Views: 3846 | Replies: 10

[Suspicious file] Urgent help: I don't know whether this file contains a trojan?!

matrix21
Posted on 2008-4-26 14:20:04
Today I scanned for trojans with the newly installed "360安全卫士 v4.15 红心中国版" (360 Safeguard, using the 360 full trojan scan plus the Antiy (安天) trojan-scan engine) and it suddenly detected
C:\WINDOWS\system32\6to4ex.dll Trojan/Win32.Undef.exu
But Kaspersky reported nothing (KIS 7.0.1.325 with that day's latest virus database). Not sure how much to trust 360's detection, I ran the following checks:

1. Dr.Web CureIt! scan result:


2. VirusTotal online scan:



Additional information:
File size: 97792 bytes
MD5...: a99f1b547855e18e023e08f897be5824
SHA1..: bd6dad6ce151df9404f769e5c75c94984db69d03
SHA256: e08c5ac24adf5942025697df89dc5e26bcad015b2b8b34c8b8948800daa52909
SHA512: 8171d20f73b34526effda342e9e9fdd6ce9c6e191f9d0c3c882c9a57be3fc2af
995441f967882a3f532d1c645b51125a6f190761f4bfea16ac817922f28a8c98
PEiD..: Armadillo v1.xx - v2.xx
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10010d4a
timedatestamp.....: 0x47f587c6 (Fri Apr 04 01:43:34 2008)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10305 0x10400 6.47 f49ad88f7f31e6b505ea4fb6fa6bdbab
.rdata 0x12000 0x35ee 0x3600 5.30 a20e714d16d9aaa91a088a93473cbe81
.data 0x16000 0x20b8 0x1c00 3.74 be89d6eba4d22110c4ac0ffc834c592d
.shared 0x19000 0x5dc 0x600 0.00 53e979547d8c2ea86560ac45de08ae25
.rsrc 0x1a000 0xbe0 0xc00 3.91 9a05b270b0eee6ffb9bd0ae7fd308a19
.reloc 0x1b000 0x1022 0x1200 5.44 d7f6eb942da033370507124a01f1b2f2

( 17 imports )
> KERNEL32.dll: CreateFileA, ReadFile, SetFilePointer, WriteFile, MoveFileA, SetLastError, GetSystemDirectoryA, GetTempPathA, MoveFileExA, GetTickCount, GetLocalTime, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, GlobalSize, GetStartupInfoA, CreatePipe, DisconnectNamedPipe, TerminateProcess, PeekNamedPipe, DeleteFileA, SizeofResource, GetFileSize, FindResourceA, DeviceIoControl, LoadLibraryExA, GetModuleHandleA, SetFileAttributesA, ReleaseMutex, OpenEventA, LocalReAlloc, CreateMutexA, SetUnhandledExceptionFilter, GetCurrentThreadId, FreeConsole, LocalSize, OpenProcess, Process32Next, Process32First, CreateToolhelp32Snapshot, GetCurrentProcess, lstrcmpiA, FindNextFileA, LocalFree, FindClose, RemoveDirectoryA, LocalAlloc, LoadResource, FindFirstFileA, GetVersionExA, GetPrivateProfileStringA, lstrcmpA, WideCharToMultiByte, MultiByteToWideChar, LoadLibraryA, GetProcAddress, FreeLibrary, GetWindowsDirectoryA, lstrcatA, GetPrivateProfileSectionNamesA, lstrlenA, Sleep, CancelIo, InterlockedExchange, ResetEvent, lstrcpyA, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, GetLogicalDriveStringsA, GetVolumeInformationA, GetDiskFreeSpaceExA, GetDriveTypeA, CreateProcessA, GetFileAttributesA, CreateDirectoryA, SetErrorMode, GetLastError, VirtualFree, DeleteCriticalSection, InitializeCriticalSection, CreateThread, ResumeThread, SetEvent, WaitForSingleObject, TerminateThread, CloseHandle, WaitForMultipleObjects, CreateEventA
> USER32.dll: GetProcessWindowStation, ExitWindowsEx, GetWindowThreadProcessId, OpenWindowStationA, SetProcessWindowStation, SetThreadDesktop, CloseWindowStation, GetCursorPos, GetCursorInfo, GetThreadDesktop, GetDesktopWindow, GetDC, SetRect, GetSystemMetrics, GetClipboardData, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, mouse_event, SetCursorPos, WindowFromPoint, SetCapture, MapVirtualKeyA, IsWindowVisible, CloseDesktop, EnumWindows, OpenInputDesktop, DispatchMessageA, GetUserObjectInformationA, OpenDesktopA, PostMessageA, CreateWindowExA, CloseWindow, ReleaseDC, TranslateMessage, GetMessageA, wsprintfA, CharNextA, IsWindow, GetWindowTextA, GetActiveWindow, GetKeyNameTextA, GetFocus, CallNextHookEx, SetWindowsHookExA, UnhookWindowsHookEx, LoadCursorA, DestroyCursor, BlockInput, SystemParametersInfoA, SendMessageA, keybd_event
> GDI32.dll: BitBlt, DeleteObject, CreateCompatibleBitmap, CreateCompatibleDC, GetDIBits, DeleteDC, SelectObject, CreateDIBSection
> ADVAPI32.dll: ClearEventLogA, GetTokenInformation, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, SetServiceStatus, RegisterServiceCtrlHandlerA, StartServiceA, OpenEventLogA, IsValidSid, LookupAccountNameA, LsaClose, LsaRetrievePrivateData, LsaOpenPolicy, LsaFreeMemory, RegCloseKey, RegQueryValueA, RegOpenKeyExA, CloseServiceHandle, DeleteService, ControlService, QueryServiceStatus, OpenServiceA, OpenSCManagerA, RegSetValueExA, RegCreateKeyA, RegQueryValueExA, RegOpenKeyA, CloseEventLog, LookupAccountSidA
> SHELL32.dll: SHGetFileInfoA, SHGetSpecialFolderPathA
> SHLWAPI.dll: SHDeleteKeyA
> MSVCRT.dll: _except_handler3, strrchr, strncpy, realloc, atoi, wcstombs, free, calloc, __1type_info@@UAE@XZ, _initterm, _adjust_fdiv, malloc, strchr, _CxxThrowException, strstr, _strcmpi, _ftol, ceil, memmove, __CxxFrameHandler, __3@YAXPAX@Z, _beginthreadex, __2@YAPAXI@Z
> WINMM.dll: waveInUnprepareHeader, waveInReset, waveInStop, waveOutWrite, waveInStart, waveInClose, waveInPrepareHeader, waveInOpen, waveInGetNumDevs, waveOutPrepareHeader, waveOutGetNumDevs, waveOutOpen, waveOutReset, waveOutUnprepareHeader, waveOutClose, waveInAddBuffer
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCP60.dll: _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, __Xran@std@@YAXXZ, __Split@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXXZ, __Eos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, __Refcnt@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEAAEPBD@Z, __Grow@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAE_NI_N@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z
> IMM32.dll: ImmReleaseContext, ImmGetContext, ImmGetCompositionStringA
> WININET.dll: InternetOpenUrlA, InternetReadFile, InternetCloseHandle, InternetOpenA
> urlmon.dll: URLDownloadToFileA
> AVICAP32.dll: capGetDriverDescriptionA, capCreateCaptureWindowA
> MSVFW32.dll: ICSeqCompressFrame, ICSendMessage, ICOpen, ICClose, ICCompressorFree, ICSeqCompressFrameEnd, ICSeqCompressFrameStart
> PSAPI.DLL: GetModuleFileNameExA, EnumProcessModules
> WTSAPI32.dll: WTSFreeMemory, WTSQuerySessionInformationA

( 2 exports )
ResetSSDT, ServiceMain

3. VirSCAN.org online scan:





4. Online malware scan:



Could the moderators or the experts here please analyze and check it, to determine whether it really is a trojan?! Urgent!!!
Many thanks!!!!!!

The suspicious file is attached below:









[ This post was last edited by matrix21 on 2008-4-26 14:49 ]

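The import table posted above is the most useful static evidence in this thread: the combination of keyboard hooks, screen/webcam/audio capture, event-log clearing, service installation and URL download APIs is what a remote-access trojan needs, which matches the backdoor/spy/dialer names the scanners return later in the thread. The script below is an added example (not a tool from this forum or from any of the vendors named) that parses a VirusTotal/PEInfo-style "> DLL: api, api" listing and groups the imported APIs into capability buckets so an analyst can see that picture at a glance. The capability table, the category names and the verdict thresholds are my own triage heuristics, and the embedded sample is a constructed subset of the import lines posted above.

```python
"""Import-table capability triage for a PE import listing in the
'> DLL: api, api, ...' text format that VirusTotal/PEInfo output uses.
Added example for this thread; heuristic buckets and thresholds are
the author's assumptions, not a vendor's classification."""
import re
from collections import defaultdict

# Constructed sample: a subset of the 6to4ex.dll import lines posted above.
SAMPLE_IMPORTS = """\
( 10 imports )
> KERNEL32.dll: CreateFileA, WriteFile, CreateProcessA, CreateToolhelp32Snapshot, Process32First, Sleep
> USER32.dll: SetWindowsHookExA, CallNextHookEx, GetKeyNameTextA, keybd_event, mouse_event, BlockInput, GetClipboardData, GetDC
> GDI32.dll: BitBlt, GetDIBits, CreateCompatibleBitmap
> ADVAPI32.dll: ClearEventLogA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenSCManagerA, StartServiceA, RegSetValueExA, LsaRetrievePrivateData
> WS2_32.dll: -, -, -
> WININET.dll: InternetOpenUrlA, InternetReadFile
> urlmon.dll: URLDownloadToFileA
> AVICAP32.dll: capCreateCaptureWindowA
> WINMM.dll: waveInOpen, waveInStart
> SHLWAPI.dll: SHDeleteKeyA
"""

# Heuristic capability buckets (assumption: hand-picked, not exhaustive).
CAPABILITIES = {
    "keylogging / input control": {"SetWindowsHookExA", "CallNextHookEx", "GetKeyNameTextA",
                                   "keybd_event", "mouse_event", "BlockInput", "MapVirtualKeyA"},
    "screen capture": {"BitBlt", "GetDIBits", "CreateCompatibleBitmap", "CreateDIBSection", "GetDC"},
    "webcam capture": {"capCreateCaptureWindowA", "capGetDriverDescriptionA"},
    "audio capture": {"waveInOpen", "waveInStart", "waveInAddBuffer"},
    "clipboard access": {"GetClipboardData", "OpenClipboard", "SetClipboardData"},
    "privilege adjustment": {"AdjustTokenPrivileges", "LookupPrivilegeValueA", "OpenProcessToken"},
    "event log tampering": {"ClearEventLogA", "OpenEventLogA"},
    "service install / control": {"OpenSCManagerA", "StartServiceA", "DeleteService",
                                  "ControlService", "RegisterServiceCtrlHandlerA"},
    "registry persistence": {"RegSetValueExA", "RegCreateKeyA", "SHDeleteKeyA"},
    "network download / C2 fetch": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                                    "URLDownloadToFileA"},
    "process enumeration / creation": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                                       "CreateProcessA", "OpenProcess", "TerminateProcess"},
    "credential store access": {"LsaRetrievePrivateData", "LsaOpenPolicy"},
}
ORDINAL = "ordinal-only imports (names hidden)"
SURVEILLANCE = {"keylogging / input control", "screen capture", "webcam capture",
                "audio capture", "clipboard access"}
NETWORK = {"network download / C2 fetch", ORDINAL}

IMPORT_LINE = re.compile(r"^>\s*([^:]+):\s*(.*)$")


def parse_imports(text):
    """Return {dll: [api, ...]} from every '> DLL: a, b, c' line in text."""
    imports = {}
    for line in text.splitlines():
        m = IMPORT_LINE.match(line.strip())
        if m:
            dll, apis = m.group(1).strip(), m.group(2)
            imports[dll] = [a.strip() for a in apis.split(",") if a.strip()]
    return imports


def classify(imports):
    """Map each imported API to the capability buckets it falls into.
    A '-' entry means the import is by ordinal, so the name is not visible."""
    hits = defaultdict(list)
    for dll, apis in imports.items():
        for api in apis:
            if api == "-":
                hits[ORDINAL].append((dll, api))
                continue
            for cap, names in CAPABILITIES.items():
                if api in names:
                    hits[cap].append((dll, api))
    return dict(hits)


def triage(text, threshold=4):
    """Summarise the listing; the verdict rules are the author's heuristics."""
    hits = classify(parse_imports(text))
    caps = sorted(hits)
    surveillance = [c for c in caps if c in SURVEILLANCE]
    has_network = any(c in NETWORK for c in caps)
    if len(surveillance) >= 2 and has_network:
        verdict = "RAT-like capability set"
    elif len(caps) >= threshold:
        verdict = "suspicious: multiple sensitive capabilities"
    elif caps:
        verdict = "some sensitive capability, review manually"
    else:
        verdict = "no notable capability"
    return {"capabilities": caps, "surveillance": surveillance, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_IMPORTS)
    for cap in result["capabilities"]:
        print(f"{cap}: " + ", ".join(api for _, api in result["hits"][cap]))
    print("verdict:", result["verdict"])
```

Run on the full listing from the post, the output shows every surveillance bucket plus persistence, log-clearing and download capabilities, which is far more than a legitimate system DLL named after the 6to4 IPv6 transition service should need. The WS2_32.dll ordinal-only line is itself worth noting: hiding socket API names from the import table is common in this kind of sample, so the script counts it as network capability rather than ignoring it.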
挪威的冬天
Posted on 2008-4-26 14:22:33
信息        2008-04-26  14:22:00        您此次查毒清除了1个病毒                       
信息        2008-04-26  14:22:00        您此次查毒共查出1个病毒以及危险代码                       
信息        2008-04-26  14:22:00        您此次查毒共查了内存模块0个,磁盘引导扇区0个,文件2个                       
信息        2008-04-26  14:22:00        金山毒霸主程序查毒过程结束,查毒方式:命令行查毒                       
病毒        2008-04-26  14:22:00        D:\Desktop\6to4ex.rar\6to4ex.dll        Win32.Troj.GuiseGhoT.aq.97792        清除成功
秋叶濛濛
Posted on 2008-4-26 14:29:35
Begin scan in 'F:\Virus\6to4ex.rar'
F:\Virus\6to4ex.rar
  [0] Archive type: RAR
    --> 6to4ex.dll
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Is the Trojan horse TR/Spy.Gen
      [NOTE]      The file was deleted!
mofunzone
Posted on 2008-4-26 14:30:09
Best scan it again with other antivirus software. A pcclient client is always three files: a dll, an exe and a sys; what you have is only the dll.
matrix21 (original poster)
Posted on 2008-4-26 14:42:26
Thanks everyone, but still nobody can give me a definite answer...

By the way: 秋叶濛濛, which antivirus software are you using??
28654621
Posted on 2008-4-26 15:00:09
http://bbs.kafan.cn/attachment.php?aid=250187\6to4ex.dll
Win32:Dialer-1314 [Trj]
Dialer program
080425-1, 2008-04-25
matrix21 (original poster)
Posted on 2008-4-26 15:24:08
Quoting the post by 28654621 on 2008-4-26 15:00:
http://bbs.kafan.cn/attachment.php?aid=250187\6to4ex.dll
Win32:Dialer-1314
Dialer program
080425-1, 2008-04-25

A dialer? No wonder Kaspersky didn't flag it. Thanks a lot!!
sun88990
Posted on 2008-4-26 16:49:10
McAfee:
Generic BackDoor.t
zwl2828
Posted on 2008-4-26 17:08:36
TO KL
wangjay1980
Posted on 2008-4-26 19:36:07
Hello,


6to4ex.dll - Trojan.Win32.Dialer.ayc,

New malicious software was found in these files. Detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Vyacheslav Zakorzhevsky
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.
Copyright © KaFan  KaFan.cn All Rights Reserved.