过卡巴和大蜘蛛的木马样本

显示全部楼层 · 发表于 2008-7-27 00:04:50

   这是从一个被挂马的程序中提取出来的，源程序与木马只是进行了简单的合并，也就是执行源程序时木马被创建在C:\Documents and Settings\eva\Local Settings\Temp文件夹下，利用卡巴主防可以发现动作（这也是卡巴唯一的动作，利用卡巴的病毒库是扫不出病毒的）但是这个木马生成的文件叫kis_?????.exe（？代表一串随机数字）可想而之极具欺骗性。装卡巴的同志看见主防报警时很可能点允许！
   当kis_?????.exe被允许执行后将在C:\WINDOWS\system32下释放出 kb16.com  kb941644.log  wuauclt1.dll    kb16.com是键盘记录器的启动程序 wuauclt1.dll插入svchost.exe中以伪windows xp 自动更新程序执行而真正的自动更新程序只有  wuauclt1.exe  wuauclt.exe  这两个文件，根本没有 wuauclt1.dll 这一文件！
   当木马被完全启动后，将把用户的杀毒软件的启动与报警、键盘的操作、浏览的网页的地址及网页名称等全部记录在 kb941644.log 中，最后通过 wuauclt1.dll 在伪自动更新程序中发送到控制者。
   值得注意的是，一般当发现 system32 文件夹下有 *.com 时会很容易使人联想到有病毒但是此木马当 wuauclt1.dll 被成功启动后，会将 kb16.com 完全隐藏，一般用户很难发现！
   以上是我对这个木马的个人分析，有不足和错误的地方希望指证，附件的压缩包内是病毒文件，我均将文件后缀的最后一个字母去掉了。直到发帖时为止，卡巴2009_357最新病毒库仍无法扫除病毒！

显示全部楼层 · 发表于 2008-7-27 00:06:02

副在线扫毒

Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...

File eva.7z received on 07.26.2008 17:16:46 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result:
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 52 and 75 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus       Version       Last Update       Result
AVG       8.0.0.130       2008.07.25       -
ClamAV       0.93.1       2008.07.26       -
DrWeb       4.44.0.09170       2008.07.26       -
Ewido       4.0       2008.07.26       -
F-Secure       7.60.13501.0       2008.07.26       -
Fortinet       3.14.0.0       2008.07.26       -
GData       2.0.7306.1023       2008.07.26       Win32:Spyware-gen
Kaspersky       7.0.0.125       2008.07.26       -
McAfee       5347       2008.07.25       -
Microsoft       1.3704       2008.07.26       -
Norman       5.80.02       2008.07.25       -
Panda       9.0.0.4       2008.07.26       -
PCTools       4.4.2.0       2008.07.26       -
Prevx1       V2       2008.07.26       -
Sophos       4.31.0       2008.07.26       -
Sunbelt       3.1.1536.1       2008.07.25       -
Symantec       10       2008.07.26       -
VBA32       3.12.8.1       2008.07.26       -
Additional information
File size: 235553 bytes
MD5...: 56a0bc21862116c213a76a09ebd9b388
SHA1..: 25bc3ff5abaeeaba2fe98b40a97bc5e50bc99dd7
SHA256: 7a2311d2b46c5e91d64becdf9d98393d9928e2afb5754dbd5b346fcbf29f6655
SHA512: 23c5e43905ff146e6ff42897c5c5b09dd0f84b2672bb7404168d4b1dbe0b9344
d2b80c9650915e82e973368f9f8f97217b2319b239e40051c249fdf8a81ee6cc
PEiD..: -
PEInfo: -
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact

文件名称 :	eva.rar
文件大小 :	234512 byte
文件类型 :	RAR archive data, v1d, os
MD5 :	a036959dc51b2261285c17dbdf659a14
SHA1 :	0f1646562f1b9737d16455a5669d988034be504b

扫描结果

扫描结果 :	36%的杀软(13/36)报告发现病毒
时间 :	2008/07/27 00:08:35 (CST)

