[Virus sample] USB worm

小飞侠.net
Posted 2008-11-17 01:59:40
费尔 (Filseclab) says: \hbep.pif\hbep.pif.pif    Packed.PE.Encrypt.rauq    Suspicious program    Not yet processed
Reported to 费尔...

Norman SandBox

小 : INFECTED with W32/Malware (Signature: W32/AutoRun.HHT)


[ DetectionInfo ]
   * Sandbox name: W32/Malware
   * Signature name: W32/AutoRun.HHT
   * Compressed: YES
   * TLS hooks: NO
   * Executable type: Application
   * Executable file structure: OK
   * Filetype: PE_I386

[ General information ]
   * File might be compressed.
   * Decompressing ASPack.
   * File length:        24576 bytes.
   * MD5 hash: f3fb2473a3f315cf622044b1b1c11fa7.

[ Changes to filesystem ]
   * Deletes file c:\windows\system32\mfc71.dll.
   * Deletes file C:\Program Files\Kingsoft\Kingsoft Internet Security 2008\kasbrowsershield.dll.
   * Disables protection on files protected with SFC.
   * Creates file C:\WINDOWS\SYSTEM32\Drivers\beep.sys.

[ Process/window information ]
   * Enumerates running processes.
   * Creates a mutex FANGPIWANG.
   * Checks if privilege "SeDebugPrivilege" is available.
   * Enables privilege SeDebugPrivilege.
   * Attemps to open cacls.exe c:\windows\system32\packet.dll /e /p everyone:f.
   * Attemps to open cacls.exe c:\windows\system32\pthreadVC.dll /e /p everyone:f.
   * Attemps to open cacls.exe c:\windows\system32\wpcap.dll /e /p everyone:f.
   * Attemps to open cacls.exe c:\windows\system32\drivers\npf.sys /e /p everyone:f.
   * Attemps to open cacls.exe c:\windows\system32\npptools.dll /e /p everyone:f.
   * Attemps to open cacls.exe c:\windows\system32\drivers\acpidisk.sys /e /p everyone:f.
   * Attemps to open cacls.exe c:\windows\system32\wanpacket.dll /e /p everyone:f.
   * Attemps to open cacls.exe c:\Documents and Settings\All Users\「开始」菜单\程序\启动 /e /p everyone:f.
   * Attempts to access service "Beep".
   * Enumerates running processes several parses....
   * Attempts to access service "sharedaccess".
   * Attempts to access service "McShield".
   * Disables security related services.
   * Attempts to access service "KWhatchsvc".
   * Attempts to access service "KPfwSvc".
   * Attempts to access service "Kingsoft Internet Security Common Service".
   * Attempts to access service "Symantec AntiVirus".
   * Attempts to access service "Symantec AntiVirus Drivers Services".
   * Attempts to access service "Symantec AntiVirus Definition Watcher".
   * Attempts to access service "McAfee Framework 服务".
   * Attempts to access service "Norton AntiVirus Server".

(C) 2004-2006 Norman ASA. All Rights Reserved.


File hbep.pif.pif received on 2008.11.16 18:28:24 (CET)
Result: 28/36 (77.78%)

