Views: 3453 | Replies: 11

[Virus sample] MD5 : d4cfda3d7cbc3e0675b01735ab9b94b7

nosferatu
Posted 2008-5-28 05:12:29

VirSCAN.org Scanned Report :
Scanned time   : 2008/05/28 05:02:18 (CST)
Scanner results: 25% of scanners (9/36) reported a virus

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      3.5.0.18        2008.05.26        2008-05-26  3.75   -
AhnLab V3      2008.05.27.01   2008.05.27        2008-05-27  1.19   -
AntiVir        7.8.0.19        7.0.4.101         2008-05-27  2.78   -
Arcavir        1.0.4           200805271137      2008-05-27  1.62   -
AVAST          1.0.8           080527-1          2008-05-27  3.06   -
AVG            7.5.51.442      269.24.1/1469     2008-05-27  2.47   -
BitDefender    7.60825.1245277 7.19209           2008-05-28  8.60   Trojan.Peed.JJM
CA (VET)       9.0.0.143       31.4.5826         2008-05-27  11.05  -
ClamAV         0.93            7269              2008-05-28  0.04   -
Comodo         2.11            2.0.0.537         2008-05-27  1.78   -
CP Secure      1.1.0.715       2008.05.27        2008-05-27  9.72   -
Dr.WEB         4.44.0.9170     2008.05.27        2008-05-27  4.89   Trojan.DownLoader.62005
ewido          4.0.0.2         2008.05.27        2008-05-27  3.02   -
F-PROT         4.4.1.52        20080526          2008-05-26  2.10   -
F-SECURE       5.51.6100       2008.05.27.06     2008-05-27  4.52   -
Fortinet       2.81-3.11       9.135             2008-05-27  6.34   Suspicious
ViRobot        20080527        2008.05.27        2008-05-27  0.66   -
IKARUS         T3.1.01.26      2008.05.27.70825  2008-05-27  2.65   MalwareScope.Worm.Nuwar-Glowa.1
Jiangmin       11.00.703       2008.05.27 09:20:32  2008-05-27 09:20:32  1.60   -
Kaspersky      5.5.10          2008.05.27        2008-05-27  15.67  -
Kingsoft       2008.1.14.15    2008.5.27.18      2008-05-27  1.65   -
McAfee         5.2.00          5304              2008-05-27  5.16   -
Microsoft      1.3520          2008.05.27        2008-05-27  11.27  TrojanDropper:Win32/Nuwar.gen!lds
MKS_VIR        2.01            2008.05.27        2008-05-27  3.06   -
NORMAN         5.92.08         5.92.00           2008-05-27  7.55   -
Panda          9.04.03.0001    2008.05.27        2008-05-27  3.69   Suspicious file
Trend Micro    8.700-1004      5.300.08          2008-05-27  0.00   -
Prevx          V2              20080527          2008-05-27  12.99  Generic.Malware
QuickHeal      9.00            2008.05.26        2008-05-26  0.43   -
Rising         20.0            20.46.12.00       2008-05-27  4.54   -
SOPHOS         2.74.1          4.30              2008-05-28  8.66   Mal/EncPk-DA
Symantec       1.3.0.24        20080527.003      2008-05-27  1.28   -
nProtect       2008-05-27.00   1514351           2008-05-27  7.39   -
The Hacker     6.2.92          v00320            2008-05-26  1.92   -
VBA32          3.12.6.6        20080526.2148     2008-05-26  36.14  MalwareScope.Worm.Nuwar-Glowa.1
VirusBuster    4.3.19:9        9.130.6/11.0      2008-05-27  2.13   -

mofunzone
Posted 2008-5-28 05:18:32
The file 'video.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Agent.ncp. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.
palfan
Posted 2008-5-28 05:57:54
Antivirus           Version          Last update   Result
AhnLab-V3           2008.5.28.0      2008.05.27    -
AntiVir             7.8.0.19         2008.05.27    -
Authentium          5.1.0.4          2008.05.27    -
Avast               4.8.1195.0       2008.05.27    -
AVG                 7.5.0.516        2008.05.27    -
BitDefender         7.2              2008.05.27    Trojan.Peed.JJM
CAT-QuickHeal       9.50             2008.05.26    (Suspicious) - DNAScan
ClamAV              0.92.1           2008.05.27    -
DrWeb               4.44.0.09170     2008.05.27    Trojan.DownLoader.62005
eSafe               7.0.15.0         2008.05.27    Suspicious File
eTrust-Vet          31.4.5826        2008.05.27    -
Ewido               4.0              2008.05.27    -
F-Prot              4.4.4.56         2008.05.27    -
F-Secure            6.70.13260.0     2008.05.27    -
Fortinet            3.14.0.0         2008.05.27    -
GData               2.0.7306.1023    2008.05.27    -
Ikarus              T3.1.1.26.0      2008.05.27    MalwareScope.Worm.Nuwar-Glowa.1
Kaspersky           7.0.0.125        2008.05.27    -
McAfee              5304             2008.05.27    -
Microsoft           None             2008.05.27    -
NOD32v2             3136             2008.05.27    Win32/Agent.ETH
Norman              5.80.02          2008.05.27    -
Panda               9.0.0.4          2008.05.27    -
Prevx1              V2               2008.05.27    Malicious Software
Rising              20.46.12.00      2008.05.27    -
Sophos              4.29.0           2008.05.27    Mal/EncPk-DA
Sunbelt             3.0.1123.1       2008.05.17    -
Symantec            10               2008.05.27    -
TheHacker           6.2.92.321       2008.05.27    -
VBA32               3.12.6.6         2008.05.27    MalwareScope.Worm.Nuwar-Glowa.1
VirusBuster         4.3.26:9         2008.05.27    -
Webwasher-Gateway   6.6.2            2008.05.27    Worm.Win32.Malware.gen (suspicious)


-----------------------------------------------------------------------------------------------

Submission Summary:
  • Submission details:
    • Submission received: 28 May 2008, 07:51:29
    • Processing time: 4 min 21 sec
    • Submitted sample:
      • File MD5: 0xADEAD0FDAF21ADD54B3E26B1BCD13545
      • Filesize: 107,008 bytes
  • Summary of the findings:
    What's been found                                          Severity Level
    Produces outbound traffic.
    Contains characteristics of an identified security risk.


Technical Details:
Possible Security Risk

  • Attention! Characteristics of the following security risk were identified in the system:
    Security Risk              Description
    Trojan-Downloader.Agent    Trojan.Downloader.Agent downloads and installs other malware onto the infected machine.


File System Modifications

  • The following file was created in the system:
    #  Filename(s)                            File Size      File MD5
    1  %System%\CbEvtSvc.exe                  107,008 bytes  0xADEAD0FDAF21ADD54B3E26B1BCD13545
       [file and pathname of the sample #1]

  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

  • There were new processes created in the system:
    Process Name                  Process Filename                       Main Module Size
    CbEvtSvc.exe                  %System%\cbevtsvc.exe                  131,072 bytes
    [filename of the sample #1]   [file and pathname of the sample #1]   131,072 bytes

  • There was a new service created in the system:
    Service Name   Display Name   Status      Service Filename
    CbEvtSvc       CbEvtSvc       "Running"   %System%\CbEvtSvc.exe -k netsvcs


Registry Modifications

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "CbEvtSvc"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000]
      • Service = "CbEvtSvc"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "CbEvtSvc"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Enum]
      • 0 = "Root\LEGACY_CBEVTSVC\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc]
      • Type = 0x00000010
      • Start = 0x00000002
      • ErrorControl = 0x00000001
      • ImagePath = "%System%\CbEvtSvc.exe -k netsvcs"
      • DisplayName = "CbEvtSvc"
      • ObjectName = "LocalSystem"
      • Opt = (zero-length binary value)
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "CbEvtSvc"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000]
      • Service = "CbEvtSvc"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "CbEvtSvc"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum]
      • 0 = "Root\LEGACY_CBEVTSVC\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc]
      • Type = 0x00000010
      • Start = 0x00000002
      • ErrorControl = 0x00000001
      • ImagePath = "%System%\CbEvtSvc.exe -k netsvcs"
      • DisplayName = "CbEvtSvc"
      • ObjectName = "LocalSystem"
      • Opt = (zero-length binary value)
  • The following Registry Values were modified:
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
      • (Default) = 0x0000000B
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
      • (Default) = 0x0000000B

Other details

  • There was a registered attempt to establish a connection with a remote host. The connection details are:
    Remote Host      Port Number
    72.9.98.234      443


Outbound traffic (potentially malicious)

  • There was outbound traffic produced on port 443:
    00000000 | 1603 0100 4101 0000 3D03 0148 3C82 EF31 | ....A...=..H<..1
    00000010 | F936 6088 AC66 72C2 FDFA 0361 D815 A683 | .6`..fr....a....
    00000020 | 2C16 067E CB07 9BA5 5E19 C100 0016 0004 | ,..~....^.......
    00000030 | 0005 000A 0009 0064 0062 0003 0006 0013 | .......d.b......
    00000040 | 0012 0063 0100                          | ...c..



http://www.threatexpert.com/report.aspx?md5=adead0fdaf21add54b3e26b1bcd13545

-----------------------------------------------------------------------------------------------
PS. Off to bed now...................
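Two lines of the report above carry most of the persistence story: the new service runs %System%\CbEvtSvc.exe with "-k netsvcs", the argument syntax svchost.exe uses to load a service group, and it is registered as Type 0x10 (own process), Start 2 (automatic), ObjectName LocalSystem. A genuine netsvcs member points at svchost.exe in the system directory and is registered as a shared-process service. The script below is an added example of mine, not part of this post or of ThreatExpert's output: it splits each service's ImagePath into executable and arguments and flags services that borrow svchost's group syntax without being the real svchost. The CbEvtSvc row reproduces the Services\CbEvtSvc values from the report; the Schedule, Spooler and wuaucltsvc rows are constructed for contrast, and on a live host the rows would be read from HKLM\SYSTEM\CurrentControlSet\Services instead.

```python
"""Flag services whose ImagePath borrows svchost's service-group syntax.

Added example (not from the post or from ThreatExpert). The CbEvtSvc row
reproduces the Services\\CbEvtSvc values in the report above; the other
rows are constructed for contrast."""
import re
from typing import Dict, List, Tuple

# Directories in which the genuine svchost.exe lives; %System% is the
# placeholder ThreatExpert uses for the system directory.
SYSTEM32_ALIASES = ("%system%", "%systemroot%\\system32", "c:\\windows\\system32")

# Service Type / Start values (winnt.h)
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_AUTO_START = 2

# Constructed sample of Services\<name> registry values.
SERVICES = [
    # taken from the ThreatExpert report above
    {"name": "CbEvtSvc", "ImagePath": "%System%\\CbEvtSvc.exe -k netsvcs",
     "ObjectName": "LocalSystem", "Start": 2, "Type": 0x10},
    # a real netsvcs member (constructed, typical XP-era values)
    {"name": "Schedule", "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
     "ObjectName": "LocalSystem", "Start": 2, "Type": 0x20},
    # an ordinary own-process service (constructed)
    {"name": "Spooler", "ImagePath": "%SystemRoot%\\system32\\spoolsv.exe",
     "ObjectName": "LocalSystem", "Start": 2, "Type": 0x110},
    # a svchost.exe copied outside System32 (constructed masquerade)
    {"name": "wuaucltsvc", "ImagePath": "C:\\WINDOWS\\svchost.exe -k netsvcs",
     "ObjectName": "LocalSystem", "Start": 2, "Type": 0x20},
]


def split_image_path(image_path: str) -> Tuple[str, str]:
    """Split an ImagePath into (executable, arguments).

    Quoted paths end at the closing quote; unquoted paths are cut after the
    first '.exe', which is how the SCM resolves them in practice."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    m = re.match(r"(?i)(.*?\.exe)\b(.*)$", s)
    if not m:
        return s, ""
    return m.group(1), m.group(2).strip()


def is_real_svchost(exe: str) -> bool:
    """True only for svchost.exe located in the system directory."""
    directory, _, base = exe.lower().rpartition("\\")
    return base == "svchost.exe" and directory in SYSTEM32_ALIASES


def check_service(svc: dict) -> List[str]:
    """Return the reasons a service looks like a svchost masquerade."""
    reasons: List[str] = []
    exe, args = split_image_path(svc["ImagePath"])
    uses_group_syntax = re.search(r"(?i)(^|\s)-k\s+\S+", args) is not None
    if uses_group_syntax and not is_real_svchost(exe):
        reasons.append(f"svchost-style arguments '{args}' on non-svchost binary {exe}")
    # Services that really live in a svchost group are registered as
    # SERVICE_WIN32_SHARE_PROCESS; an own-process service with -k is odd.
    if uses_group_syntax and (svc["Type"] & SERVICE_WIN32_SHARE_PROCESS) == 0:
        reasons.append(f"claims a svchost group but is own-process (Type 0x{svc['Type']:x})")
    if reasons and svc.get("ObjectName", "").lower() == "localsystem" \
            and svc.get("Start") == SERVICE_AUTO_START:
        reasons.append("auto-start as LocalSystem")
    return reasons


def suspicious_services(rows: List[dict]) -> Dict[str, List[str]]:
    """Map service name -> reasons, for every service that triggers a check."""
    return {r["name"]: check_service(r) for r in rows if check_service(r)}


if __name__ == "__main__":
    for name, why in suspicious_services(SERVICES).items():
        print(name)
        for line in why:
            print("   ", line)
```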
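The bytes the report labels "outbound traffic (potentially malicious)" on port 443 are a complete TLS 1.0 ClientHello, which is worth confirming before reading anything more than "TLS" into the connection to 72.9.98.234. The script below is an added example of mine, not part of this post or of ThreatExpert's report: it parses the hex dump quoted above, walks the record header, the handshake header and the ClientHello body, and lists the offered cipher suites by their IANA names. The suite list and its order, with no extensions, is the same one Windows XP-era SChannel sends, so the downloader most likely uses the OS TLS stack rather than bundling its own; that inference is mine, not something the report states.

```python
"""Decode the port-443 bytes from the ThreatExpert report as a TLS ClientHello.

Added example (not from the post or from ThreatExpert). CAPTURE is copied
from the hex dump in the report above; the ASCII column is ignored."""
import struct
from datetime import datetime, timezone
from typing import Dict, List

CAPTURE = """\
00000000 | 1603 0100 4101 0000 3D03 0148 3C82 EF31 | ....A...=..H<..1
00000010 | F936 6088 AC66 72C2 FDFA 0361 D815 A683 | .6`..fr....a....
00000020 | 2C16 067E CB07 9BA5 5E19 C100 0016 0004 | ,..~....^.......
00000030 | 0005 000A 0009 0064 0062 0003 0006 0013 | .......d.b......
00000040 | 0012 0063 0100                          | ...c..
"""

# IANA names for the cipher suite IDs that occur in this capture.
SUITE_NAMES: Dict[int, str] = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
}

HANDSHAKE = 22     # TLS record content type
CLIENT_HELLO = 1   # handshake message type


def hexdump_to_bytes(dump: str) -> bytes:
    """Take the middle (hex) column of each 'offset | hex | ascii' line."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split("|")
        if len(parts) < 2:
            continue
        out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)


def parse_client_hello(data: bytes) -> dict:
    """Walk record header -> handshake header -> ClientHello (RFC 2246 7.4.1.2)."""
    if len(data) < 5:
        raise ValueError("short record")
    rec_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if rec_type != HANDSHAKE:
        raise ValueError(f"not a handshake record: type {rec_type}")
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO:
        raise ValueError(f"not a ClientHello: handshake type {hs_type}")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake")
    version = (hello[0], hello[1])
    pos = 2
    random32 = hello[pos:pos + 32]               # gmt_unix_time(4) + random(28)
    pos += 32
    sid_len = hello[pos]
    pos += 1
    session_id = bytes(hello[pos:pos + sid_len])
    pos += sid_len
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1
    compression = list(hello[pos:pos + comp_len])
    pos += comp_len
    return {
        "record_version": (rec_major, rec_minor),
        "version": version,
        "gmt_unix_time": int.from_bytes(random32[:4], "big"),
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
        "has_extensions": pos < len(hello),   # anything left is the extensions block
    }


def describe(dump: str) -> dict:
    """Parse a hex dump and add human-readable suite names and timestamp."""
    info = parse_client_hello(hexdump_to_bytes(dump))
    info["cipher_suite_names"] = [SUITE_NAMES.get(s, f"unknown_0x{s:04x}")
                                  for s in info["cipher_suites"]]
    info["hello_time_utc"] = datetime.fromtimestamp(
        info["gmt_unix_time"], tz=timezone.utc).isoformat()
    return info


if __name__ == "__main__":
    info = describe(CAPTURE)
    print(f"TLS {info['version'][0]}.{info['version'][1]} ClientHello, "
          f"client clock {info['hello_time_utc']}, "
          f"extensions: {info['has_extensions']}")
    for name in info["cipher_suite_names"]:
        print("   ", name)
```

Every suite on offer is RC4, single DES, 3DES or export-grade, which is what a 2008 Windows client had; the point for triage is that this is plain TLS to 72.9.98.234:443, so whatever the downloader fetched is not visible in the report and would need the sandbox's decrypted capture or an interception proxy to see. The four-byte gmt_unix_time at the start of the random field gives the client clock at the moment of the handshake, a useful cross-check against the submission time.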
woai_jolin
Posted 2008-5-28 06:32:24
Scan performed at: 2008/5/28 6:32:10
Scanning Log
NOD32 version 3136 (20080527) NT
Command line: G:\v\video.rar
C:\Program Files\Eset\nod32.exe - is OK

Date: 28.5.2008  Time: 06:32:12
Anti-Stealth technology is enabled.
Scanned disks, folders and files: G:\v\video.rar
G:\v\video.rar » RAR » video.exe - Win32/Agent.ETH trojan
G:\v\video.rar:Zone.Identifier - is OK
Number of scanned files: 2
Number of threats found: 1
Time of completion: 06:32:12 Total scanning time: 0 sec (00:00:00)
gaojun7206
Posted 2008-5-28 11:31:34
video.exe infected with: Trojan.DownLoader.62005
sqsszzq
Posted 2008-5-28 13:50:09
Last one, then I'm off.

电影结束了
Posted 2008-5-28 14:03:09
If only TF could work out its own problems and fix them as readily as it reports them....
Sigh...

tracydk
Posted 2008-5-28 18:04:42

allinwonderi
Posted 2008-5-28 19:53:17

ArcaVir2008

[Scanning : C:\Documents and Settings\All Users\Documents\Test]


C:\Documents and Settings\All Users\Documents\Test\video.rar<RAR>:video.exe <- Trojan.Downloader.Bja : No action



Scanned objects : 2

Infected objects : 1
allinwonderi
Posted 2008-5-28 19:53:51

F-Prot 4.4.4

MISS
Copyright © KaFan  KaFan.cn All Rights Reserved.