软件名称	引擎版本	病毒库版本	病毒库时间	扫描结果	时间
a-squared	3.5.0.22	2008.07.25	2008-07-25	-	2.414
AntiVir	7.8.1.12	7.0.5.175	2008-07-25	TR/Spy.xwo.3	2.173
Arcavir	1.0.5	200807251943	2008-07-25	-	1.253
AVAST!	3.0.1	080726-0	2008-07-26	Win32:Spyware-gen [Trj]	0.712
AVG	7.5.51.442	270.5.6/1574	2008-07-25	Generic10.AXMP	1.554
BitDefender	7.60825.1392732	7.20214	2008-07-26	Trojan.Spy.XWO	4.450
CA (VET)	9.0.0.143	31.6.5983	2008-07-26	-	1.380
ClamAV	0.93.3	7832	2008-07-26	-	0.045
Comodo	2.11	2.0.0.597	2008-07-26	-	0.473
CP Secure	1.1.0.715	2008.07.26	2008-07-26	MSWord.Goomy.a	5.557
Dr.Web	4.44.0.9170	2008.07.26	2008-07-26	-	6.645
ewido	4.0.0.2	2008.07.26	2008-07-26	-	2.444
F-Prot	4.4.4.56	20080725	2008-07-25	Possible W32/Heuristic-210!Eldorado (not disinfectable)	1.474
F-Secure	5.51.6100	2008.07.25.06	2008-07-25	-	2.914
Ikarus	T3.1.01.34	2008.07.26.71165	2008-07-26	Trojan-Spy.XWO	4.607
Microsoft	1.3704	2008.07.26	2008-07-26	-	4.657
mks_vir	2.01	2008.07.26	2008-07-26	-	2.685
Norman	5.93.01	5.93.00	2008-07-25	-	5.937
nProtect	2008-07-25.00	1702673	2008-07-25	Trojan-Spy/W32.Small.28160.N	3.666
Quick Heal	9.50	2008.07.25	2008-07-25	Suspicious - DNAScan	1.624
Sophos	2.75.4	4.31	2008-07-26	Mal/Emogen-N	2.334
Sunbelt	3.1.1536.1	2166	2008-07-25	Malware.Win32.CodeAnalyzer!cobra (v)	0.436
The Hacker	6.2.96	v00389	2008-07-24	-	0.433
VBA32	3.12.8.1	20080726.0743	2008-07-26	-	1.549
ViRobot	20080726	2008.07.26	2008-07-26	-	0.406
VirusBuster	4.5.11.10	10.82.23/596818	2008-07-26	-	0.839
卡巴斯基	5.5.10	2008.07.26	2008-07-26	-	0.158
安博士V3	2008.07.26.00	2008.07.26	2008-07-26	-	0.884
江民杀毒	11.0.706	2008.07.26	2008-07-26	-	1.160
熊猫卫士	9.05.01	2008.07.26	2008-07-26	-	2.702
瑞星	20.0	20.54.52.00	2008-07-26	Backdoor.Win32.Undef.bap	0.990
赛门铁克	1.3.0.24	20080726.002	2008-07-26	-	0.149
趋势科技	8.700-1004	5.436.08	2008-07-26	-	0.049
迈克菲	5.2.00	5347	2008-07-25	-	2.289
金山毒霸	2008.1.14.15	2008.7.26.15	2008-07-26	-	0.949
飞塔	2.81-3.11	9.356	2008-07-26	PossibleThreat	1.679

注意: 就算报告发现病毒，也可能是杀软误报，请根据查毒结果自行判断

复制到剪贴板

[ 本帖最后由 vip008200587 于 2008-7-27 00:13 编辑 ]

显示全部楼层 · 发表于 2008-7-27 00:06:17

F:\VIRUS\eva.rar=]eva\wuauclt1.dl Trojan.Spy.XWO

显示全部楼层 · 发表于 2008-7-27 00:09:38

Begin scan in 'C:\Documents and Settings\Administrator\桌面\eva.rar'
C:\Documents and Settings\Administrator\桌面\eva.rar
[0] Archive type: RAR
--> eva\wuauclt1.dl
[DETECTION] Is the TR/Spy.xwo.3 Trojan
[NOTE] The file was deleted!

显示全部楼层 · 发表于 2008-7-27 00:11:34

费尔杀

显示全部楼层 · 发表于 2008-7-31 13:49:49

kb16.co
MD5: A8B81F7428E3E9F18F60C563E43C9646
经分析，在该文件中没有发现任何恶意行为。

kis_401248.ex
MD5: 7DB816E0BA9895D4A2BC6F917D6022C6
是无界浏览器，但有可疑行为。

wuauclt1.dl
MD5: F48F60C4CA26B948A7C74810990B4FA6经分析，在该文件中发现恶意代码。（cmd /a /c %s>%s&cmd /u /c type %s>%s&cmd /c del %s）

[ 本帖最后由 zwl2828 于 2008-7-31 15:17 编辑 ]

