收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 Codec.Update.v1_3368.zip
12下一页
返回列表 发新帖
查看: 3405|回复: 14
收起左侧

[病毒样本] Codec.Update.v1_3368.zip

[复制链接]
solcroft
发表于 2008-10-20 08:40:59 | 显示全部楼层 |阅读模式
avast!: Win32:Fabot [Trj]

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
回复

举报

hzyw
头像被屏蔽
发表于 2008-10-20 08:49:35 | 显示全部楼层
沙发啊

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
回复

举报

kingmuro
头像被屏蔽
发表于 2008-10-20 08:54:02 | 显示全部楼层
过诺顿10.1版本   19日病毒库
回复

举报

xi889
头像被屏蔽
发表于 2008-10-20 11:06:03 | 显示全部楼层
Hello.
New malicious software was found in the attached file.
It's detection will be included in the next update. Thank you for your help.

Please quote all when answering. Do not forget to include you registration data.
-----------------
Regards, Gashkin Alexey
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com   http://www.viruslist.com


> Attachment: Codec.Update.v1_3368.rar

>
>
>   nex

[ 本帖最后由 xi889 于 2008-10-20 22:41 编辑 ]
回复

举报

08红伞威点
发表于 2008-10-20 11:46:11 | 显示全部楼层
伞上报分析.
回复

举报

mofunzone
发表于 2008-10-20 12:23:33 | 显示全部楼层
Starting the file scan:

Begin scan in 'C:\Users\morgan\Desktop\Codec.Update.v1_3368.exe.zip'
C:\Users\morgan\Desktop\
  Codec.Update.v1_3368.exe.zip
    [0] Archive type: ZIP
    --> Codec.Update.v1_3368.exe
      [DETECTION] This file has been compressed using unusual runtime compression (PCK/NSIS.M). Please verify the origin of this file.
    [WARNING]   The file was ignored!
  Codec.Update.v1_3368.exe.zip:Zone.Identifier
回复

举报

aerbeisi
发表于 2008-10-20 15:17:25 | 显示全部楼层

NOD32 痿了

回复

举报

c5132902
发表于 2008-10-20 15:20:36 | 显示全部楼层

avg kill

回复

举报

Palkia
发表于 2008-10-20 19:03:44 | 显示全部楼层
金山 0
回复

举报

浪滔天
发表于 2008-10-20 19:40:57 | 显示全部楼层
用卡巴实机运行测试了下,卡巴HIPS所有设置均为“提示”,并对在各分区下创建“autorun.inf”进行了保护设置,所有动作也设置为“提示”

2008-10-20 19:19:09 Codec.Update.v1_3368.exe 启动进程 F:\病毒样本\Codec[1].Update.v1_3368.exe\Codec.Update.v1_3368.exe   
2008-10-20 19:19:14 Codec.Update.v1_3368.exe 读取 hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows 已被允许: KLSystemData/KLStartupRegKeys/AppInit_DLLs KLSystemData/KLStartupRegKeys/AppInit_DLLs
2008-10-20 19:19:14 Codec.Update.v1_3368.exe 读取 hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows 已被允许: KLSystemData/KLStartupRegKeys/AppInit_DLLs KLSystemData/KLStartupRegKeys/AppInit_DLLs
2008-10-20 19:19:19 Generic Host Process for Win32 Services 修改 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher/TracesProcessed   
2008-10-20 19:19:19 Generic Host Process for Win32 Services 修改 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher/TracesSuccessful   
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 C:\WINDOWS\system32\SHELL32.dll 已被允许: KLSystemData/KLSystemFiles/SystemDll KLSystemData/KLSystemFiles/SystemDll
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hklm\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 已被允许: KLSystemData/KLSystemServicesRegKeys/Classes_CLSID KLSystemData/KLSystemServicesRegKeys/Classes_CLSID
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_System KLSystemData/KLSystemSecRegKeys/Policies_System
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:20 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer KLSystemData/KLSystemSecRegKeys/Policies_Explorer
2008-10-20 19:19:24 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 已被允许: KLSystemData/KLSystemSecRegKeys/Policies_Explorer2 KLSystemData/KLSystemSecRegKeys/Policies_Explorer2
2008-10-20 19:19:25 Codec.Update.v1_3368.exe 创建 C:\Documents and Settings\GWH\Local Settings\Temp\33682.exe   
2008-10-20 19:19:56 33682.exe 启动进程 C:\DOCUME~1\GWH\LOCALS~1\Temp\33682.exe   
2008-10-20 19:20:07 Codec.Update.v1_3368.exe 启动进程 c:\documents and settings\gwh\local settings\temp\33682.exe 已被允许: KLPrivileges/KLPermissionAppAccess/KLPermissionProcManage/KLStartProc KLPrivileges/KLPermissionAppAccess/KLPermissionProcManage/KLStartProc
2008-10-20 19:20:07 33682.exe 修改 C:\Documents and Settings\GWH\Local Settings\Temp\tmp60.tmp   
2008-10-20 19:20:07 Spooler SubSystem App 启动进程 C:\WINDOWS\system32\SPOOLSV.EXE   
2008-10-20 19:20:07 Services and Controller app 修改 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ServiceCurrent/(Default)   
2008-10-20 19:20:08 Spooler SubSystem App 创建 HKEY_LOCAL_MACHINE\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER   
2008-10-20 19:20:08 Spooler SubSystem App 创建 HKEY_LOCAL_MACHINE\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER   
2008-10-20 19:20:08 Spooler SubSystem App 修改 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager/PendingFileRenameOperations   
2008-10-20 19:20:08 Codec.Update.v1_3368.exe 读取 C:\WINDOWS\win.ini 已被允许: KLSystemData/KLSystemFiles/win.ini KLSystemData/KLSystemFiles/win.ini
2008-10-20 19:20:08 33682.exe 修改 C:\Documents and Settings\GWH\Local Settings\Temp\tmp60.tmp   
2008-10-20 19:20:08 33682.exe 修改 C:\Documents and Settings\GWH\Local Settings\Temp\tmp5F.tmp   
2008-10-20 19:20:08 33682.exe 退出进程 C:\DOCUME~1\GWH\LOCALS~1\Temp\33682.exe   
2008-10-20 19:20:08 Generic Host Process for Win32 Services 修改 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher/TracesProcessed  

