转自救援区，给图片打包

显示全部楼层 · 发表于 2008-6-9 12:26:37

今天一个开影楼客户的电脑出现情况，JPEG图片被自动加壳为EXE格式，sreng扫描无太大异常，冰刃发现一个sleep.exe进程但无法发现源文件，用dr.web，360，auto防御者等均未发现异常，机器上的瑞星也表现正常，后我拷了几个EXE的图片回来在本机上实验，红伞不报，微点报未知BAT，能处理

不知算不算Jokes
http://www.virustotal.com/analisis/6ce97b3ba905660ed73578c7e88a89e7

File ID	Filename	Size (Byte)	Result
25039536	Function.dll	461.47 KB	UNDER ANALYSIS
25040444	SOLA_2.0_14042262...04.bat	10.61 KB	UNDER ANALYSIS

[ 本帖最后由 yk1234 于 2008-6-9 12:30 编辑 ]

显示全部楼层 · 发表于 2008-6-9 12:33:18

原帖由 yk1234 于 2008-6-9 12:26 发表

不知算不算Jokes
http://www.virustotal.com/analisis/6ce97b3ba905660ed73578c7e88a89e7

File ID Filename Size (Byte)Result25039536 Function.dll 461.47 KB UNDER ANALYSIS25040444 SOLA_2.0_14042262...0 ...

显示全部楼层 · 发表于 2008-6-9 12:34:20

金山毒霸 0

显示全部楼层 · 发表于 2008-6-9 12:38:33

avast!基因好

显示全部楼层 · 发表于 2008-6-9 14:50:31

卡巴杀dll，漏了一个bat

已删除：病毒 Virus.BAT.Agent.af 文件　: D:\软件\其它\v\k\IMG0052A.rar/Function.dll/SOLA.BAT
已删除：病毒 Virus.BAT.Agent.af 文件　: D:\软件\其它\v\k\IMG0052A.rar/Function.dll/scan.bat
已删除：病毒 Virus.BAT.Agent.af 文件　: D:\软件\其它\v\k\IMG0052A.rar/Function.dll/infect.bat
已删除：病毒 Virus.BAT.Agent.af 文件　: D:\软件\其它\v\k\IMG0052A.rar/Function.dll/Autorun.inf
已删除：病毒 Virus.BAT.Agent.af 文件　: D:\软件\其它\v\k\IMG0052A.rar/Function.dll/TENBATSU.BAT
已删除：病毒 Virus.BAT.Agent.af 文件　: D:\软件\其它\v\k\IMG0052A.rar/Function.dll/RecentInf.bat
已删除：病毒 Virus.BAT.Agent.af 文件　: D:\软件\其它\v\k\IMG0052A.rar/Function.dll/LocalScan.bat
已删除：病毒 Virus.BAT.Agent.af 文件　: D:\软件\其它\v\k\IMG0052A.rar/Function.dll/readlnk.bat

TO KL

显示全部楼层 · 发表于 2008-6-9 14:59:06

C:\Documents and Settings\Administrator\桌面\IMG0052A.rar>>Function.dll>>Autorun.inf Virus.BAT.Agent.af.pvef 病毒还未处理
C:\Documents and Settings\Administrator\桌面\IMG0052A.rar>>Function.dll>>infect.bat Virus.BAT.Agent.af.sysm 病毒还未处理
C:\Documents and Settings\Administrator\桌面\IMG0052A.rar>>Function.dll>>LocalScan.bat Virus.BAT.Agent.af.bfps 病毒还未处理
C:\Documents and Settings\Administrator\桌面\IMG0052A.rar>>Function.dll>>readlnk.bat Virus.BAT.Agent.af.rnin 病毒还未处理
C:\Documents and Settings\Administrator\桌面\IMG0052A.rar>>Function.dll>>RecentInf.bat Virus.BAT.Agent.af.mqhp 病毒还未处理
C:\Documents and Settings\Administrator\桌面\IMG0052A.rar>>Function.dll>>scan.bat Virus.BAT.Agent.af.ormd 病毒还未处理
C:\Documents and Settings\Administrator\桌面\IMG0052A.rar>>Function.dll>>SOLA.BAT Virus.BAT.Agent.af.rdpd 病毒还未处理
C:\Documents and Settings\Administrator\桌面\IMG0052A.rar>>Function.dll>>TENBATSU.BAT Virus.BAT.Agent.af.ctgn 病毒还未处理

显示全部楼层 · 发表于 2008-6-9 15:21:29

25040444  SOLA_2.0_14042262...04.bat  10.61 KB  CLEAN
25040501  infect.bat  2.18 KB  CLEAN
25040502  LocalScan.bat  453 Byte  CLEAN
25040503  readlnk.bat  252 Byte  CLEAN
25040504  RecentInf.bat  196 Byte  CLEAN
25040505  scan.bat  1.54 KB  CLEAN
25039538  SOLA.BAT  10.31 KB  MALWARE
25040506  TENBATSU.BAT  13.38 KB  CLEAN
25040507  docpack.dll  117.03 KB  CLEAN
25040508  exepack.dll  117.03 KB  CLEAN
25040509  jpgpack.dll  117.03 KB  CLEAN
25040510  txtpack.dll  117.03 KB  CLEAN
3817990  sleep.exe  1 KB  CLEAN
25040511  Autorun.inf  479 Byte  CLEAN
25040512  EJPack.txt  232 Byte  CLEAN
25040513  KillVirus.TXT  539 Byte  CLEAN
25040514  TDPack.txt  387 Byte  CLEAN
25040515  Tasks.xxx  364 Byte  CLEAN

显示全部楼层 · 发表于 2008-6-9 15:35:41

RS20.48未杀！

显示全部楼层 · 发表于 2008-6-9 15:45:09

ACCESS DENIED
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: http://bbs.kafan.cn/attachment.p ... 6e&t=1212997462

The folowing error was encountered:

The requested object is INFECTED. The following viruses Virus.BAT.Agent.af were found

Please contact your service provider if you feel this is incorrect.

--------------------------------------------------------------------------------

Generated Mon Jun 09 15:44:52 2008 by Kaspersky Anti-Virus 7.0

显示全部楼层 · 发表于 2008-6-9 17:34:58

会改时间

估计改完时间通过dll加载然后...........

[病毒样本] 转自救援区，给图片打包

本帖子中包含更多资源

本帖子中包含更多资源

8

22/0