收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 小身材大味道主流杀软尝苦头
12
返回列表 发新帖
楼主: saga3721
 收起左侧

[病毒样本] 小身材大味道主流杀软尝苦头

[复制链接]
kingsheet
发表于 2009-3-11 10:48:36 | 显示全部楼层
卡巴不报
回复

举报

liutianfutor
发表于 2009-3-11 11:20:36 | 显示全部楼层
上报MP
回复

举报

floozy
发表于 2009-3-12 22:52:46 | 显示全部楼层
这是个干净的~~

API Trace:
0x0040f286 ---->  Call Kernel32.VirtualAlloc ( Address:0x00000000, Size:0x00001000, AllocationType:MEM_COMMIT<0x00001000>, Protect:PAGE_EXECUTE_READWRITE<0x00000040> ) Ret:0x04a90000
0x04a90629 ---->  Call Kernel32.VirtualAlloc ( Address:0x00000000, Size:0x00003e6c, AllocationType:MEM_COMMIT<0x00001000>, Protect:PAGE_READWRITE<0x00000004> ) Ret:0x04aa0000
0x04a9065c ---->  Call Kernel32.VirtualFree ( lpAddress:0x04aa0000, dwSize:0x00000000, dwFreeType:0x00008000)
0x0040f31d ---->  Call Kernel32.VirtualFree ( lpAddress:0x04a90000, dwSize:0x00000000, dwFreeType:0x00008000)
0x0040f4f4 ---->  Call Kernel32.LoadLibraryA ( FileName:"KERNEL32.DLL"<Addr:0x0040f150> )
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileAttributesA"<Addr:0x0040e0b0> EntryPoint:0x7c8115cc)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"lstrlenA"<Addr:0x0040e0c2> EntryPoint:0x7c80be46)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"lstrcatA"<Addr:0x0040e0ca> EntryPoint:0x7c834d59)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GlobalUnlock"<Addr:0x0040e0d2> EntryPoint:0x7c80ff12)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GlobalLock"<Addr:0x0040e0de> EntryPoint:0x7c80ffa9)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GlobalAlloc"<Addr:0x0040e0e8> EntryPoint:0x7c80fdbd)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"lstrcpyA"<Addr:0x0040e0f3> EntryPoint:0x7c80be91)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetComputerNameA"<Addr:0x0040e0fb> EntryPoint:0x7c82168c)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"DeleteCriticalSection"<Addr:0x0040e10b> EntryPoint:0x7c93135a)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"InterlockedDecrement"<Addr:0x0040e120> EntryPoint:0x7c80980a)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"lstrcpynA"<Addr:0x0040e134> EntryPoint:0x7c8101a1)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LeaveCriticalSection"<Addr:0x0040e13d> EntryPoint:0x7c9210e0)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"EnterCriticalSection"<Addr:0x0040e151> EntryPoint:0x7c921000)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFileAttributesA"<Addr:0x0040e165> EntryPoint:0x7c812812)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleFileNameA"<Addr:0x0040e177> EntryPoint:0x7c80b55f)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleHandleA"<Addr:0x0040e189> EntryPoint:0x7c80b731)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ExitProcess"<Addr:0x0040e199> EntryPoint:0x7c81cafa)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"InitializeCriticalSection"<Addr:0x0040e1a4> EntryPoint:0x7c809f81)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"InterlockedIncrement"<Addr:0x0040e1bd> EntryPoint:0x7c8097f6)
0x0040f4f4 ---->  Call Kernel32.LoadLibraryA ( FileName:"USER32.DLL"<Addr:0x0040f15d> )
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetClassInfoExA"<Addr:0x0040e1d1> EntryPoint:0x77d1dd58)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"UnregisterClassA"<Addr:0x0040e1e0> EntryPoint:0x77d289a3)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"LoadIconA"<Addr:0x0040e1f0> EntryPoint:0x77d2e8f6)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"EnableWindow"<Addr:0x0040e1f9> EntryPoint:0x77d29849)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"RegisterClassExA"<Addr:0x0040e205> EntryPoint:0x77d27c39)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SendDlgItemMessageA"<Addr:0x0040e215> EntryPoint:0x77d3c2e7)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetFocus"<Addr:0x0040e228> EntryPoint:0x77d2b112)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"EndDialog"<Addr:0x0040e230> EntryPoint:0x77d24a4e)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetSysColor"<Addr:0x0040e239> EntryPoint:0x77d18e78)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"DialogBoxParamA"<Addr:0x0040e244> EntryPoint:0x77d3b144)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"OpenClipboard"<Addr:0x0040e253> EntryPoint:0x77d30277)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"EmptyClipboard"<Addr:0x0040e260> EntryPoint:0x77d30d96)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetClipboardData"<Addr:0x0040e26e> EntryPoint:0x77d30f9e)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CloseClipboard"<Addr:0x0040e27e> EntryPoint:0x77d30265)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetDlgItemTextA"<Addr:0x0040e28c> EntryPoint:0x77d6b05e)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"wsprintfA"<Addr:0x0040e29b> EntryPoint:0x77d1a8ad)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetDlgItemTextA"<Addr:0x0040e2a4> EntryPoint:0x77d3c972)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"PostMessageA"<Addr:0x0040e2b3> EntryPoint:0x77d2aafd)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetWindowTextA"<Addr:0x0040e2bf> EntryPoint:0x77d2f56b)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetDlgItem"<Addr:0x0040e2cd> EntryPoint:0x77d2436e)
0x0040f4f4 ---->  Call Kernel32.LoadLibraryA ( FileName:"GDI32.DLL"<Addr:0x0040f168> )
