裸奔两天，刚刚中的毒

1e3e

好像自动加载，不过找不到自启动项，
确认是毒

文件 Program_Files.rar 接收于 2008.11.05 21:09:50 (CET)
当前状态: 正在读取 ... 队列中 等待中 扫描中 完成 未发现 停止

结果: 5/35 (14.29%)

正在读取服务器信息中...
您的文件所排队列位置: 1.
预计开始时间为 38 和 55 秒之间.
扫描完成前请勿关闭窗口.
目前针对您的文件所进行的扫描进程已停止, 我们将会在稍后恢复.
如果您的等候时间超过 5 分钟, 请重新发送文件.
您的文件目前正在被 VirusTotal 扫描中,
结果将会稍后完成时生成.

格式化文本
打印结果

您的文件已过期或不存在.
目前服务已停止, 您的文件将会稍后的未知时间内进行扫描 (位置:
). 您可以继续等待回应 (自动读取) 或者在下面的表单内输入您的电子邮件地址, 并按下 "获取", 当扫描完成时, 系统会自动给您发送电子邮件通知.  

Email:

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.11.5.3	2008.11.05	-
AntiVir	7.9.0.26	2008.11.05	-
Authentium	5.1.0.4	2008.11.05	-
Avast	4.8.1248.0	2008.11.05	-
AVG	8.0.0.161	2008.11.05	-
BitDefender	7.2	2008.11.05	BehavesLike:Win32.Malware
CAT-QuickHeal	9.50	2008.11.04	(Suspicious) - DNAScan
ClamAV	0.94.1	2008.11.05	-
DrWeb	4.44.0.09170	2008.11.05	-
eSafe	7.0.17.0	2008.11.05	-
eTrust-Vet	31.6.6193	2008.11.05	-
Ewido	4.0	2008.11.05	-
F-Prot	4.4.4.56	2008.11.05	-
F-Secure	8.0.14332.0	2008.11.05	-
Fortinet	3.117.0.0	2008.11.05	-
GData	19	2008.11.05	-
Ikarus	T3.1.1.45.0	2008.11.05	BehavesLike.Win32.Malware
K7AntiVirus	7.10.517	2008.11.05	-
Kaspersky	7.0.0.125	2008.11.05	-
McAfee	5424	2008.11.04	-
Microsoft	1.4005	2008.11.05	-
NOD32	3588	2008.11.05	-
Norman	5.80.02	2008.11.05	-
Panda	9.0.0.4	2008.11.05	-
PCTools	4.4.2.0	2008.11.05	-
Prevx1	V2	2008.11.05	-
Rising	21.02.22.00	2008.11.05	-
SecureWeb-Gateway	6.7.6	2008.11.05	Win32.Malware.gen (suspicious)
Sophos	4.35.0	2008.11.05	-
Sunbelt	3.1.1783.2	2008.11.05	VIPRE.Suspicious
TheHacker	6.3.1.1.140	2008.11.05	-
TrendMicro	8.700.0.1004	2008.11.05	-
VBA32	3.12.8.9	2008.11.05	-
ViRobot	2008.11.5.1453	2008.11.05	-
VirusBuster	4.5.11.0	2008.11.05	-

附加信息

File size: 1062479 bytes

MD5...: 5e34e476121aec26a547e771d67f02ad

SHA1..: 606734990c7ae05e5f2bc0e8ca433fec078ecbe2

SHA256: 90ba38ddc847402ef7ea5637dea26699b37d20a0bdf1ce636813b22a28285a6b

SHA512: 75608915693d7e014b116c37d99793cb629f365e4509340de6f263c13ab6e2c1 c347f6ee0dd22e450510307d3b169d22dba90d683de98223d0d79b3e0d5c5f88

PEiD..: -

TrID..: File type identification RAR Archive (83.3%) REALbasic Project (16.6%)

PEInfo: -

packers (F-Prot): Aspack

packers (Kaspersky): PE_Patch, PE_Patch

注意: VirusTotal 是 Hispasec Sistemas 提供的免费服务. 我们不保证任何该服务的可用性和持续性. 尽管使用多种反病毒引擎所提供的检测率优于使用单一产品, 但这些结果并不保证文件无害. 目前来说, 没有任何一种解决方案可以提供 100% 的病毒和恶意软件检测率. 如果您购买了一款声称具有此能力的产品, 那么您可能已经成为受害者.

1e3e

样本如下

1e3e

刚刚发现启动项，很拙
就是创建病毒服务
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS Service]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,43,00,6f,00,6d,00,6d,00,6f,00,6e,\
  00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,54,00,65,00,6e,00,63,00,65,00,\
  6e,00,74,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,\
  00,65,00,00,00
"DisplayName"="DNS Service"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS Service\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS Service\Enum]
"0"="Root\\LEGACY_DNS_SERVICE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows COM+ Service]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,57,00,69,00,6e,00,52,00,41,00,52,\
  00,5c,00,4d,00,69,00,72,00,5c,00,33,00,62,00,35,00,62,00,30,00,63,00,66,00,\
  64,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Windows COM+ Service"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows COM+ Service\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows COM+ Service\Enum]
"0"="Root\\LEGACY_WINDOWS_COM+_SERVICE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
不知道还有没有没发现的

[ 本帖最后由 1e3e 于 2008-11-6 05:09 编辑 ]

涛声依旧

你的机器裸奔2天就中毒了?我单位的电脑裸了快二个月了,还没出现问题.为什么裸奔?因为局长大人任可拿钱去喝酒,也不愿把钱扔到这个上面.呵呵!唉!单位电脑的悲哀!

纽约的麻雀

kis8.0  红伞无视

hzyw

西风萧雨

yybcym

还是EQ强大呀

maxutao

NIS 2009，MISS[:26:]

QQ.

江民无视