Maganias病毒更新帖（去除重复和无毒文件）（03.13第三十九次更新）

fzz8848

hj5abc

原帖由 sbbdms 于 2009-1-12 23:02 发表
0112第三次更新

继续报壳路线.

G:\0112maganias.rar
    [0] Archive type: RAR
    --> uu.exe
      [DETECTION] Is the TR/Crypt.CFI.Gen Trojan
    --> help(1).exe
      [DETECTION] Is the TR/Crypt.CFI.Gen Trojan
    --> ll.exe
      [DETECTION] Contains HEUR/Crypted suspicious code
    [WARNING]   The file was ignored!

生成物清空.

Begin scan in 'G:\0112created'
G:\0112created\7hjetrr0.dll
    [DETECTION] Is the TR/Vundo Trojan
    [NOTE]      The file was deleted!
G:\0112created\934erew0.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\amvo.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\bnmio.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\cvnmhg0.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\hg.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\mg.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\mmvo.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\mmvo0.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\nod155.tmp
    [DETECTION] Contains HEUR/Crypted suspicious code
    [NOTE]      The detection was classified as suspicious.
    [NOTE]      The file was moved to '49cf5e13.qua'!
G:\0112created\nod156.tmp
    [DETECTION] Is the TR/Crypt.CFI.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\nod157.tmp
    [DETECTION] Is the TR/Crypt.CFI.Gen Trojan
    [NOTE]      The file was deleted!
G:\0112created\rb.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!


[ 本帖最后由 hj5abc 于 2009-1-12 23:13 编辑 ]

qianwenxiang

avast 继续走性感路线 一直入库 从未超越 0
（最新的那个help.exe ll.exe uu.exe）
=＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
以上不排除我个人人品因素..

sbbdms

今天一并补上3天的样本~

28654621

D:\download\0116maganias2.rar>>help(1).exe        Packer.Agent.f.abcp        可疑程序        还未处理
D:\download\0116maganias2.rar>>zz.exe        Packer.Agent.f.efqs        可疑程序        还未处理
D:\download\0116created2.part1.rar>>nod2C7.tmp        Packer.Agent.f.abcp        可疑程序        还未处理
D:\download\0116created2.part1.rar>>nod2C9.tmp        Packer.Agent.f.efqs        可疑程序        还未处理

sbbdms

0117第八次更新

qianwenxiang

avast 顺理成章飘过（0117样本：  0117maganias.rar (728.57 KB)  ）

sbbdms

0118第十次更新

dreams521

TO KL

upside

生成物
c:\autorun.inf
c:\u26ufgv.exe %System%\rttrwq.exe
%System%\mkfght0.dll
%System%\mkfght2.dll

新進程
rttrwq.exe %System%\rttrwq.exe

調用進程
mkfght2.dll %System%\mkfght2.dll Process name: explorer.exe
mkfght0.dll %System%\mkfght0.dll Process name: dllhost.exe
mkfght0.dll %System%\mkfght0.dll Process name: IEXPLORE.EXE

增加新註冊表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
ertyuop = "%System%\rttrwq.exe"

修改註冊表
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
CheckedValue = 0x00000000

木馬下載器
http://dqdq2.com/jj/cc.rar %Temp%\cc.rar