可怕的程序。

显示全部楼层 · 发表于 2008-8-10 22:31:35

地址                反汇编                                  文本字串
00401004 PUSH test.00406064                      s
00401009 PUSH test.00406054                      administrators
00401013 PUSH test.00406064                      s
00401018 PUSH test.0040604C                      users
0040104A PUSH test.00406064                      s
00401075 PUSH test.00406040                      操作失败
00401090 PUSH test.0040603C                      ok
00401095 PUSH test.00406030                      操作成功
004011DB PUSH EBP                               (初始 cpu 选择)
00401D72 PUSH test.004050E4                      __msvcrt_heap_select
00401DB1 PUSH test.004050CC                      __global_heap_selected
0040214E PUSH test.004053D4                      <program name unknown>
00402190 PUSH test.004053D0                      ...
004021A4 PUSH test.004053B4                      runtime error!\n\nprogram:
004021C2 PUSH test.004053B0                      \n\n
004021EA PUSH test.00405388                      microsoft visual c++ runtime library
00403D7C PUSH test.0040541C                      user32.dll
00403D93 PUSH test.00405410                      messageboxa
00403DA4 PUSH test.00405400                      getactivewindow
00403DAC PUSH test.004053EC                      getlastactivepopup


地址          反汇编                                     文本字串
00401004 PUSH test.00406064                      seinteractivelogonright
00401009 PUSH test.00406054                      administrators
00401013 PUSH test.00406064                      seinteractivelogonright
00401018 PUSH test.0040604C                      users
0040104A PUSH test.00406064                      seinteractivelogonright
00401075 PUSH test.00406040                      操作失败
00401090 PUSH test.0040603C                      ok
00401095 PUSH test.00406030                      操作成功
004011DB PUSH EBP                               (初始 cpu 选择)
00401D72 PUSH test.004050E4                      __msvcrt_heap_select
00401DB1 PUSH test.004050CC                      __global_heap_selected
0040214E PUSH test.004053D4                      <program name unknown>
00402190 PUSH test.004053D0                      ...<program name unknown>
004021A4 PUSH test.004053B4                      runtime error!\n\nprogram:
004021C2 PUSH test.004053B0                      \n\n
004021EA PUSH test.00405388                      microsoft visual c++ runtime library
00403D7C PUSH test.0040541C                      user32.dll
00403D93 PUSH test.00405410                      messageboxauser32.dll
00403DA4 PUSH test.00405400                      getactivewindowmessageboxauser32.dll
00403DAC PUSH test.004053EC                      getlastactivepopup

