昨晚中标

aerbeisi

NOD32失守，目前我全盘exe被感染，昨晚卡巴也是杀不了的，今天卡巴可以查出，但是清不了毒。还有这个毒变态在被感染的exe被加入了强制重启命令，只要我点了被感染的exe，马上重启，顺便再中一次毒。o(∩_∩)o...哈哈

文件 LSASS.rar 接收于 2008.11.25 05:15:10 (CET)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.11.24.3	2008.11.24	-
AntiVir	7.9.0.35	2008.11.24	HEUR/Malware
Authentium	5.1.0.4	2008.11.24	W32/SelfStarterInternetTrojan!Maximus
Avast	4.8.1281.0	2008.11.24	-
AVG	8.0.0.199	2008.11.24	-
BitDefender	7.2	2008.11.25	Generic.Malware.Sdld.5E3488C7
CAT-QuickHeal	10.00	2008.11.25	-
ClamAV	0.94.1	2008.11.25	-
DrWeb	4.44.0.09170	2008.11.24	-
eSafe	7.0.17.0	2008.11.24	Suspicious File
eTrust-Vet	31.6.6226	2008.11.25	-
Ewido	4.0	2008.11.24	-
F-Prot	4.4.4.56	2008.11.24	W32/SelfStarterInternetTrojan!Maximus
F-Secure	8.0.14332.0	2008.11.25	-
Fortinet	3.117.0.0	2008.11.25	-
GData	19	2008.11.25	-
Ikarus	T3.1.1.45.0	2008.11.25	Win32.SuspectCrc
K7AntiVirus	7.10.532	2008.11.24	-
Kaspersky	7.0.0.125	2008.11.25	Trojan-Downloader.Win32.Banload.ygl
McAfee	5444	2008.11.24	-
McAfee+Artemis	5444	2008.11.24	Generic!Artemis
Microsoft	1.4104	2008.11.25	-
NOD32	3637	2008.11.24	-
Norman	5.80.02	2008.11.24	-
Panda	9.0.0.4	2008.11.24	Suspicious file
PCTools	4.4.2.0	2008.11.24	-
Prevx1	V2	2008.11.25	-
Rising	21.05.10.00	2008.11.25	-
SecureWeb-Gateway	6.7.6	2008.11.24	Heuristic.Malware
Sophos	4.35.0	2008.11.24	Mal/Heuri-E
Sunbelt	3.1.1823.2	2008.11.22	Virus.Win32.Xorer.F (vf)
Symantec	10	2008.11.25	Downloader
TheHacker	6.3.1.1.162	2008.11.25	-
TrendMicro	8.700.0.1004	2008.11.25	PAK_Generic.001

随便挑了一个被感染的exe，选了个文件比较小的。有清毒的没，能清毒的我就换上杀毒，无法清毒，就重装程序了。颇有熊猫和磁碟机的风范。某杀软的确报了xorer，:-)

文件 Lingoes.rar 接收于 2008.11.25 05:29:38 (CET)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.11.24.3	2008.11.24	-
AntiVir	7.9.0.35	2008.11.24	-
Authentium	5.1.0.4	2008.11.24	W32/SelfStarterInternetTrojan!Maximus
Avast	4.8.1281.0	2008.11.24	-
AVG	8.0.0.199	2008.11.24	-
BitDefender	7.2	2008.11.25	Generic.Malware.Sdld.5E3488C7
CAT-QuickHeal	10.00	2008.11.25	-
ClamAV	0.94.1	2008.11.25	-
DrWeb	4.44.0.09170	2008.11.24	-
eSafe	7.0.17.0	2008.11.24	Suspicious File
eTrust-Vet	31.6.6226	2008.11.25	-
Ewido	4.0	2008.11.24	-
F-Prot	4.4.4.56	2008.11.24	W32/SelfStarterInternetTrojan!Maximus
F-Secure	8.0.14332.0	2008.11.25	-
Fortinet	3.117.0.0	2008.11.25	-
GData	19	2008.11.25	-
Ikarus	T3.1.1.45.0	2008.11.25	-
K7AntiVirus	7.10.532	2008.11.24	-
Kaspersky	7.0.0.125	2008.11.25	Trojan-Downloader.Win32.Banload.ygl
McAfee	5444	2008.11.24	-
McAfee+Artemis	5444	2008.11.24	-
Microsoft	1.4104	2008.11.25	-
NOD32	3637	2008.11.24	-
Norman	5.80.02	2008.11.24	-
Panda	9.0.0.4	2008.11.24	Suspicious file
PCTools	4.4.2.0	2008.11.24	-
Prevx1	V2	2008.11.25	-
Rising	21.05.10.00	2008.11.25	-
SecureWeb-Gateway	6.7.6	2008.11.24	-
Sophos	4.35.0	2008.11.24	Mal/Heuri-E
Sunbelt	3.1.1823.2	2008.11.22	Virus.Win32.Xorer.F (vf)
Symantec	10	2008.11.25	Downloader

kingmuro

aerbeisi

lingoes清毒了吗？呵呵

aerbeisi

希望比较渺茫，查到的基本上都是启发。

aerbeisi

• Submission details:
  • Submission received: 25 November 2008, 15:47:24
  • Processing time: 6 min 11 sec
  • Submitted sample:
    • File MD5: 0x8381F4529A05B6AA2EA0821E64777A41
    • Filesize: 10,240 bytes
    • Alias & packer info:
      • Downloader [Symantec]
      • Mal/Heuri-E, Mal/Emogen-P [Sophos]
      • packed with: PE_Patch.UPX [Kaspersky Lab]

• Summary of the findings:

What's been found	Severity Level
Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File MD5	Alias
1	[file and pathname of the sample #1]	10,240 bytes	0x8381F4529A05B6AA2EA0821E64777A41	Downloader [Symantec] Mal/Heuri-E, Mal/Emogen-P [Sophos] packed with PE_Patch.UPX [Kaspersky Lab]

Memory Modifications

• There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	45,056 bytes

Registry Modifications

• The following Registry Keys were deleted: （删安全模式注册表）
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

• The following Registry Values were deleted:
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    • (Default) = "DiskDrive"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    • (Default) = "DiskDrive"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    • (Default) = "DiskDrive"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    • (Default) = "DiskDrive"

Other details

• Analysis of the file resources indicate the following possible country of origin:（原产地）

China

• To mark the presence in the system, the following Mutex object was created:
  • I AM RUNNING

• A system request is initiated to shut down the system to a point at which it is safe to turn off the power.（关机）

Redevil

卡巴两个都杀
至于清除
楼主自己慢慢来吧

aerbeisi

我昨晚上报卡巴的。

西风萧雨

解压没反应，运行微点报警拦截了～～～

西风萧雨

快倒是很快，但是这样的结果也太～～～

aerbeisi

自动分析的比较矬。