显示全部楼层 · 发表于 2008-7-31 13:54:06

Avira AntiVir Personal
Report file date: 2008年7月31日  13:53
Scanning for 1369550 virus strains and unwanted programs.
Licensed to:    Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform:       Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:       Normally booted
Username:       Administrator
Computer name: 007
Version information:
BUILD.DAT    : 8.1.0.326    16933 Bytes 2008-7-11 12:57:00
AVSCAN.EXE : 8.1.4.7    315649 Bytes 2008-6-26 02:57:53
AVSCAN.DLL : 8.1.4.0       40705 Bytes 2008-5-26 01:56:40
LUKE.DLL    : 8.1.4.5    164097 Bytes 2008-6-12 06:44:19
LUKERES.DLL : 8.1.4.0       12033 Bytes 2008-5-26 01:58:52
ANTIVIR0.VDF  : 6.40.0.0 11030528 Bytes 2007-7-18 04:33:34
ANTIVIR1.VDF  : 7.0.5.1    8182784 Bytes 2008-6-24 07:54:15
ANTIVIR2.VDF  : 7.0.5.20    142336 Bytes 2008-6-30 23:20:53
ANTIVIR3.VDF  : 7.0.5.23    17408 Bytes 2008-6-30 03:24:47
Engineversion : 8.1.1.6
AEVDF.DLL    : 8.1.0.5    102772 Bytes 2008-7-9 02:46:50
AESCRIPT.DLL  : 8.1.0.46    283002 Bytes 2008-7-8 00:33:29
AESCN.DLL    : 8.1.0.22    119157 Bytes 2008-7-9 02:46:50
AERDL.DLL    : 8.1.0.20    418165 Bytes 2008-7-9 02:46:50
AEPACK.DLL : 8.1.1.6    364918 Bytes 2008-7-9 02:46:50
AEOFFICE.DLL  : 8.1.0.20    192891 Bytes 2008-7-9 02:46:50
AEHEUR.DLL : 8.1.0.35    1298806 Bytes 2008-7-8 00:33:29
AEHELP.DLL : 8.1.0.15    115063 Bytes 2008-7-9 02:46:50
AEGEN.DLL    : 8.1.0.29    307573 Bytes 2008-7-9 02:46:50
AEEMU.DLL    : 8.1.0.6    430451 Bytes 2008-7-9 02:46:50
AECORE.DLL : 8.1.1.3    172404 Bytes 2008-7-9 02:46:50
AEBB.DLL    : 8.1.0.1       53617 Bytes 2008-4-24 02:50:42
AVWINLL.DLL : 1.0.0.12    15105 Bytes 2008-7-9 02:40:05
AVPREF.DLL : 8.0.2.0       38657 Bytes 2008-5-16 03:28:01
AVREP.DLL    : 7.0.0.1    155688 Bytes 2008-6-30 08:35:20
AVREG.DLL    : 8.0.0.1       33537 Bytes 2008-5-9 05:26:40
AVARKT.DLL : 1.0.0.23    307457 Bytes 2008-2-12 02:29:23
AVEVTLOG.DLL  : 8.0.0.16    119041 Bytes 2008-6-12 06:27:49
SQLITE3.DLL : 3.3.17.1    339968 Bytes 2008-1-22 11:28:02
SMTPLIB.DLL : 1.2.0.23    28929 Bytes 2008-6-12 06:49:40
NETNT.DLL    : 8.0.0.1       7937 Bytes 2008-1-25 06:05:10
RCIMAGE.DLL : 8.0.0.51    2371841 Bytes 2008-6-12 07:48:07
RCTEXT.DLL : 8.0.52.0    86273 Bytes 2008-6-27 07:34:37
Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\61a4dcc4.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high
Start of the scan: 2008年7月31日  13:53
Starting the file scan:
Begin scan in 'C:\Documents and Settings\Administrator\桌面\eva.rar'
C:\Documents and Settings\Administrator\桌面\eva.rar
[NOTE]    The file was moved to '48f253d6.qua'!

End of the scan: 2008年7月31日  13:53
Used time: 00:25 Minute(s)
The scan has been done completely.
   0 Scanning directories
   4 Files were scanned
   0 viruses and/or unwanted programs were found
   1 Files were classified as suspicious:
   0 files were deleted
   0 files were repaired
   1 files were moved to quarantine
   0 files were renamed
   0 Files cannot be scanned
   3 Files not concerned
   1 Archives were scanned
   0 Warnings
   1 Notes

显示全部楼层 · 发表于 2008-7-31 14:44:27

我晚上去测试卡巴2009

显示全部楼层 · 发表于 2008-7-31 15:03:42

经过分析你上传的3个程序均无危害（KB16.com无任何动作，无威胁代码，那个可执行程序只有写入注册表的动作，没有其他动作，所以不能判断其含有恶意行为），但那个dll含有部分恶意代码。但因你上传的其他3个文件均无法触发他，所以无法判断是否过了卡巴HIPS，所以为了进行测试，请上传本体病毒

显示全部楼层 · 发表于 2008-7-31 17:06:47

NOD 没反应啊

[病毒样本] 过卡巴和大蜘蛛的木马样本

本帖子中包含更多资源

BD