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77ef0000, SymName:"CreateSolidBrush"<Addr:0x0040e2d7> EntryPoint:0x77ef61a5)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77ef0000, SymName:"DeleteObject"<Addr:0x0040e2e7> EntryPoint:0x77ef6bfa)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77ef0000, SymName:"SetBkColor"<Addr:0x0040e2f3> EntryPoint:0x77ef5e29)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77ef0000, SymName:"SetTextColor"<Addr:0x0040e2fd> EntryPoint:0x77ef5d77)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77ef0000, SymName:"CreateFontIndirectA"<Addr:0x0040e309> EntryPoint:0x77efecbe)
0x0040f4f4 ---->  Call Kernel32.LoadLibraryA ( FileName:"MSVCRT.DLL"<Addr:0x0040f172> )
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"_stricmp"<Addr:0x0040e31c> EntryPoint:0x77c1624e)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"realloc"<Addr:0x0040e324> EntryPoint:0x77bfc437)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"calloc"<Addr:0x0040e32b> EntryPoint:0x77bfc0c3)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"free"<Addr:0x0040e331> EntryPoint:0x77bfc21b)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"[email=??3@YAXPAX@Z]??3@YAXPAX@Z"<Addr:0x0040e335[/email]> EntryPoint:0x77bf9cdd)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"strstr"<Addr:0x0040e341> EntryPoint:0x77c17c60)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"time"<Addr:0x0040e347> EntryPoint:0x77c1aecf)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"srand"<Addr:0x0040e34b> EntryPoint:0x77c071bc)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"rand"<Addr:0x0040e350> EntryPoint:0x77c071d3)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x77be0000, SymName:"[email=??2@YAPAXI@Z]??2@YAPAXI@Z"<Addr:0x0040e354[/email]> EntryPoint:0x77bf9cc5)
0x0040f4f4 ---->  Call Kernel32.LoadLibraryA ( FileName:"WS2_32.DLL"<Addr:0x0040f17d> )
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:2 EntryPoint:0x00000002)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:52 EntryPoint:0x00000034)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:11 EntryPoint:0x0000000b)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:57 EntryPoint:0x00000039)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:14 EntryPoint:0x0000000e)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:51 EntryPoint:0x00000033)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:3 EntryPoint:0x00000003)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, SymName:"WSACloseEvent"<Addr:0x0040e383> EntryPoint:0x71a265e8)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:4 EntryPoint:0x00000004)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, SymName:"WSAEventSelect"<Addr:0x0040e395> EntryPoint:0x71a264d9)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, SymName:"WSACreateEvent"<Addr:0x0040e3a3> EntryPoint:0x71a2655d)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:116 EntryPoint:0x00000074)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:9 EntryPoint:0x00000009)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:21 EntryPoint:0x00000015)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:111 EntryPoint:0x0000006f)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:23 EntryPoint:0x00000017)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:16 EntryPoint:0x00000010)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:19 EntryPoint:0x00000013)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, SymName:"WSAEnumNetworkEvents"<Addr:0x0040e3d4> EntryPoint:0x71a2657d)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, SymName:"WSAWaitForMultipleEvents"<Addr:0x0040e3e8> EntryPoint:0x71a22c6f)
0x0040f53a ---->  Call Kernel32.GetProcAddress ( hModule:0x71a20000, FuncOrder:115 EntryPoint:0x00000073)
0x0040f48c ---->  Call Kernel32.VirtualProtect ( lpAddress:0x00401000, Size:0x00001400, NewProtect:0x00001400 )
0x0040f48c ---->  Call Kernel32.VirtualProtect ( lpAddress:0x00403000, Size:0x0000073a, NewProtect:0x0000073a )
0x00401008 ---->  Call Kernel32.GetModuleHandleA ( ModuleName:0x00000000 )
0x00401050 ---->  Call Ws2_32.WSAStartup (VersionRequested:0x00000101 WSAData:0x0012fe30 Result:SUCCESS)
0x00401063 ---->  Call User32.GetSysColor ( "" )
0x0040106c ---->  Call User32.GetSysColor ( "" )
0x00401078 ---->  Call Gdi32.CreateSolidBrush ( "" )
0x0040193b ---->  Call Gdi32.CreateFontIndirectA ( "" )
0x0040199b ---->  Call Gdi32.CreateFontIndirectA ( "" )
0x004010ac ---->  Call Kernel32.GetModuleFileNameA ( Return Module Name:"C:\Matrix\bin\ip2_CHS.ex_.mxe" )
0x004019c5 ---->  Call User32.GetClassInfoExA ( "#32770" )
0x004019d9 ---->  Call User32.LoadIconA ( "" )
0x004019ed ---->  Call User32.RegisterClassExA ( "" )
0x0040102d ---->  Call User32.DialogBoxParamA
0x004010ca ---->  Call Gdi32.DeleteObject ( "" )
0x004010d2 ---->  Call Gdi32.DeleteObject ( "" )
0x004010da ---->  Call Gdi32.DeleteObject ( "" )
0x00401a01 ---->  Call User32.UnregisterClassA ( "IP2" )
0x004010e5 ---->  Call Ws2_32.WSACleanup (Result:SUCCESS)
0x0040103a ---->  Call Kernel32.ExitProcess ( ExitCode:0x00000000)

唯一有可能出问题的,就是 DialogBoxParamA 的User-define的函数
回复

举报

Sebastian
发表于 2009-3-13 17:11:51 | 显示全部楼层
Dear Sir or Madam,


Thank you for your recent inquiry.

We could not find a virus in the attachment you have sent us. This is a false positive. We will take out the pattern recognition in one of our next updates.

We thank you for your assistance.

Attachment(s) you sent:
- XX.rar
--
Freundliche Gruesse / Best regards
Avira GmbH
回复

举报

12
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-12-23 07:14 , Processed in 0.088358 second(s), 3 queries , Redis On.

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表