抓到一只，高质量2/37，微点杀

显示全部楼层 · 发表于 2009-3-27 14:39:42

下载faststone时发现的，该TO的就TO

a-squared	4.0.0.32	20090326052159	2009-03-26	-	40.127
AntiVir	7.9.0.129	7.1.2.222	2009-03-26	-	1.961
Authentium	5.1.1	200903262306	2009-03-26	-	1.407
AVAST!	3.0.1	090326-0	2009-03-26	-	0.896
AVG	7.5.52.442	270.11.30/2025	2009-03-26	-	1.980
BitDefender	7.81008.2815556	7.24429	2009-03-27	-	2.622
CA (VET)	9.0.0.143	31.6.6419	2009-03-27	-	40.127
ClamAV	0.94.2	9171	2009-03-27	-	0.040
Comodo	3.8	1085	2009-03-26	-	40.128
CP Secure	1.1.0.715	2009.03.27	2009-03-27	-	7.732
Dr.Web	4.44.0.9170	2009.03.27	2009-03-27	DLOADER.Trojan	4.370
F-Prot	4.4.4.56	20090326	2009-03-26	-	1.649
F-Secure	5.51.6100	2009.03.26.11	2009-03-26	-	5.001
GData	19.4255/19.277	20090327	2009-03-27	-	40.126
Ikarus	T3.1.01.48	2009.03.27.72484	2009-03-27	-	3.366
Microsoft	1.4502	2009.03.27	2009-03-27	-	40.127
mks_vir	2.01	2009.03.27	2009-03-27	-	2.712
Norman	6.00.06	6.00.00	2009-03-26	-	8.009
nProtect	20090326.01	3379984	2009-03-26	-	40.126
Quick Heal	10.00	2009.03.26	2009-03-26	-	40.127
Sophos	2.85.0	4.40	2009-03-27	Mal/Behav-116	1.954
Sunbelt	5062	5062	2009-03-26	-	43.125
The Hacker	6.3.3.7	v00292	2009-03-26	-	43.125
VBA32	3.12.10.1	20090326.1408	2009-03-26	-	1.784
ViRobot	20090325	2009.03.25	2009-03-25	-	40.127
VirusBuster	4.5.11.10	10.102.24/1054037	2009-03-26	-	1.314
卡巴斯基	5.5.10	2009.03.27	2009-03-27	-	0.047
安博士V3	2009.03.27.01	2009.03.27	2009-03-27	-	40.130
安天	2.0.18	20090326.2232597	2009-03-26	-	0.121
江民杀毒	11.0.706	2009.03.27	2009-03-27	-	40.127
熊猫卫士	9.05.01	2009.03.26	2009-03-26	-	40.128
瑞星	20.0	21.22.40.00	2009-03-27	-	40.127
赛门铁克	1.3.0.24	20090326.007	2009-03-26	-	10.083
趋势科技	8.700-1004	5.926.03	2009-03-26	-	0.026
迈克菲	5.3.00	5565	2009-03-26	-	2.706
金山毒霸	2009.2.5.15	2009.3.27.10	2009-03-27	-	40.126
飞塔	2.81-3.117	10.207	2009-03-26	-	40.127

