公司里的剧毒

显示全部楼层 · 发表于 2008-6-12 08:29:36

原帖由 电影结束了 于 2008-6-12 08:28 发表

大概再过几分钟TF就会发来报告了。。。。

还好公司里有我这个安全人士

大家说要给我加工资

显示全部楼层 · 发表于 2008-6-12 08:38:54

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible.
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Adware.Component.Unrelated	These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File MD5	Alias
1	c:\0.pif c:\1.pif c:\10.pif c:\11.pif c:\2.pif c:\3.pif c:\4.pif c:\5.pif c:\6.pif c:\7.pif c:\8.pif c:\9.pif	125 bytes	0x7C5F5A68051F6B0C0E9A2AD33C40D415	(not available)
2	c:\AUTORUN.INF	143 bytes	0xAAE6D8754A4E53E59BC72CDED4B01731	INF.Autorun.Gen [PCTools] Worm.Win32.AutoRun.dtx [Kaspersky Lab] Generic!atr [McAfee]
3	c:\MSDS.PIF %System%\iexplorer.exe [file and pathname of the sample #1] %System%\waucl1.exe	23,604 bytes	0x6CB13E04725D450613EBE0B6BA82CA80	Worm.Win32.Downloader.my [Kaspersky Lab] New Malware.u [McAfee] Cryp_Xed-3 [Trend Micro]
4	%System%\k1ogon.dll	612,352 bytes	0x3F795D6FB4050C93CBBD0FF699A2635A	(not available)

Note:
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Keys were created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE

The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  - IEXPLORER = "%System%\iexplorer.exe"
  so that iexplorer.exe runs every time Windows starts
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of 360rpt.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of 360safe.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of 360tray.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of ANTIARP.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of Ast.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of AutoRunKiller.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of AvMonitor.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of AVP.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of CCenter.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of Frameworkservice.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of GFUpd.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of GuardField.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of IceSword.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of Iparmor.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of KASARP.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of KRegEx.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of KVMonxp.kxp by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of KVSrvXP.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of KVWSC.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of Mmsk.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of Navapsvc.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of Nod32kui.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of RAS.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of Regedit.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of Runiep.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of VPC32.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of VPTRAY.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of WOPTILITIES.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of Wuauclt.EXE by being installed as its default debugger
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE]
  - Debugger = "%System%\waucl1.exe"
  so that waucl1.exe is injected into the execution sequence of ~.EXE by being installed as its default debugger

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:
- systembest

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
xnibi.com	80	(null)	(null)

这家伙偶见过。。。。

显示全部楼层 · 发表于 2008-6-12 09:42:45

你们公司用的是什么杀软？
该考虑换换了，另外建议请来一个没这么菜的sysadmin

显示全部楼层 · 发表于 2008-6-12 10:06:47

Win32:Trojan-gen {Other}

显示全部楼层 · 发表于 2008-6-12 10:13:10

原帖由 solcroft 于 2008-6-12 09:42 发表
你们公司用的是什么杀软？
该考虑换换了，另外建议请来一个没这么菜的sysadmin

我公司里啥杀毒软件都没装的

显示全部楼层 · 发表于 2008-6-12 10:30:34

信息 2008-06-12  10:30:04 您此次查毒清除了1个病毒
信息 2008-06-12  10:30:04 您此次查毒共查出1个病毒以及危险代码
信息 2008-06-12  10:30:04 您此次查毒共查了内存模块0个，磁盘引导扇区0个，文件5个
信息 2008-06-12  10:30:04 金山毒霸主程序查毒过程结束，查毒方式：命令行查毒
病毒 2008-06-12  10:30:04 D:\Desktop\Ñù±¾.rar\样本\MSDS.PIF Win32.Troj.Downloader.if.109568 清除成功

显示全部楼层 · 发表于 2008-6-12 10:45:47

Information: Is the Trojan horse TR/Crypt.CFI.Gen

显示全部楼层 · 发表于 2008-6-12 11:43:41

The following error was encountered:

The requested object is INFECTED with the following viruses: Worm.Win32.Downloader.my

显示全部楼层 · 发表于 2008-6-12 11:46:10

D:\firefox download\样本.rar > RAR > 样本\MSDS.PIF - Win32/AutoRun.JO 蠕虫的变种 - 是已删除对象的一部分
D:\firefox download\1.rar > RAR > k1ogon.dll - 正常
D:\firefox download\1.rar > RAR > npptools.dll - 正常
D:\firefox download\1.rar > RAR > waucl1.exe - Win32/AutoRun.JO 蠕虫的变种 - 是已删除对象的一部分

显示全部楼层 · 发表于 2008-6-12 14:20:39

在 C:\Documents and Settings\Administrator\桌面\样本.rar->样本\MSDS.PIF 中发现 Trojan/Agent.bbqm 病毒, 已删除

在 C:\Documents and Settings\Administrator\桌面\1.rar->waucl1.exe 中发现 Trojan/Agent.bbqm 病毒, 已删除

[ 本帖最后由 tvuser2007 于 2008-6-12 14:22 编辑 ]

[病毒样本] 公司里的剧毒