Views: 3223 | Replies: 4

[Solved] SEP 11 does nothing about the autorun virus

网辑飞扬
Posted on 2008-5-1 16:42:23
The virus on my USB drive: why does SEP 11 treat it with such care, as if it wanted to raise it?
VirSCAN.org Scanned Report :
Scanned time   : 2008/05/01 16:37:42 (CST)
Scanner results: 64%的杀软(23/36)报告发现病毒
File Name      : Setup.pif
File Size      : 13824 byte
File Type      : MS-DOS executable (EXE), OS/2 or MS Windows
MD5            : 2a75f92dd54b10cb1240f05c38b07002
SHA1           : 4c2b4e140ba4ef02db4fac52ff5bf8d7c13ec843
Online report  : http://virscan.org/report/01e3c24d9620fd1fa8f27e369a073043.html
Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      3.5.0.16        2008.04.30        2008-04-30  4.84   Trojan-Downloader.Win32.Agent.awc
安博士V3       2008.05.01.00   2008.05.01        2008-05-01  1.55   Win-Trojan/Agent.11604
AntiVir        7.8.0.11        7.0.3.235         2008-04-30  10.54  TR/Crypt.ULPM.Gen
Arcavir        1.0.4           200804301615      2008-04-30  5.66   Trojan.Downloader.Agent.Awc
AVAST          1.0.8           080430-1          2008-04-30  8.27   Win32:Small-HEQ [Trj]
AVG            7.5.51.442      269.23.7/1408     2008-04-30  3.96   Downloader.Generic3.GCX
BitDefender    7.60825.1188458 7.18756           2008-05-01  6.07   GenPack:Trojan.Downloader.Delf.OMV
CA (VET)       9.0.0.143       31.3.5749         2008-05-01  12.71  Win32/Nedky.X worm.
ClamAV         0.93            6997              2008-04-30  0.02   Trojan.Delf-293
Comodo         2.11            2.0.0.512         2008-05-01  1.11   -
CP Secure      1.1.0.715       2008.05.01        2008-05-01  17.80  Troj.Downloader.W32.Delf.asi
Dr.WEB         4.44.0.9170     2008.04.30        2008-04-30  12.35  Trojan.DownLoader.19227
ewido          4.0.0.2         2008.04.30        2008-04-30  3.02   -
F-PROT         4.4.1.52        20080430          2008-04-30  5.98   Possible W32/NewUnknownMalware-P143!Maximus
F-SECURE       5.51.6100       2008.04.30.06     2008-04-30  13.62  Trojan-Downloader.Win32.Agent.awc [AVP]
飞塔           2.81-3.11       9.36              2008-05-01  2.44   Suspicious
ViRobot        20080430        2008.04.30        2008-04-30  1.29   -
IKARUS         T3.1.01.26      2008.05.01.70684  2008-05-01  6.72   Virus.Win32.Small.HEQ
江民杀毒       10.00.650       2008.04.30        2008-04-30  1.78   TrojanDownloader.Agent.eij
卡巴斯基       5.5.10          2008.04.28        2008-04-28  15.59  Trojan-Downloader.Win32.Agent.awc
金山毒霸       2007.6.20.249   2008.5.1          2008-05-01  0.95   Win32.TrojDownloader.Agent.aw.11604
迈克菲         5.2.00          5285              2008-04-30  4.42   -
Microsoft      1.3408          2008.04.24        2008-04-24  8.23   -
MKS_VIR        2.01            2008.04.30        2008-04-30  5.02   -
NORMAN         5.91.10         5.90              2008-04-29  13.76  -
熊猫卫士       9.04.03.0001    2008.04.30        2008-04-30  3.63   -
趋势           8.500-1001      5.250.01          2008-04-30  0.14   -
Prevx          V2              20080501          2008-05-01  3.32   BACKDOOR.HUPIGON.YBO
QuickHeal      9.00            2008.04.30        2008-04-30  3.10   Suspicious - DNAScan
瑞星           20.0            20.42.22.00       2008-04-30  1.18   Suspicious.Trojan.Win32.Downldr.a
SOPHOS         2.73.0          4.29              2008-05-01  5.40   -
赛门铁克       1.3.0.24        20080430.017      2008-04-30  0.23   -
nProtect       2008-04-30.00   1442203           2008-04-30  5.77   GenPack:Trojan.Downloader.Delf.OMV
The Hacker     6.2.92          v00298            2008-04-30  1.13   W32/Behav-Heuristic-073
VBA32          3.12.6.5        20080430.1911     2008-04-30  2.42   -
VirusBuster    4.3.19:9        9.127.3/11.0      2008-04-30  2.07   -

File Setup.pif received on 05.01.2008 10:37:38 (CET)
Result: 19/32 (59.38%)

Antivirus          Version        Last Update  Result
AhnLab-V3          2008.5.1.0     2008.05.01   Win-Trojan/Agent.11604
AntiVir            7.8.0.11       2008.04.30   TR/Crypt.ULPM.Gen
Authentium         4.93.8         2008.04.30   -
Avast              4.8.1169.0     2008.04.30   Win32:Small-HEQ
AVG                7.5.0.516      2008.04.30   Downloader.Generic3.GCX
BitDefender        7.2            2008.05.01   GenPack:Trojan.Downloader.Delf.OMV
CAT-QuickHeal      9.50           2008.04.30   (Suspicious) - DNAScan
ClamAV             0.92.1         2008.05.01   -
DrWeb              4.44.0.09170   2008.04.30   Trojan.DownLoader.19227
eSafe              7.0.15.0       2008.04.28   suspicious Trojan/Worm
eTrust-Vet         31.3.5750      2008.05.01   Win32/Nedky.X
Ewido              4.0            2008.04.30   -
F-Prot             4.4.2.54       2008.05.01   W32/NewUnknownMalware-P143!Maximus
F-Secure           6.70.13260.0   2008.04.30   Trojan-Downloader.Win32.Agent.awc
FileAdvisor        1              2008.05.01   -
Fortinet           3.14.0.0       2008.05.01   -
Ikarus             T3.1.1.26.0    2008.05.01   Virus.Win32.Small.HEQ
Kaspersky          7.0.0.125      2008.05.01   Trojan-Downloader.Win32.Agent.awc
McAfee             5285           2008.04.30   -
Microsoft          1.3408         2008.04.22   -
NOD32v2            3067           2008.04.30   a variant of Win32/TrojanDownloader.Delf.AZM
Norman             5.80.02        2008.04.30   -
Panda              9.0.0.4        2008.04.30   Suspicious file
Prevx1             V2             2008.05.01   -
Rising             20.42.22.00    2008.04.30   Trojan.DL.Agent.yjg
Sophos             4.29.0         2008.05.01   -
Sunbelt            3.0.1097.0     2008.05.01   VIPRE.Suspicious
Symantec           10             2008.05.01   -
TheHacker          6.2.92.298     2008.04.30   W32/Behav-Heuristic-073
VBA32              3.12.6.5       2008.05.01   -
VirusBuster        4.3.26:9       2008.04.30   -
Webwasher-Gateway  6.6.2          2008.04.30   Win32.Malware.gen
Additional information
File size: 13824 bytes
MD5...: 2a75f92dd54b10cb1240f05c38b07002
SHA1..: 4c2b4e140ba4ef02db4fac52ff5bf8d7c13ec843
SHA256: a98b3d25223f2ec0d7d35a9affc21027bad3ffd38e81a111c56f9691a6e43ad3
SHA512: 61d8cfc20d93858d08fd61c0629331e0cbd3d1e734b55e464efc590fd636f7503af007fe96158de697bb20c2ed64f679d32fbd2a87c3d4b7996864f4598dcf6c
PEiD..: Upx-Lock 1.0 - 1.2 --> CyberDoom / Team-X & BoB / BobSoft
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x410000
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0xb000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0xc000 0x3000 0x2200 7.69 6d2f0a3930910df88a876c885e75ebc5
.rsrc 0xf000 0x1000 0x400 2.39 1146e46616a7f65334995c1809666e85
0x10000 0x1000 0x354 6.10 4caf7782a0eda5fb3b53c5b7c74d4993
XOR 0x11000 0x800 0x800 0.81 5bd78b0a32eda3bd69fdc2c2e6112471

( 3 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> advapi32.dll: OpenServiceA
> user32.dll: SetTimer

( 0 exports )
packers (F-Prot): UPX


The two scan results are about the same.
Sample: http://bbs.kafan.cn/viewthread.php?tid=245208&extra=page%3D1&frombbs=1

-----------------------------------------------------------------
2008-5-2
Finally starting to understand.
My machine dual-boots: XP runs SEP 11, Vista runs Dr.Web.
I did a full scan of the XP system with Dr.Web; it flagged a moviemk in the system32 directory, and that was the only hit on the whole disk. I uploaded the sample; the scan results are as follows:
VirSCAN.org Scanned Report :
Scanned time   : 2008/05/02 07:40:03 (CST)
Scanner results: 64%的杀软(23/36)报告发现病毒
File Name      : moviemk.exe
File Size      : 13824 byte
File Type      : MS-DOS executable (EXE), OS/2 or MS Windows
MD5            : 2a75f92dd54b10cb1240f05c38b07002
SHA1           : 4c2b4e140ba4ef02db4fac52ff5bf8d7c13ec843
Online report  : http://virscan.org/report/01e3c24d9620fd1fa8f27e369a073043.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      3.5.0.16        2008.05.01        2008-05-01  3.66   Trojan-Downloader.Win32.Agent.awc
安博士V3       2008.05.02.00   2008.05.02        2008-05-02  1.46   Win-Trojan/Agent.11604
AntiVir        7.8.0.11        7.0.3.236         2008-05-01  3.25   TR/Crypt.ULPM.Gen
Arcavir        1.0.4           200805011110      2008-05-01  3.08   Trojan.Downloader.Agent.Awc
AVAST          1.0.8           080501-0          2008-05-01  4.92   Win32:Small-HEQ [Trj]
AVG            7.5.51.442      269.23.7/1410     2008-05-01  5.25   Downloader.Generic3.GCX
BitDefender    7.60825.1188960 7.18768           2008-05-02  4.89   GenPack:Trojan.Downloader.Delf.OMV
CA (VET)       9.0.0.143       31.3.5752         2008-05-02  9.37   Win32/Nedky.X worm.
ClamAV         0.93            6997              2008-04-30  0.02   Trojan.Delf-293
Comodo         2.11            2.0.0.512         2008-05-01  1.08   -
CP Secure      1.1.0.715       2008.05.01        2008-05-01  11.16  Troj.Downloader.W32.Delf.asi
Dr.WEB         4.44.0.9170     2008.04.30        2008-04-30  10.28  Trojan.DownLoader.19227
ewido          4.0.0.2         2008.05.01        2008-05-01  4.50   -
F-PROT         4.4.1.52        20080501          2008-05-01  2.13   Possible W32/NewUnknownMalware-P143!Maximus
F-SECURE       5.51.6100       2008.05.01.01     2008-05-01  2.36   Trojan-Downloader.Win32.Agent.awc [AVP]
飞塔           2.81-3.11       9.39              2008-05-02  2.52   W32/Agent.AWC!tr.dldr
ViRobot        20080430        2008.04.30        2008-04-30  0.86   -
IKARUS         T3.1.01.26      2008.05.01.70686  2008-05-01  3.26   Virus.Win32.Small.HEQ
江民杀毒       10.00.650       2008.05.01        2008-05-01  1.61   TrojanDownloader.Agent.eij
卡巴斯基       5.5.10          2008.04.28        2008-04-28  12.97  Trojan-Downloader.Win32.Agent.awc
金山毒霸       2007.6.20.249   2008.5.1          2008-05-01  1.28   Win32.TrojDownloader.Agent.aw.11604
迈克菲         5.2.00          5286              2008-05-01  3.10   -
Microsoft      1.3408          2008.04.24        2008-04-24  11.33  -
MKS_VIR        2.01            2008.05.01        2008-05-01  6.74   -
NORMAN         5.91.10         5.90              2008-04-29  13.50  -
熊猫卫士       9.04.03.0001    2008.04.30        2008-04-30  4.04   -
趋势           8.500-1001      5.250.07          2008-05-01  0.14   -
Prevx          V2              20080502          2008-05-02  5.97   TROJAN.DOWNLOADER.GEN
QuickHeal      9.00            2008.05.01        2008-05-01  4.62   Suspicious - DNAScan
瑞星           20.0            20.42.22.00       2008-04-30  1.40   Suspicious.Trojan.Win32.Downldr.a
SOPHOS         2.73.0          4.29              2008-05-02  5.14   -
赛门铁克       1.3.0.24        20080501.019      2008-05-01  1.05   -
nProtect       2008-04-30.00   1442203           2008-04-30  6.10   GenPack:Trojan.Downloader.Delf.OMV
The Hacker     6.2.92          v00298            2008-04-30  1.10   W32/Behav-Heuristic-073
VBA32          3.12.6.5        20080430.1911     2008-04-30  1.40   -
VirusBuster    4.3.19:9        9.127.4/11.0      2008-04-30  1.91   -

Antivirus          Version        Last Update  Result
AhnLab-V3          2008.5.1.0     2008.05.01   Win-Trojan/Agent.11604
AntiVir            7.8.0.11       2008.05.01   TR/Crypt.ULPM.Gen
Authentium         4.93.8         2008.04.30   -
Avast              4.8.1169.0     2008.05.02   Win32:Small-HEQ
AVG                7.5.0.516      2008.05.01   Downloader.Generic3.GCX
BitDefender        7.2            2008.05.02   GenPack:Trojan.Downloader.Delf.OMV
CAT-QuickHeal      9.50           2008.05.01   (Suspicious) - DNAScan
ClamAV             0.92.1         2008.05.02   Trojan.Delf-293
DrWeb              4.44.0.09170   2008.04.30   Trojan.DownLoader.19227
eTrust-Vet         31.3.5752      2008.05.02   Win32/Nedky.X
Ewido              4.0            2008.05.01   -
F-Prot             4.4.2.54       2008.05.01   W32/NewUnknownMalware-P143!Maximus
F-Secure           6.70.13260.0   2008.05.01   Trojan-Downloader.Win32.Agent.awc
Fortinet           3.14.0.0       2008.05.01   W32/Agent.AWC!tr.dldr
Ikarus             T3.1.1.26      2008.05.01   Virus.Win32.Small.HEQ
Kaspersky          7.0.0.125      2008.05.02   Trojan-Downloader.Win32.Agent.awc
McAfee             5285           2008.04.30   -
Microsoft          1.3408         2008.04.22   -
NOD32v2            3069           2008.05.01   a variant of Win32/TrojanDownloader.Delf.AZM
Norman             5.80.02        2008.04.30   -
Panda              9.0.0.4        2008.05.01   Suspicious file
Prevx1             V2             2008.05.02   -
Rising             20.42.22.00    2008.04.30   Trojan.DL.Agent.yjg
Sophos             4.29.0         2008.05.01   -
Sunbelt            3.0.1097.0     2008.05.01   VIPRE.Suspicious
Symantec           10             2008.05.02   -
TheHacker          6.2.92.298     2008.04.30   W32/Behav-Heuristic-073
VBA32              3.12.6.5       2008.05.01   -
VirusBuster        4.3.26:9       2008.05.01   -
Webwasher-Gateway  6.6.2          2008.05.02   Trojan.Crypt.ULPM.Gen


Taking these two results together with what my own machine's scanner found, moviemk must be the reason AUTORUN.INF and SETUP.pif keep appearing on my USB drive.


[ This post was last edited by 网辑飞扬 on 2008-5-2 08:32 ]

Rating: aa11qq26, experience +10: Thanks, quite detailed
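The post above ties the Setup.pif on the USB drive to the moviemk.exe in system32 through their identical MD5/SHA1. The Python below is an added example, not code from the thread: it reads a drive root's autorun.inf, finds the program it would launch (open, shellexecute, shell\open\command), hashes that file and compares the hashes with the two quoted in the reports. KNOWN_BAD holds only those two hashes from the reports; make_sample_drive builds a constructed stand-in with a harmless payload, so its hash is not expected to match.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5/SHA1 quoted in the reports above for Setup.pif and moviemk.exe (one identical file).
KNOWN_BAD = {"md5": {"2a75f92dd54b10cb1240f05c38b07002"},
             "sha1": {"4c2b4e140ba4ef02db4fac52ff5bf8d7c13ec843"}}
# [autorun] keys whose value names the program Windows would run on insertion or double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_autorun(text):
    """Launch keys -> command from [autorun]; junk lines (common padding in malicious files) are skipped."""
    section, launch = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in LAUNCH_KEYS:
                launch[key.strip().lower()] = value.strip()
    return launch

def target_of(command):
    """Program named by a command line: '"Setup.pif" /x' and 'Setup.pif /x' both give 'Setup.pif'."""
    command = command.strip()
    return command[1:].split('"', 1)[0] if command.startswith('"') else (command.split() or [""])[0]

def check_drive_root(root, known_bad=KNOWN_BAD):
    """One (key, target, md5, sha1, is_known_bad) per launch key; [] when there is no autorun.inf."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    findings = []
    for key, command in parse_autorun(inf.read_text(encoding="latin-1", errors="replace")).items():
        target = target_of(command)
        path = Path(root) / target.lstrip("\\/")
        if not path.is_file():  # dangling reference: still report the key
            findings.append((key, target, None, None, False))
            continue
        data = path.read_bytes()
        md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
        findings.append((key, target, md5, sha1, md5 in known_bad["md5"] or sha1 in known_bad["sha1"]))
    return findings

def make_sample_drive(payload=b"MZ constructed stand-in, not the real Setup.pif"):
    """Constructed throwaway drive root with the autorun.inf + Setup.pif layout from the thread."""
    root = Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_text('[AutoRun]\nopen=Setup.pif\nshell\\open\\Command=Setup.pif\nshellexecute="Setup.pif" /x\n')
    (root / "Setup.pif").write_bytes(payload)
    return str(root)
```

Run check_drive_root against the root of the actual removable drive to get the hashes of whatever its autorun.inf points at; a match on either hash set identifies the file before any scanner has a signature for it.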

jpzy
Posted on 2008-5-1 16:52:58
Most of the reports are heuristic or just flag it as suspicious~~~~
Norton is fairly slow to add things to its database! That is normal~~~~

PS: OP, please don't post samples in the technical discussion section; you can post the sample in the samples section and then add a link to it in this thread!

Rating: aa11qq26, experience +5: Thanks for the reminder

沙加
Posted on 2008-5-1 17:36:01
I suggest the OP report it to Symantec.
tcgg1983
Posted on 2008-5-1 21:17:03
Once you've found it, just delete it by hand.
Tenki
Posted on 2008-5-1 21:26:46

Rating: aa11qq26, experience +5: Thanks for kindly providing this

卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.