有没有能穿越虚拟机的病毒？

显示全部楼层 · 发表于 2009-1-19 13:43:47

本帖最后由 107 于 2010-12-23 17:59 编辑

如题。

显示全部楼层 · 发表于 2009-1-19 13:45:16

听闻过外国某一大牛研制出了穿vmware的病毒

不过目前尚未有也没碰过

虽然是硬绑定。。。

显示全部楼层 · 发表于 2009-1-19 13:54:07

有,你碰部上,别担心那没用的

显示全部楼层 · 发表于 2009-1-19 15:22:57

肯定有，一物降一物嘛

显示全部楼层 · 发表于 2009-1-19 19:39:27

我也想知道

显示全部楼层 · 发表于 2009-1-19 20:31:56

比中linux的病毒几率还低

显示全部楼层 · 发表于 2009-1-19 20:32:52

没这么快吧

显示全部楼层 · 发表于 2009-1-19 20:52:10

这可能是你要的

显示全部楼层 · 发表于 2009-1-20 08:40:43

还没用过COMODO的CIMA，用这个来试试

：

• File Info

Name	Value
Size	22980
MD5	87d821d0b0b0fcfede0519c75ef8292f
SHA1	9a536224897d10c99250308e1136a85345af1a6f
SHA256	423ca5b173295b0a8a7db3a3500979cc22f80e0d74ec8b07af861171143b2346
Process	Exited

• Keys Created

Name	Last Write Time
LM\Software\Classes\ClsId\{014A26F5-FBAD-4549-9CA1-C38210704BD1}	2009.01.12 14:48:00.562
LM\Software\Classes\ClsId\{014A26F5-FBAD-4549-9CA1-C38210704BD1}\InProcServer32	2009.01.12 14:48:00.562

• Keys Changed• Keys Deleted• Values Created

Name	Type	Size	Value
LM\Software\Classes\ClsId\{014A26F5-FBAD-4549-9CA1-C38210704BD1}\	REG_SZ	2	""
LM\Software\Classes\ClsId\{014A26F5-FBAD-4549-9CA1-C38210704BD1}\InProcServer32\	REG_SZ	134	"C:\Program Files\Common Files\Microsoft Shared\MSINFO\System16.ins"
LM\Software\Classes\ClsId\{014A26F5-FBAD-4549-9CA1-C38210704BD1}\InProcServer32\ThreadingModel	REG_SZ	20	"Apartment"
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{014A26F5-FBAD-4549-9CA1-C38210704BD1}	REG_SZ	2	""

• Values Changed

Name	Type	Size	Value
CU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings	REG_BINARY/REG_BINARY	52/56	?/?

• Values Deleted• Directories Created• Directories Changed• Directories Deleted• Files Created

Name	Size	Last Write Time	Creation Time	Last Access Time	Attr
C:\Program Files\Common Files\Microsoft Shared\MSInfo\System16.ins	27588	2009.01.12 14:47:59.109	2009.01.12 14:47:59.109	2009.01.12 14:47:59.109	0x26
C:\Program Files\Common Files\Microsoft Shared\MSInfo\System16.jup	22980	2009.01.12 14:47:58.359	2009.01.12 14:47:58.921	2009.01.12 14:47:58.921	0x6

• Files Changed

Name	Size	Last Write Time	Creation Time	Last Access Time	Attr
C:\Documents and Settings\User\NTUSER.DAT	524288/786432	2009.01.12 13:45:13.906/2009.01.12 14:48:02.250	2008.08.01 05:31:04.546/2008.08.01 05:31:04.546	2009.01.12 13:45:13.906/2009.01.12 13:45:13.906	0x22/0x22

• Files Deleted• Directories Hidden• Files Hidden• Drivers Loaded• Drivers Unloaded• Processes Created• Processes Terminated• Threads Created

PId	Process Name	TId	Start	Start Mem	Win32 Start	Win32 Start Mem
0x344	svchost.exe	0x170	0x7c810856	MEM_IMAGE	0x7c910760	MEM_IMAGE
0x43c	svchost.exe	0x7b8	0x7c810856	MEM_IMAGE	0x77df9981	MEM_IMAGE
0x73c	explorer.exe	0x7d8	0x7c810856	MEM_IMAGE	0xd35620	MEM_IMAGE

• Modules Loaded

PId	Process Name	Base	Size	Flags	Image Name
0x73c	explorer.exe	0xd30000	0xc000	0x80284004	C:\Program Files\Common Files\Microsoft Shared\MSINFO\System16.ins
0x73c	explorer.exe	0x662b0000	0x58000	0x800c4004	C:\WINDOWS\system32\hnetcfg.dll
0x73c	explorer.exe	0x71a50000	0x3f000	0x80084004	C:\WINDOWS\System32\mswsock.dll
0x73c	explorer.exe	0x71a90000	0x8000	0x800c4004	C:\WINDOWS\System32\wshtcpip.dll
0x73c	explorer.exe	0x722b0000	0x5000	0x800c4004	C:\WINDOWS\system32\sensapi.dll
0x73c	explorer.exe	0x76e90000	0x12000	0x800c4006	C:\WINDOWS\system32\rasman.dll
0x73c	explorer.exe	0x76eb0000	0x2f000	0x80084006	C:\WINDOWS\system32\TAPI32.dll
0x73c	explorer.exe	0x76ee0000	0x3c000	0x800c4004	C:\WINDOWS\system32\RASAPI32.DLL
0x73c	explorer.exe	0x76f20000	0x27000	0x800c4004	C:\WINDOWS\system32\DNSAPI.dll
0x73c	explorer.exe	0x76fc0000	0x6000	0x800c4004	C:\WINDOWS\system32\rasadhlp.dll

• Windows Api Calls

PId	Image Name	Address	Function ( Parameters ) \| Return Value
0x370	C:\TEST\sample.exe	0x404b98	CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\System16.jup", bFailIfExists: 0x0)\|0x1

• DNS Queries

DNS Query Text

yy90.net IN A +

www.126.com IN A +

• HTTP Queries

HTTP Query Text

yy90.net GET /down/gg.exe HTTP/1.1

yy90.net GET /down/ms.exe HTTP/1.1

yy90.net GET /down/wl.exe HTTP/1.1

yy90.net GET /down/zz.exe HTTP/1.1

yy90.net GET /down/mh.exe HTTP/1.1

yy90.net GET /down/gm.exe HTTP/1.1

yy90.net GET /down/ii.exe HTTP/1.1

yy90.net GET /down/qq.exe HTTP/1.1

yy90.net GET /down/rx.exe HTTP/1.1

yy90.net GET /down/sj.exe HTTP/1.1

yy90.net GET /down/wd.exe HTTP/1.1

yy90.net GET /down/tl.exe HTTP/1.1

yy90.net GET /down/fy.exe HTTP/1.1

yy90.net GET /down/zx.exe HTTP/1.1

yy90.net GET /down/hx.exe HTTP/1.1

www.126.com GET / HTTP/1.1

• Verdict

Auto Analysis Verdict

Rated as Suspicious

• Description

Suspicious Actions Detected

Copies self to other locations

Creates files in program files directory

Injects code into other processes

Registers dynamic link libraries

• Events Created or Opened

PId	Image Name	Address	Event Name
0x370	C:\TEST\sample.exe	0x77a89422	Global\crypt32LogoffEvent

显示全部楼层 · 发表于 2009-1-20 09:19:31

没有，虚拟机是模拟的

[已解决] 有没有能穿越虚拟机的病毒？

回复 1楼 ussa98077 的帖子