过卡巴的一个

显示全部楼层 · 发表于 2008-3-22 12:22:44

今天在上网，忽然微点报发现未知木马，我就点了删除
时间处理结果木马名称木马进程名木马文件创建者
2008-03-22 11:54:18 处理成功未知木马 C:\WINDOWS\SYSTEM32\INTERNE.EXE C:\WINDOWS\SYSTEM32\SSS0.EXE
2008-03-22 11:54:17 处理成功未知木马 C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\SYSTEM32\SSS0.EXE
2008-03-22 11:54:17 处理成功未知木马 C:\WINDOWS\SYSTEM32\SSS0.EXE C:\WINDOWS\SYSTEM32\FTP.EXE
我的kis7.0没报，我把样本和生成物从隔离区拿出来，把样本拿出来扫了一下
文件 SSS0.EXE 接收于 2008.03.22 05:02:58 (CET)
当前状态: 完成
结果: 13/32 (40.62%)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.3.22.1	2008.03.21	-
AntiVir	7.6.0.75	2008.03.21	HEUR/Malware
Authentium	4.93.8	2008.03.22	-
Avast	4.7.1098.0	2008.03.21	Win32:Trojan-gen {VC}
AVG	7.5.0.516	2008.03.21	-
BitDefender	7.2	2008.03.22	-
CAT-QuickHeal	9.50	2008.03.21	(Suspicious) - DNAScan
ClamAV	0.92.1	2008.03.22	-
DrWeb	4.44.0.09170	2008.03.21	modification of BackDoor.Generic.1464
eSafe	7.0.15.0	2008.03.18	suspicious Trojan/Worm
eTrust-Vet	31.3.5633	2008.03.21	-
Ewido	4.0	2008.03.21	-
FileAdvisor	1	2008.03.22	-
Fortinet	3.14.0.0	2008.03.21	-
F-Prot	4.4.2.54	2008.03.20	-
F-Secure	6.70.13260.0	2008.03.21	Suspicious:W32/Malware!Gemini
Ikarus	T3.1.1.20	2008.03.22	-
Kaspersky	7.0.0.125	2008.03.22	-
McAfee	5257	2008.03.21	W32/Generic.worm!p2p
Microsoft	1.3301	2008.03.21	-
NOD32v2	2967	2008.03.21	probably unknown NewHeur_PE virus
Norman	5.80.02	2008.03.20	-
Panda	9.0.0.4	2008.03.22	Suspicious file
Prevx1	V2	2008.03.22	-
Rising	20.36.42.00	2008.03.21	-
Sophos	4.27.0	2008.03.21	Mal/EncPk-C
Sunbelt	3.0.978.0	2008.03.18	VIPRE.Suspicious
Symantec	10	2008.03.22	-
TheHacker	6.2.92.250	2008.03.19	-
VBA32	3.12.6.3	2008.03.21	-
VirusBuster	4.3.26:9	2008.03.21	Packed/FSG
Webwasher-Gateway	6.6.2	2008.03.21	Heuristic.Malware

附加信息

File size: 41797 bytes

MD5: 7d694c47ecb42425a79348d661a77f4f

SHA1: 4f7c40b5d2a9e12ced78f91e0a93c3a89460fb28

PEiD: FSG v2.0 -> bart/xt

packers: FSG

注意: VirusTotal 是 Hispasec Sistemas 提供的免费服务. 我们不保证任何该服务的可用性和持续性. 尽管使用多种反病毒引擎所提供的检测率优于使用单一产品, 但这些结果并不保证文件无害. 目前来说, 没有任何一种解决方案可以提供 100% 的病毒和恶意软件检测率. 如果您购买了一款声称具有此能力的产品, 那么您可能已经成为受害者.
下面是样本和生成物

