赶尽杀绝2

显示全部楼层 · 发表于 2008-5-5 09:07:53

http://www.serversina.cn/wm/Real.gif
=>http://www.serversina.cn/wm/mm.exe
=>http://www.serversina.cn/List.txt
=>

http://www.serversina.cn/mm/2.exe
http://www.serversina.cn/mm/11.exe
http://www.serversina.cn/mm/12.exe
http://www.serversina.cn/mm/13.exe
http://www.serversina.cn/mm/14.exe
http://www.serversina.cn/mm/15.exe
http://www.serversina.cn/mm/16.exe
http://www.serversina.cn/mm/17.exe
http://www.serversina.cn/mm/18.exe
http://www.serversina.cn/mm/19.exe
http://www.serversina.cn/mm/20.exe
http://www.serversina.cn/mm/21.exe
http://www.serversina.cn/mm/22.exe
http://www.serversina.cn/mm/23.exe
http://www.serversina.cn/mm/24.exe
http://www.serversina.cn/mm/25.exe
http://www.serversina.cn/mm/26.exe
http://www.serversina.cn/mm/27.exe
http://www.serversina.cn/mm/28.exe
http://www.serversina.cn/mm/29.exe
http://www.serversina.cn/mm/30.exe
http://www.serversina.cn/mm/31.exe
http://www.serversina.cn/mm/32.exe
http://www.serversina.cn/mm/33.exe
http://www.serversina.cn/mm/34.exe
http://www.serversina.cn/mm/35.exe
http://www.serversina.cn/mm/36.exe
http://www.serversina.cn/mm/38.exe
http://www.serversina.cn/mm/40.exe
http://www.serversina.cn/mm/41.exe
http://www.serversina.cn/mm/44.exe
http://www.serversina.cn/zd/pl.exe
http://www.serversina.cn/zd/pp.exe
http://www.serversina.cn/zd/uuse.exe

复制代码

其中有几个下不下来，pl.exe（PPLIVE）、pp.exe（PPSTREAM）、uuse.exe（UUSEE）搭载了病毒传播的“快车”，会在下载后自动安装，在此BS一下！

下下来的样本除去自解压和NSIS，得到样本24例，其中5例是广告插件(adware)。

显示全部楼层 · 发表于 2008-5-5 09:10:12

时间处理结果木马名称木马进程名木马文件创建者
2008-05-05 09:09:37 处理成功 AdWare.Win32.Boran.bk C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\VIR\S\INSSHELL.EXE C:\PROGRAM FILES\WINRAR\WINRAR.EXE
2008-05-05 09:09:37 处理成功 AdWare.Win32.Cinmus.csb C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\VIR\S\DOSSSETUP.DLL C:\PROGRAM FILES\WINRAR\WINRAR.EXE
2008-05-05 09:09:37 处理成功 Trojan-Downloader.Win32.Small.ryi C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\VIR\S\38.EXE C:\PROGRAM FILES\WINRAR\WINRAR.EXE

显示全部楼层 · 发表于 2008-5-5 09:13:33

D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/11.exe - a variant of Win32/PSW.OnLineGames.MUG trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/15.exe - a variant of Win32/PSW.OnLineGames.MUG trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/16.exe - a variant of Win32/PSW.OnLineGames.MUG trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/17.exe - a variant of Win32/PSW.OnLineGames.MUG trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/18.exe - a variant of Win32/PSW.OnLineGames.MUG trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/2.exe - probably a variant of Win32/Genetik trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/20.exe - Win32/PSW.OnLineGames.MUG trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/21.exe - a variant of Win32/PSW.OnLineGames.MUG trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/23.exe - a variant of Win32/PSW.OnLineGames.NML trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/24.exe - a variant of Win32/PSW.OnLineGames.XZN trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/25.exe - a variant of Win32/PSW.OnLineGames.NML trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/26.exe - a variant of Win32/PSW.OnLineGames.NML trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/27.exe - a variant of Win32/PSW.OnLineGames.NML trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/32.exe - a variant of Win32/PSW.OnLineGames.XZN trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/33.exe - a variant of Win32/PSW.QQPass.NCZ trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/acpidisk.sys - Win32/Adware.Cinmus application
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/DoSSSetup.dll - Win32/Adware.Cinmus application
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/InsShell.exe - Win32/Adware.Boran application
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/mm.exe - a variant of Win32/TrojanDownloader.Delf.OBZ trojan
D:\Documents and Settings\EKINCHENG\桌面\s.zip » ZIP » s/scm.exe - Win32/Ysmarsys.G trojan

