
https://www.microsoft.com/securi ... Win32%2fBagsu%21rfn
我没啥说的了。

我没有看分析，但这次黑寡妇也报后门了

ELOHIM

pal家族 发表于 2016-7-13 13:26
好吧 容我一语道破天机（装逼玩就跑！！！！）@蓝天二号 @驭龙

Threat behavior

We've automatically analyzed this threat, determined that it's a trojan because of what it does when it gets on a PC, and blocked and removed it from your PC.
Typically, trojans try to do one or all of the following:
•Download and install other malware.
•Use your computer for click fraud.
•Record your keystrokes and the sites you visit.
•Send information about your PC, including usernames and browsing history, to a remote malicious hacker.
•Give a remote malicious hacker access to your PC.
Due to the generic nature of this threat, we are unable to provide specific information on what it does.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fBagsu%21rfn

pal家族

ELOHIM 发表于 2016-7-13 14:05
http://www.microsoft.com/securit ... Trojan%3aWin32%2fBa ...

其实也不能说那么严重，那段话说的是：Typically, trojans try to do one or all of the following: 也不能即使这种木马。
只是想赚点推广费吧，大家远离就好