od插件看到的

显示全部楼层 · 发表于 2008-8-10 23:03:03

够哥们~~~~~~~~~~~~~~~~~~~

VirSCAN.org Scanned Report :
Scanned time : 2008/08/10 22:57:35 (CST)
Scanner results: 全部的杀毒软件报告没有发现病毒!
File Name    : test.exe
File Size    : 36864 byte
File Type    : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5          : 84c5a5db6144bf2373e683c9ed90cca9
SHA1          : 1e5e87c79aab55f941f444a7a97cf7aee39cb311
Online report  : http://virscan.org/report/05393b34b3276313b5fcb0481cbcbfac.html
Scanner       Engine Ver    Sig Ver          Sig Date Time Scan result
a-squared    3.5.0.22       2008.08.09       2008-08-09  2.71 -
安博士V3    2008.08.09.00 2008.08.09       2008-08-09  1.10 -
AntiVir       7.8.1.19       7.0.5.235       2008-08-09  2.15 -
Arcavir       1.0.5          200808101016    2008-08-10  1.20 -
AVAST!       3.0.1          080809-0       2008-08-09  0.68 -
AVG          7.5.51.442    270.6.0/1602    2008-08-09  1.51 -
BitDefender 7.60825.1436199 7.20444          2008-08-10  2.66 -
CA (VET)    9.0.0.143    31.6.6021       2008-08-09  1.88 -
ClamAV       0.93.3       7999             2008-08-10  0.01 -
Comodo       2.11          2.0.0.612       2008-08-10  0.50 -
CP Secure    1.1.0.715    2008.08.10       2008-08-10  6.04 -
Dr.Web       4.44.0.9170    2008.08.10       2008-08-10  3.04 -
ewido       4.0.0.2       2008.08.04       2008-08-04  3.00 -
F-Prot       4.4.4.56       20080809       2008-08-09  0.98 -
F-Secure    5.51.6100    2008.08.10.01    2008-08-10  2.98 -
飞塔          2.81-3.11    9.388          2008-08-05  2.68 -
ViRobot       20080801       2008.08.01       2008-08-01  0.41 -
Ikarus       T3.1.01.34    2008.08.10.71249  2008-08-10  3.19 -
江民杀毒    11.0.706       2008.08.10       2008-08-10  1.47 -
卡巴斯基    5.5.10       2008.08.10       2008-08-10  0.04 -
金山毒霸    2008.1.14.15 2008.8.10.15    2008-08-10  0.64 -
迈克菲       5.2.00       5357             2008-08-08  2.43 -
Microsoft    1.3807       2008.08.10       2008-08-10  4.71 -
mks_vir       2.01          2008.08.09       2008-08-09  2.56 -
Norman       5.93.01       5.93.00          2008-08-08  4.70 -
熊猫卫士    9.05.01       2008.08.10       2008-08-10  2.31 -
趋势科技    8.700-1004    5.466.23       2008-08-10  0.05 -
Quick Heal    9.50          2008.08.08       2008-08-08  1.83 -
瑞星          20.0          20.56.41.00    2008-08-08  0.83 -
Sophos       2.77.0       4.32             2008-08-10  1.79 -
Sunbelt       3.1.1538.1    2186             2008-08-08  0.42 -
赛门铁克    1.3.0.24       20080803.002    2008-08-03  0.05 -
nProtect    2008-08-08.00 1761388          2008-08-08  4.69 -
The Hacker    6.2.96       v00395          2008-08-08  0.44 -
VBA32       3.12.8.3       20080809.1019    2008-08-09  1.17 -
VirusBuster 4.5.11.10    4.5.11/          0010-00-00  0.81 -

[ 本帖最后由 ahzsmzkf 于 2008-8-11 00:37 编辑 ]

显示全部楼层 · 发表于 2008-8-10 23:49:34

原帖由 syfwxmh 于 2008-8-10 21:47 发表
明天我找工程师确认

等你的好消息

原帖由 主动防御 于 2008-8-10 21:28 发表
Hello.
No malicious software was found in the attached file.

估计这个工程师有问题。。。。。。。。。。。。

是不是Namestnikov Yury回信?

显示全部楼层 · 发表于 2008-8-10 23:50:48

饿作锯
把人关在门外的，要进去很放入

显示全部楼层 · 发表于 2008-8-10 23:54:06

Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.10 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.10 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.10 -
DrWeb 4.44.0.09170 2008.08.10 -
eSafe 7.0.17.0 2008.08.10 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.10 -
F-Prot 4.4.4.56 2008.08.10 -
F-Secure 7.60.13501.0 2008.08.10 -
Fortinet 3.14.0.0 2008.08.10 -
GData 2.0.7306.1023 2008.08.10 -
Ikarus T3.1.1.34.0 2008.08.10 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.10 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.10 -
NOD32v2 3343 2008.08.10 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.10 -
PCTools 4.4.2.0 2008.08.10 -
Prevx1 V2 2008.08.10 Suspicious
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.10 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.10 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.10 -
Webwasher-Gateway 6.6.2 2008.08.10 -

http://www.virustotal.com/analis ... 8d5e97a1d645386aa2d

显示全部楼层 · 发表于 2008-8-11 00:00:42

自己的pc不让你进了，我高不东这算不算病毒~~~~~~~~~~~~~~~~~

显示全部楼层 · 发表于 2008-8-11 00:22:30

这个就是进行了删除用户的操作
正常情况下用户也有这样的操作
估计杀软会MISS

显示全部楼层 · 发表于 2008-8-11 00:34:57

卡巴不杀是对的.
不是病毒.只是玩笑程序.

显示全部楼层 · 发表于 2008-8-11 00:36:23

这个玩笑开大了...

显示全部楼层 · 发表于 2008-8-11 00:49:45

利用lsass.exe干坏事........

对于没有消息防御、对lsass.exe又不管不问的ssm肯定是挂惨了

[病毒样本] 可怕的程序。

回复 48楼 hwwgo 的帖子