hupigeon

qianwenxiang

14206937

Begin scan in 'C:\Documents and Settings\Administrator\桌面\360safenew.rar'
C:\Documents and Settings\Administrator\桌面\360safenew.rar
    [0] Archive type: RAR
      --> 360safenew.exe
          [DETECTION] Is the TR/Buzus.iij Trojan
    [NOTE]      A backup was created as '4919fd11.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!

fzz8848

2楼好快

[ 本帖最后由 fzz8848 于 2008-10-6 19:57 编辑 ]

linjw

Begin scan in 'D:\360safenew.rar'
D:\360safenew.rar
    [0] Archive type: RAR
      --> 360safenew.exe
          [DETECTION] Is the TR/Buzus.iij Trojan
    [NOTE]      A backup was created as '4919fd46.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!

wangjay1980

TO KL

Hello,

360safenew.exe_ - Backdoor.Win32.Hupigon.eixq

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Andrey Ladikov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.



> Attachment: 360safenew.zip

[ 本帖最后由 wangjay1980 于 2008-10-6 21:33 编辑 ]

wrq

Access to the data has been denied!
Warning: A virus or unwanted program has been found in the HTTP Data.

Requested URL:  http://bbs.kafan.cn/attachment.p ... c5&t=1223294461
Information:  Is the TR/Buzus.iij Trojan  


--------------------------------------------------------------------------------
Generated by AntiVir WebGuard 8.0.15.0, AVE 8.1.1.35, VDF 7.0.6.236

wangjay1980

http://www.threatexpert.com/repo ... f6b55a9b736f7f1641a

Heartstrings

Linux下 无反应。。。。。。。就是好啊。。

wangjay1980

Visit ThreatExpert web site

|

Close Report

Submission Summary:

• Submission details:
  • Submission received: 6 October 2008, 23:01:26
  • Processing time: 5 min 59 sec
  • Submitted sample:
    • File MD5: 0x8A1CA9EB42CC6F6B55A9B736F7F1641A
    • Filesize: 398,848 bytes
    • Alias: New Malware.ix [McAfee]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.

Technical Details:

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File MD5	Alias
1	%ProgramFiles%\360safe\360safenew.exe	398,848 bytes	0x8A1CA9EB42CC6F6B55A9B736F7F1641A	New Malware.ix [McAfee]

• Note:
  • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

• The following directory was created:
  • %ProgramFiles%\360safe

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
360safenew.exe	%ProgramFiles%\360safe\360safenew.exe	794,624 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	794,624 bytes

• There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
Remote_Procedure_Call(RPS)	RpsCs	"Stopped"	%ProgramFiles%\360safe\360safenew.exe

Registry Modifications

• The following Registry Keys were created:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote_Procedure_Call(RPS)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote_Procedure_Call(RPS)\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote_Procedure_Call(RPS)\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote_Procedure_Call(RPS)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote_Procedure_Call(RPS)\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote_Procedure_Call(RPS)\Enum

• The newly created Registry Values are:
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000\Control]
    • *NewlyCreated* = 0x00000000
    • ActiveService = "Remote_Procedure_Call(RPS)"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000]
    • Service = "Remote_Procedure_Call(RPS)"
    • Legacy = 0x00000001
    • ConfigFlags = 0x00000000
    • Class = "LegacyDriver"
    • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • DeviceDesc = "RpsCs"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)]
    • NextInstance = 0x00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote_Procedure_Call(RPS)\Enum]
    • 0 = "Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000"
    • Count = 0x00000001
    • NextInstance = 0x00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote_Procedure_Call(RPS)\Security]
    • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Remote_Procedure_Call(RPS)]
    • Type = 0x00000110
    • Start = 0x00000002
    • ErrorControl = 0x00000000
    • ImagePath = "%ProgramFiles%\360safe\360safenew.exe"
    • DisplayName = "RpsCs"
    • ObjectName = "LocalSystem"
    • Description = "�ṩ�ս��ӳ����� (endpoint mapper) �Լ����� RPS ����"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000\Control]
    • *NewlyCreated* = 0x00000000
    • ActiveService = "Remote_Procedure_Call(RPS)"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000]
    • Service = "Remote_Procedure_Call(RPS)"
    • Legacy = 0x00000001
    • ConfigFlags = 0x00000000
    • Class = "LegacyDriver"
    • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • DeviceDesc = "RpsCs"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)]
    • NextInstance = 0x00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote_Procedure_Call(RPS)\Enum]
    • 0 = "Root\LEGACY_REMOTE_PROCEDURE_CALL(RPS)\0000"
    • Count = 0x00000001
    • NextInstance = 0x00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote_Procedure_Call(RPS)\Security]
    • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote_Procedure_Call(RPS)]
    • Type = 0x00000110
    • Start = 0x00000002
    • ErrorControl = 0x00000000
    • ImagePath = "%ProgramFiles%\360safe\360safenew.exe"
    • DisplayName = "RpsCs"
    • ObjectName = "LocalSystem"
    • Description = "�ṩ�ս��ӳ����� (endpoint mapper) �Լ����� RPS ����"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • ProxyEnable = 0x00000000

• The following Registry Values were modified:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
    • Directory = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
    • CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
    • CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
    • CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
    • CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
    • (Default) = 0x0000000C
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
    • (Default) = 0x0000000C
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    • Cookies = "%Profiles%\LocalService\Cookies"
    • History = "%Profiles%\LocalService\Local Settings\History"

Other details

• Analysis of the file resources indicate the following possible country of origin:

China

• To mark the presence in the system, the following Mutex object was created:
  • waxbnd

• The following Host Name was requested from a host database:
  • 74297.rhelper.com

• There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
74297.rhelper.com [td]8001[/td][tr][/tr]

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 8001:

00000000 | 4854 5450 00                            | HTTP.[/td]

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.
The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.
Copyright © 2008 ThreatExpert. All rights reserved.

BING126

McAfee        New Malware.ix