归来一贴

显示全部楼层 · 发表于 2008-6-24 12:11:48

老毒了，同学U盘上检

显示全部楼层 · 发表于 2008-6-24 12:14:46

许久不见王版……

Begin scan in 'E:\VIRUS\2(3).zip'
E:\VIRUS\2(3).zip
  [0] Archive type: ZIP
  --> 2.com
   [DETECTION] Contains detection pattern of the worm WORM/Autorun.eal
  --> 1.com
   [DETECTION] Contains detection pattern of the worm WORM/Autorun.eam.1
   [WARNING] The file was ignored!

显示全部楼层 · 发表于 2008-6-24 12:38:18

Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.  Customer delight is our top priority at
Norman.  With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer
http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter
http://www.norman.com/Product/Sandbox-products/Reporter/

2.com : Not detected by Sandbox (Signature: NO_VIRUS)

[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: NO
* TLS hooks: YES
* Executable type: Application
* Executable file structure: OK

[ General information ]
* **Locates window "Information [class TMessageForm]" on desktop.
* **Locates window "Error [class TMessageForm]" on desktop.
* File length:    613888 bytes.
* MD5 hash: c96353344444cb3477c74ca76482244b.

[ Changes to registry ]
* Accesses Registry key "HKCU\Software\Borland\Locales".
* Accesses Registry key "HKLM\Software\Borland\Locales".
* Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".

[ Process/window information ]
* Creates an event called .

(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information source only.

This file is not flagged as malicious by the Norman Sandbox Information Center. However, we can not guarantee that the file is harmless. If you still suspect the file to be malicious and if you urgently need to know for sure, please submit it to your local Norman support department for manual analysis.

************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************

显示全部楼层 · 发表于 2008-6-24 12:40:02

AhnLab-V3	2008.6.24.0	2008.06.23	-
AntiVir	7.8.0.59	2008.06.23	Worm/Autorun.eal
Authentium	5.1.0.4	2008.06.24	W32/Infostealer.A!Maximus
Avast	4.8.1195.0	2008.06.23	-
AVG	7.5.0.516	2008.06.24	-
BitDefender	7.2	2008.06.24	-
CAT-QuickHeal	9.50	2008.06.23	-
ClamAV	0.93.1	2008.06.24	-
DrWeb	4.44.0.09170	2008.06.23	-
eSafe	7.0.15.0	2008.06.23	-
eTrust-Vet	31.6.5897	2008.06.23	-
Ewido	4.0	2008.06.23	-
F-Prot	4.4.4.56	2008.06.23	W32/Infostealer.A!Maximus
F-Secure	7.60.13501.0	2008.06.20	Worm.Win32.AutoRun.eal
Fortinet	3.14.0.0	2008.06.23	W32/AutoRun.EAL!worm
GData	2.0.7306.1023	2008.06.24	Worm.Win32.AutoRun.eal
Ikarus	T3.1.1.26.0	2008.06.24	Virus.Worm.Win32.AutoRun.eal
Kaspersky	7.0.0.125	2008.06.24	Worm.Win32.AutoRun.eal
McAfee	5323	2008.06.23	-
Microsoft	1.3604	2008.06.24	-
NOD32v2	3211	2008.06.24	Win32/Delf.NFD
Norman	5.80.02	2008.06.23	-
Panda	9.0.0.4	2008.06.23	Suspicious file
Prevx1	V2	2008.06.24	-
Rising	20.50.02.00	2008.06.23	-
Sophos	4.30.0	2008.06.24	Mal/Behav-053
Sunbelt	3.0.1153.1	2008.06.15	-
Symantec	10	2008.06.24	-
TheHacker	6.2.92.359	2008.06.24	W32/AutoRun.eal
TrendMicro	8.700.0.1004	2008.06.23	-
VBA32	3.12.6.8	2008.06.23	Worm.Win32.AutoRun.eal
VirusBuster	4.5.11.0	2008.06.23	-
Webwasher-Gateway	6.6.2	2008.06.24	Worm.Autorun.eal

显示全部楼层 · 发表于 2008-6-24 12:41:52

Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.  Customer delight is our top priority at
Norman.  With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer
http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter
http://www.norman.com/Product/Sandbox-products/Reporter/

1.com : Not detected by Sandbox (Signature: W32/AutoRun.DZW)

[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: W32/AutoRun.DZW
* Compressed: NO
* TLS hooks: YES
* Executable type: Application
* Executable file structure: OK

[ General information ]
* **Locates window " [class CabinetWClass]" on desktop.
* File length:    407040 bytes.
* MD5 hash: 1d1fd7bc74724e5f77659d4d0be56269.

