谁用GD，跟官方反馈一下这个样本吧

墨家小子

http://bbs.kafan.cn/thread-2095598-1-1.html
带进来的bc00000066.exe，GD主防防御不了加密

还有这个js样本，运行之后一个是加密，一个是利用regsvr32搞事情
https://www.hybrid-analysis.com/ ... d?environmentId=100

欧阳宣

https://su.gdatasoftware.com/us/sample-submission

zh7000047

下载不下来，直接拦截了

，就一个.

js脚本下载不了啊 要么你就直接把样本贴出来 方便大家现在 弄些网站又是英文 打开也很慢 怎么下载都不知道

，就一个.

一两个样本不能说明什么 能杀就行了

，就一个.

反馈什么啊 你又不用GD

墨家小子

，就一个. 发表于 2017-7-8 00:49
反馈什么啊 你又不用GD

说话别这么绝对 我诺顿 ESET GD都是三年key好吗
你的这种说法绝壁是有问题的，新品种出来那个不是过BD系，如果GD主防被过，意味着什么你应该清楚

墨家小子

zh7000047 发表于 2017-7-7 20:30
下载不下来，直接拦截了

关闭实时监控，把样本下载回来，进入虚拟机双击JS，看看GD主防能不能拦截到

，就一个.

墨家小子 发表于 2017-7-8 12:39
关闭实时监控，把样本下载回来，进入虚拟机双击JS，看看GD主防能不能拦截到

好的 好的 我试试看

，就一个.

墨家小子 发表于 2017-7-8 12:39
关闭实时监控，把样本下载回来，进入虚拟机双击JS，看看GD主防能不能拦截到

JS脚本我终于下载到了  我双击以后 过了大概10秒钟

出现

然后又过了10秒钟这个东西关闭了出现

随后GD主防弹出对话框 要求重启清除

这是日志
AVA 25.13275
GD 25.9951

*** Process ***

Process: 8356
File name: WScript.exe
Path: c:\windows\system32\wscript.exe

Publisher: Microsoft Windows
Creation date: 2016年7月16日 19:42:37
Modification date: 2016年7月16日 19:42:37

Started by: Explorer.EXE
Publisher: Microsoft Windows


*** Actions ***

The program establishes a network connection.
The program was modified in memory.
The program has created or manipulated an executable file.
The program has read data from its own program file.


*** Quarantine ***

The following files were moved into quarantine:
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\01HY20VK\counter[1].htm
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\01HY20VK\counter[1].js
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\B8ZLJ2XM\8422[1].png
C:\Users\Administrator\AppData\Local\Temp\1CsnkH4ym42iWxo65QoRtFDC4aPD93QU7e.doc
C:\Users\Administrator\AppData\Local\Temp\1CsnkH4ym42iWxo65QoRtFDC4aPD93QU7e2.exe
C:\Users\Administrator\AppData\Local\Temp\klog\log_wpscloudsvr
C:\Users\Administrator\AppData\Local\Temp\~$snkH4ym42iWxo65QoRtFDC4aPD93QU7e.doc
C:\Users\Administrator\AppData\Roaming\kingsoft\office6\UserFeature\UserFeatureTags.ini
C:\Users\Administrator\AppData\Roaming\kingsoft\office6\backup\wps_7316.bk
C:\Users\Administrator\AppData\Roaming\kingsoft\office6\cache\e61019c722bcc2915a903546af9117841935175e.keys
C:\Users\Administrator\AppData\Roaming\kingsoft\office6\cache\e61019c722bcc2915a903546af9117841935175e.values
C:\Users\Administrator\AppData\Roaming\kingsoft\office6\templates\wps\zh_CN\Normal.dotm
C:\Users\Administrator\AppData\Roaming\kingsoft\office6\templates\wps\zh_CN\~$Normal.dotm
C:\Users\Administrator\AppData\Roaming\kingsoft\office6\update\log\wpsnotify_2017_07_08.log
C:\Users\Administrator\AppData\Roaming\kingsoft\office6\update\log\wpsupdate_2017_07_08.log
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\data\win-i386\docersoso_update_rep_1.0.0.0.ini
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\list\win-i386\10.1.0.6638\wps\plugin.plg
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\docerrecommend_1.0.0.1\__attr.plg
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\docerrecommend_1.0.0.1\download.7z
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kadverttipctrl_1.0.0.29\download.7z
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kfeedback_1.0.0.19\download.7z
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\konlinepicture_1.0.0.15\download.7z
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kpropaganda_1.0.0.0\download.7z
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\ktranslation_1.0.0.37\download.7z
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kweibo_1.0.0.2\download.7z
C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsartstyleborder_1.0.0.7\download.7z
C:\Windows\Temp\avkhttp_151402750_0619a881.tmp
C:\Windows\Temp\avkhttp_151403360_0619a2f1.tmp
c:\users\administrator\appdata\roaming\kingsoft\office6\backup\wps.bkl

The following registry entries were deleted:


YGLRyZIJLCcpJycnCC0nvysnKye/Bi4n+HKScoIMp0InKXRyQicIt3KScnJygoArJycnJyYGyHKCYmJygpArFp0sDOlyci8nJyfnoConCspycnJyYmKgLSeLcpJyog/bcnJycmJiwCknJyYmJwf8cnIoJycnd9AmJy4nKCcMjXJycnJiYuAmJwePctIoJykn/PApJycmJicH/3JycnJiYnBocnJiYnJycLhycicnKycMhy0nKScnJwinKxtXY7bicsFbY7ZysnE1ZisNty0nd3JycnIGxy8nJycnJgbXKScuJygnDOcoJw/nLicK9ygnC/cpJ68qJiYnrwr3LycpJiYnCWgpJ+iAl3KygOtycnJyYmKA+3JyLScoJ7eAjHJycnJiYoC+cqIpJyknaoCPcoIAAA
Rules version: 5.0.147
OS: Windows 10.0 Service Pack 0.0 Build: 14393 - Workstation 64bit OS
dll version: 68091

"C:\windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\9106926.doc.js"
MD5: AF5C4AA89DF62F369E529A9587E2BE1F
C:\windows\Explorer.EXE
MD5: 05181A5AC4197D6C5C02ACE6070AF234