[False-positive file] Avira false positive on the new autoguarder updater

真.菲戈
Posted on 2008-6-23 10:03:10
I use it to clean USB-drive viruses off the office PCs...
Yesterday, after the updater was updated to 5.0, Avira very nearly killed it~
Seems to be because of the UPX packer that was added; already submitted.

File ID    Filename        Size (Byte)   Result
25055010   LiveUpdate.exe  327.5 KB      UNDER ANALYSIS

File LiveUpdate.exe received on 2008.06.23 03:53:48 (CET)

Antivirus           Version         Last update   Result
AhnLab-V3           2008.6.22.0     2008.06.22    -
AntiVir             7.8.0.59        2008.06.22    ADSPY/AdSpy.Gen
Authentium          5.1.0.4         2008.06.21    -
Avast               4.8.1195.0      2008.06.23    -
AVG                 7.5.0.516       2008.06.22    -
BitDefender         7.2             2008.06.23    -
CAT-QuickHeal       9.50            2008.06.20    -
ClamAV              0.93.1          2008.06.23    -
DrWeb               4.44.0.09170    2008.06.22    -
eSafe               7.0.15.0        2008.06.22    suspicious Trojan/Worm
eTrust-Vet          31.6.5892       2008.06.21    -
Ewido               4.0             2008.06.22    -
F-Prot              4.4.4.56        2008.06.21    -
F-Secure            7.60.13501.0    2008.06.20    -
Fortinet            3.14.0.0        2008.06.22    -
GData               2.0.7306.1023   2008.06.23    -
Ikarus              T3.1.1.26.0     2008.06.23    -
Kaspersky           7.0.0.125       2008.06.23    -
McAfee              5322            2008.06.20    -
Microsoft           1.3604          2008.06.23    -
NOD32v2             3207            2008.06.22    -
Norman              5.80.02         2008.06.20    -
Panda               9.0.0.4         2008.06.22    -
Prevx1              V2              2008.06.23    -
Rising              20.49.62.00     2008.06.22    -
Sophos              4.30.0          2008.06.23    -
Sunbelt             3.0.1153.1      2008.06.15    -
Symantec            10              2008.06.22    -
TheHacker           6.2.92.358      2008.06.21    -
TrendMicro          8.700.0.1004    2008.06.20    -
VBA32               3.12.6.7        2008.06.22    -
VirusBuster         4.3.26:9        2008.06.12    -
Webwasher-Gateway   6.6.2           2008.06.23    -

Additional information
File size: 335360 bytes
MD5...: af868a1fc0a3b3ffeeec8232545f761f
SHA1..: 4302328c85914a96d5f858deb8765770ce7ed429
SHA256: 11117eb0ccd059a7f6285a34716bc7f3f0beae7282065819245fcaf1d2e4eda8
SHA512: 32e32e222c07325f5805635b454d62a48613d93db3509b499044efba0d3b74fe59f04e23a64a2eea05cce26cfa783230900c9b3554d86b166173c465c6a66f49
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x49bcb0
timedatestamp.....: 0x485e4309 (Sun Jun 22 12:18:17 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name   viradd    virsiz    rawdsiz   ntrpy  md5
UPX0   0x1000    0x71000   0x0       0.00   d41d8cd98f00b204e9800998ecf8427e
UPX1   0x72000   0x2a000   0x2a000   7.92   58ac2fb4131121ee7825de91bf30fd4a
.rsrc  0x9c000   0x28000   0x27a00   6.65   c644c016f6e5d986d42dbd8b95d56dc1

( 14 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegOpenKeyW
> COMCTL32.dll: InitCommonControlsEx
> COMDLG32.dll: GetFileTitleW
> GDI32.dll: Escape
> ole32.dll: CoTaskMemFree
> OLEAUT32.dll: -
> oledlg.dll: OleUIBusyW
> PSAPI.DLL: EnumProcessModules
> SHELL32.dll: ShellExecuteW
> SHLWAPI.dll: PathIsUNCW
> USER32.dll: GetDC
> WINSPOOL.DRV: OpenPrinterW
> WS2_32.dll: -

( 0 exports )

packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
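The section table in the VirusTotal report above (UPX0 with a large virtual size but zero raw size, UPX1 at 7.92 bits of entropy, a low-entropy .rsrc) is the classic footprint of a UPX-packed binary, and it is what a triager checks first when deciding whether a hit is "just the packer". The script below is an added example, not code from the forum thread or from any vendor: it walks the DOS header, PE signature, COFF header and section headers of a PE file, computes per-section Shannon entropy, and applies that layout heuristic. The two PE images it analyses are constructed in memory with placeholder data so it runs offline; the `build_image`, `demo_upx_image`, `demo_plain_image` and `looks_upx_packed` names are the example's own.

```python
"""Parse a PE section table and compute per-section Shannon entropy (added example)."""
import math
import random
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virt_size: int
    virt_addr: int
    raw_size: int
    raw_ptr: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list[Section]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> 40-byte section headers."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    first = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsections):
        raw_name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, first + 40 * i)
        data = image[rptr:rptr + rsize] if rsize else b""   # raw size 0 = nothing on disk
        sections.append(Section(raw_name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rsize, rptr, shannon_entropy(data)))
    return sections


def looks_upx_packed(sections: list[Section]) -> bool:
    """UPX layout: UPX0 reserves virtual space only (raw size 0), UPX1 holds the dense payload."""
    if len(sections) < 2:
        return False
    s0, s1 = sections[0], sections[1]
    return (s0.name.startswith("UPX") and s0.raw_size == 0 and s0.virt_size > 0
            and s1.name.startswith("UPX") and s1.entropy > 7.0)


def build_image(section_specs, opt_size: int = 0xE0) -> bytes:
    """Assemble a minimal PE (headers only, no real code) from (name, vsize, vaddr, raw) tuples."""
    e_lfanew = 0x40
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(section_specs)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF     # first raw section at 0x200 file alignment
    headers = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", headers, 0x3C, e_lfanew)
    headers += b"PE\0\0"
    headers += struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    headers += b"\0" * opt_size             # optional header contents are irrelevant here
    body = bytearray()
    for name, vsize, vaddr, raw in section_specs:
        rptr = raw_ptr + len(body) if raw else 0
        headers += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), vsize, vaddr, len(raw), rptr)
        headers += b"\0" * 16               # relocation/line-number fields and Characteristics
        body += raw
    headers += b"\0" * (raw_ptr - len(headers))
    return bytes(headers) + bytes(body)


def demo_upx_image() -> bytes:
    """Constructed sample mirroring the report's layout: virtual-only UPX0, dense UPX1, plain .rsrc."""
    rng = random.Random(2008)               # fixed seed so the demo is reproducible
    packed = rng.randbytes(0x4000)          # placeholder for the compressed image
    resources = b"\0\0\0\0VERSION\0" * 64   # structured, low-entropy data
    return build_image([("UPX0", 0x71000, 0x1000, b""),
                        ("UPX1", 0x2A000, 0x72000, packed),
                        (".rsrc", 0x28000, 0x9C000, resources)])


def demo_plain_image() -> bytes:
    """Constructed unpacked layout for contrast: ordinary-entropy code and zeroed data."""
    code = bytes(range(256)) * 8 + b"\xcc" * 1024
    return build_image([(".text", 0x1000, 0x1000, code),
                        (".data", 0x1000, 0x2000, b"\0" * 2048)])


def report(image: bytes) -> list[Section]:
    """Print a table in the report's column order and return the parsed sections."""
    sections = parse_sections(image)
    print(f"{'name':8} {'viradd':>8} {'virsiz':>8} {'rawdsiz':>8} ntrpy")
    for s in sections:
        print(f"{s.name:8} {s.virt_addr:#8x} {s.virt_size:#8x} {s.raw_size:#8x} {s.entropy:5.2f}")
    print("UPX-style layout:", looks_upx_packed(sections))
    return sections


if __name__ == "__main__":
    report(demo_upx_image())
    report(demo_plain_image())
```

Run it on a real file by replacing `demo_upx_image()` with `open(path, "rb").read()`. The layout check only tells you that a packer is present; as the later reply in this thread points out, a generic ADSPY-type signature fires on what the engine finds inside, so a UPX footprint alone neither confirms nor clears a detection.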
小邪邪
Posted on 2008-6-23 10:33:42
UPX is a very common executable packer, and it flags even that? Impressive.
SIGKILL
Posted on 2008-6-23 10:36:19
Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\LiveUpdate.rar'
C:\Documents and Settings\Administrator\桌面\


End of the scan: 2008年6月23日星期一  10:35
Used time: 00:03 min

The scan has been done completely.

      0 Scanning directories
      2 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      2 Files not concerned
      1 Archives were scanned
      0 Warnings
      0 Notes
残缺的唯美
Posted on 2008-6-23 10:38:09
[Attachment only; login required to view]
曲中求
Posted on 2008-6-23 12:53:01

Reply to post #1 by 真.菲戈

Heh, it's not caused by UPX. ADSPY is a broad-spectrum (generic) signature; UPX on its own would not make Avira flag it.

Already submitted; let's wait and see the result.

Suspicious Files and Miscellaneous Uploads

Thank you for your submission. Below you can see the current status of the uploaded files.



We received the following archive files:
File ID         Filename        Size (Byte)        Result
25055092         LiveUpdate.rar        272.87 KB        OK


A listing of files contained inside archives alongside their results can be found below:
File ID         Filename        Size (Byte)        Result
25055010         LiveUpdate.exe         327.5 KB         UNDER ANALYSIS



Please find a detailed report concerning each individual sample below:
Filename        Result
LiveUpdate.exe         UNDER ANALYSIS


The file 'LiveUpdate.exe' has been determined to be 'UNDER ANALYSIS'. 

Please note that you will receive an email which will contain the results shown above. In case the final outcome of the analysis is not yet finished for all files the notification will be sent once ready.

[Last edited by 曲中求 on 2008-6-23 12:57]
真.菲戈 (original poster)
Posted on 2008-6-23 21:30:47
Damn, they just won't back down~
Filename         Result
LiveUpdate.exe          MALWARE

The file 'LiveUpdate.exe' has been determined to be 'MALWARE'. Our analysts named the threat ADSPY/AdSpy.Gen. The term "ADSPY/" denotes adware or spyware. This type of malware is able to change browser settings for example by manipulating registry settings or by using of NTFS-streams. Very often IE exploits are used to manipulate the browserhelp.dll. This malware is detected by a special detection routine from the engine module.

Nothing for it but to add an exclusion~