[Virus sample] Is this a virus?

no3q
Posted on 2008-6-13 18:00:47
This is something I downloaded from the 悠嘻猴 forum.

nosferatu
Posted on 2008-6-13 18:02:16
Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\4'
C:\Documents and Settings\Administrator\桌面\4\m.exe
      [DETECTION] Is the Trojan horse TR/Dropper.Gen
      [NOTE]      The file was deleted!
电影结束了
Posted on 2008-6-13 18:05:38
C:\Documents and S... Heuri.Possible/Packed   启发式扫描   还未处理

电影结束了
Posted on 2008-6-13 18:20:48
File Changes by all processes
New Files
C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe
C:\WINDOWS\svhosts.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Tcp6
\Device\Ip6
\Device\Ip6
\Device\NetBT_Tcpip_{396A44C6-F9C9-4F93-B4C3-A0D6826D5BD5}
\Device\RasAcd
Opened Files
C:\file.exe
\\.\SICE
\\.\NTICE
\\.\SIWVID
\\.\PIPE\lsarpc
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe
\\.\PIPE\lsarpc
C:\WINDOWS\bootstet.dat
\\.\PIPE\lsarpc
C:\WINDOWS\svhosts.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\svchost.exe
\\.\PIPE\lsarpc
C:\WINDOWS\svhosts.exe
\\.\Ip
\\.\Ip6
Deleted Files
C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe
Chronological Order
Open File: C:\file.exe (OPEN_EXISTING)
Find File: C:\aspr_keys.ini
Open File: \\.\SICE (OPEN_EXISTING)
Open File: \\.\NTICE (OPEN_EXISTING)
Open File: \\.\SIWVID (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
Get File Attributes: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe
Set File Time: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe
Set File Attributes: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe ()
Find File: 4.exe
Set File Attributes: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe
Find File: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\*
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\*.dat
Open File: C:\WINDOWS\bootstet.dat (OPEN_EXISTING)
Find File: C:\WINDOWS\svhosts.exe
Copy File: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe to C:\WINDOWS\svhosts.exe
Set File Attributes: C:\WINDOWS\svhosts.exe Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_READONLY,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\svchost.exe
Open File: C:\WINDOWS\svhosts.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\svchost.exe ()
Find File: svchost.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\svhosts.exe (OPEN_EXISTING)
Find File: C:\WINDOWS\*.dat
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Create/Open File: \Device\Ip6 (OPEN_ALWAYS)
Create/Open File: \Device\Ip6 (OPEN_ALWAYS)
Open File: \\.\Ip6 (OPEN_EXISTING)
Create/Open File: \Device\NetBT_Tcpip_{396A44C6-F9C9-4F93-B4C3-A0D6826D5BD5} (OPEN_ALWAYS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Registry Changes by all processes
Create or Open Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "" = rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\"
Reads
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService ""

Network Activity
Connections
DNS Lookup
Host Name IP Address
captcha232
wpad
Download URLs
http://60.14.199.46/ip.txt (60.14.199.46)
Outgoing connection to remote server: 60.14.199.46 TCP port 80

Why so many actions...
qigang
Posted on 2008-6-13 20:04:53
RS20.48.42 doesn't catch it!
no3q
(OP) Posted on 2008-6-13 20:33:47
Originally posted by 电影结束了 on 2008-6-13 18:20:
File Changes by all processes New FilesC:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\4.exe
C:\WINDOWS\svhosts.exe
\Device\Tcp
\Device\Ip
\Device ...

I'm a newbie, so I'd like to ask:
With so many actions, can someone give examples of what each one does?
What harm does it do to the computer?
allinwonderi
Posted on 2008-6-13 22:11:24

ArcaVir2008

[Scanning : C:\Documents and Settings\All Users\Documents\Test]


C:\Documents and Settings\All Users\Documents\Test\4\m.exe <- Variant:Trojan.Packed.Klone.Ao : No action



Scanned objects : 3

Infected objects : 1
allinwonderi
Posted on 2008-6-13 22:11:42

F-Prot 4.4.4

[Found backdoor]         <W32/Hupigon.G.gen!Eldorado (not disinfectable, generic)>        C:\Documents and Settings\All Users\Documents\Test\4\m.exe

---------------------------------------------------------------------
Scan ended:        2008-6-13, 22:11:35
Duration:        0:00:00

Scan result:

Scanned files:                 8
Infected objects:         1
Disinfected objects:         0
Quarantined files:         0
---------------------------------------------------------------------
csliss
Posted on 2008-6-13 22:16:53
KIS Proactive Defense intercepts it.

[ Last edited by csliss on 2008-6-13 22:21 ]

Source: 卡饭论坛 (KaFan.cn)