请各位帮我看看这个bat(加密过)！

显示全部楼层 · 发表于 2008-6-6 18:16:27

分析程序把虚拟机搞蓝屏N次..郁闷死..

显示全部楼层 · 发表于 2008-6-6 18:25:29

微点杀

显示全部楼层 · 发表于 2008-6-6 18:34:59

病毒 2008-06-06 18:34:47 C:\Documents and Settings\Administrator\桌面\self.rar\self.bat Win32.PSWTroj.OnlineGames.as.114688 跳过，未处理

显示全部楼层 · 发表于 2008-6-6 18:37:32

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.Popuper	Trojan.Popuper hijacks the default Internet Explorer settings and changes your Internet Explorer homepage. It also appears as a security alert notifying users that their PC has been compromised and then downloads rogue antispyware products onto their PC.

Attention! The following threat categories were identified:

Threat Category	Description
	A program that can be used to hijack certain aspects of users' web browser functionality (such as homepage, search page, and security settings)
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File MD5	Alias
1	%Temp%\orz.exe	11 bytes	0xE3B5A7F1CD7A8EADDA5C0D452EA7FB69	(not available)
2	[file and pathname of the sample #1]	12,356 bytes	0xBF68DABB4FFE2B35D9A8AABCBB5805DE	Trojan.Popuper [PCTools] Trojan-PSW.Win32.OnLineGames.alse [Kaspersky Lab] New Malware.aj [McAfee] WORM_AUTORUN.BB [Trend Micro]
3	%System%\wininnet.nls	32,768 bytes	0xA0C6CD4F02BA361DA8A17D3742CF9915	(not available)
4	c:\_uniep.bat	112 bytes	0x58ACA2BB16FE18CCB49CD53348D9E415	(not available)

Notes:
- %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	114,688 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
wininnet.nls	%System%\wininnet.nls	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1AF0000 - 0x1AF8000

http://www.threatexpert.com/report.aspx?md5=bf68dabb4ffe2b35d9a8aabcbb5805de

显示全部楼层 · 发表于 2008-6-6 18:38:11

http://txt.sonuher6.info/tt/1.txt 。。。。。

[DOWN]1=http://xxx.dfasdaqwd.cn/cao/aa1.exe2=http://xxx.dfasdaqwd.cn/cao/aa2.exe3=http://xxx.dfasdaqwd.cn/cao/aa3.exe4=http://5.gexiub38.info/cao/aa4.exe5=http://5.gexiub38.info/cao/aa5.exe6=http://5.gexiub38.info/cao/aa6.exe7=http://5.gexiub38.info/cao/aa7.exe8=http://xxx.dfasdaqwd.cn/cao/aa8.exe9=http://xxx.dfasdaqwd.cn/cao/aa9.exe10=http://111.dfasdaqwd.cn/cao/aa10.exe11=http://111.dfasdaqwd.cn/cao/aa11.exe12=http://111.dfasdaqwd.cn/cao/aa12.exe13=http://111.dfasdaqwd.cn/cao/aa13.exe14=http://111.dfasdaqwd.cn/cao/aa14.exe15=http://222.dfasdaqwd.cn/cao/aa15.exe16=http://222.dfasdaqwd.cn/cao/aa16.exe17=http://222.dfasdaqwd.cn/cao/aa17.exe18=http://222.dfasdaqwd.cn/cao/aa18.exe19=http://222.dfasdaqwd.cn/cao/aa19.exe20=http://333.dfasdaqwd.cn/cao/aa20.exe21=http://333.dfasdaqwd.cn/cao/aa21.exe22=http://333.dfasdaqwd.cn/cao/aa22.exe23=http://333.dfasdaqwd.cn/cao/aa23.exe24=http://444.dfasdaqwd.cn/cao/aa24.exe25=http://444.dfasdaqwd.cn/cao/aa25.exe30=http://444.dfasdaqwd.cn/cao/aa111.exe

显示全部楼层 · 发表于 2008-6-6 20:08:01

Begin scan in 'C:\Documents and Settings\haha\桌面\self.rar'
C:\Documents and Settings\haha\桌面\self.rar
  [0] Archive type: RAR
  --> self.bat
   [DETECTION] Is the Trojan horse TR/Agent.12356
   [NOTE]    A backup was created as '48b528f9.qua'  ( QUARANTINE )

显示全部楼层 · 发表于 2008-6-6 20:12:19

[Scanning : C:\Documents and Settings\All Users\Documents\Test]

C:\Documents and Settings\All Users\Documents\Test\self.rar<RAR>:self.bat<UPack>:self.bat <- Heur.RoundKick : No action

Scanned objects : 3

Infected objects : 1

显示全部楼层 · 发表于 2008-6-6 20:12:44

[Found security risk] <W32/Agent.L.gen!Eldorado (not disinfectable, generic)> C:\Documents and Settings\All Users\Documents\Test\self.rar->self.bat->(UPack)

---------------------------------------------------------------------
Scan ended: 2008-6-6, 20:12:28
Duration: 0:00:01

Scan result:

Scanned files:    6
Infected objects:    1
Disinfected objects:    0
Quarantined files:    0
---------------------------------------------------------------------

显示全部楼层 · 发表于 2008-6-6 20:13:47

瑞星病毒查杀结果报告

清除病毒种类列表：

病毒： Trojan.Win32.AvKiller.bz

MAC 地址：00:11:5B:F3:6D:69

用户来源：互联网

软件版本：20.47.42

显示全部楼层 · 发表于 2008-6-6 20:26:07

访问被拒绝
找不到所请求的 URL

在尝试检索 URL 时:

http://bbs.kafan.cn/attachment.php?aid=
280054&k=31219c79b0ea2a9ed643b9dab0401db
7&t=1212755116

遇到了下列错误:

所请求的对象已被感染了下列病毒: Trojan-PSW.Win32.OnLineGames.alse

如果您认为这是不正确的,请联系您的服务提供商。
生成于:
Fri Jun 06 20:24:21 2008
Kaspersky Internet Security 2009 Beta

[病毒样本] 请各位帮我看看这个bat(加密过)！

本帖子中包含更多资源

ArcaVir2008

F-Prot 4.4.4

3/1