显示全部楼层 · 发表于 2008-5-5 09:42:17

Starting the file scan:

Begin scan in 'E:\AV\s'
E:\AV\s\11.exe
--> Object
   [1] Archive type: RSRC
   --> Object
      [2] Archive type: RSRC
      --> Object
         [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.abur.19
   [NOTE]    The file was deleted!
E:\AV\s\15.exe
--> Object
   [1] Archive type: RSRC
   --> Object
      --> Object
      [3] Archive type: RSRC
      --> Object
            [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.aayo
   [NOTE]    The file was deleted!
E:\AV\s\16.exe
  [0] Archive type: RSRC
--> Object
   [1] Archive type: RSRC
   --> Object
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.abzd.45
   [NOTE]    The file was deleted!
E:\AV\s\17.exe
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
E:\AV\s\18.exe
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
E:\AV\s\2.exe
   [DETECTION] Is the Trojan horse TR/Dldr.Delphi.Gen
   [NOTE]    The file was deleted!
E:\AV\s\20.exe
--> Object
   [1] Archive type: RSRC
   --> Object
      --> Object
      [3] Archive type: RSRC
      --> Object
            [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.aajr
   [NOTE]    The file was deleted!
E:\AV\s\21.exe
--> Object
   [1] Archive type: RSRC
   --> Object
      [2] Archive type: RSRC
      --> Object
         [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.abzd.17
   [NOTE]    The file was deleted!
E:\AV\s\22.sys
   [DETECTION] Is the Trojan horse TR/Rootkit.Gen
   [NOTE]    The file was deleted!
E:\AV\s\23.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\s\24.exe
  [0] Archive type: OVL
  --> Object
   [DETECTION] Is the Trojan horse TR/Agent.9858
--> Object
   [1] Archive type: RSRC
   --> Object
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.acqi.1
   [NOTE]    The file was deleted!
E:\AV\s\25.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\s\26.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\s\27.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\s\32.exe
  [0] Archive type: OVL
  --> Object
   [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.acsi
--> Object
   [1] Archive type: RSRC
   --> Object
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.acqi.1
   [NOTE]    The file was deleted!
E:\AV\s\33.exe
--> Object
   [1] Archive type: RSRC
   --> Object
      [DETECTION] Contains detection pattern of the worm WORM/Autorun.FF.42
   [NOTE]    The file was deleted!
E:\AV\s\38.exe
   [DETECTION] Is the Trojan horse TR/Downloader.Gen
   [NOTE]    The file was deleted!
E:\AV\s\41.exe
   [DETECTION] Is the Trojan horse TR/Downloader.Gen
   [NOTE]    The file was deleted!
E:\AV\s\acpidisk.sys
   [DETECTION] Is the Trojan horse TR/Rootkit.Gen
   [NOTE]    The file was deleted!
E:\AV\s\DoSSSetup.dll
   [DETECTION] Contains detection pattern of the Ad- or Spyware ADSPY/AdSpy.Gen
   [NOTE]    The file was deleted!
E:\AV\s\InsShell.exe
   [DETECTION] Contains detection pattern of the Ad- or Spyware ADSPY/Baidu.kkt
   [NOTE]    The file was deleted!
E:\AV\s\mm.exe
   [DETECTION] Contains suspicious code HEUR/Crypted
   [NOTE]    The file was deleted!
E:\AV\s\scm.exe
   [DETECTION] Is the Trojan horse TR/Agent.16384.56
   [NOTE]    The file was deleted!

