Thread starter: Nblock

[Virus sample] A backdoor Kaspersky does not recognize, allegedly bypasses Micropoint

woai_jolin
Posted on 2008-6-12 14:05:27
Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.  Customer delight is our top priority at
Norman.  With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer
http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter
http://www.norman.com/Product/Sandbox-products/Reporter/

server.exe : INFECTED with W32/Malware (Signature: W32/Smalldrp.RVD)


[ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: W32/Smalldrp.RVD
    * Compressed: NO
    * TLS hooks: YES
    * Executable type: Application
    * Executable file structure: OK

[ General information ]
    * Accesses executable file from resource section.
    * File length:        93184 bytes.
    * MD5 hash: e42b8dac36d5f7684bb91ab87574eba4.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\Kvmon.exe.
    * Creates file C:\WINDOWS\Kvmon.dll.

[ Changes to registry ]
    * Accesses Registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system".
    * Accesses Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup".

[ Process/window information ]
    * Creates a mutex Myfutex.
    * Creates process "svchost.exe".
    * Checks if privilege "SeDebugPrivilege" is available.
    * Enables privilege SeDebugPrivilege.
    * Modifies memory in process svchost.exe.
    * Creates a thread in process svchost.exe.
    * Will inject library C:\WINDOWS\Kvmon.dll into remote processes.

[ Signature Scanning ]
    * C:\WINDOWS\Kvmon.exe (93184 bytes) : W32/Smalldrp.RVD.
    * C:\WINDOWS\Kvmon.dll (66560 bytes) : no signature detection.



(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information source only.


************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************

[ This post was last edited by woai_jolin on 2008-6-12 14:08 ]
woai_jolin
Posted on 2008-6-12 14:08:33
Vendor | Result
AhnLab-V3 | -
AntiVir | BDS/Graybird.D0A2D110
Authentium | -
Avast | Win32:Trojan-gen {Other}
AVG | -
BitDefender | Dropped:Generic.Graybird.D0A2D110
CAT-QuickHeal | -
ClamAV | PUA.Elirt
DrWeb | BackDoor.Dong
eSafe | -
eTrust-Vet | -
Ewido | -
F-Prot | W32/Hupigon.C.gen!Eldorado
F-Secure | W32/Malware
FileAdvisor | -
Fortinet | -
Ikarus | Trojan-Dropper.Win32.Mudrop.bn
Kaspersky | Heur.Trojan.Generic
McAfee | New Malware.ab
Microsoft | -
NOD32v2 | probably unknown NewHeur_PE virus
Norman | W32/Smalldrp.RVD
Panda | Suspicious file
Prevx1 | Trojan.Yabe
Rising | Suspicious.Backdoor.Win32.Delgen.a
Sophos | Sus/DelpDldr-A
Sunbelt | -
Symantec | -
TheHacker | -
VBA32 | suspected of Backdoor.XiaoBird.1
VirusBuster | -
Webwasher-Gateway | Trojan.Backdoor.Graybird.D0A2D110
Additional information
MD5: e42b8dac36d5f7684bb91ab87574eba4
SHA1: b9c185b28653ee229752485e956ea9789971fc95
SHA256: 5522389e900dc228357f8956c596ab98f45ceb46c59920f0eb16afe91c9549d2
SHA512: 95c3251c1129d809cdf3c3138818b88cb1e660adc9c84a714ac478797e35f6b5963d6d7ac7a784ff90ffd7c28a61cc76ebef0ac6bae46e177fbb76ea32b6280f
woai_jolin
Posted on 2008-6-12 14:08:51
SETUP.EXE : INFECTED with W32/Malware (Signature: NO_VIRUS)


[ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
    * Compressed: YES
    * TLS hooks: YES
    * Executable type: Application
    * Executable file structure: OK

[ General information ]
    * File might be compressed.
    * Decompressing ASPack.
    * Drops files in %WINSYS% folder.
    * Accesses executable file from resource section.
    * File length:       344576 bytes.
    * MD5 hash: bad9ee20bad306b278a4c261b8ac8fda.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\System32\Ly_Server2008.exe.
    * Creates file C:\WINDOWS\uninstal.bat.
    * Deletes file "c:\sample.exe".
    * Deletes file %0.
    * Creates file C:\WINDOWS\System32\Ly_Server2008.DLL.
    * Creates file C:\DOCUME~1\SANDBOX\blabla.dat.

[ Changes to registry ]
    * Accesses Registry key "HKCU\Software\Borland\Locales".
    * Accesses Registry key "HKLM\Software\Borland\Locales".
    * Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".
    * Sets value "ImagePath"="C:\WINDOWS\System32\Ly_Server2008.exe" in key "HKLM\System\CurrentControlSet\Services".
    * Sets value "DisplayName"="牧民远程管理软件" in key "HKLM\System\CurrentControlSet\Services".
    * Accesses Registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp".
    * Creates key "HKCU\Software\Microsoft\Internet Connection Wizard".
    * Sets value "Completed"="" in key "HKCU\Software\Microsoft\Internet Connection Wizard".
    * Sets value "Check_Associations"="no" in key "HKCU\Software\Microsoft\Internet Explorer\Main".

[ Network services ]
    * Opens URL: about:blank.
    * Connects to "about:blank" on port 80 (TCP).
    * Opens URL: about:blank/.

