Rootkit.Win32.InsApc.m postcard.exe

Nblock

Recently, a new Worm/Trojan has been very "popular" in our Net world. This worm uses email and various phishing Web sites to spread and infect computers. When the worm breaks into the system, it installs a kernel driver to protect itself. With the help of the driver, it then injects and runs malicious code from the legitimate process "services.exe". So, it can bypass firewalls easily and open a back door for the bad guys.

This worm contains an SMTP client engine and a peer-to-peer client component. Obviously, these components are prepared for spamming or mass-mailing purposes.

During my research, I found that this worm used variousrootkit techniques to protect itself (such as hiding files, registers, ports, and the like), so it's not easily detected and removed. The worm also used a custom packer and encryption to protect itself. In the driver that the worm dropped, we learned that it employs a user-mode APC to inject malicious code (embedded) into the process named "services.exe".




http://blog.csdn.net/Kendiv/archive/2008/10/15/3078531.aspx

Kaspersky

-

-

Email-Worm.Win32.Zhelatin.afy

Rising

-

-

Worm.Mail.Win32.Zhelatin.aga

yurius

McAfee 已自动阻止和删除 病毒。

关于此 病毒
已检测到: W32/Nuwar@MM (病毒), W32/Nuwar@MM (病毒)
位置: C:\Documents and Settings\xxx\桌面\virus\postcard.exe

病毒是一种可以自我复制的程序，可能会损害您的计算机、危害其安全性并损坏重要文件。

hzyw

mofunzone

Starting the file scan:

Begin scan in 'C:\Users\morgan\Desktop\postcard.rar'
C:\Users\morgan\Desktop\
  postcard.rar
    [0] Archive type: RAR
    --> postcard.exe
      [DETECTION] Contains recognition pattern of the WORM/Zhelatin.ZM worm
    [NOTE]      The file was deleted!

aerbeisi

F:\postcard.rar > RAR > postcard.exe - Win32/Nuwar.DG 蠕虫 的变种

欠妳緈諨

Sherry.ai

Worm.Mail.Win32.Zhelatin.aga瑞星秒

kingmuro

诺顿10.1版本  杀

niu880601

运行w32tm.exe,意图改时间!

lingbo110120

postcard.exe - Win32/Nuwar.DG 蠕虫 的变种
NOD KILL