vt信得过的话，ikarus飘

显示全部楼层 · 发表于 2008-4-8 21:52:22

[Found downloader] <W32/Downloader.C.gen!Eldorado (not disinfectable, generic)> C:\Documents and Settings\All Users\Documents\Test\ren.zip->ren.exe->(UPX)

---------------------------------------------------------------------
Scan ended: 2008-4-8, 21:52:14
Duration: 0:00:00

Scan result:

Scanned files:    6
Infected objects:    1
Disinfected objects:    0
Quarantined files:    0
---------------------------------------------------------------------

显示全部楼层 · 发表于 2008-4-8 21:52:46

TO AB

显示全部楼层 · 发表于 2008-4-8 22:02:20

eEye Blink miss

显示全部楼层 · 发表于 2008-4-8 22:05:28

A-Squared
Found nothing
AntiVir
Found TR/Spy.Banker.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Generic.Banker.Delf.CD7F1472
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found DLOADER.Trojan (probable variant)
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably a variant of Win32/Genetik (probable variant)
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found Troj/Bnkmr-Fam
VirusBuster
Found nothing
VBA32
Found Trojan-Spy.xBank.1 (paranoid heuristics) (probable variant)
皇帝真的飘了

显示全部楼层 · 发表于 2008-4-8 22:59:39

应该是毒
有下载的行为
等结果

显示全部楼层 · 发表于 2008-4-9 02:34:48

\ren.zip>>ren.exe TrojanSpy.Banker.Gen.kpwb

显示全部楼层 · 发表于 2008-4-9 06:53:17

费尔行为果然够快
恭喜费尔在卡饭杀软评测里获得这么好的成绩

显示全部楼层 · 发表于 2008-4-9 10:48:41

004FD908: 'function openPopup21321eqw(){window.open("https://bradesconetempresa.com.br/ne/iniciasessao.asp", '
004FFE40: 'http://75.125.251.36/home/1.jpg'
004FFE68: 'http://70.84.78.184/config/1.jpg'
004FFE94: 'http://www.conf.site.br.com/1.jpg'
004FFEC0: 'navupdt2.exe'
004FFED8: 'downaux.dll'
004FFFD8: 'INSTALL',0
004FFFE0: 'open',0
004FFFF0: 'FrmPrincipal'
00500008: '\SYSTEM\CurrentControlSet\Services\useriniti'
00500040: 'ImagePath'
00500054: ' init'
005000DC: 'services'
005005A8: 'Apaga.bat'
005005BC: 'Windows Internet Explorer'
005005E0: 'Internet Explorer'
00500F20: 'service.dll'
0050110C: 'DownloadConfFile'
00501128: 'Arquivo ConfiguraВo N僌 Expirado'
00501154: 'service.dll~'
0050116C: 'arquivo de configuraВo validado'
00501198: 'service.dll'
005011AC: 'Arquivo de ConfiguraВo n? validado'
00501474: 'service.dll'
00501488: 'INTERVALO'
0050149C: 'INTERVALO_2'
005014B0: 'brjtime2.dll'
005014C8: 'brjtime02.dll'
00501804: '/ne/iniciasessao.asp'
00501824: 'BraJurOutside'
0050183C: 'https://bradesconetempresa.com.br/ne/iniciasessao.asp'
0050187C: 'onclick=tokenSubmit()'
0050189C: 'brjInside'
005018B0: 'submitGlobomail(this)'
005018D0: 'GloOutside'
005018E4: '<FORM name=centremail action=https://mail.terra.com.br/cgi-bin/elogin.cgi'
00501938: 'TerOutside'
0050194C: '<FORM lang=atmors id=formMail action=# method=post>'
00501988: 'IGOutside'
0050199C: '<FORM action=https://acesso.uol.com.br/login.html?skin=webmail method=post>'
005019F0: 'UOLOutside'
00501A04: 'https://betasecure.rjnet.com.br/central/auth.php?module=auth method=post target=_parent'
00501A64: 'RjnOutside'
00501A78: 'https://betasecure.rjnet.com.br/errologin.php'
00501AB0: 'https://www2.infoseg.gov.br/infoseg/do/TecladoVirtualAction'
00501AF4: 'PadraoAtivarLog'
00501B0C: 'www.serasa.com'
00501B24: 'SerOutside'
00501B38: 'https://consulta.equifax.com.br/'
00501B64: 'EquOutside'
00501CEC: 'service.dll'
00501D00: 'URLS'
00501D10: ';'
00501D1C: 'OutrosAtivarLog'
00501D34: 'HTML'
0508F10: 'clipboardData.setData("text", "TJCLI><param>equ_getvalues</param><value>C鉪igo do Usu?io: " + document.getElementById("name").value + "<BR>Senha: " + document.getElementById("Password2").value + "</value>");}'

显示全部楼层 · 发表于 2008-4-9 10:49:17

显示全部楼层 · 发表于 2008-4-9 12:09:53

[病毒样本] vt信得过的话，ikarus飘

回复 16楼 gaojun7206 的帖子

本帖子中包含更多资源

本帖子中包含更多资源