Antivirus engine   Version   Last update   Scan result
AhnLab-V3 2008.11.14.3 2008.11.16 -
AntiVir 7.9.0.31 2008.11.16 TR/Crypt.FKM.Gen
Authentium 5.1.0.4 2008.11.15 W32/OnlineGames.A.gen!GSA
Avast 4.8.1281.0 2008.11.16 Win32:Ressdt-F
AVG 8.0.0.199 2008.11.16 Killav
BitDefender 7.2 2008.11.16 DeepScan:Generic.Malware.P!VdldPk!g.AB1472F1
CAT-QuickHeal 10.00 2008.11.15 Worm.AutoRun.rsy
ClamAV 0.94.1 2008.11.15 -
DrWeb 4.44.0.09170 2008.11.16 DLOADER.Trojan
eSafe 7.0.17.0 2008.11.16 Suspicious File
eTrust-Vet 31.6.6210 2008.11.14 -
Ewido 4.0 2008.11.16 -
F-Prot 4.4.4.56 2008.11.15 W32/OnlineGames.A.gen!GSA
F-Secure 8.0.14332.0 2008.11.16 Worm.Win32.AutoRun.ruz
Fortinet 3.117.0.0 2008.11.15 PossibleThreat
GData 19 2008.11.16 DeepScan:Generic.Malware.P!VdldPk!g.AB1472F1
Ikarus T3.1.1.45.0 2008.11.16 Trojan-PWS.Win32.LdPinch
K7AntiVirus 7.10.526 2008.11.15 Worm.Win32.AutoRun.ruz
Kaspersky 7.0.0.125 2008.11.16 Worm.Win32.AutoRun.ruz
McAfee 5435 2008.11.15 W32/Autorun.worm.gen
Microsoft 1.4104 2008.11.16 Worm:Win32/Autorun.gen!DI
NOD32 3615 2008.11.15 a variant of Win32/AutoRun.WC
Norman 5.80.02 2008.11.14 W32/AutoRun.HHT
Panda 9.0.0.4 2008.11.16 Generic Malware
PCTools 4.4.2.0 2008.11.16 -
Prevx1 V2 2008.11.16 P2P Share Worm
Rising 21.03.42.00 2008.11.14 Worm.Win32.DownLoad.jw
SecureWeb-Gateway 6.7.6 2008.11.16 Trojan.Crypt.FKM.Gen
Sophos 4.35.0 2008.11.16 Mal/Behav-204
Sunbelt 3.1.1801.2 2008.11.14 VIPRE.Suspicious
Symantec 10 2008.11.16 Packed.Generic.181
TheHacker 6.3.1.1.155 2008.11.15 W32/AutoRun.ruz
TrendMicro 8.700.0.1004 2008.11.14 -
VBA32 3.12.8.9 2008.11.15 Worm.Win32.AutoRun.ruz
ViRobot 2008.11.15.1470 2008.11.15 -
VirusBuster 4.5.11.0 2008.11.16 -
Additional information
File size: 24576 bytes
MD5...: f3fb2473a3f315cf622044b1b1c11fa7
SHA1..: 42912e6f069de97b61925a6e2eb2f1eee2594161
SHA256: 579579a24dff91b7ca724751782b83d09779818ef5b840f6c2e3be17674f7bd1
SHA512: 17a879220aa0ce1e0540d0e629d74bfe1384cc5c6679b8ad7119ab7580904a6a4802109f83a690653835a476ec9f51bec2962f9972eee589bdb92f7a25cbf072
PEiD..: ASPack v2.12
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1314b001
timedatestamp.....: 0x490cfaaf (Sun Nov 02 00:56:15 2008)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x3000 0x1000 7.95 e6fd1ce3b586778b2d601fa893a0ce8e
0x4000 0x1000 0x600 6.24 eef0766f9534a3d9ad045423e31bc15f
0x5000 0x2000 0xe00 7.46 e1add3aec6faf388f05d54bea97eaa31
0x7000 0x1000 0x1000 0.01 f95f106fe79dca7992aae963168ba3bf
0x8000 0x2000 0x200 1.53 5bb655c9c3493a88c64f1e2dd2a717ff
.nah 0xa000 0x1000 0x200 3.27 b7d2bfeefde9a7f75f86d5c8b795be6f
.aspack 0xb000 0x3000 0x2200 5.36 6d60459f01ed5b771ee3fe5153402997
.adata 0xe000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 1 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA

( 0 exports )

ThreatExpert info: ht tp://www.threatexpert.com/report.aspx?md5=f3fb2473a3f315cf622044b1b1c11fa7

The following Internet Connection was established:
Server Name Server Port Connect as User Connection Password
x.cdd6.co  m 80 (null) (null)


The following GET requests were made:
dd/x.gif
dd/1.exe
dd/2.exe
dd/3.exe
dd/4.exe
dd/5.exe
dd/6.exe
dd/7.exe
dd/8.exe
dd/9.exe
dd/10.exe

Prevx info: ht tp://info.prevx.com/aboutprogramtext.asp?PX5=02F1DAA10016F22A606700FF1C301E00856F6980
packers (F-Prot): Aspack
packers (Authentium): Aspack
packers (Avast): ASPack


