一个很囧的样本分析实例之一个美丽的误会囧囧囧囧囧囧

显示全部楼层 · 发表于 2008-7-26 04:13:22

样本编号为test21033.exe@
虚拟机运行后

改系统时间
关任务管理器
一切操作冻结，任务管理器无法打开，丫一测试comodo阻止所有行为后鼠标仍冻结。

我强制重启后

确认后
卡巴正常启动
时间并未修改

他只是改了图标
但是程序本身没有感染，可以正常启动,网络嗅探器正常。

随便拖动一个正常程序进入虚拟机
也被改成疯字图示，但是程序依然正常

我又在卡巴关闭的情况下感染，然后强制重启
发现系统时间也是没有改变，只是图标变成疯字而已，证明该恶意样本并不具备感染特性。

真是要囧死了

下面是comodo的分析，图片和测试由丫一友情提供

首先提升自己的权限修改时间

在system32文件夹下建立图标档案

更改图示为疯，但是没有进行任何感染

由此可见，该样本充其量只是一个玩笑程序，并不是一个感染型的virus（PS：主流反病毒厂商大部分报KillAV木马），因此，我们在制作PC Security Labs的6月的流行样本包的时候将test-21033号样本剔除，此样本迷惑性极大，因为其锁住鼠标，所以通常我们在虚拟机测试病毒的时候就会自然而然地还愿快照并进行下一个样本的测试，这样就会起产生对样本特性的误判，我们实验室将在以后的测试分析中更加小心谨慎，做到严谨，认真，尽可能地减少误判和失误。

最后附上样本，也请大家关注我们PC Security Labs即将推出的6月流行样本包及测试。我们的主页是 http://www.pcsl.info/cn/index.php 多谢大家，

同时感谢我的水星兄弟阿贝苹果好弟弟虾米叶子 R7CN

[ 本帖最后由 lanvin 于 2008-7-26 11:18 编辑 ]

显示全部楼层 · 发表于 2008-7-26 05:20:00

请问这个在实机环境下会造成永久破坏吗?我的意思如果杀软或者防火墙没能防住的话.

显示全部楼层 · 发表于 2008-7-26 05:28:04

445 有提示

显示全部楼层 · 发表于 2008-7-26 05:43:58

COMODO除了锁定鼠标没有办法拦截，其他都可以拦截，包括更改图标和禁用任务管理器

Date/Time Application Action Target
2008-7-26 5:30:25 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
2008-7-26 5:30:29 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Modify Key HKUS\S-1-5-21-436374069-113007714-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon
2008-7-26 5:30:38 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Modify Key HKLM\SOFTWARE\Classes\ocxfile\DefaultIcon
2008-7-26 5:30:41 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Modify Key HKLM\SOFTWARE\Classes\dllgfile\DefaultIcon
2008-7-26 5:30:50 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Modify File \Device\Tcp
2008-7-26 5:32:04 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:06 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:08 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:13 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:17 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:19 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:20 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:25 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:26 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:28 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:30 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:32 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:34 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:35 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:38 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:39 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:41 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:44 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:46 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:47 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:50 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:52 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:55 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:57 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:32:59 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:00 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:02 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:04 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:07 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:09 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:14 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:28 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:31 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:31 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:32 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:32 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:34 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:36 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:37 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:41 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:43 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:45 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:47 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:48 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:51 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:53 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:55 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:57 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:33:58 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:00 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:03 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:10 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:10 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:11 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:13 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:19 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:20 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:22 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:23 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:25 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:26 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:28 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:29 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:31 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:32 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:34 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:35 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:37 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:38 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:40 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:41 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:43 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:45 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:46 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:48 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:52 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:53 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:55 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:57 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:34:59 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:35:41 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Access Memory C:\WINDOWS\system32\taskmgr.exe
2008-7-26 5:37:45 C:\Documents and Settings\Administrator\桌面\test-21033\test-21033.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
End of The Report

默认的COMODO规则是不完善的

的确只是个恶作剧，修改图标，禁用任务管理器，禁用显示隐藏文件，锁定鼠标，如此而已

[ 本帖最后由 baerzake 于 2008-7-26 05:57 编辑 ]

显示全部楼层 · 发表于 2008-7-26 05:55:16

很可怕的病毒样本，不敢尝试。

显示全部楼层 · 发表于 2008-7-26 06:39:40

Detected: Trojan.Win32.KillAV.vm

显示全部楼层 · 发表于 2008-7-26 07:09:33

原帖由 Anycall-D908 于 2008-7-26 05:20 发表
请问这个在实机环境下会造成永久破坏吗?我的意思如果杀软或者防火墙没能防住的话.

因为说到底
在重启了之后他只是和你开了个玩笑，改了图标而已，并没有实施感染

显示全部楼层 · 发表于 2008-7-26 07:13:05

原帖由 baerzake 于 2008-7-26 05:43 发表
COMODO除了锁定鼠标没有办法拦截，其他都可以拦截，包括更改图标和禁用任务管理器

317539

Date/Time Application Action Target
2008-7-26 5:30:25 C:\Documents and Settings\Administrator\桌面\test-21033 ...

感谢局长提供数据

显示全部楼层 · 发表于 2008-7-26 07:17:51

对于这个样本,微点的表现很好.而且还是已知的....这个让我有点惊讶.另外这个样本过了ESS.

显示全部楼层 · 发表于 2008-7-26 07:19:26

原帖由 Anycall-D908 于 2008-7-26 07:17 发表
对于这个样本,微点的表现很好.而且还是已知的....这个让我有点惊讶.另外这个样本过了ESS.

报的蛮准
change icon

[病毒样本] 一个很囧的样本分析实例之一个美丽的误会囧囧囧囧囧囧

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

[病毒样本] 一个很囧的样本分析实例 之 一个美丽的误会 囧囧囧囧囧囧

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

[病毒样本] 一个很囧的样本分析实例之一个美丽的误会囧囧囧囧囧囧