貌似中了，过红伞，动作太多用comodo结束进程

ranguangning

【9楼，必须要有相应规则，不然EQ默认允许】

sjwuzk

过了卡巴 红伞

闪电战

那就上报去吧

唔該行開

一開始就要訪問底層

曲中求

红伞已回复：

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00158396.


We received the following archive files:

File ID	?Filename	Size (Byte)	Result
25036417	virus.zip	955.27 KB	OK

A listing of files contained inside archives alongside their results can be found below:

File ID	?Filename	Size (Byte)	Result
25036405	466F9D5D.TMP	103 Byte	CLEAN
2240030	npf.sys	41.52 KB	CLEAN
25016315	packet.dll	86.63 KB	CLEAN
25036396	test0.10.exe	924 KB	MALWARE
1241169	wpcap.dll	234.61 KB	KNOWN CLEAN

Please find a detailed report concerning each individual sample below:

?Filename	Result
466F9D5D.TMP	CLEAN

The file '466F9D5D.TMP' has been determined to be 'CLEAN'. Our analysts did not discovered any malicious content.

?Filename	Result
npf.sys	CLEAN

The file 'npf.sys' has been determined to be 'CLEAN'. Our analysts did not discovered any malicious content.

?Filename	Result
packet.dll	CLEAN

The file 'packet.dll' has been determined to be 'CLEAN'. Our analysts did not discovered any malicious content.

?Filename	Result
test0.10.exe	MALWARE

The file 'test0.10.exe' has been determined to be 'MALWARE'.
Our analysts named the threat Worm/Kolab.XJ. The term "WORM/" denotes a worm that is able to spread itself for instance over the Internet (using eMail, peer-to-peer networks, IRC networks etc.).Detection will be added to our virus definition file (VDF) with one of the next updates.

?Filename	Result
wpcap.dll	KNOWN CLEAN

The file 'wpcap.dll' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Winpcap 4.0.1'.


Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/details.php?uniqueid=gN1UUmq6Qg92NDdhLG0rIgRZVzTfJTU8&incidentid=158396

An overview of all your submissions can be found here:
http://analysis.avira.com/samples/details.php?uniqueid=gN1UUmq6Qg92NDdhLG0rIgRZVzTfJTU8

Please note: The detection of Spy/Adware is not available in the product "AntiVir PersonalEdition Classic". Please address specific questions to support@avira.com
Kind regards
Avira Virus Lab

---------------------------------------------
Avira GmbH
Lindauer Str. 21, D-88069 Tettnang, Germany
Phone: +49 (0) 7542-500 0
Fax: +49 (0) 7542-525 10
Internet: http://www.avira.com

CEO: Tjark Auerbach
Headquarter: Tettnang
Commercial register: AG Ulm HRB 630992
---------------------------------------------

spiha

C:\Documents and Settings\All Users\Application Data\TEMP:466F9D5D
(隐藏文件)C:\WINDOWS\system32\svdhost.exe
C:\WINDOWS\system32\Drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll

足够明显了 ... 很烦就结束了－ －

zenwalk

就一个坏东东，剩下都素winpcap的东东。

ALEXBLAIR

新建文件：
%TEMP%\Cookies
%TEMP%\Cookies\index.dat
%TEMP%\History\History.IE5
%TEMP%\History\History.IE5\index.dat
%TEMP%\Temporary Internet Files\Content.IE5
%TEMP%\Temporary Internet Files\Content.IE5\index.dat
\user\all\Application Data\TEMP\466F9D5D.TMP
C:\WINDOWS\Debug\UserMode\userenv.log


修改后的注册表：
HKCU\software\Microsoft\OLE\Windows Sound
HKLM\software\Classes\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\dUljcdg\(Default)
HKLM\software\Classes\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\krouy\(Default)
HKLM\software\Classes\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nFuzcsskdqFv\(Default)
HKLM\software\Classes\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tEumfv\(Default)
HKLM\software\Classes\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\TuISTwAfuIm\(Default)
HKLM\software\Classes\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\uVnumhoIVVl\(Default)
HKLM\software\Classes\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vczntxpm\(Default)
HKLM\software\Licenses\{0DEE9E09D11E5850E}
HKLM\software\Licenses\{IDEE9E09D11E5850E}
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
HKLM\software\microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Sound
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows Sound
HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous
HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymoussam

a256886572008

2008-06-04 18:49:20        應用程序防護(執行應用程序)     操作:使用沙箱操作
程序路徑:D:\桌面\virus\test0.10\test0.10.exe
檔案路徑:C:\WINDOWS\system32\svdhost.exe
指令列:500 "D:\桌面\virus\test0.10\test0.10.exe"

2008-06-04 18:49:20        應用程序防護(訪問服務管理器)     操作:使用沙箱操作
程序路徑:D:\桌面\virus\test0.10\test0.10.exe

2008-06-04 18:49:20        應用程序防護(程序間消息操作)     操作:使用沙箱操作
程序路徑:D:\桌面\virus\test0.10\test0.10.exe

消息類型:49530\

a256886572008

不要攔截   列出文件，

這只是 隱藏你的資料而已！