[ Changes to filesystem ]
* Creates file C:\DOCUME~1\SANDBOX\blabla.dat.

[ Changes to registry ]
* Accesses Registry key "HKCU\Software\Borland\Locales".
* Accesses Registry key "HKLM\Software\Borland\Locales".
* Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".
* Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System".
* Sets value "DisableRegistryTools"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System".
* Creates key "HKCU\Software\Policies\Microsoft\Windows\System".
* Sets value "DisableCMD"="" in key "HKCU\Software\Policies\Microsoft\Windows\System".

[ Network services ]
* Opens URL: http://www.wo709394.cn/game.php.
* Connects to "www.wo709394.cn" on port 80 (TCP).
* Opens URL: www.wo709394.cn/game.php.

[ Process/window information ]
* Creates an event called .
* Creates a mutex Recy.
* Attemps to open LOG.BAT CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /registry /deny everyone /full.
* Creates process "CMD.EXE".
* Attemps to open Explorer.exe c:\.
* Creates process "Explorer.exe".
* Attemps to open iexplore.exe http://www.wo709394.cn/game.php.
* Creates process "iexplore.exe".
* Creates process "net.EXE".
* Attempts to access service "Driver_Service".

(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information source only.

************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************

显示全部楼层 · 发表于 2008-6-24 12:42:40

AhnLab-V3	2008.6.24.0	2008.06.23	Win-Trojan/Xema.variant
AntiVir	7.8.0.59	2008.06.23	Worm/Autorun.eam.1
Authentium	5.1.0.4	2008.06.24	-
Avast	4.8.1195.0	2008.06.23	Win32:Trojan-gen {Other}
AVG	7.5.0.516	2008.06.24	Worm/Generic.ICA
BitDefender	7.2	2008.06.24	-
CAT-QuickHeal	9.50	2008.06.23	-
ClamAV	0.93.1	2008.06.24	-
DrWeb	4.44.0.09170	2008.06.23	-
eSafe	7.0.15.0	2008.06.23	-
eTrust-Vet	31.6.5897	2008.06.23	-
Ewido	4.0	2008.06.23	-
F-Prot	4.4.4.56	2008.06.23	-
F-Secure	7.60.13501.0	2008.06.20	Worm.Win32.AutoRun.eam
Fortinet	3.14.0.0	2008.06.23	W32/AutoRun.EAM!worm
GData	2.0.7306.1023	2008.06.24	Worm.Win32.AutoRun.eam
Ikarus	T3.1.1.26.0	2008.06.24	Worm.Autorun.eam.1
Kaspersky	7.0.0.125	2008.06.24	Worm.Win32.AutoRun.eam
McAfee	5323	2008.06.23	-
Microsoft	1.3604	2008.06.24	-
NOD32v2	3211	2008.06.24	Win32/Delf.NFE
Norman	5.80.02	2008.06.23	W32/AutoRun.DZW
Panda	9.0.0.4	2008.06.23	Suspicious file
Prevx1	V2	2008.06.24	-
Rising	20.50.02.00	2008.06.23	Trojan.Win32.Delf.fbw
Sophos	4.30.0	2008.06.24	Mal/Generic-A
Sunbelt	3.0.1153.1	2008.06.15	-
Symantec	10	2008.06.24	-
TheHacker	6.2.92.359	2008.06.24	W32/AutoRun.eam
TrendMicro	8.700.0.1004	2008.06.23	-
VBA32	3.12.6.8	2008.06.23	Worm.Win32.AutoRun.eam
VirusBuster	4.5.11.0	2008.06.23	-
Webwasher-Gateway	6.6.2	2008.06.24	Worm.Autorun.eam.1

显示全部楼层 · 发表于 2008-6-24 15:41:16

显示全部楼层 · 发表于 2008-6-24 21:21:07

瑞星病毒查杀结果报告

清除病毒种类列表：

病毒： Trojan.Win32.Delf.fbw

MAC 地址：00:11:5B:F3:6D:69

用户来源：互联网

软件版本：20.50.10

[病毒样本] 归来一贴

本帖子中包含更多资源

本帖子中包含更多资源

3/1