End of the scan: 2008年5月5日  09:44
Used time: 00:15 min

The scan has been done completely.

   1 Scanning directories
   24 Files were scanned
   24 viruses and/or unwanted programs were found
   1 Files were classified as suspicious:
   23 files were deleted
   0 files were repaired
   0 files were moved to quarantine
   0 files were renamed
   0 Files cannot be scanned
   0 Files not concerned
   0 Archives were scanned
   0 Warnings
   23 Notes

显示全部楼层 · 发表于 2008-5-5 10:42:31

MM是原头

显示全部楼层 · 发表于 2008-5-5 10:45:16

http://www.serversina.cn/wm/Real.gif
这才是源头

显示全部楼层 · 发表于 2008-5-5 11:54:20

已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.Agent.ahz 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/11.exe//PE_Patch.UPX//UPX
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.aayo 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/15.exe//PE_Patch//UPack
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.abzb 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/16.exe
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.aclu 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/17.exe//PE_Patch.UPX//UPX
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.aclu 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/18.exe//PE_Patch.UPX//UPX
已刪除: 特洛伊木馬程式 Trojan-Downloader.Win32.Delf.gfu 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/2.exe//FSG
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.aajs 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/20.exe//PE_Patch//UPack
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.abzb 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/21.exe//PE_Patch.UPX//UPX
已刪除: 廣告軟體 not-a-virus:AdWare.Win32.Cinmus.evm 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/22.sys
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.acmz 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/23.exe//PE_Patch//UPack
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.acld 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/24.exe//PE_Patch//UPack
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.acgv 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/25.exe//PE_Patch//UPack
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.acmz 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/26.exe//PE_Patch//UPack
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.acmz 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/27.exe//PE_Patch//UPack
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.OnLineGames.acld 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/32.exe//PE_Patch//UPack
已刪除: 特洛伊木馬程式 Trojan-PSW.Win32.QQPass.btj 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/33.exe//UPX
已刪除: 特洛伊木馬程式 Trojan-Downloader.Win32.Small.uwg 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/38.exe
已刪除: 廣告軟體 not-a-virus:AdWare.Win32.Cinmus.ejd 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/acpidisk.sys
已刪除: 廣告軟體 not-a-virus:AdWare.Win32.Cinmus.esa 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/DoSSSetup.dll
已刪除: 廣告軟體 not-a-virus:AdWare.Win32.Boran.el 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/InsShell.exe
已刪除: 特洛伊木馬程式 Trojan-Downloader.Win32.Losabel.iv 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/mm.exe//FSG
已刪除: 特洛伊木馬程式 Trojan-Downloader.Win32.Agent.nas 檔案: C:\Documents and Settings\kato9096\桌面\s.zip/s/scm.exe

