AV+盗号木马和下载者 explorer.exe+wuauc1t.exe，最新费尔查不出

Starting the file scan:

Begin scan in 'D:\ddd.rar'
D:\ddd.rar
  [0] Archive type: RAR
  --> 2002-3-26__870DD.exe
      [DETECTION] Is the Trojan horse TR/PSW.Online.ddn.2
  --> 2002-3-26__DE4A7.exe
      [DETECTION] Contains detection pattern of the worm WORM/Autorun.FF.36
  --> 2002-3-26__168FE.exe
      [DETECTION] Is the Trojan horse TR/PSW.Online.ddn.2
  --> 2002-3-26__633FB.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Agent.TOH
  --> 2002-3-26__6D745.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnLineGame.XO
  --> 2002-3-26__74448.exe
      [DETECTION] Contains detection pattern of the dropper DR/Cinmus.dsq
  --> 2002-3-26__760F4.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
  --> 2002-3-26__770F1.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.vwo.2
  --> 2002-3-26__93CDC.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.wlu.2
  --> 2002-3-26__B0992.exe
      [DETECTION] Contains detection pattern of the dropper DR/BHO.agy.6
    --> 2002-3-26__CB666.gif
      [1] Archive type: RAR
      --> ÕÕƬ                                                 .exe
          [DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
  --> 2002-3-26__D499D.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.vwo.1
  --> 2002-3-26__D9BA3.exe
      [DETECTION] Is the Trojan horse TR/PSW.Delf.KH.1
      [INFO]      The file was deleted!


End of the scan: 2008年3月30日  08:01
Used time: 00:34 min

The scan has been done completely.

      0 Scanning directories
     15 Files were scanned
     13 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      1 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      2 Files not concerned
      2 Archives were scanned
      0 Warnings
      0 Notes

lion1982921

补充一下！
企图修改系统时间到2002-03-30！
试图分离线程输入 C:\windows\System32\csrss.exe
企图回复消息 111 到所有进程窗口！
企图回复消息 8002 到所有进程窗口！



2002-03-30 09:44:29    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cacls.exe
命令行:C:\windows\system32\packet.dll /e /p everyone:f
触发规则:所有程序规则->*


2002-03-30 09:44:29    运行应用程序      操作:允许(自动创建规则)
进程路径:C:\windows\system32\cacls.exe
文件路径:C:\windows\system32\conime.exe


2002-03-30 09:44:47    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c net stop McShield
触发规则:所有程序规则->*


2002-03-30 09:44:54    运行应用程序      操作:允许
进程路径:C:\windows\system32\cmd.exe
文件路径:C:\windows\system32\conime.exe
触发规则:所有程序规则->*


2002-03-30 09:45:00    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c net stop KWhatchsvc
触发规则:所有程序规则->*


2002-03-30 09:45:04    运行应用程序      操作:允许
进程路径:C:\windows\system32\cmd.exe
文件路径:C:\windows\system32\net.exe
命令行:stop McShield
触发规则:所有程序规则->*


2002-03-30 09:45:06    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c net stop KPfwSvc
触发规则:所有程序规则->*


2002-03-30 09:45:09    运行应用程序      操作:允许
进程路径:C:\windows\system32\cmd.exe
文件路径:C:\windows\system32\net.exe
命令行:stop KWhatchsvc
触发规则:所有程序规则->*


2002-03-30 09:45:10    运行应用程序      操作:允许(自动创建规则)
进程路径:C:\windows\system32\net.exe
文件路径:C:\windows\system32\net1.exe
命令行:stop McShield


2002-03-30 09:45:12    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c net stop "Norton AntiVirus Server"
触发规则:所有程序规则->*


2002-03-30 09:45:14    运行应用程序      操作:允许
进程路径:C:\windows\system32\cmd.exe
文件路径:C:\windows\system32\net.exe
命令行:stop KPfwSvc
触发规则:所有程序规则->*


2002-03-30 09:45:15    运行应用程序      操作:允许
进程路径:C:\windows\system32\cmd.exe
文件路径:C:\windows\system32\net.exe
命令行:stop "Norton AntiVirus Server"
触发规则:所有程序规则->*


