來一个假破解

显示全部楼层 · 发表于 2009-2-28 23:17:33

9366c6c9c54e96f6354bbc761a8318dd crack.ex2e

28/2/2009 23:17:14 Detected: Worm.Win32.Downloader.aaz C:\Documents and Settings\kato\桌面\crack.ex2e/PE_Patch.UPX/UPX

显示全部楼层 · 发表于 2009-2-28 23:18:57

名称: Trojan.OnineGames.Gen.111
类型: Mutant

描述:

文件:
c:\users\administrator\desktop\crack.ex2e

显示全部楼层 · 发表于 2009-2-28 23:19:04

'TR/Spy.Gen' [trojan]

显示全部楼层 · 发表于 2009-2-28 23:21:27

rs psw.gameol

显示全部楼层 · 发表于 2009-2-28 23:29:05

盗号的
Ultra String Reference
Address Disassembly                            Text String
0040141E push 00404544                         k
00401433 push 00404387                         virtualalloc
00401554 push 00404394                         virtualfree
00401774 push 00404040                         rtlzeromemory
00401788 push 00404544                         k
004017A2 push 004040A0                         getmodulehandlea
004017B6 push 0040455E                         user32.dll
004017C5 push 0040455E                         user32.dll
004017E5 push 004043FB                         callnexthookex
004017F9 push 00404569                         ole32.dll
00401808 push 00404569                         ole32.dll
00401828 push 00404497                         stringfromguid2
0040183C push 00404573                         advapi32.dll
0040184B push 00404573                         advapi32.dll
0040186B push 004044B5                         regdeletekeya
0040187F push 00404580                         shell32.dll
0040188E push 00404580                         shell32.dll
004018AB push 0040451E                         shellexecutea
004018BC push 0040458C                         psapi.dll
004018CB push 0040458C                         psapi.dll
004018E8 push 0040452D                         getmoduleinformation
00401910 push 00404544                         k
00401926 push 00404394                         virtualfree
004019BA push 00404131                         freelibrary
00401C0E push 004045A0                         selfdel.bat
00401C76 push 00401B80                         :repeat\n\n
00401C84 push 00401B8A                         del "
00401C9E push 00401B90                         "
00401CAC push 00401B92                         \n\nif exist "
00401CC6 push 00401B9F                         " goto repeat\n\n
00401CD4 push 00401BAF                         rmdir "
00401CEE push 00401BB7                         "\n\ndel "
00401D08 push 00401BC0                         "\n\n
00401D49 push 004045AC                         open
00401DCC push 004045B1                         %08x.dll
00401DFE push ebp                            (initial cpu selection)
00401E44 push 00405020                         dnf.exe
00401E86 push 004045BA                         \
00401F56 push 0040516B                         http://dnf.88888888666666.com/awsse455656/post.asp
00401F69 push 0040516B                         http://dnf.88888888666666.com/awsse455656/post.asp
00401F79 push 0040537B                         http://dnf.88888888666666.com/gggggz/d2232312/post.asp
00401F8C push 0040537B                         http://dnf.88888888666666.com/gggggz/d2232312/post.asp
00401F9C push 0040558B                         http://dnf.88888888666666.com/24-ue38ue39/post.asp
00401FAF push 0040558B                         http://dnf.88888888666666.com/24-ue38ue39/post.asp
00402102 push 004045BC                         explorer.exe
00402264 push 004045C9                         \ntoskrnl.exe
0040234E push 0040515B                         yt6e2r5re4
0040237D push 0040515B                         yt6e2r5re4
0040238E push 004045D7                         verify_code
0040239A push 004045D7                         verify_code
004023B1 push 004045D7                         verify_code
004023F8 push 0040516B                         http://dnf.88888888666666.com/awsse455656/post.asp
00402425 push 0040516B                         http://dnf.88888888666666.com/awsse455656/post.asp
00402436 push 004045E3                         post_url1
00402442 push 004045E3                         post_url1
00402459 push 004045E3                         post_url1
004024D2 push 0040537B                         http://dnf.88888888666666.com/gggggz/d2232312/post.asp
004024FF push 0040537B                         http://dnf.88888888666666.com/gggggz/d2232312/post.asp
00402510 push 004045ED                         post_url2
0040251C push 004045ED                         post_url2
00402533 push 004045ED                         post_url2
004025AC push 0040558B                         http://dnf.88888888666666.com/24-ue38ue39/post.asp
004025D6 push 0040558B                         http://dnf.88888888666666.com/24-ue38ue39/post.asp
004025E7 push 004045F7                         post_url3
004025F3 push 004045F7                         post_url3
0040260A push 004045F7                         post_url3
004026C9 push 00404601                         post_url4
004026D5 push 00404601                         post_url4
004026EC push 00404601                         post_url4
00402765 push 004059AB                         ge
00402792 push 004059AB                         ge
004027A3 push 0040460B                         source_flag
004027AF push 0040460B                         source_flag
004027C6 push 0040460B                         source_flag
00402936 push 00405124                         clsid\
0040295C push 00404617                         \inprocserver32
004029B9 push 00404627                         apartment
004029C6 push 00404627                         apartment
004029CF push 00404631                         threadingmodel
004029FE push 00404640                         software\microsoft\windows\currentversion\explorer\shellexecutehooks
00402A4B push 00404685                         software\microsoft\windows\currentversion\shellserviceobjectdelayload
00402A64 push 004046CB                         %08x
00402ACB push 004046D0                         software\microsoft\windows nt\currentversion\windows
00402B06 push 00404705                         appinit_dlls
00402B5F push 00404705                         appinit_dlls
00402B9B push 00404712                         ,
00402BD7 push 00404705                         appinit_dlls
00402C0D push 00404705                         appinit_dlls
00402C2F push 00404714                         kernel32.dll
00402C3E push 00404721                         exitprocess
00402CBA push 00405000                         dhfnbyk
004091B5 push 100035FE                         $

显示全部楼层 · 发表于 2009-2-28 23:32:46

运行了一下

显示全部楼层 · 发表于 2009-2-28 23:53:40

BitDefender 2009

This web page has been blocked by BitDefender Antivirus Real-time Protection!

The blocked web page included objects that were either infected or likely to be infected with a virus. Your system has NOT been infected.

显示全部楼层 · 发表于 2009-3-1 00:06:53

DR.WEB
crack.ex2e - infected with Trojan.PWS.Gamania.17197

显示全部楼层 · 发表于 2009-3-1 00:18:02

C:\Documents and Settings\GUNDAM\桌面\crack.zip » ZIP » crack.ex2e - a variant of Win32/PSW.OnLineGames.NTM trojan
所以说杀软还是不报注册机和crack的好，就算报了，该用还是用，这回真来个毒，很可能习惯性忽略杀软的警报，直接运行了。

[ 本帖最后由 leonfg 于 2009-3-1 00:19 编辑 ]

显示全部楼层 · 发表于 2009-3-1 00:48:45

社会工程学？

[病毒样本] 來一个假破解

本帖子中包含更多资源

本帖子中包含更多资源