Views: 4785 | Replies: 20
[Virus sample] Modifying a piece of code to get past a Kaspersky scan

VISN
Posted on 2008-5-19 13:14:47
As the title says, Kaspersky's generic (family) signatures are really weak. I took an old piece of malware, changed it with the code-editing tool I have, and it no longer gets detected. Note that this is not packing; the signature bytes were modified directly, and testing in the sandbox shows it is still live.


PS: Kaspersky would do well to learn from Avira and detect by generic family signatures, which saves a lot of submitting and analysis. Whatever the generic signatures can catch does not need to be submitted and analyzed. Otherwise, with so many samples that in theory can be modified into countless variants, no matter how fast your response is you can never keep up. Don't bring up HIPS either: if the scanner can't detect it there is risk, and HIPS cannot block every malicious behaviour, it can only reduce the risk. So my suggestion is that Kaspersky seriously improve its engine.

VISN
Original poster | Posted on 2008-5-19 13:15:35
As long as whoever does the modifying is willing, every sample in the samples section could be refreshed this way.
VISN
Original poster | Posted on 2008-5-19 13:16:27
AhnLab-V3 2008.5.16.0 2008.05.18 -
AntiVir 7.8.0.19 2008.05.18 TR/Crypt.FKM.Gen
Authentium 5.1.0.4 2008.05.18 W32/Downloader.J.gen!Eldorado
Avast 4.8.1195.0 2008.05.18 -
AVG 7.5.0.516 2008.05.18 -
BitDefender 7.2 2008.05.19 Backdoor.Hupigon.AAEA
CAT-QuickHeal 9.50 2008.05.17 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.05.19 -
DrWeb 4.44.0.09170 2008.05.19 -
eSafe 7.0.15.0 2008.05.18 -
eTrust-Vet 31.4.5796 2008.05.16 -
Ewido 4.0 2008.05.18 -
F-Prot 4.4.2.54 2008.05.16 W32/Downloader.J.gen!Eldorado
F-Secure 6.70.13260.0 2008.05.18 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.05.19 -
GData 2.0.7306.1023 2008.05.19 -
Ikarus T3.1.1.26.0 2008.05.19 Virus.Win32.Agent.SIM
Kaspersky 7.0.0.125 2008.05.19 -
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3107 2008.05.18 probably a variant of Win32/TrojanDownloader.Delf.OBZ
Norman 5.80.02 2008.05.16 -
Panda 9.0.0.4 2008.05.18 Suspicious file
Prevx1 V2 2008.05.19 -
Rising 20.44.62.00 2008.05.18 -
Sophos 4.29.0 2008.05.19 Mal/Emogen-E
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.18 Downloader.Trojan
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.18 -
VirusBuster 4.3.26:9 2008.05.18 -
Additional information
File size: 76288 bytes
MD5...: a519a454ef182cc33a08c2525f0a0af6
SHA1..: d6d5722c44490f2173f90e0d3babf992f5fa3318
SHA256: 5ad1e09ece909ac5f987cfb62b76e2886ea6b7be92a70f4ad023e667daf23ffb
SHA512: 2dcdb30264fc7d9f9898d6c6c7e2c52f1af6e30280be6487b7e49166191e9d0e
98a64df980cbcded51efe1ab35acc0e39f208d1e37b0c515baa66e9ac9c3e6cd
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41f04c
timedatestamp.....: 0x482e58c1 (Sat May 17 04:02:09 2008)
machinetype.......: 0x14c (I386)

( 12 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc1cc 0xc200 7.22 d86d033990031115b080c63d8f1a7cbf
.itext 0xe000 0x480 0x600 6.10 f7dc55649ee1f5e01901a281c6e5c342
.data 0xf000 0x157c 0x1600 5.16 9102764991233f289da3a3c0ac70f79c
.bss 0x11000 0x4a10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x16000 0xd44 0xe00 4.63 37618db62f68202beba4af38b713f5f7
.tls 0x17000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x18000 0x18 0x200 0.21 79dfef5ffcb72cafab1c3f63c6eef231
SbXueL0 0x19000 0xf64 0x1000 6.96 a4b48a92adaead4e79d93ea55378ac7f
.rsrc 0x1a000 0x1200 0x1200 3.62 680e767b1f71af0e6ecbd17fca39079b
SbXueL1 0x1c000 0x1b3 0x200 6.61 75d2b07c35e7c9ab62b8e2250fedd990
.data 0x1d000 0x1134 0x1200 6.98 4ac0c33c162b95cfb8b23552815a4da9
.text 0x1f000 0x1ff 0x200 6.84 d4eb5c857a6042f79972be2366d8e0c9

( 11 imports )
> oleaut32.dll: SysFreeString
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> user32.dll: GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
> kernel32.dll: GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> user32.dll: SetTimer, PostMessageA, MessageBoxA, LoadStringA, KillTimer, GetWindowTextA, GetSystemMetrics, GetWindow, GetMessageA, GetForegroundWindow, GetClassNameA, EnumWindows, DispatchMessageA, CharNextA, CharLowerBuffA, CharToOemA
> kernel32.dll: WriteFile, WaitForSingleObject, VirtualQuery, TerminateProcess, SetFileAttributesA, ReadFile, OpenProcess, LoadLibraryExA, LoadLibraryA, GlobalFree, GlobalAlloc, GetWindowsDirectoryA, GetVersionExA, GetThreadLocale, GetSystemDirectoryA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFileSize, GetFileAttributesA, GetDiskFreeSpaceA, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeLibrary, EnumCalendarInfoA, DeviceIoControl, DeleteFileA, CreateProcessA, CreateMutexA, CreateFileA, CreateDirectoryA, CopyFileExA, CopyFileA, CloseHandle
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegOpenKeyA, RegCreateKeyA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
> kernel32.dll: Sleep
> kernel32.dll: GetProcAddress, LoadLibraryA, GetModuleHandleA
> advapi32.dll: StartServiceA, OpenServiceA, OpenSCManagerA, ControlService, CloseServiceHandle

( 0 exports )

packers (Authentium): Klone.AF
packers (F-Prot): Klone.AF


Note: VirusTotal is a free service provided by Hispasec Sistemas. We do not guarantee the availability or continuity of this service. Although the detection rate obtained by using multiple antivirus engines is better than that of a single product, these results do not guarantee that a file is harmless. At present no solution can offer 100% detection of viruses and malware. If you have purchased a product that claims to have this ability, you may already have become a victim.
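The PEInfo block above already contains the structural traces of post-link tampering that a scanner can key on without any byte signature: two sections each named `.text` and `.data`, two sections with the non-standard names `SbXueL0` and `SbXueL1`, an original `.text` at entropy 7.22, and an entry point (0x41f04c) that falls in the last, 0x1ff-byte `.text` section rather than the original code section. The script below is an added example (not part of this post or of any scanner the thread mentions) that parses the section table as printed on the page and reports those indicators. The table is embedded as constructed input copied from the report; `IMAGE_BASE = 0x400000` is an assumption, since the page gives only the absolute entry-point address, and the `KNOWN_NAMES` list and entropy threshold are this example's own heuristics.

```python
"""Heuristic checks over the PE section table shown in the VirusTotal PEInfo
output (added example, not part of the post). The table below is copied from
the page as constructed input; ImageBase 0x400000 is an assumption."""
from collections import Counter

# Section table copied from the report: name viradd virsiz rawdsiz ntrpy md5
SECTION_TABLE = """\
.text 0x1000 0xc1cc 0xc200 7.22 d86d033990031115b080c63d8f1a7cbf
.itext 0xe000 0x480 0x600 6.10 f7dc55649ee1f5e01901a281c6e5c342
.data 0xf000 0x157c 0x1600 5.16 9102764991233f289da3a3c0ac70f79c
.bss 0x11000 0x4a10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x16000 0xd44 0xe00 4.63 37618db62f68202beba4af38b713f5f7
.tls 0x17000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x18000 0x18 0x200 0.21 79dfef5ffcb72cafab1c3f63c6eef231
SbXueL0 0x19000 0xf64 0x1000 6.96 a4b48a92adaead4e79d93ea55378ac7f
.rsrc 0x1a000 0x1200 0x1200 3.62 680e767b1f71af0e6ecbd17fca39079b
SbXueL1 0x1c000 0x1b3 0x200 6.61 75d2b07c35e7c9ab62b8e2250fedd990
.data 0x1d000 0x1134 0x1200 6.98 4ac0c33c162b95cfb8b23552815a4da9
.text 0x1f000 0x1ff 0x200 6.84 d4eb5c857a6042f79972be2366d8e0c9
"""

ENTRY_POINT_VA = 0x41F04C  # entrypointaddress from the report
IMAGE_BASE = 0x400000      # assumption: usual base for a Delphi/Borland EXE

# Section names a Borland or MSVC linker normally emits for a plain EXE
# (this example's own list, not an exhaustive one).
KNOWN_NAMES = {".text", ".itext", ".data", ".bss", ".idata", ".tls",
               ".rdata", ".rsrc", ".edata", ".reloc", ".CRT", ".pdata"}
HIGH_ENTROPY = 7.0  # rough threshold for compressed or encrypted content


def parse_sections(text):
    """Parse 'name viradd virsiz rawdsiz ntrpy md5' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        name, va, vsize, rsize, entropy, md5 = parts
        rows.append({"name": name, "va": int(va, 16), "vsize": int(vsize, 16),
                     "rsize": int(rsize, 16), "entropy": float(entropy),
                     "md5": md5})
    return rows


def section_for_rva(sections, rva):
    """Index of the section whose virtual range contains rva, else None."""
    for i, s in enumerate(sections):
        span = max(s["vsize"], s["rsize"])
        if s["va"] <= rva < s["va"] + span:
            return i
    return None


def find_anomalies(sections, entry_va, image_base=IMAGE_BASE):
    """Return human-readable indicators of post-link tampering or packing."""
    findings = []
    for name, count in Counter(s["name"] for s in sections).items():
        if count > 1:
            findings.append(f"duplicate section name {name} (x{count})")
    for s in sections:
        if s["name"] not in KNOWN_NAMES:
            findings.append(f"non-standard section name {s['name']}")
        if s["rsize"] and s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"high entropy {s['entropy']:.2f} in {s['name']}")
    rva = entry_va - image_base
    idx = section_for_rva(sections, rva)
    if idx is None:
        findings.append(f"entry point RVA {rva:#x} is outside every section")
    elif idx == len(sections) - 1:
        findings.append(f"entry point RVA {rva:#x} is in the last section "
                        f"{sections[idx]['name']}, not in the original code section")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_sections(SECTION_TABLE), ENTRY_POINT_VA):
        print(finding)
```

Run as-is it prints the duplicate names, the two `SbXueL*` sections, the 7.22-entropy `.text`, and the entry point landing in the appended last section. None of these checks depend on the bytes that were edited to dodge the signature, which is the point the original poster makes about family-level detection versus exact signatures.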
happy567
Posted on 2008-5-19 13:17:23
Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\卡巴免杀 .rar'
C:\Documents and Settings\Administrator\桌面\卡巴免杀 .rar
  [0] Archive type: RAR
  --> ﾿ᄄᄚᅪᅢ¬￉ᄆ .exe
      [DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
      [WARNING]   The file was ignored!


End of the scan: 2008年5月19日  13:16
Used time: 00:09 min
su-tt
Posted on 2008-5-19 13:59:33
C:\Documents and Settings\Administrator\桌面\卡巴免杀 .rar > RAR > 卡巴免杀 .exe - 可能是 Win32/TrojanDownloader.Delf.OBZ 特洛伊木马 的变种
sqsszzq
Posted on 2008-5-19 15:28:35
Make one that gets past EAV too.

wangjay1980
Posted on 2008-5-19 20:06:18
May I ask, are you the great professional AV-evasion practitioner?

Do you think there is anything new in the samples section every day? Too naive.

It is just the same thing repeated year after year; you hardly see a handful of "new viruses" in a year. Frankly, they are all old malware in new clothes.

A-Squared Found nothing
AntiVir Found TR/Crypt.FKM.Gen
ArcaVir Found Heur.W32
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.Hupigon.AAEA
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found Possibly a new variant of W32/Threat-SysVenFak-based!Maximus
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Losabel.mc
Fortinet Found nothing
Ikarus Found Virus.Win32.Agent.SIM
Kaspersky Anti-Virus Found nothing
NOD32 Found probably a variant of Win32/TrojanDownloader.Delf.OBZ (probable variant)
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/Emogen-E
VirusBuster Found nothing
VBA32 Found nothing


[ This post was last edited by wangjay1980 on 2008-5-19 22:33 ]
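The multi-engine list in this post shows the split the thread is arguing about: the engines that flag the file mostly do so with generic or heuristic labels (`.Gen`, `Heur.W32`, "Possibly a new variant", "probably a variant"), while the signature-exact engines report nothing. The script below is an added example (not part of this post or of the scan service) that parses lines of the form `Engine Found <label>`, computes the detection ratio, and sorts each verdict into generic, named, or missed. The result lines are copied from the post as constructed input; the `GENERIC_RE` pattern is this example's own rule of thumb, not any vendor's naming convention.

```python
"""Triage helper for 'Engine Found <label>' scan listings (added example).
Input lines are copied from the post; the generic-label regex is a heuristic."""
import re

SCAN_RESULTS = """\
A-Squared Found nothing
AntiVir Found TR/Crypt.FKM.Gen
ArcaVir Found Heur.W32
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.Hupigon.AAEA
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found Possibly a new variant of W32/Threat-SysVenFak-based!Maximus
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Losabel.mc
Fortinet Found nothing
Ikarus Found Virus.Win32.Agent.SIM
Kaspersky Anti-Virus Found nothing
NOD32 Found probably a variant of Win32/TrojanDownloader.Delf.OBZ (probable variant)
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/Emogen-E
VirusBuster Found nothing
VBA32 Found nothing
"""

# Words that mark a generic, heuristic, or "variant of" verdict rather than a
# family-specific name. Word boundary on "gen" keeps "Emogen"/"Agent" named.
GENERIC_RE = re.compile(r"(?i)(\bgen\b|generic|heur|suspicious|probabl|possibl|variant)")


def parse_results(text):
    """Return {engine: label or None}; engine names may contain spaces."""
    results = {}
    for line in text.splitlines():
        if " Found " not in line:
            continue
        engine, label = line.split(" Found ", 1)
        label = label.strip()
        results[engine.strip()] = None if label.lower() == "nothing" else label
    return results


def classify(label):
    """'missed', 'generic' or 'named' for one engine's verdict."""
    if label is None:
        return "missed"
    return "generic" if GENERIC_RE.search(label) else "named"


def summarize(results):
    """Group engine names by verdict class, preserving listing order."""
    summary = {"missed": [], "generic": [], "named": []}
    for engine, label in results.items():
        summary[classify(label)].append(engine)
    return summary


def detection_ratio(results):
    """(engines that flagged the file, engines scanned)."""
    hits = sum(1 for label in results.values() if label is not None)
    return hits, len(results)


if __name__ == "__main__":
    res = parse_results(SCAN_RESULTS)
    hits, total = detection_ratio(res)
    print(f"detections: {hits}/{total}")
    for kind, engines in summarize(res).items():
        print(f"{kind:8s} {', '.join(engines)}")
```

For the listing in this post it reports 8 of 20 engines flagging the file, with half of those hits being generic or heuristic verdicts; the same parser works on any other paste in the same `Engine Found <label>` shape.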
qigang
Posted on 2008-5-19 20:15:27

2/0

Rising 20.45.02 does not detect it!
allinwonderi
Posted on 2008-5-19 20:44:17

ArcaVir2008

[Scanning : C:\Documents and Settings\All Users\Documents\Test]


C:\Documents and Settings\All Users\Documents\Test\卡巴免杀 .rar<RAR>:卡巴免杀 .exe <- Heur.W32 : No action



Scanned objects : 2

Infected objects : 1
allinwonderi
Posted on 2008-5-19 20:44:51

F-Prot 4.4.4

[Found downloader]         <W32/Downloader.J.gen!Eldorado (not disinfectable, generic)>        C:\Documents and Settings\All Users\Documents\Test\卡巴免杀 .rar->卡巴免杀 .exe->(Klone.AF)

---------------------------------------------------------------------
Scan ended:        2008-5-19, 20:44:26
Duration:        0:00:01

Scan result:

Scanned files:                 6
Infected objects:         1
Disinfected objects:         0
Quarantined files:         0
---------------------------------------------------------------------