Views: 2963 | Replies: 8

[Virus sample] MS08-067.D

小飞侠.net
Posted 2008-11-11 13:58:00
MS08-067.D

Filseclab doesn't fire on it, reporting it.

Norman SandBox

小 : INFECTED with W32/Packed_Upack.H (Signature: W32/Packed_Upack.H)


[ DetectionInfo ]
   * Sandbox name: W32/Packed_Upack.H
   * Signature name: W32/Packed_Upack.H
   * Compressed: YES
   * TLS hooks: YES
   * Executable type: Application
   * Executable file structure: OK
   * Filetype: PE_I386

[ General information ]
   * Accesses executable file from resource section.
   * Decompressing UPX3.
   * Creating several executable files on hard-drive.
   * File length:        43766 bytes.
   * MD5 hash: 9f7805855ce80de5a0abb72495c965e0.

[ Changes to filesystem ]
   * Creates file C:\WINDOWS\SYSTEM32\drivers\system.exe.

[ Changes to registry ]
   * Accesses Registry key "HKCU\Software\Borland\Locales".
   * Accesses Registry key "HKLM\Software\Borland\Locales".
   * Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".

[ Network services ]
   * Connects to "222.215.230.37" on port 80 (TCP).
   * Opens URL: 222.215.230.37/ip/ip.asp.

[ Network ]
   * Connection to resource "\\192.168.0.2\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.3\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.4\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.5\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.6\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.7\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.8\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.9\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.10\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.11\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.12\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.13\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.14\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.15\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.16\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.17\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.18\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.19\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.20\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.21\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.22\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.23\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.24\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.25\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.26\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.27\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.28\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.29\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.30\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.31\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.32\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.33\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.34\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.35\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.36\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.37\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.38\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.39\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.40\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.41\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.42\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.43\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.44\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.45\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.46\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.47\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.48\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.49\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.50\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.51\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.52\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.53\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.54\IPC$" with username= and password=.
   * Connection to resource "\\192.168.0.55\IPC$" with username= and password=.

[ Process/window information ]
   * Creates an event called .
   * Attempts to open C:\WINDOWS\SYSTEM32\drivers\system.exe 192.168.0.2 ht tp://58.53.128.111/p.exe.
   * Creates process "system.exe".
   * Attempts to open C:\WINDOWS\SYSTEM32\drivers\systema.exe MZP.3 ht tp://58.53.128.111/w.exe.

[ Signature Scanning ]
   * C:\WINDOWS\SYSTEM32\drivers\system.exe (5120 bytes) : no signature detection.

Online sandbox 2: ht tp://www.threatexpert.com/report.aspx?md5=9f7805855ce80de5a0abb72495c965e0

File arpw.rar received on 2008.11.11 06:29:10 (CET)
Result: 28/36 (77.78%)
Antivirus engine  Version  Last updated  Scan result
AhnLab-V3 2008.11.11.0 2008.11.10 -
AntiVir 7.9.0.29 2008.11.10 TR/Expl.IMG-WMF.EX.2
Authentium 5.1.0.4 2008.11.10 W32/D_Downloader!GSA
Avast 4.8.1248.0 2008.11.10 Win32:SdBot-gen44
AVG 8.0.0.161 2008.11.11 HackTool.FUV
BitDefender 7.2 2008.11.11 MemScan:Exploit.MS08-067.D
CAT-QuickHeal 9.50 2008.11.11 Win32.VirTool.DelfInject.gen!X.2
ClamAV 0.94.1 2008.11.11 Exploit.MS08-067
DrWeb 4.44.0.09170 2008.11.10 -
eSafe 7.0.17.0 2008.11.10 Win32.Looked.gen
eTrust-Vet 31.6.6203 2008.11.11 -
Ewido 4.0 2008.11.10 -
F-Prot 4.4.4.56 2008.11.10 W32/D_Downloader!GSA
F-Secure 8.0.14332.0 2008.11.11 W32/Packed_Upack.H
Fortinet 3.117.0.0 2008.11.11 -
GData 19 2008.11.11 MemScan:Exploit.MS08-067.D
Ikarus T3.1.1.45.0 2008.11.11 Trojan-Spy.Win32.Banker.anv
K7AntiVirus 7.10.521 2008.11.10 Generic.Packed.Upack
Kaspersky 7.0.0.125 2008.11.11 Exploit.Win32.IMG-WMF.fk
McAfee 5430 2008.11.10 New Malware.n
Microsoft 1.4104 2008.11.11 Exploit:Win32/MS08067.gen!A
NOD32 3601 2008.11.11 Win32/Exploit.MS08-067.A
Norman 5.80.02 2008.11.10 W32/Packed_Upack.H
Panda 9.0.0.4 2008.11.10 Suspicious file
PCTools 4.4.2.0 2008.11.10 Packed/Upack
Prevx1 V2 2008.11.11 -
Rising 21.03.10.00 2008.11.11 Hack.Exploit.Win32.MS08-067.c
SecureWeb-Gateway 6.7.6 2008.11.10 Trojan.Expl.IMG-WMF.EX.2
Sophos 4.35.0 2008.11.11 Mal/Delf-M
Sunbelt 3.1.1785.2 2008.11.11 Trojan.Win32.Packed.gen (v)
Symantec 10 2008.11.11 -
TheHacker 6.3.1.1.147 2008.11.10 W32/Behav-Heuristic-060
TrendMicro 8.700.0.1004 2008.11.11 Cryp_Upack
VBA32 3.12.8.9 2008.11.10 suspected of Embedded.Exploit.Win32.IMG-WMF.ex
ViRobot 2008.11.11.1460 2008.11.11 -
VirusBuster 4.5.11.0 2008.11.10 Packed/Upack
Additional information
File size: 43397 bytes
MD5...: fa4bc03dd0794f3d16fb598ab3868927
SHA1..: 25b5effe00dc63bfa79fcc5a12ce84b01973c522
SHA256: 28e4669a71c2a62d8326c75d9b19bc2a104ed6b333b107c7a8e477bd97f39592
SHA512: afdce8aa133d8b98e64016675d378bff5a0cf3b4e31833bbb53d719e977640f6
ee582815094252a7bfe52dd8f23efee04fd3b720c1263370a193fe01fd36c196
PEiD..: -
TrID..: File type identification
RAR Archive (83.3%)
REALbasic Project (16.6%)
PEInfo: -
packers (Avast): Upack, UPX
packers (Kaspersky): UPack, PE_Patch.UPX, UPX
packers (F-Prot): UPack
packers (Authentium): UPack


VirSCAN.org Scanned Report :
Scanned time   : 2008/11/11 13:29:03 (CST)
Scanner results: 44% of scanners (17/39) reported a virus
File Name      : arpw.rar
File Size      : 43397 byte
File Type      : RAR archive data, v1d, os
MD5            : fa4bc03dd0794f3d16fb598ab3868927
SHA1           : 25b5effe00dc63bfa79fcc5a12ce84b01973c522
Online report  : ht tp://virscan.org/report/78a02eab3190851675bb1468d5ce8bea.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.0.0.23        2008.11.03        2008-11-03  1.53   -
AhnLab V3      2008.11.11.01   2008.11.11        2008-11-11  0.97   -
AntiVir        7.9.0.29        7.1.0.65          2008-11-10  1.54   TR/Expl.IMG-WMF.EX.2
Antiy          2.0.18          20081108.1564159  2008-11-08  0.12   -
Arcavir        1.0.5           200811061144      2008-11-06  1.31   -
Authentium     5.1.1           200811102045      2008-11-10  1.69   W32/D_Downloader!GSA (Possible)
AVAST!         3.0.1           081110-1          2008-11-10  0.74   -
AVG            7.5.52.442      270.9.0/1780      2008-11-10  2.93   -
BitDefender    7.60825.2124262 7.21800           2008-11-11  4.40   MemScan:Exploit.MS08-067.D
CA (VET)       9.0.0.143       31.6.6203         2008-11-11  5.09   -
ClamAV         0.94            8606              2008-11-11  0.09   Exploit.MS08-067
Comodo         2.11            2.0.0.703         2008-11-10  0.42   -
CP Secure      1.1.0.715       2008.11.11        2008-11-11  6.46   -
Dr.Web         4.44.0.9170     2008.11.10        2008-11-10  3.91   -
ewido          4.0.0.2         2008.11.10        2008-11-10  3.31   -
F-Prot         4.4.4.56        20081110          2008-11-10  1.53   W32/D_Downloader!GSA (generic, not disinfectable)
F-Secure       5.51.6100       2008.11.11.01     2008-11-11  3.79   -
Fortinet       2.81-3.117      9.700             2008-11-10  0.43   -
GData          19.1470/19.99   20081111          2008-11-11  2.72   -
ViRobot        20081110        2008.11.10        2008-11-10  0.40   -
Ikarus         T3.1.01.45      2008.11.11.71832  2008-11-11  3.40   Trojan-Spy.Win32.Banker.anv
Jiangmin       11.0.706        2008.11.10        2008-11-10  1.32   -
Kaspersky      5.5.10          2008.11.11        2008-11-11  0.09   -  (Doesn't fire? Is it the engine, or out-of-sync updates?)
Kingsoft       2008.9.8.18     2008.11.10.20     2008-11-10  0.73   -
McAfee         5.3.00          5430              2008-11-10  2.46   New Malware.n
Microsoft      1.4104          2008.11.11        2008-11-11  4.13   Exploit:Win32/MS08067.gen!A
mks_vir        2.01            2008.11.10        2008-11-10  2.81   -
Norman         5.93.01         5.93.00           2008-11-10  5.23   W32/Packed_Upack.H
Panda          9.05.01         2008.11.10        2008-11-10  2.74   Suspicious file
Trend Micro    8.700-1004      5.648.01          2008-11-10  0.78   Cryp_Upack
Quick Heal     9.50            2008.11.11        2008-11-11  2.04   Win32.VirTool.DelfInject.gen!X.2
Rising         20.0            21.03.10.00       2008-11-11  1.65   Hack.Exploit.Win32.MS08-067.c
Sophos         2.80.0          4.35              2008-11-11  2.04   Mal/Delf-M
Sunbelt        3.1.1785.2      4374              2008-11-04  1.40   Trojan.Win32.Packed.gen (v)
Symantec       1.3.0.24        20081110.003      2008-11-10  0.10   -
nProtect       2008-11-10.00   2384701           2008-11-10  5.85   -
The Hacker     6.3.1.1         v00147            2008-11-10  0.47   W32/Behav-Heuristic-060
VBA32          3.12.8.9        20081109.2030     2008-11-09  1.99   Embedded.Exploit.Win32.IMG-WMF.ex (suspicious)
VirusBuster    4.5.11.10       10.92.3/671409    2008-11-10  1.00   -
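The Norman SandBox report in this post is the most useful part of the thread for a responder: it shows the dropper writing system.exe under drivers\, beaconing to 222.215.230.37 over port 80, pulling p.exe and w.exe from 58.53.128.111, and then walking 192.168.0.2 through .55 with empty-credential IPC$ connections, which is the lateral-movement scan the engine names (MS08-067) refer to. The report itself does not show the RPC request, only the IPC$ sweep. The following is an added example, not code from the post or from Norman, that parses that report text into indicators and flags the null-session sweep as a behavioural signature. The report excerpt is copied from the post; the IPC$ block is regenerated from the range the report lists rather than pasted, and the defanged "ht tp://" spelling is kept as it appears on the page. The regexes and the run-length threshold are my own choices.

```python
import re
import ipaddress

# Sample input: the Norman SandBox report from this post, reduced to the sections
# the extractor reads. The [ Network ] block is regenerated from the range the
# report lists (192.168.0.2 through .55). The "ht tp://" defanging is as on the page.
REPORT_HEAD = r"""
[ General information ]
   * File length:        43766 bytes.
   * MD5 hash: 9f7805855ce80de5a0abb72495c965e0.

[ Changes to filesystem ]
   * Creates file C:\WINDOWS\SYSTEM32\drivers\system.exe.

[ Network services ]
   * Connects to "222.215.230.37" on port 80 (TCP).
   * Opens URL: 222.215.230.37/ip/ip.asp.

[ Network ]
"""
REPORT_IPC = "\n".join(
    f'   * Connection to resource "\\\\192.168.0.{i}\\IPC$" with username= and password=.'
    for i in range(2, 56)
)
REPORT_TAIL = r"""

[ Process/window information ]
   * Attemps to open C:\WINDOWS\SYSTEM32\drivers\system.exe 192.168.0.2 ht tp://58.53.128.111/p.exe.
   * Creates process "system.exe".
   * Attemps to open C:\WINDOWS\SYSTEM32\drivers\systema.exe MZP.3 ht tp://58.53.128.111/w.exe.
"""
REPORT = REPORT_HEAD + REPORT_IPC + REPORT_TAIL

# Patterns for the Norman report phrasing (my own; written against the lines above).
RE_MD5 = re.compile(r"MD5 hash: ([0-9a-fA-F]{32})")
RE_DROP = re.compile(r"Creates file (\S+)\.")
RE_CONN = re.compile(r'Connects to "(\d{1,3}(?:\.\d{1,3}){3})" on port (\d+) \((\w+)\)')
RE_URL = re.compile(r"Opens URL: (\S+)\.")
RE_DL = re.compile(r"ht ?tps?://(\S+)")          # tolerates the "ht tp" defanging
RE_IPC = re.compile(
    r'Connection to resource "\\\\(\d{1,3}(?:\.\d{1,3}){3})\\IPC\$" '
    r"with username=(\S*) and password=(\S*)\."
)


def extract_iocs(report):
    """Pull the indicators a responder would block or hunt for out of the report text."""
    m = RE_MD5.search(report)
    return {
        "md5": m.group(1).lower() if m else None,
        "dropped_files": RE_DROP.findall(report),
        "connections": [(ip, int(port), proto) for ip, port, proto in RE_CONN.findall(report)],
        "urls": RE_URL.findall(report),
        "download_urls": [u.rstrip(".") for u in RE_DL.findall(report)],
        "ipc_targets": [(ip, user, pw) for ip, user, pw in RE_IPC.findall(report)],
    }


def null_session_sweeps(ipc_targets, min_run=8):
    """Return (first, last, count) for each run of >= min_run consecutive hosts that
    were hit with an empty username and password. One null session is ordinary
    noise; dozens of adjacent hosts in a row is a scanner."""
    hosts = sorted({int(ipaddress.ip_address(ip))
                    for ip, user, pw in ipc_targets if user == "" and pw == ""})
    runs, start, prev = [], None, None
    for n in hosts:
        if prev is not None and n == prev + 1:
            prev = n
            continue
        if start is not None:
            runs.append((start, prev))
        start = prev = n
    if start is not None:
        runs.append((start, prev))
    return [(str(ipaddress.ip_address(s)), str(ipaddress.ip_address(e)), e - s + 1)
            for s, e in runs if e - s + 1 >= min_run]


if __name__ == "__main__":
    iocs = extract_iocs(REPORT)
    for key, value in iocs.items():
        if key != "ipc_targets":
            print(f"{key}: {value}")
    for first, last, count in null_session_sweeps(iocs["ipc_targets"]):
        print(f"null-session IPC$ sweep: {first} .. {last} ({count} hosts)")
```

The sweep detector keys on empty credentials plus adjacency, not on the IPC$ share name alone, so a single administrative null session to one host does not trip it while the 54-host run in this report does.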

KOI9009
Posted 2008-11-11 14:56:45
Kaspersky
2008/11/11 14:55:50        Detected: Exploit.Win32.IMG-WMF.fk        Maxthon Browser                http://bbs.kafan.cn/attachment.p ... //PE_Patch.UPX//UPX
linjw
Posted 2008-11-11 14:58:17
Begin scan in 'D:\arpw.rar'
D:\arpw.rar
    [0] Archive type: RAR
      --> arpw.exe
        --> Object
          [2] Archive type: RSRC
          --> Object
            [DETECTION] Is the TR/Expl.IMG-WMF.EX.2 Trojan
    [NOTE]      A backup was created as '49892d5b.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
kkgh
Posted 2008-11-11 16:58:42
Norton's heuristics killed it.
will
Posted 2008-11-11 17:05:49

Multi Command-Line Scanner Report
-------------------------------------------------------------------------   
D:\Desk\Samples\Collect\MCLS\arpw.exe   
Type: DOS Executable Generic / Extension: .EXE   
MD5 Hash: 9F7805855CE80DE5A0ABB72495C965E0   

A-squared ----- Trojan-Spy.Win32.Banker.anv!IK    
Avast ----- Win32:SdBot-gen44 [Trj]    
Avg ----- HackTool.FUV     
Antivir ----- TR/Expl.IMG-WMF.EX.2    
BitDefender ----- MemScan:Exploit.MS08-067.D    
ClamWin ----- Exploit.MS08-067    
Dr.Web ----- Nothing   
Eset ----- Win32/Exploit.MS08-067.A trojan    
Ikarus ----- Trojan-Spy.Win32.Banker.anv    
Jiangmin ----- Nothing   
Kingsoft ----- Nothing   
Vba32 ----- Embedded.Exploit.Win32.IMG-WMF.ex    

*** 9/12 antivirus engines found virus in this file ***   
-------------------------------------------------------------------------   

Task done @ 2008/11/11 Tue 17:05:26.31   
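The multi-engine results in this thread (the 36-engine table in the first post and the 12-engine report above) show the usual problem with "N/M detected" ratios: the names disagree on what the file is. Some engines call it an MS08-067 exploit, some an IMG-WMF exploit, several only name the packer (W32/Packed_Upack.H, Packed/Upack, Cryp_Upack), and the rest are generic or heuristic labels. A packer-only verdict says nothing about the family, so the headline ratio overstates how many engines actually identified the sample. The following is an added example, not part of the thread, that parses the first post's table and buckets each verdict by what it actually asserts. The table is copied from the page; the keyword rules are my own heuristic and the bucket names are assumptions.

```python
from collections import Counter

# Sample input: the 36-engine scan table from the first post (engine, engine
# version, signature date, verdict), copied from the page.
SCAN_TABLE = """\
AhnLab-V3 2008.11.11.0 2008.11.10 -
AntiVir 7.9.0.29 2008.11.10 TR/Expl.IMG-WMF.EX.2
Authentium 5.1.0.4 2008.11.10 W32/D_Downloader!GSA
Avast 4.8.1248.0 2008.11.10 Win32:SdBot-gen44
AVG 8.0.0.161 2008.11.11 HackTool.FUV
BitDefender 7.2 2008.11.11 MemScan:Exploit.MS08-067.D
CAT-QuickHeal 9.50 2008.11.11 Win32.VirTool.DelfInject.gen!X.2
ClamAV 0.94.1 2008.11.11 Exploit.MS08-067
DrWeb 4.44.0.09170 2008.11.10 -
eSafe 7.0.17.0 2008.11.10 Win32.Looked.gen
eTrust-Vet 31.6.6203 2008.11.11 -
Ewido 4.0 2008.11.10 -
F-Prot 4.4.4.56 2008.11.10 W32/D_Downloader!GSA
F-Secure 8.0.14332.0 2008.11.11 W32/Packed_Upack.H
Fortinet 3.117.0.0 2008.11.11 -
GData 19 2008.11.11 MemScan:Exploit.MS08-067.D
Ikarus T3.1.1.45.0 2008.11.11 Trojan-Spy.Win32.Banker.anv
K7AntiVirus 7.10.521 2008.11.10 Generic.Packed.Upack
Kaspersky 7.0.0.125 2008.11.11 Exploit.Win32.IMG-WMF.fk
McAfee 5430 2008.11.10 New Malware.n
Microsoft 1.4104 2008.11.11 Exploit:Win32/MS08067.gen!A
NOD32 3601 2008.11.11 Win32/Exploit.MS08-067.A
Norman 5.80.02 2008.11.10 W32/Packed_Upack.H
Panda 9.0.0.4 2008.11.10 Suspicious file
PCTools 4.4.2.0 2008.11.10 Packed/Upack
Prevx1 V2 2008.11.11 -
Rising 21.03.10.00 2008.11.11 Hack.Exploit.Win32.MS08-067.c
SecureWeb-Gateway 6.7.6 2008.11.10 Trojan.Expl.IMG-WMF.EX.2
Sophos 4.35.0 2008.11.11 Mal/Delf-M
Sunbelt 3.1.1785.2 2008.11.11 Trojan.Win32.Packed.gen (v)
Symantec 10 2008.11.11 -
TheHacker 6.3.1.1.147 2008.11.10 W32/Behav-Heuristic-060
TrendMicro 8.700.0.1004 2008.11.11 Cryp_Upack
VBA32 3.12.8.9 2008.11.10 suspected of Embedded.Exploit.Win32.IMG-WMF.ex
ViRobot 2008.11.11.1460 2008.11.11 -
VirusBuster 4.5.11.0 2008.11.10 Packed/Upack
"""

# Heuristic bucket rules (my own), checked in order: a verdict that names the
# exploit wins over one that only names the packer.
FAMILY_RULES = [
    ("exploit:ms08-067", lambda v: "ms08067" in v.replace("-", "")),
    ("exploit:wmf", lambda v: "wmf" in v),
    ("packer-only", lambda v: any(k in v for k in ("upack", "upx", "packed"))),
]


def parse_table(text):
    """Rows are 'engine version sigdate verdict...'; the verdict may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        verdict = parts[3].strip() if len(parts) == 4 else "-"
        rows.append((parts[0], parts[1], parts[2], verdict))
    return rows


def classify(verdict):
    v = verdict.lower()
    if v == "-":
        return "clean"
    for name, rule in FAMILY_RULES:
        if rule(v):
            return name
    return "generic/heuristic"


def summarize(text):
    rows = parse_table(text)
    counts = Counter(classify(v) for *_, v in rows)
    return {"engines": len(rows), "detected": len(rows) - counts["clean"], "by_class": dict(counts)}


def engines_for(text, cls):
    return sorted(e for e, *_, v in parse_table(text) if classify(v) == cls)


if __name__ == "__main__":
    s = summarize(SCAN_TABLE)
    print(f"{s['detected']}/{s['engines']} detected; by class: {s['by_class']}")
    print("named the MS08-067 exploit:", engines_for(SCAN_TABLE, "exploit:ms08-067"))
```

On this table the 28/36 headline breaks down into 6 engines naming MS08-067, 4 naming a WMF exploit, 7 reporting only the Upack/UPX packer and 11 generic or heuristic hits, which is a more honest reading than 77.78%.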
Palkia
Posted 2008-11-11 18:09:19
Deleted: Trojan program Trojan-Downloader.Win32.Banload.xub        File: C:\Documents and Settings\Administrator\桌面\arpw.rar/arpw.exe
BING126
Posted 2008-11-11 20:41:13
McAfee  New Malware.n
allinwonderi
Posted 2008-11-11 20:42:05

F-Prot 4.4.4

[Security risk found: ]        <W32/D_Downloader!GSA (not disinfectable, normal)>        C:\Test\arpw.rar->arpw.exe->(UPack)
allinwonderi
Posted 2008-11-11 20:42:37

Norman Virus Control 5.99
