来自精睿(vc52).网络安全------------djy0550病毒样本

chima287

一个病毒样本文件 new18.exe 接收于 2009.01.23 02:44:23 (CET)反病毒引擎 版本 最后更新 扫描结果
a-squared 4.0.0.73 2009.01.23 -
AhnLab-V3 5.0.0.2 2009.01.22 -
AntiVir 7.9.0.60 2009.01.22 TR/Hijacker.Gen
Authentium 5.1.0.4 2009.01.22 W32/Heuristic-KPP!Eldorado
Avast 4.8.1281.0 2009.01.22 -
AVG 8.0.0.229 2009.01.22 PSW.OnlineGames.BNSV
BitDefender 7.2 2009.01.23 -
CAT-QuickHeal 10.00 2009.01.22 -
ClamAV 0.94.1 2009.01.22 -
Comodo 942 2009.01.22 -
DrWeb 4.44.0.09170 2009.01.23 -
eSafe 7.0.17.0 2009.01.22 Suspicious File
eTrust-Vet 31.6.6322 2009.01.23 -
F-Prot 4.4.4.56 2009.01.22 W32/Heuristic-KPP!Eldorado
F-Secure 8.0.14470.0 2009.01.22 -
Fortinet 3.117.0.0 2009.01.22 -
GData 19 2009.01.23 -
Ikarus T3.1.1.45.0 2009.01.23 -
K7AntiVirus 7.10.601 2009.01.22 -
Kaspersky 7.0.0.125 2009.01.23 Heur.Trojan.Generic
McAfee 5503 2009.01.22 -
McAfee+Artemis 5503 2009.01.22 Generic!Artemis
Microsoft 1.4205 2009.01.22 -
NOD32 3791 2009.01.22 a variant of Win32/PSW.OnLineGames.NTZ
Norman 5.93.01 2009.01.22 -
nProtect 2009.1.8.0 2009.01.22 -
Panda 9.5.1.2 2009.01.22 -
PCTools 4.4.2.0 2009.01.22 -
Prevx1 V2 2009.01.23 Rootkit
Rising 21.13.32.00 2009.01.22 Trojan.PSW.Win32.GameOL.ucz
SecureWeb-Gateway 6.7.6 2009.01.22 Trojan.Hijacker.Gen
Sophos 4.37.0 2009.01.23 -
Sunbelt 3.2.1835.2 2009.01.16 Trojan-PSW.OnlineGames
Symantec 10 2009.01.23 Infostealer.Onlinegame
TheHacker 6.3.1.5.226 2009.01.22 -
TrendMicro 8.700.0.1004 2009.01.22 Mal_OLGM-6
VBA32 3.12.8.11 2009.01.22 -
ViRobot 2009.1.22.1574 2009.01.22 -
VirusBuster 4.5.11.0 2009.01.22 -

附加信息
File size: 15136 bytes
MD5...: 4812d208918f7d0b3890e5aa3002dfea
SHA1..: c649dbefc2d23a28ae8e6caf0f2d7e04376af8e6
SHA256: 33167a0429605d3b2d4d6417b0d6e048d8300b63c3b9678afc53e81f60496a78
SHA512: 9f7a5216ed3c47e8e44075cccd114af1f3e8ce2cc828957eff1b6e20a25bfa6a<BR>3d2b34da288f709e09a8065bfb1dace257069a3fa1e2a749f9d384e63fd818ec<BR>
ssdeep: 384:XDU3TSrcUQ1JIeswTzdOuclqM3819f3OnJX:XIjSBQTVU/ENng<BR>
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification<BR>UPX compressed Win32 Executable (39.5%)<BR>Win32 EXE Yoda's Crypter (34.3%)<BR>Win32 Executable Generic (11.0%)<BR>Win32 Dynamic Link Library (generic) (9.8%)<BR>Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information<BR><BR>( base data )<BR>entrypointaddress.: 0x410df0<BR>timedatestamp.....: 0x49773a7d (Wed Jan 21 15:08:45 2009)<BR>machinetype.......: 0x14c (I386)<BR><BR>( 3 sections )<BR>name viradd virsiz rawdsiz ntrpy md5<BR>UPX0 0x1000 0xd000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<BR>UPX1 0xe000 0x3000 0x3000 7.80 12ada0502e333a115a10feefcbe45a12<BR>.rsrc 0x11000 0x1000 0x200 3.41 210f774265c7b2850dd6be8829f2f825<BR><BR>( 4 imports ) <BR>> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess<BR>> MSVCRT.dll: memset<BR>> SHLWAPI.dll: PathFileExistsA<BR>> USER32.dll: wsprintfA<BR><BR>( 0 exports ) <BR>
packers (Kaspersky): PE_Patch.UPX, UPX
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=CFC23F99203C87033B8300FB2DE876004DA254D4' target='_blank'>http://info.prevx.com/aboutprogr ... 2DE876004DA254D4<;/a>
packers (F-Prot): embedded
packers (Authentium): embedded

Palkia

跟你刚才那个帖里的一个重复了
Rising 21.13.32.00 2009.01.22 Trojan.PSW.Win32.GameOL.ucz

尤金卡巴斯基

To KL

尤金卡巴斯基

Hello,

new18.exe_ - Trojan-GameThief.Win32.OnLineGames.bkru

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

Please quote all when answering.
The answer is relevant to the latest bases from update sources.

Best regards, Sergey Prokudin
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

hn1001

2009-1-25 8:02:08        C:\Documents and Settings\Administrator\桌面\new18.rar        2        1        0        已完成

hfghy

fs8直接过？？我晕

xyao

微点

Sherry.ai

To KL

sgsrun

程序：
C:\DOCUMENTS AND SETTINGS\SHANG\LOCAL SETTINGS\TEMP\RAR$EX00.515\NEW18.EXE
木马程序生成以下文件：
1) C:\WINDOWS\SYSTEM32\COMRES.DLL
2) C:\WINDOWS\FONTS\COMRES.DLL
3) C:\WINDOWS\FONTS\CTM11006.TTF
是否删除木马程序及其衍生物?




微点的

JusticeH

BitDefender 上報