PCSL 可疑恶意网站每日分析 20081101

显示全部楼层 · 发表于 2008-10-31 23:34:33

http://tucows.netnitco.net/files/Setup_Registry_Defender.exe
http://www.pagefactorytest.nl/vvv/components/com_jce/videos.exe
http://www.ghiath.com/files/util/RRT.exe
http://ia-scanpro.com/download/IAInstalld.exe
http://ia-scanpro.com/download/IAInstall.exe
http://www.lwstats.com/11/PLAY-MOVIE.exe

复制代码

显示全部楼层 · 发表于 2008-10-31 23:51:44

http://www.pagefactorytest.nl/vvv/components/com_jce/videos.exe 下不了

http://www.ghiath.com/files/util/RRT.exe
http://ia-scanpro.com/download/IAInstall.exe
http://www.lwstats.com/11/PLAY-MOVIE.exe

[ 本帖最后由 Kitman 于 2008-10-31 23:55 编辑 ]

显示全部楼层 · 发表于 2008-10-31 23:54:21

File ID    Filename    Size (Byte) Result
25177245    Downloads.rar 200.22 KB OK
A listing of files contained inside archives alongside their results can be found below:

File ID    Filename    Size (Byte) Result
25177246    PLAY-MOVIE.exe    140 KB    UNDER ANALYSIS
2227728    RRT.exe    49.27 KB    FALSE POSITIVE
25177237    IAInstall.exe    53 KB    UNDER ANALYSIS

File ID    Filename    Size (Byte) Result
25177248    Setup_Registry_De...er.exe    2.66 MB    UNDER ANALYSIS

[ 本帖最后由 Kitman 于 2008-11-1 00:01 编辑 ]

显示全部楼层 · 发表于 2008-10-31 23:57:17

PLAY-MOVIE.exe
报HEUR_Malware
看来楼上没开高启发...
程序:
C:\DOCUMENTS AND SETTINGS\***.18F12FE200FB45E\桌面\ANTI-VIRUS LAB\RUN VIRUS LAB\DOWNLOADS\IAINSTALL.EXE
木马程序生成以下文件:
1) C:\SANDBOX\***\DEFAULTBOX\DRIVE\C\PROGRAM FILES\COMMON FILES\FILE.EXE
2) C:\SANDBOX\***\DEFAULTBOX\USER\CURRENT\APPLICATION DATA\MICROSOFT\WINDOWS\WINLOGON.EXE
3) C:\SANDBOX\***\DEFAULTBOX\DRIVE\C\PROGRAM FILES\COMMON FILES\INTERNETANTIVIRUSPRO.EXE
是否删除木马程序及其衍生物?
IAINSTALL.EXE过红伞扫描，运行时报生成物、同时微点报可疑文件..

RRT是啥东西...没看出来...

没时间到虚拟机看了...总之沙盘啥都没看出来........

[ 本帖最后由 aarwwefdds 于 2008-11-1 00:05 编辑 ]

显示全部楼层 · 发表于 2008-11-1 00:00:52

有開~ 启发都要上報

显示全部楼层 · 发表于 2008-11-1 00:09:50

RRT脱壳后红伞报

不过RRT到底是啥没看出来，FakeAV?
部分东西
0000C438 0040D238    0 Software\Microsoft\Windows\CurrentVersion\
0000C494 0040D294    0 SOFTWARE\Policies\Microsoft\Internet Explorer\
0000C52C 0040D32C    0 \shell\add\command
0000C558 0040D358    0 :\program files\Internet explorer\iexplore http://
0000C5C4 0040D3C4    0 en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6
0000CCA8 0040DAA8    0 Explorer\Advanced\Folder\Hidden\NOHIDDEN
0000CD00 0040DB00    0 CheckedValue
0000CD20 0040DB20    0 Explorer\Advanced\Folder\Hidden\SHOWALL
0000CD74 0040DB74    0 NoRun
0000CD84 0040DB84    0 System\CurrentControlSet\Services\SharedAccess
0000CDE8 0040DBE8    0 Start
0000CDF8 0040DBF8    0 System\CurrentControlSet\Services\wscsvc
0000CE50 0040DC50    0 NoBrowserContextMenu
0000CE80 0040DC80    0 System\CurrentControlSet\Services\wuauserv
0000CF70 0040DD70    0 HomePage
0000CF88 0040DD88    0 Restrictions
0000D5D0 0040E3D0    0 SOFTWARE\Classes\
0000D608 0040E408    0 \shell\open
0000D624 0040E424    0 \shell\open\command
0000D650 0040E450    0 "%1"
0000D660 0040E460    0 \shell\print
0000D680 0040E480    0 \shell\print\command
0000D6B0 0040E4B0    0 /p "%1"
0000D6C8 0040E4C8    0 &Install
0000D6E0 0040E4E0    0 \shell\add
0000D6FC 0040E4FC    0 /a "%1"
0000D714 0040E514    0 \shell\new\command
0000D740 0040E540    0 /n "%1"
0000D758 0040E558    0 \DefaultIcon
0000D780 0040E580    0 Invalid parameter list passed to CreateAdditionalEXEAssociations - expected Name/Text/Command
0000D840 0040E640    0 Error - attempt to create additional associations before class defined.
0000D8D4 0040E6D4    0 \shell\
0000D8F4 0040E6F4    0 \command

显示全部楼层 · 发表于 2008-11-1 08:56:15

Hello,

New malicious software was found in these files. Detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Ilya Tolstikhin
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

[ 本帖最后由 syfwxmh 于 2008-11-1 08:58 编辑 ]

显示全部楼层 · 发表于 2008-11-1 08:57:18

以上为文件解压后上报结果

[已鉴定] PCSL 可疑恶意网站每日分析 20081101

回复 4楼 aarwwefdds 的帖子