VirSCAN.org Scanned Report :
Scanned time   : 2008/11/17 01:28:32 (CST)
Scanner results: 62% of scanners (24/39) reported a virus
File Name      : hbep.pif.pif
File Size      : 24576 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : f3fb2473a3f315cf622044b1b1c11fa7
SHA1           : 42912e6f069de97b61925a6e2eb2f1eee2594161
Online report  : ht tp://virscan.org/report/3195e6affb9c5fa62e9e77645f448701.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.0.0.26        20081116201907    2008-11-16  3.25   Trojan-PWS.Win32.LdPinch!IK
安博士V3       2008.11.17.00   2008.11.17        2008-11-17  1.08   -
AntiVir        7.9.0.31        7.1.0.90          2008-11-16  1.52   TR/Crypt.FKM.Gen
安天           2.0.18          20081114.1573099  2008-11-14  0.12   -
Arcavir        1.0.5           200811141318      2008-11-14  1.20   -
Authentium     5.1.1           200811151321      2008-11-15  1.06   W32/OnlineGames.A.gen!GSA (Possible)
AVAST!         3.0.1           081115-1          2008-11-15  0.01   Win32:JunkPoly [Cryp]
AVG            7.5.52.442      270.9.4/1792      2008-11-16  1.74   -
BitDefender    7.81008.2192408 7.21901           2008-11-17  2.04   DeepScan:Generic.Malware.P!VdldPk!g.AB1472F1
CA (VET)       9.0.0.143       31.6.6210         2008-11-14  5.23   -
ClamAV         0.94.1          8636              2008-11-15  0.02   -
Comodo         2.11            2.0.0.708         2008-11-16  0.43   -
CP Secure      1.1.0.715       2008.11.14        2008-11-14  6.43   -
Dr.Web         4.44.0.9170     2008.11.16        2008-11-16  3.57   DLOADER.Trojan
ewido          4.0.0.2         2008.11.16        2008-11-16  3.10   -
F-Prot         4.4.4.56        20081115          2008-11-15  1.06   W32/OnlineGames.A.gen!GSA (generic, not disinfectable)
F-Secure       5.51.6100       2008.11.16.01     2008-11-16  0.05   Worm.Win32.AutoRun.ruz [AVP]
飞塔           2.81-3.117      9.714             2008-11-15  0.20   PossibleThreat
GData          19.1548/19.108  20081116          2008-11-16  4.03   Worm.Win32.AutoRun.ruz [Engine:A]
ViRobot        20081115        2008.11.15        2008-11-15  0.42   -
Ikarus         T3.1.01.45      2008.11.16.71865  2008-11-16  3.46   Trojan-PWS.Win32.LdPinch
江民杀毒       11.0.706        2008.11.16        2008-11-16  1.33   Packed.PE-Encrypt
卡巴斯基       5.5.10          2008.11.16        2008-11-16  0.03   Worm.Win32.AutoRun.ruz
金山毒霸       2008.9.8.18     2008.11.13.23     2008-11-13  0.81   -
迈克菲         5.3.00          5435              2008-11-15  2.49   W32/Autorun.worm.gen
Microsoft      1.4104          2008.11.16        2008-11-16  4.82   Worm:Win32/Autorun.gen!DI
mks_vir        2.01            2008.11.16        2008-11-16  2.70   -
Norman         5.93.01         5.93.00           2008-11-14  5.10   W32/AutoRun.HHT
熊猫卫士       9.05.01         2008.11.16        2008-11-16  2.96   Generic Malware     
趋势科技       8.700-1004      5.654.33          2008-11-16  0.04   -
Quick Heal     10.00           2008.11.15        2008-11-15  2.64   Worm.AutoRun.rsy
瑞星           20.0            21.03.42.00       2008-11-14  0.92   Worm.Win32.DownLoad.jw
Sophos         2.80.0          4.35              2008-11-17  2.06   Mal/Behav-204
Sunbelt        4474            4474              2008-11-04  0.93   VIPRE.Suspicious
赛门铁克       1.3.0.24        20081116.003      2008-11-16  0.40   Packed.Generic.181
nProtect       2008-11-14.00   2541461           2008-11-14  3.22   -
The Hacker     6.3.1.1         v00155            2008-11-15  0.43   W32/AutoRun.ruz
VBA32          3.12.8.9        20081115.1534     2008-11-15  1.32   Worm.Win32.AutoRun.ruz
VirusBuster    4.5.11.10       10.93.4/671777    2008-11-16  2.05   -

leonfg
Posted 2008-11-17 02:47:30
Saw the results, so I won't be downloading it.
Anycall-D908
Posted 2008-11-17 06:00:03
See the attached screenshot.

sam.to
Posted 2008-11-17 08:06:04

Reply to post #2 by leonfg

Same here.
sysfc6
Posted 2008-11-17 08:39:12
NOD32 kills it.
BING126
Posted 2008-11-17 22:16:24
McAfee killed it...
Palkia
Posted 2008-11-17 22:21:25
C:\Documents and Settings\Administrator\桌面\样本上报.rar>>hbep.pif\hbep.pif.pif        Packed.PE.Encrypt.rauq        Suspicious program        Not yet processed