有hips的来测下，这到底是什么东东？

luckyjoy

金山的分析师说是木马，我觉得很勉强，希望卡饭的高手试验下，谢谢！

hahacomcn

红伞没报，上报看看。

1688388728

c:\windows\system32\wscript.exe
检测到一个应用程序尝试创建一个 DNS 请求
询问名称: _ldap._tcp.dc._msdcs.sgsingmeyad03.pacrim.ey.net.
DNS 服务器: 61.128.114.133, 61.128.114.166

[ 本帖最后由 1688388728 于 2008-2-25 20:52 编辑 ]

曲中求

AhnLab-V3 2008.2.22.0 2008.02.22 VBS/Runner.8192
AntiVir 7.6.0.67 2008.02.25 -
Authentium 4.93.8 2008.02.24 -
Avast 4.7.1098.0 2008.02.24 -
AVG 7.5.0.516 2008.02.25 -
BitDefender 7.2 2008.02.25 -
CAT-QuickHeal 9.50 2008.02.22 Backdoor.Agent.abj
ClamAV 0.92.1 2008.02.25 -
DrWeb 4.44.0.09170 2008.02.25 -
eSafe 7.0.15.0 2008.02.21 -
eTrust-Vet 31.3.5562 2008.02.25 -
Ewido 4.0 2008.02.25 -
FileAdvisor 1 2008.02.25 -
Fortinet 3.14.0.0 2008.02.25 -
F-Prot 4.4.2.54 2008.02.24 W32/Trojan2.NPD
F-Secure 6.70.13260.0 2008.02.25 -
Ikarus T3.1.1.20 2008.02.25 Trojan.Win32.Agent.sk
Kaspersky 7.0.0.125 2008.02.25 -
McAfee 5236 2008.02.22 -
Microsoft 1.3204 2008.02.25 -
NOD32v2 2899 2008.02.25 -
Norman 5.80.02 2008.02.25 -
Panda 9.0.0.4 2008.02.25 Suspicious file
Prevx1 V2 2008.02.25 W32.Malware.gen
Rising 20.33.02.00 2008.02.25 Backdoor.Win32.CAK.a
Sophos 4.26.0 2008.02.25 Sus/ExeScript-A
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.25 -
TheHacker 6.2.9.228 2008.02.23 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.24 -
Webwasher-Gateway 6.6.2 2008.02.25 -

sharkkong

沙盘下运行后调用wscript.exe，并且让他联网，呵呵，卡巴无视。高手来看看呢。

wangjay1980

联网卡巴怎么会无视呢

Hello,

ADExpire.exe_

No malicious code was found in this file.

Please quote all when answering.

--
Best regards, Kirill Erakhtin
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.



> Attachment: ADExpire.rar

[ 本帖最后由 wangjay1980 于 2008-2-26 11:21 编辑 ]

spaceplane

http://research.sunbelt-software.com/ViewMalware.aspx?id=3229776

不是误报

挪威的冬天

为啥觉得很勉强呢

信息        2008-02-25  22:40:16        您此次查毒共查出1个病毒以及危险代码                       
信息        2008-02-25  22:40:16        您此次查毒共查了内存模块0个，磁盘引导扇区0个，文件2个                       
信息        2008-02-25  22:40:16        金山毒霸主程序查毒过程结束，查毒方式：命令行查毒                       
病毒        2008-02-25  22:40:16        C:\Users\挪威的冬天\Desktop\ADExpire.rar\ADExpire.exe        Win32.TrojDownloader.gen.8704        跳过，未处理

冷冷

Dim dtmValue, intTimeInterval, intMaxPwdAge, Silent, Silent1, Silent2
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const ADS_SCOPE_SUBTREE = 2
On Error Resume Next
Set objArgs = Wscript.Arguments
Silent = 100
Silent1 = 14
If objArgs.Count > 0 Then
   If objArgs(0) > 0 Then
      Silent = objArgs(0)*1000
   End If
End If
If objArgs.Count > 1 Then
   If objArgs(1) > 0 Then
      Silent1 = objArgs(1)*1
   End If
End If
If objArgs.Count > 2 Then
   If objArgs(2) = "E" Or objArgs(2) = "e" Then
      Silent2 = "E"
   End If
End If
WScript.sleep Silent
Set WshNetwork = WScript.CreateObject("WScript.Network")
duname = WshNetwork.UserName
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 10
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
   "SELECT AdsPath FROM 'LDAP://sgsingmeyad03.pacrim.ey.net/ou=CN,dc=pacrim,dc=ey,dc=net' WHERE sAMAccountName='" & duname & "'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
dtmValue = objUser.PasswordLastChanged
intTimeInterval = int(now - dtmValue)
intMaxPwdAge = 90
If dtmValue = 0 Then
   If Silent2 = "E"  Then
      MsgBox "Error, can't contact AD.", vbOKOnly+vbExclamation, "AD Password Expire Checking"
   End If
  WScript.Quit
Else
intCurrentValue = objUser.Get("userAccountControl")
If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
'  MsgBox "The password does not expire.", vbOKOnly, "Info"
  WScript.Quit
Else
If intTimeInterval > intMaxPwdAge Then
  MsgBox "Your Domain password has been expired. Please contact ITSS department.", vbOKOnly+vbExclamation, "AD Password Expired"
Else
If (intMaxPwdAge - intTimeInterval) =< Silent1 Then
  MsgBox "Your Domain password will expire in " & int((dtmValue + intMaxPwdAge) - now + 1) & " day(s). Please reset your password by pressing alt+ctrl+del and clicking on " & CHR(34) & "Change Password Button" & CHR(34)& ".", vbOKOnly+vbExclamation, "AD Password Expired"
End If
End If
End If
End If

运行一个VBS  内容如上

xiaoxmj

第一次看到金山报gen,嘿嘿