显示全部楼层 · 发表于 2008-3-22 12:24:46

你有沒有上报？

显示全部楼层 · 发表于 2008-3-22 12:25:23

还没，你们上报吧

显示全部楼层 · 发表于 2008-3-22 12:26:17

好．．．．

显示全部楼层 · 发表于 2008-3-22 12:34:04

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\My Documents\SSS0.rar'
C:\Documents and Settings\Administrator\My Documents\
  SSS0.rar
[0] Archive type: RAR
   --> SSS0.EXE
      [1] Archive type: Runtime Packed
      --> Object
      [2] Archive type: RSRC
      --> Object
         [3] Archive type: RSRC
         --> Object
            [DETECTION] Contains detection pattern of the SPR/PortScan.I program
            [WARNING] Infected files in archives cannot be repaired!
         --> Object
            [4] Archive type: Runtime Packed
            --> Object
      --> Object
         [3] Archive type: Runtime Packed
         --> Object
   [NOTE]    The file was deleted!
Begin scan in 'C:\Documents and Settings\Administrator\My Documents\BAI.rar'
C:\Documents and Settings\Administrator\My Documents\
  BAI.rar
[0] Archive type: RAR
--> BAI.BAT
  BAI.rar:Zone.Identifier
Begin scan in 'C:\Documents and Settings\Administrator\My Documents\INTERNE.rar'
C:\Documents and Settings\Administrator\My Documents\
  INTERNE.rar
[0] Archive type: RAR
   --> INTERNE.EXE
      [1] Archive type: Runtime Packed
      --> Object
   [NOTE]    The file was deleted!
Begin scan in 'C:\Documents and Settings\Administrator\My Documents\SOUNDMAN.rar'
C:\Documents and Settings\Administrator\My Documents\
  SOUNDMAN.rar
[0] Archive type: RAR
   --> SOUNDMAN.EXE
      [1] Archive type: RSRC
      --> Object
         [DETECTION] Contains detection pattern of the SPR/PortScan.I program
         [WARNING] Infected files in archives cannot be repaired!
      --> Object
      [2] Archive type: Runtime Packed
      --> Object
   [NOTE]    The file was deleted!

End of the scan: 2008年3月21日  21:33
Used time: 00:04 min

The scan has been done completely.

   0 Scanning directories
   9 Files were scanned
   3 viruses and/or unwanted programs were found
   2 Files were classified as suspicious:
   3 files were deleted
   0 files were repaired
   0 files were moved to quarantine
   0 files were renamed
   0 Files cannot be scanned
   6 Files not concerned
   4 Archives were scanned
   2 Warnings
   3 Notes

显示全部楼层 · 发表于 2008-3-22 12:43:37

C:\Documents and Settings\Administrator\桌面\SSS0.rar>>SSS0.EXE W32.Generic.worm.ohyu 病毒还未处理
C:\Documents and Settings\Administrator\桌面\SOUNDMAN.rar>>SOUNDMAN.EXE W32.Generic.worm.fehw 病毒还未处理
C:\Documents and Settings\Administrator\桌面\INTERNE.rar>>INTERNE.EXE W32.VB.NME.myce 病毒还未处理

显示全部楼层 · 发表于 2008-3-22 13:35:37

Hello,

BAI.bat_ - Trojan.BAT.Runner.m,
INTERNE.exe_, SOUNDMAN.exe_, SSS0.exe_ - Trojan-Downloader.Win32.VB.dka

New malicious software was found in these files. Detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Yury Nesmachny
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

显示全部楼层 · 发表于 2008-3-22 14:03:23

程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.11CEC37AC106420\桌面\SSS0.EXE
木马程序生成以下文件:
1) C:\WINDOWS\SYSTEM32\INTERNE.EXE
是否删除木马程序及其衍生物?

显示全部楼层 · 发表于 2008-3-22 14:09:39

"14:07" "文件监控" "文件" "PACKER-GEN.002" "SSS0.EXE (C:\Documents and Settings\Administrator\桌面\SSS0.rar.td)" "隔离成功" ""
"14:07" "文件监控" "文件" "---" "C:\Documents and Settings\Administrator\桌面\SSS0.rar.td (C:\Documents and Settings\Administrator\桌面\SSS0.rar.td)" "隔离成功" ""
"14:07" "文件监控" "文件" "PACKER-GEN.002" "INTERNE.EXE (C:\Documents and Settings\Administrator\桌面\INTERNE.rar.td)" "隔离成功" ""
"14:07" "文件监控" "文件" "---" "C:\Documents and Settings\Administrator\桌面\INTERNE.rar.td (C:\Documents and Settings\Administrator\桌面\INTERNE.rar.td)" "隔离成功" ""

显示全部楼层 · 发表于 2008-3-22 14:50:56

瑞星默认主防拦不住，需要高级系统加固

[病毒样本] 过卡巴的一个

本帖子中包含更多资源

回复 2楼 kato9096 的帖子

回复 3楼快乐男孩6 的帖子

[病毒样本] 过卡巴的一个

本帖子中包含更多资源

回复 2楼 kato9096 的帖子

回复 3楼 快乐男孩6 的帖子

回复 3楼快乐男孩6 的帖子