估计很多杀软误报，帮我用手动hips测试下

germany05400

压缩包里是3个互不相关的单独文件。”重建图标缓存.exe“从“博士WIN7风格包 1.0 Build 090106”提取出来的；“疑难杂症处理.exe”从推荐的辅助杀毒的“疑难杂症处理合集”里提取的；”fix.exe“从“通用病毒杀灭机1.2动物家园版”作者的网盘里提取出来的。

都是红伞报，卡巴未报。帮我用手动hips测试下是否都是误报，最好能给出具体的恶意动作。谢谢了！


更新：”重建图标缓存.exe“小红伞又发邮件过来说是误报！！！

[ 本帖最后由 germany05400 于 2009-1-23 16:48 编辑 ]

saga3721

手动HIPS没有，上报红伞就比较方便，看来红伞认为是毒。
We received the following archive files:



File ID  Filename Size (Byte) Result
25239975  files.rar 70.01 KB OK

A listing of files contained inside archives alongside their results can be found below:

File ID  Filename Size (Byte) Result
3718903  fix.exe  50 KB  MALWARE
25231693  ############.exe  9.29 KB  MALWARE
25216557  ############.exe  52 KB  MALWARE


Please find a detailed report concerning each individual sample below:

Filename Result
fix.exe  MALWARE

The file 'fix.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Doreg. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection is added to our virus definition file (VDF) starting with version 7.00.02.51.

Filename Result
############.exe  MALWARE

The file '############.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Packed.7599. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection is added to our virus definition file (VDF) starting with version 7.00.06.105.

Filename Result
############.exe  MALWARE

The file '############.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Agent.awpw. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection is added to our virus definition file (VDF) starting with version 7.01.01.15.


--------------------------------------------------------------------------------
Please note that you will receive an email which will contain the results shown above. In case the final outcome of the analysis is not yet finished for all files the notification will be sent once ready.

germany05400

上传给Automated Analysis System没看出来什么动作呀

江湖的fans

TO  KL    看看！

TO  KV

germany05400

希望有人帮偶分析下恶意的动作

JusticeH

疑難雜症處理.exe：
在c:根目錄下建立文件 met.bat
調用cmd、regsvr32進程
修改登錄值、刪除登錄值
結束後刪除met.bat

重建圖標.exe：
調用csrss.exe

fix.exe：
調用conime...就沒了

以上三個都沒連網動作

germany05400

觉得不像病毒丫？？？

czf610632747

ESS不报

JusticeH

疑難雜症被報病毒，倒是覺得情有可原

補一下BitDefender的掃描結果
重建图标缓存.exe Trojan.Agent.ALNY
疑难杂症处理.exe Trojan.Packed.7599

germany05400

就是不知道是不是杀毒软件集体误报