[ Process/window information ]
    * Creates a mutex Ly_Server2008.exe.
    * Attempts to access service "".
    * Creates service " ()" as "C:\WINDOWS\System32\Ly_Server2008.exe".
    * Creates process "Ly_Server2008.exe".
    * Creates process "CMD.EXE".
    * Creates process "IEXPLORE.EXE"".
    * Modifies memory in process IEXPLORE.EXE".
    * Creates a thread in process IEXPLORE.EXE".
    * Will inject library C:\WINDOWS\System32\Ly_Server2008.DLL into remote processes.

[ Signature Scanning ]
    * C:\WINDOWS\System32\Ly_Server2008.exe (344576 bytes) : no signature detection.
    * C:\WINDOWS\uninstal.bat (76 bytes) : no signature detection.
    * C:\WINDOWS\System32\Ly_Server2008.DLL (698368 bytes) : W32/Hupigon.GQN.
    * C:\DOCUME~1\SANDBOX\blabla.dat (4096 bytes) : no signature detection.

woai_jolin
Posted on 2008-6-12 14:11:47
Vendor | Version | Last update | Result
AhnLab-V3 | 2008.6.11.0 | 2008.06.11 | Win-Trojan/Hupigon.Gen
AntiVir | 7.8.0.55 | 2008.06.12 | BDS/Hupigon.Gen
Authentium | 5.1.0.4 | 2008.06.12 | W32/Hupigon.L.gen!Eldorado
Avast | 4.8.1195.0 | 2008.06.11 | Win32:Hupigon-CWJ
AVG | 7.5.0.516 | 2008.06.11 | BackDoor.Generic2.VEX
BitDefender | 7.2 | 2008.06.12 | Backdoor.Hupigon.E
CAT-QuickHeal | 9.50 | 2008.06.11 | -
ClamAV | 0.92.1 | 2008.06.12 | Trojan.Hupigon-1309
DrWeb | 4.44.0.09170 | 2008.06.11 | BackDoor.IRC.Sdbot.1881
eSafe | 7.0.15.0 | 2008.06.11 | -
eTrust-Vet | 31.6.5867 | 2008.06.11 | Win32/Pigeon.FJ
Ewido | 4.0 | 2008.06.11 | Backdoor.Hupigon.cgy
F-Prot | 4.4.4.56 | 2008.06.12 | W32/Hupigon.L.gen!Eldorado
F-Secure | 6.70.13260.0 | 2008.06.12 | Backdoor.Win32.Hupigon.mmt
Fortinet | 3.14.0.0 | 2008.06.12 | -
GData | 2.0.7306.1023 | 2008.06.12 | Backdoor.Win32.Hupigon.mmt
Ikarus | T3.1.1.26.0 | 2008.06.12 | Backdoor.Win32.Hupigon.ani
Kaspersky | 7.0.0.125 | 2008.06.12 | Backdoor.Win32.Hupigon.mmt
McAfee | 5315 | 2008.06.11 | BackDoor-AWQ
Microsoft | 1.3604 | 2008.06.12 | Backdoor:Win32/Hupigon
NOD32v2 | 3179 | 2008.06.11 | a variant of Win32/Hupigon
Norman | 5.80.02 | 2008.06.11 | -
Panda | 9.0.0.4 | 2008.06.11 | Bck/Hupigon.AIJ
Prevx1 | V2 | 2008.06.12 | System Back Door
Rising | 20.48.30.00 | 2008.06.12 | Backdoor.Gpigeon.GEN
Sophos | 4.30.0 | 2008.06.12 | Mal/GrayBird
Sunbelt | 3.0.1145.1 | 2008.06.05 | -
Symantec | 10 | 2008.06.12 | Backdoor.Graybird!Gen
TheHacker | 6.2.92.344 | 2008.06.12 | -
VBA32 | 3.12.6.7 | 2008.06.12 | OScope.Backdoor.XiaoBird.50C1
VirusBuster | 4.3.26:9 | 2008.06.11 | Backdoor.Hupigon.HIF
Webwasher-Gateway | 6.6.2 | 2008.06.12 | Trojan.Backdoor.Hupigon.Gen
黄金马甲出租
Posted on 2008-6-12 15:48:03
The OP is clickbaiting too.
飞兔儿
Posted on 2008-6-12 15:49:37
Looks like Micropoint is pretty impressive, huh.
电影结束了
Posted on 2008-6-12 15:50:04
kkgh
Posted on 2008-6-12 17:39:41
Filseclab catches it.
ch00962610
Posted on 2008-6-12 18:37:54
用G DATA AntiVirus检测病毒
版本 18.5.8071.731
病毒特征库日期 2008/6/12
开始时间: 2008/6/12 18:37
引擎: 引擎A (AVK 18.4105), 引擎B (AVKB 18.305)
启发式: 开启
档案文件: 开启
系统区域: 开启

检测系统区域...
检测以下目录和文件:
  C:\Documents and Settings\祝俊杰\桌面\Evil.rar

对象: SETUP.EXE
        在压缩档案中: C:\Documents and Settings\祝俊杰\桌面\Evil.rar
        状态: 检测到病毒
        病毒: Backdoor.Win32.Hupigon.mmt (引擎A)
对象: Evil.rar
        路径: C:\Documents and Settings\祝俊杰\桌面
        状态: 移动文件到隔离区
        病毒: Backdoor.Win32.Hupigon.mmt (引擎A)

检测执行时间: 2008/6/12 18:37
    1个文件已检测
    1个受感染文件
    0个可疑文件被发现
seamonkey
Posted on 2008-6-12 18:55:04
瑞星病毒查杀结果报告

清除病毒种类列表:
病毒: Suspicious.Backdoor.Win32.Delgen.a
病毒: Backdoor.Gpigeon.GEN