样本1

显示全部楼层 · 发表于 2008-10-4 18:13:33

今天去BT上下载生化危机4安装的时候发现的

NOD32和X星居然不报

显示全部楼层 · 发表于 2008-10-4 18:20:44

在 C:\Documents and Settings\Administrator\桌面\is-0C696.rar->is-0C696.tmp 中发现 Adware/Clicker.dji 病毒, 已删除

显示全部楼层 · 发表于 2008-10-4 18:23:24

kaspersky
not-a-virus:Adware.win32.navi

显示全部楼层 · 发表于 2008-10-4 18:24:05

发现病毒: Adware.Navi.C (引擎 A)
文件: is-0C696[1].rar
目录: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GHUFWLMB
进程: Maxthon.exe

显示全部楼层 · 发表于 2008-10-4 18:31:05

紅傘報啟發：HEUR/Malware

显示全部楼层 · 发表于 2008-10-4 20:06:38

McAfee miss

显示全部楼层 · 发表于 2008-10-4 20:09:33

C:\Documents and Settings\Administrator\桌面\is-0C696.rar>>is-0C696.tmp Adware.Navi.ulsf.dll 广告程序还未处理

显示全部楼层 · 发表于 2008-10-4 20:28:20

看来真的是广告软件..
广告软件名称:AdWare.Win32.Navi.m
程序:
C:\DOCUMENTS AND SETTINGS\***.18F12FE200FB45E\桌面\ANTI-VIRUS LAB\RUN VIRUS LAB\IS-0C696\IS-0C696.TMP
是广告软件!
已成功阻止其运行,是否要删除此文件?

