隐藏在字体目录里的dll病毒

拿贝马凡

隐藏在字体目录里的dll病毒，还在字体目录中生成了一大堆.bat文件，

[Trojan.KoWin]
C:\WINDOWS\Fonts\574D3542.DLL ，并在服务中boot running。



还有病毒Trojan.ytewcxzsw.wrew2ds
2009-01-21 07:11:38 - C:\AutoRun.inf OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\cenbezn.dll OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\delnice.dll OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\delnicek.exe OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\kandoftt.dll OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\meyotme.dll OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\msosdohs.dat OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\rexljeh.dll OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\thermnc.dll OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\xsisco.dll OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\xuntxn.dll OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\yt8a.exe OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\zesttns.dll OK
2009-01-21 07:11:38 - C:\WINDOWS\system32\zesttnsk.exe OK
2009-01-21 07:11:38 - C:\yt8a.exe OK
2009-01-21 07:11:38 - D:\AutoRun.inf OK



[ 本帖最后由 拿贝马凡 于 2009-1-22 15:16 编辑 ]

mayazhimi

空的？

chenjava

全0，，，，

Palkia

又是迷你型？

拿贝马凡

第一个包，我用大部分杀软扫了，没有一个报有病毒。我是用windows清理助手提取的，反正windows助手杀不了，还是pe手杀的

[ 本帖最后由 拿贝马凡 于 2009-1-22 15:28 编辑 ]

kkgh

瑞星报第二个包

hkt988

正在扫描日志
病毒库版本: 3787 (20090121)
日期: 2009-1-21  时间: 8:42:12
已扫描的磁盘、文件夹和文件: D:\下载文件夹\病毒样本.rar;D:\下载文件夹\[Trojan.KoWin].rar
D:\下载文件夹\病毒样本.rar > RAR > C\AUTORUN.INF - INF/Autorun.gen 特洛伊木马 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\CENBEZN.DLL - Win32/PSW.OnLineGames.NSG 特洛伊木马 的变种 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\DELNICE.DLL - Win32/PSW.OnLineGames.NXI 特洛伊木马 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\DELNICEK.EXE - Win32/PSW.OnLineGames.NSG 特洛伊木马 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\KANDOFTT.DLL - Win32/PSW.OnLineGames.NXI 特洛伊木马 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\MEYOTME.DLL - Win32/PSW.OnLineGames.NSE 特洛伊木马 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\REXLJEH.DLL - 可能是 Win32/PSW.OnLineGames.NSF 特洛伊木马 的变种 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\THERMNC.DLL - Win32/PSW.OnLineGames.NXR 特洛伊木马 的变种 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\XSISCO.DLL - Win32/PSW.OnLineGames.NXI 特洛伊木马 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\XUNTXN.DLL - 可能是 Win32/PSW.OnLineGames.NSF 特洛伊木马 的变种 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\YT8A.EXE - Win32/AutoRun.ADC 蠕虫 的变种 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\ZESTTNS.DLL - Win32/PSW.OnLineGames.NXI 特洛伊木马 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\WINDOWS\SYSTEM32\ZESTTNSK.EXE - Win32/PSW.OnLineGames.NXI 特洛伊木马 的变种 - 是已删除对象的一部分
D:\下载文件夹\病毒样本.rar > RAR > C\YT8A.EXE - Win32/AutoRun.ADC 蠕虫 的变种 - 是已删除对象的一部分
已扫描的对象数: 17
发现的威胁数: 14
已清除对象数:14
完成时间: 8:42:17  总扫描时间: 5 秒 (00:00:05)

IllusionWing

KIS2009 KILLED

Kitman

Begin scan in 'C:\Users\Kitman\Desktop\瓷馮欴掛'
C:\Users\Kitman\Desktop\瓷馮欴掛\C\AUTORUN.INF
    [DETECTION] Contains recognition pattern of the WORM/TRV.A worm
    [NOTE]      A backup was created as '49cc2d96.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\YT8A.EXE
      [DETECTION] Is the TR/Drop.Cattivo.A Trojan
    [NOTE]      A backup was created as '49b02d95.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\CENBEZN.DLL
    [DETECTION] Is the TR/Thief.OnLineGames.ttyb.4 Trojan
    [NOTE]      A backup was created as '49c62d86.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\DELNICE.DLL
    [DETECTION] Is the TR/PSW.Online.bir Trojan
    [NOTE]      A backup was created as '49c42d86.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\DELNICEK.EXE
    [DETECTION] Is the TR/Agent.BACI Trojan
    [NOTE]      A backup was created as '4dc28a67.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\KANDOFTT.DLL
    [DETECTION] Is the TR/Hijacker.Gen Trojan
    [NOTE]      A backup was created as '49c62d82.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\MEYOTME.DLL
    [DETECTION] Is the TR/Hijacker.Gen Trojan
    [NOTE]      A backup was created as '49d12d86.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\REXLJEH.DLL
    [DETECTION] Is the TR/PSW.Online.bir Trojan
    [NOTE]      A backup was created as '49d02d86.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\THERMNC.DLL
    [DETECTION] Is the TR/Spy.Gen Trojan
    [NOTE]      A backup was created as '49bd2d89.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\XSISCO.DLL
    [DETECTION] Is the TR/PSW.Online.bir Trojan
    [NOTE]      A backup was created as '49c12d94.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\XUNTXN.DLL
    [DETECTION] Is the TR/PSW.O.ttyw.28672 Trojan
    [NOTE]      A backup was created as '49c62d96.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\YT8A.EXE
      [DETECTION] Is the TR/Drop.Cattivo.A Trojan
    [NOTE]      A backup was created as '4da7609e.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\ZESTTNS.DLL
    [DETECTION] Is the TR/PSW.Online.apxy Trojan
    [NOTE]      A backup was created as '49cb2d86.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!
C:\Users\Kitman\Desktop\瓷馮欴掛\C\WINDOWS\SYSTEM32\ZESTTNSK.EXE
    [DETECTION] Is the TR/Agent.BACJ Trojan
    [NOTE]      A backup was created as '4ddc608f.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!


End of the scan: 2009年1月22日  16:24
Used time: 00:05 Minute(s)

The scan has been done completely.

      4 Scanning directories
     16 Files were scanned
     14 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
     14 files were deleted
      0 files were repaired
     14 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      2 Files not concerned
      0 Archives were scanned
      0 Warnings
     14 Notes

Kitman

The file '574D3542.DLL' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of 'Flash Professional 8'.