(创建 inf 文件,这里出现在 c 盘 创建 inf 的提示时点了“立即允许”,但接下来在其他盘下创建时卡巴没提示,直接被允许,个人认为卡巴的HIPS在某些特定设置下存在bug )
2008-10-20 19:20:16 Spooler SubSystem App 创建 C:\autorun.inf 已被允许: KLPrivateData/禁止分区自动运行/ KLPrivateData/禁止分区自动运行/
2008-10-20 19:20:16 Spooler SubSystem App 创建 D:\autorun.inf 已被允许: KLPrivateData/禁止分区自动运行/ KLPrivateData/禁止分区自动运行/
2008-10-20 19:20:16 Spooler SubSystem App 创建 E:\autorun.inf 已被允许: KLPrivateData/禁止分区自动运行/ KLPrivateData/禁止分区自动运行/
2008-10-20 19:20:16 Spooler SubSystem App 创建 F:\autorun.inf 已被允许: KLPrivateData/禁止分区自动运行/ KLPrivateData/禁止分区自动运行/
2008-10-20 19:20:16 Spooler SubSystem App 创建 G:\autorun.inf 已被允许: KLPrivateData/禁止分区自动运行/ KLPrivateData/禁止分区自动运行/
2008-10-20 19:20:16 Spooler SubSystem App 创建 H:\autorun.inf 已被允许: KLPrivateData/禁止分区自动运行/ KLPrivateData/禁止分区自动运行/
2008-10-20 19:20:16 Spooler SubSystem App 创建 I:\autorun.inf 已被允许: KLPrivateData/禁止分区自动运行/ KLPrivateData/禁止分区自动运行/
2008-10-20 19:20:16 Spooler SubSystem App 创建 J:\autorun.inf 已被允许: KLPrivateData/禁止分区自动运行/ KLPrivateData/禁止分区自动运行/
2008-10-20 19:20:17 Generic Host Process for Win32 Services 修改 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher/TracesProcessed   
2008-10-20 19:20:25 Codec.Update.v1_3368.exe 访问其它进程内存 c:\windows\system32\ctfmon.exe 已被允许: KLPrivileges/KLPermissionAppAccess/KLPermissionProcEmbed/KLReadProcMem KLPrivileges/KLPermissionAppAccess/KLPermissionProcEmbed/KLReadProcMem

(到这里手动结束出现的程序界面,没继续)
2008-10-20 19:20:31 Codec.Update.v1_3368.exe 退出进程 c:\windows\system32\ctfmon.exe 已被允许: KLPrivileges/KLPermissionAppAccess/KLPermissionProcManage/KLStopProc KLPrivileges/KLPermissionAppAccess/KLPermissionProcManage/KLStopProc
2008-10-20 19:20:33 Codec.Update.v1_3368.exe 退出进程 F:\病毒样本\Codec[1].Update.v1_3368.exe\Codec.Update.v1_3368.exe   


这个 autorun.inf 卡巴报“ Worm.Win32.AutoRun.qin ”,但在被卡巴自动删除后 Spooler SubSystem App  会不断自动重新创建,由于第一次出现创建的提示时点了“立即允许”,在自动创建时卡巴不再有提示。



autorun.inf 内容:

[autorun]
shellexecute="resycled\boot.com h:"
shell\Open\command="resycled\boot.com h:"
shell=Open


生成物

[ 本帖最后由 浪滔天 于 2008-10-20 19:43 编辑 ]

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
回复

举报

下一页 »
12下一页
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-7-16 10:48 , Processed in 0.128217 second(s), 18 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表