相关代码分析：
00054728 10055328    0 Software
00054734 10055334    0 SYSTEM
0005473C 1005533C    0 SECURITY
00054754 10055354    0 Hardware
00054760 10055360    0 Interface
0005476C 1005536C    0 FileType
00054778 10055378    0 Component Categories
00054790 10055390    0 CLSID
00054798 10055398    0 AppID
000547C0 100553C0    0 Delete
000547C8 100553C8    0 NoRemove
000547D4 100553D4    0 ForceRemove
0005483F 1005543F    0 ?vector<T> too long
00054854 10055454    0 SELECT * FROM domain WHERE '%s' LIKE domain AND type=4
0005488C 1005548C    0 \host.db
00054898 10055498    0 SELECT lastshow FROM config where (%d-lastshow)>timespan
000548D4 100554D4    0 UPDATE config SET lastshow=%d
000548F4 100554F4    0 UPDATE advertise SET showcnt=showcnt+1 WHERE idx=%d
00054928 10055528    0 SELECT idx,adv FROM advertise WHERE %s ORDER BY showcnt ASC
00054964 10055564    0 UPDATE domain SET visitcnt=visitcnt+1 WHERE %s
00054994 10055594    0 OR domainidx=%d
000549A8 100555A8    0 domainidx=%d
000549B8 100555B8    0 SELECT domainidx FROM domain WHERE '%s' LIKE domain AND type=3
00054A34 10055634    0 UPDATE domain SET visitcnt=0 WHERE domainidx=%d
00054A68 10055668    0 UPDATE advertise SET showcnt=showcnt+1, lastshow=%d WHERE idx=%d
00054AB0 100556B0    0 SELECT A.* FROM advertise AS A LEFT JOIN domain AS B on A.domainidx = B.domainidx WHERE (%s) AND (%d-A.lastshow)>B.timespan AND B.visitcnt>B.visitlimit ORDER BY type DESC, showcnt ASC
00054B68 10055768    0 OR A.domainidx=%d
00054B7C 1005577C    0 A.domainidx=%d
00054B90 10055790    0 SELECT domainidx FROM domain WHERE '%s' LIKE domain AND type>=0 AND type<3
00054C6C 1005586C    0 HKEY_CURRENT_CONFIG
00054C80 10055880    0 HKEY_DYN_DATA
00054C90 10055890    0 HKEY_PERFORMANCE_DATA
00054CA8 100558A8    0 HKEY_USERS
00054CB4 100558B4    0 HKEY_LOCAL_MACHINE
00054CC8 100558C8    0 HKEY_CURRENT_USER
00054CDC 100558DC    0 HKEY_CLASSES_ROOT
00054E18 10055A18    0 bad cast
00054EAC 10055AAC    0 \Implemented Categories
00054EC4 10055AC4    0 \Required Categories
00054EDC 10055ADC    0 CLSID\
000550D4 10055CD4    0 SELECT * FROM config
000550F4 10055CF4    0 regcode
000550FC 10055CFC    0 svrhost
00055104 10055D04    0 win.ini
0005510C 10055D0C    0 install
00055118 10055D18    0 Mozilla/4.0 (compatible; )
00055134 10055D34    0 welcome.asp?id=%s&code=%s
00055150 10055D50    0 thanks.asp?id=%s&code=%s
00055180 10055D80    0 regsvr32.exe
00055194 10055D94    0 /%s?id=%s
000551A0 10055DA0    0 %s\%s
000551A8 10055DA8    0 /ver.htm
000551B4 10055DB4    0 null.zip
000551C0 10055DC0    0 zipfile
000551C8 10055DC8    0 /data.ver
000551D8 10055DD8    0 change
000551E0 10055DE0    0 start
000551E8 10055DE8    0 Software\Microsoft\Internet Explorer\Main\Start Page
00055220 10055E20    0 sqlcheck
0005522C 10055E2C    0 vercheck
00055238 10055E38    0 explorer.exe
0005526C 10055E6C    0 https
0005528E 10055E8E    0 Content-Disposition: form-data; name="%s"
000552CE 10055ECE    0 Content-Disposition: form-data; name="%s"; filename="%s"
0005530C 10055F0C    0 response failed...
00055320 10055F20    0 connection failed...
00055338 10055F38    0 request failed...
00055358 10055F58    0 list<T> too long
0005536C 10055F6C    0 open internet failed...
00055384 10055F84    0 connect failed...
0005539C 10055F9C    0 handle not opened...
000553B4 10055FB4    0 add cookie failed...
000553D0 10055FD0    0 http://
000553D8 10055FD8    0 https://
000553E4 10055FE4    0 additional header failed...
00055400 10056000    0 Accept: */*
00055414 10056014    0 HTTP/1.0
00055420 10056020    0 Content-Type: application/x-www-form-urlencoded
00055460 10056060    0 Content-Type: multipart/form-data; boundary=--MULTI-PARTS-FORM-DATA-BOUNDARY
000554B0 100560B0    0 request failed
000554C0 100560C0    0 Content-Length: %d
000554D8 100560D8    0 --MULTI-PARTS-FORM-DATA-BOUNDARY
00055560 10056160    0 invalid string position
00055578 10056178    0 string too long
000665FC 100671FC    0 .?AVCZipException@@
0006CF21 1006F121    0 SVRHOST.PopBlocker.1 = s 'PopBlocker Class'
0006CF53 1006F153    0    CLSID = s '{7648AC4A-76F6-4d95-B2C4-F0DBD88E5DD5}'
0006CF8D 1006F18D    0 SVRHOST.PopBlocker = s 'PopBlocker Class'
0006CFBD 1006F1BD    0    CLSID = s '{7648AC4A-76F6-4d95-B2C4-F0DBD88E5DD5}'
0006CFF3 1006F1F3    0    CurVer = s 'SVRHOST.PopBlocker.1'
0006D01C 1006F21C    0 NoRemove CLSID
0006D031 1006F231    0    ForceRemove {7648AC4A-76F6-4d95-B2C4-F0DBD88E5DD5} = s 'PopBlocker Class'
0006D083 1006F283    0    ProgID = s 'SVRHOST.PopBlocker.1'
0006D0A9 1006F2A9    0    VersionIndependentProgID = s 'SVRHOST.PopBlocker'
0006D0DF 1006F2DF    0    ForceRemove 'Programmable'
0006D0FE 1006F2FE    0    InprocServer32 = s '%MODULE%'
0006D126 1006F326    0    val ThreadingModel = s 'Both'
0006D14F 1006F34F    0    'TypeLib' = s '{86A0CBDE-F9A4-490f-971F-58A21912BEB8}'
0006D1A1 1006F3A1    0 NoRemove SOFTWARE
0006D1B9 1006F3B9    0    NoRemove Microsoft
0006D1D4 1006F3D4    0    NoRemove Windows
0006D1EF 1006F3EF    0    NoRemove CurrentVersion
0006D20C 1006F40C    0    {
0006D213 1006F413    0       NoRemove Explorer
0006D22B 1006F42B    0       {
0006D233 1006F433    0       NoRemove 'Browser Helper Objects'
0006D25C 1006F45C    0       {
0006D265 1006F465    0       ForceRemove {7648AC4A-76F6-4d95-B2C4-F0DBD88E5DD5}
0006D64E 1006F84E    0 stdole2.tlbWWW
0006D868 1006FA68    0 SVRHOSTLIBWW
0006D880 1006FA80    0 PopBlockerWWd
0006D898 1006FA98    0 IPopBlockerW
0006D8A6 1006FAA6    0 svrhost 1.0 Type LibraryWW
0006D8C2 1006FAC2    0 PopBlocker ClassWW
0006D8D6 1006FAD6    0 IPopBlocker InterfaceW
0006D8F2 1006FAF2    0 Created by MIDL version 6.00.0361 at Fri Nov 17 15:14:22 2006
0006DA74 1006FC74    0 svrhost Module
0006DAEC 1006FCEC    0 svrhost
0006DB90 1006FD90    0 svrhost.DLL
这可真多...应该是和IE有关的广告软件吧

显示全部楼层 · 发表于 2008-10-4 21:11:57

RS20.64.50未杀！

显示全部楼层 · 发表于 2008-10-4 21:14:59

Kaspersky Lab
拒绝访问
无法返回请求的网页

试图访问的网页：

http://bbs.kafan.cn/attachment.php?aid=
370856&k=f97567645ff5471cf0035cea3bfea3b
9&t=1223125993

发生下列错误：

请求的对象被感染，发现下列病毒 not-a-virus:AdWare.Win32.Navi

如有疑问，请联系您的技术支持
创建日期：
Sat Oct 04 21:13:57 2008
Kaspersky Lab

[病毒样本] 样本1

本帖子中包含更多资源

3/0