22,不报的已上报

显示全部楼层 · 发表于 2008-5-5 12:28:22

信息 2008-05-05  12:28:17 您此次查毒清除了15个病毒
信息 2008-05-05  12:28:17 您此次查毒共查出15个病毒以及危险代码
信息 2008-05-05  12:28:17 您此次查毒共查了内存模块0个，磁盘引导扇区0个，文件41个
信息 2008-05-05  12:28:17 金山毒霸主程序查毒过程结束，查毒方式：命令行查毒
病毒 2008-05-05  12:28:17 D:\Desktop\s.zip\s\mm.exe Win32.TrojDownloader.Delf.118784 清除成功
病毒 2008-05-05  12:28:16 D:\Desktop\s.zip\s\DoSSSetup.dll Win32.Troj.CinmusT.ey.151552 清除成功
病毒 2008-05-05  12:28:16 D:\Desktop\s.zip\s\acpidisk.sys Win32.Troj.RootKitT.qb.176772 清除成功
病毒 2008-05-05  12:28:16 D:\Desktop\s.zip\s\33.exe Win32.Troj.QQPswT.bs.116858 清除成功
病毒 2008-05-05  12:28:16 D:\Desktop\s.zip\s\32.exe Win32.Troj.OnlineGameT.zp.57344 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\24.exe Win32.Troj.OnlineGameT.zp.57344 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\22.sys Win32.Troj.CinmusT.dm.198212 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\21.exe Win32.Troj.OnlineGamesT.zy.32923 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\20.exe Win32.Hack.UpackT.a.15981 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\2.exe Win32.TrojDownloader.Delf.745472 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\18.exe Win32.Troj.OnlineGamesT.zy.32923 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\17.exe Win32.Troj.OnlineGamesT.zy.32923 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\16.exe Win32.Troj.OnlineGamesT.zy.32923 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\15.exe Win32.Hack.UpackT.a.15981 清除成功
病毒 2008-05-05  12:28:15 D:\Desktop\s.zip\s\11.exe Win32.Troj.OnlineGamesT.zy.32923 清除成功

显示全部楼层 · 发表于 2008-5-5 14:54:41

信息 2008-05-05 14:54:10 您此次查毒清除了8个病毒
信息 2008-05-05 14:54:10 您此次查毒共查出7个病毒以及危险代码
信息 2008-05-05 14:54:10 您此次查毒共查了内存模块0个，磁盘引导扇区0个，文件51个
信息 2008-05-05 14:54:10 金山毒霸主程序查毒过程结束，查毒方式：全面杀毒
病毒 2008-05-05 14:54:09 C:\Documents and Settings\Administrator\My Documents\赶尽杀绝2.zip VirusInZip 清除成功
病毒 2008-05-05 14:54:08 C:\Documents and Settings\Administrator\My Documents\赶尽杀绝2.zip\s\mm.exe Win32.TrojDownloader.Delf.118784 清除成功
病毒 2008-05-05 14:54:04 C:\Documents and Settings\Administrator\My Documents\赶尽杀绝2.zip\s\acpidisk.sys Win32.Troj.RootKitT.qb.176772 清除成功
病毒 2008-05-05 14:54:01 C:\Documents and Settings\Administrator\My Documents\赶尽杀绝2.zip\s\22.sys Win32.Troj.CinmusT.dm.198212 清除成功
病毒 2008-05-05 14:54:00 C:\Documents and Settings\Administrator\My Documents\赶尽杀绝2.zip\s\20.exe Win32.Hack.UpackT.a.15981 清除成功
病毒 2008-05-05 14:54:00 C:\Documents and Settings\Administrator\My Documents\赶尽杀绝2.zip\s\2.exe Win32.TrojDownloader.Delf.745472 清除成功
病毒 2008-05-05 14:53:57 C:\Documents and Settings\Administrator\My Documents\赶尽杀绝2.zip\s\16.exe Win32.PSWTroj.OnLineGames.65816 清除成功
病毒 2008-05-05 14:53:57 C:\Documents and Settings\Administrator\My Documents\赶尽杀绝2.zip\s\15.exe Win32.Hack.UpackT.a.15981 清除成功
信息 2008-05-05 14:53:34 金山毒霸主程序启动查毒过程，查毒方式：全面杀毒

金山是2007版的

显示全部楼层 · 发表于 2008-5-5 16:04:32

Hello,

41.exe_ - Trojan-Downloader.Win32.QQHelper.bey

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

eachnet.exe_

No malicious code was found in this file.

Please quote all when answering.

--
Best regards, Evgeny Aseev
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

> Attachment: 247097.rar

[病毒样本] 赶尽杀绝2

本帖子中包含更多资源

本帖子中包含更多资源

回复 5楼啊弥陀佛的帖子

浏览过的版块

[病毒样本] 赶尽杀绝2

本帖子中包含更多资源

本帖子中包含更多资源

回复 5楼 啊弥陀佛 的帖子

浏览过的版块

回复 5楼啊弥陀佛的帖子