Views: 5616 | Replies: 14

[Virus sample] Kaspersky says there is no threat

ivyshark
Posted on 2007-1-6 09:55:56
A trojan that keeps trying to access the network

[ This post was last edited by ALEXBLAIR on 2007-1-8 19:01 ]

绅博周幸
Posted on 2007-1-6 11:59:10
File:  msauth.rar  
Status:  INFECTED/MALWARE  
MD5  249f105043cb6492f1c43ee8fa7e4e00  
Packers detected:  NAKEDPACK

Scanner results  
Scan taken on 06 Jan 2007 04:01:20 (GMT)  
AntiVir  Found HEUR/Crypted  
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found Backdoor.SDBot.GT  
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found W32/Ircbot1.gen  
F-Secure Anti-Virus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found a variant of Win32/Rbot  
Norman Virus Control  Found nothing
VirusBuster  Found nothing
VBA32  Found Backdoor.Bifrose.15 (probable variant)  
jimmyleo
Posted on 2007-1-6 12:03:42
Antivirus Version Update Result
AntiVir 7.3.0.21 01.05.2007 TR/Agent.63488
Authentium 4.93.8 12.30.2006 W32/Ircbot1.gen
Avast 4.7.892.0 12.30.2006  no virus found
AVG 386 01.05.2007  no virus found
BitDefender 7.2 01.06.2007 Backdoor.SDBot.GT
CAT-QuickHeal 9.00 01.05.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.06.2007  no virus found
DrWeb 4.33 01.05.2007  no virus found
eSafe 7.0.14.0 01.05.2007 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.107 01.06.2007  no virus found
eTrust-Vet 30.3.3306 01.06.2007  no virus found
Ewido 4.0 01.05.2007  no virus found
Fortinet 2.82.0.0 01.06.2007 suspicious
F-Prot 3.16f 01.05.2007 W32/Ircbot1.gen
F-Prot4 4.2.1.29 01.05.2007 W32/CrazyCrunch-based!Maximus
Ikarus T3.1.0.27 01.05.2007  no virus found
Kaspersky 4.0.2.24 01.06.2007  no virus found
McAfee 4933 01.05.2007  no virus found
Microsoft 1.1904 01.06.2007  no virus found
NOD32v2 1959 01.05.2007 a variant of Win32/Rbot
Norman 5.80.02 12.31.2007  no virus found
Panda 9.0.0.4 01.05.2007 Suspicious file
Prevx1 V2 01.06.2007 Worm.Ircbot.Gen
Sophos 4.13.0 01.05.2007  no virus found
Sunbelt 2.2.907.0 01.05.2007 VIPRE.Suspicious
TheHacker 6.0.3.143 01.05.2007  no virus found
UNA 1.83 01.04.2007  no virus found
VBA32 3.11.1 01.06.2007 suspected of Backdoor.Bifrose.15
VirusBuster 4.3.19:9 01.05.2007 no virus found
dikex
Posted on 2007-1-6 13:52:37
Clearly a virus. When run, it creates msauth.exe under C:\WINDOWS\system32, which is the original file itself, and then deletes the original.

It writes the following entries to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corp TLS Certificates  Data: msauth.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Corp TLS Certificates  Data: msauth.exe
HKLM\SOFTWARE\Microsoft\Ole\Microsoft Corp TLS Certificates  Data: msauth.exe
HKLM\SYSTEM\ControlSet001\Control\Lsa\Microsoft Corp TLS Certificates  Data: msauth.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corp TLS Certificates  Data: msauth.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Corp TLS Certificates  Data: msauth.exe
HKCU\SOFTWARE\Microsoft\Ole\Microsoft Corp TLS Certificates  Data: msauth.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\Microsoft Corp TLS Certificates  Data: msauth.exe


It modifies the hosts file to block common anti-virus websites by mapping their domains to 127.0.0.1.


[ This post was last edited by dikex on 2007-1-6 13:55 ]


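An added Python example (not code from this thread) that turns dikex's findings into offline triage checks: it flags the autorun value pointing at msauth.exe in the Run, RunServices, Ole and Lsa keys, and hosts-file lines that pin security-vendor domains to a loopback address. The registry entries and hosts text below are constructed samples; on a live machine they would be read from a registry export and from %SystemRoot%\System32\drivers\etc\hosts.

```python
import re

# Autorun locations from the post (hive prefix stripped, lower-cased); the value name
# was "Microsoft Corp TLS Certificates" with data msauth.exe in every one of them.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\ole",
    r"system\currentcontrolset\control\lsa",
)
# Ole and Lsa never legitimately hold a startup executable, so any value there is a hit.
UNUSUAL_KEYS = AUTORUN_KEYS[2:]
# Subset of the vendor domains the sample blackholes through the hosts file.
SECURITY_DOMAINS = ("symantec.com", "mcafee.com", "kaspersky.com", "sophos.com",
                    "f-secure.com", "trendmicro.com", "microsoft.com", "virustotal.com")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def normalize_key(key):
    """Lower-case, drop the HKLM/HKCU prefix and fold ControlSet001 -> CurrentControlSet."""
    tail = key.split("\\", 1)[1] if "\\" in key else key
    return re.sub(r"controlset\d+", "currentcontrolset", tail.lower())

def find_suspicious_autoruns(entries):
    """entries: (key, value_name, data) tuples, e.g. parsed from a registry export.
    Flags data that names msauth.exe, or any value in a key that should hold none."""
    hits = []
    for key, name, data in entries:
        k = normalize_key(key)
        if k in AUTORUN_KEYS and ("msauth.exe" in data.lower() or k in UNUSUAL_KEYS):
            hits.append((key, name, data))
    return hits

def find_hosts_blackholes(hosts_text):
    """Return (ip, hostname) pairs that pin a security-vendor domain to a loopback address."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()        # strip comments, tokenize
        if len(fields) < 2 or fields[0] not in LOOPBACK:
            continue
        for host in fields[1:]:                        # a hosts line may list several names
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((fields[0], host))
    return hits

# Constructed sample input mirroring the post's findings, plus one benign autorun.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Corp TLS Certificates", "msauth.exe"),
    (r"HKLM\SYSTEM\ControlSet001\Control\Lsa", "Microsoft Corp TLS Certificates", "msauth.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SynTPEnh", r"C:\Program Files\Synaptics\SynTPEnh.exe"),
]
SAMPLE_HOSTS = ("# constructed hosts file\n127.0.0.1 localhost\n127.0.0.1 www.symantec.com\n"
                "127.0.0.1 update.symantec.com virustotal.com\n")
```

Running `find_suspicious_autoruns(SAMPLE_AUTORUNS)` returns the two msauth.exe entries and `find_hosts_blackholes(SAMPLE_HOSTS)` returns the three vendor hostnames; the Synaptics entry and the localhost line are left alone.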
绅博周幸
Posted on 2007-1-6 13:54:54
Backdoor.Win32.Rbot.bua
ly250094040
Posted on 2007-1-6 14:33:02
Tried it.

NOD only detects it with high heuristics turned on.
绅博周幸
Posted on 2007-1-6 16:36:02
Kaspersky Internet Security 6.0
The requested URL http://uni.kpfans.com/bbs/attachment.php?aid=20998 is infected with Backdoor.Win32.Rbot.bub virus
dikex
Posted on 2007-1-6 16:39:19
KAV 6 shows no reaction...
Is the update delayed? Could it be the earthquake causing trouble again?
绅博周幸
Posted on 2007-1-6 16:40:53
Update to the latest version and it can be killed; the update from 2 minutes ago catches it.
dikex
Posted on 2007-1-6 16:43:17
Indeed, I just finished updating and it can be killed now.
Copyright © KaFan  KaFan.cn All Rights Reserved.