2002-03-30 09:45:20    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cacls.exe
命令行:C:\windows\system32\pthreadVC.dll /e /p everyone:f
触发规则:所有程序规则->*


2002-03-30 09:45:45    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cacls.exe
命令行:C:\windows\system32\wpcap.dll /e /p everyone:f
触发规则:所有程序规则->*


2002-03-30 09:45:48    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cacls.exe
命令行:C:\windows\system32\drivers\npf.sys /e /p everyone:f
触发规则:所有程序规则->*


2002-03-30 09:45:49    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cacls.exe
命令行:C:\windows\system32\npptools.dll /e /p everyone:f
触发规则:所有程序规则->*


2002-03-30 09:45:52    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cacls.exe
命令行:C:\windows\system32\drivers\acpidisk.sys /e /p everyone:f
触发规则:所有程序规则->*


2002-03-30 09:45:54    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\explorer\explorer.exe
文件路径:C:\windows\system32\cacls.exe
命令行:C:\Documents and Settings\All Users\「开始」菜单\程序\启动 /e /p everyone:f
触发规则:所有程序规则->*

电影结束了

F:\ddd.rar » RAR » 2002-3-26__870DD.exe - Win32/PSW.OnLineGames.MUG trojan
F:\ddd.rar » RAR » 2002-3-26__DE4A7.exe - Win32/PSW.QQPass.BMD trojan
F:\ddd.rar » RAR » 2002-3-26__168FE.exe - Win32/PSW.OnLineGames.MUG trojan
F:\ddd.rar » RAR » 2002-3-26__633FB.exe - Win32/TrojanDownloader.Delf.OBY trojan
F:\ddd.rar » RAR » 2002-3-26__6D745.exe - Win32/PSW.OnLineGames.GJV trojan
F:\ddd.rar » RAR » 2002-3-26__74448.exe » NSIS » 50.exe » NSIS » DoSSSetup.dll - Win32/Adware.Cinmus application
F:\ddd.rar » RAR » 2002-3-26__74448.exe » NSIS » 50.exe » NSIS » acpidisk.sys - Win32/Adware.Cinmus application
F:\ddd.rar » RAR » 2002-3-26__760F4.exe - Win32/PSW.OnLineGames.MUG trojan
F:\ddd.rar » RAR » 2002-3-26__770F1.exe - Win32/PSW.OnLineGames.NML trojan
F:\ddd.rar » RAR » 2002-3-26__93CDC.exe - Win32/PSW.OnLineGames.NML trojan
F:\ddd.rar » RAR » 2002-3-26__B0992.exe » NSIS » cpush.dll - Win32/Adware.Cinmus application
F:\ddd.rar » RAR » 2002-3-26__B0992.exe » NSIS » Uninst.exe - Win32/Adware.Cinmus application
F:\ddd.rar » RAR » 2002-3-26__CB666.gif » RAR » 照片                                                 .exe - Win32/AutoRun.JT worm
F:\ddd.rar » RAR » 2002-3-26__D499D.exe - Win32/PSW.OnLineGames.NML trojan
F:\explorer.rar » RAR » explorer.exe - Win32/AutoRun.JT worm

shuliu008

恶意代码076e6522863


1.加变态壳
2.将系统的正常的C:\WINDOWS\system32\urlmon.dll改为C:\WINDOWS\system32\sssurl.dll
3.释放病毒到C:\WINDOWS\system32\urlmon.dll（狸猫换太子）
4.C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\npptools.dll
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\Documents and Settings\All Users\「开始」菜单\程序\启动
改权限
5.复制自身到
C:\WINDOWS\system32\wuauc1t.exe
6.每个盘符下更新AUTORUN.INF
复制自身作为explorer.exe启动
7.远线程修改不显示隐藏文件，破坏安全模式，劫持一些常见的杀毒软件，包括QQ医生
8.隔一段时间重复动作6

hnkaspersky

NOD32可查出