注意: 就算报告发现病毒，也可能是杀软误报，请根据查毒结果自行判断

复制到剪贴板

显示全部楼层 · 发表于 2009-3-27 14:53:23

过咖啡,但是蜘蛛杀

显示全部楼层 · 发表于 2009-3-27 14:56:49

卡巴启发拒绝: HEUR:Trojan.Win32.Generic

显示全部楼层 · 发表于 2009-3-27 14:57:39

DR.WEB
VipSetup_xiaolaoshu.exe - probably infected with DLOADER.Trojan

显示全部楼层 · 发表于 2009-3-27 15:00:29

出站UDP包，注入IE

显示全部楼层 · 发表于 2009-3-27 15:01:19

Ultra String Reference Plugin
Address Disassembly                            Text String
13154620 push 1315237C                         Microsoft_2009_1028_System
131546EA push 1315236C                         usr123451.exe
1315470C push 1315235C                         usr123452.exe
1315471A push 13152350                         wininet.dllusr123452.exe
1315473D push 13152334                         InternetQueryDataAvailable
13154745 push 13152320                         InternetReadFile
13154754 push 1315230C                         InternetCloseHandleInternetReadFile
13154763 push 131522FC                         InternetOpenA
13154772 push 131522E8                         InternetConnectA
13154781 push 131522D4                         HttpOpenRequestA
13154790 push 131522C0                         HttpSendRequestA
1315479F push 131522A8                         InternetQueryOptionA
13154902 push 13152298                         www.baidu.com
13154907 push 1315228C                         HTTP/1.1
13154913 push 13152288                         GETHTTP/1.1
13154919 mov    dword ptr [ebp-7C], 131521E0    image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
13154B3F push 131521D0                         Shell32.dll
13154B4A push 131521C0                         ShellExecuteA
13154B66 push 131521B8                         open
13154B9A push 131521A4                         c:\systemlog1.txt
13154BB2 push 13152190                         c:\systemlog2.txt
13154DBD push 13152430                         C:\Programe Files\
13154DC5 push 13152410                         C:\Programe Files\Common Files\C:\Programe Files\
13154E4B push 1315237C                         Microsoft_2009_1028_System
13154F19 push 131523FC                         ?szid=%s&szoid=%s
13154FB3 push 131523DC                         \Internet Explorer\IEXPLORE.EXE?szid=%s&szoid=%s
131550C0 push 131523CC                         KERNEL32.dll
131550CB push 131523B8                         CreateRemoteThread
13155168 push 1315236C                         usr123451.exe
13155186 push 1315235C                         usr123452.exe
13155194 mov    esi, 131521A4                   c:\systemlog1.txt
131551B7 mov    esi, 13152190                   c:\systemlog2.txt
13155226 push 131521D0                         Shell32.dll
13155234 push 131521C0                         ShellExecuteA
131552AB push 131521D0                         Shell32.dll
131552BD push 131521C0                         ShellExecuteA
131553CB push 13152398                         %s?szid=%s&systype=%d&oid=%s
13155550 push 13152488                         No window
1315592F push 131524C4                         <%s>
13155969 push 131524BC                         </%s>
13155B20 push 13152528                         Temporary Internet Files
13155B57 push 131524F4                         pic123456~_`123utrzxswe_123_56_werttwws_tyu^&#@$dddTemporary Internet Files
13155CEA push 131525B8                         .exe
1315602D mov    esi, 131524B8                   \
13156155 mov    esi, 131524B8                   \
1315628D mov    esi, 13152608                   pvimvo67:woo
13156312 push 131525F8                         XivzgvKilxvhhZ
13156399 mov    esi, 131525F4                   "
131563DB push 131525EC
131564E0 push 13152688                         Microsoft Vista
13156506 push 13152660                         Microsoft Windows Server 2003 family
13156527 push 13152648                         Microsoft Windows XP
13156547 push 13152630                         Microsoft Windows 2000 Microsoft Windows XP
13156568 push 13152618                         Microsoft Windows NT
13156614 push 131526B4                         COMSPEC%
13156627 push 131526AC                         /c del COMSPEC%
1315664F push 131526A4                         > nul
13156684 mov    dword ptr [ebp-74], 1315269C    Open
1315677C mov    dword ptr [esp], 131526E4       syslistview32
131567CD mov    dword ptr [esp], 131526D8       folderview
13156828 mov    dword ptr [esp], 131526C4       shelldll_defview
13156914 push 131525C4                         .lnk
131569CE push 131524CC                         %s\%s
13156BE3 mov    esi, 131524B8                   \
13156D1A mov    esi, 131524B8                   \
13156ED4 push 131526F8                         tuiguangid
13156FC8 push 13152714                         downloadcountadr
13156FFA push 13152704                         rebootcountadr
131570F8 push 13152740                         picnum
13157156 push 13152734                         picadr%d
131571B1 push 13152728                         picmode%d
13157264 push 13152768                         \*
131573A7 push 13152798                         *
13157408 push 1315277C                         %02X%02X%02X%02X%02X%02X
1315741A push 1315276C                         000000000000
1315745F push 131527A8                         %08x
13157479 push 1315279C                         00000000
131574CC mov    esi, 131524B8                   \
13157565 push 131524B8                         \
1315758B push 131524B8                         \
1315777A mov    esi, 131527D4                   r
13157846 push 13150990                         r
13157846 push 13150990                         RmgvimvgJfvibWzgzZezrozyov
13157872 push 131509D0                         r
13157872 push 131509D0                         RmgvimvgIvzwUrov
13157898 push 13150A10                         r
13157898 push 13150A10                         RmgvimvgXolhvSzmwov
131578BE push 13150A50                         r
131578BE push 13150A50                         RmgvimvgLkvmZ
131578E4 push 13150A90                         r
131578E4 push 13150A90                         RmgvimvgXlmmvxgZ
13157912 push 13150AD0                         SggkLkvmIvjfvhgZ
1315793A push 13150B10                         SggkHvmwIvjfvhgZ
13157962 push 13150B50                         r
13157962 push 13150B50                         RmgvimvgJfvibLkgrlmZ
13157B67 mov    edi, 131526F4                   \\
13157D68 push 131528DC                         /
13157DCA push 131528DC                         /
13157EFF push 1315228C                         HTTP/1.1
13157F0B push 13152288                         GETHTTP/1.1
13157F11 mov    dword ptr [ebp-50], 13152800    image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\nAccept-Language: zh-cn\nAccept-Encoding: gzip, deflate
1315907B push 13150D40                         bad allocation
1315E14F mov    dword ptr [ebp+8], 13152A5C    bad exception
1315E47F push 13152A7C                         KERNEL32.DLL
1315E48E push 13152A6C                         EncodePointer
1315E4EB push 13152A7C                         KERNEL32.DLL
1315E4FA push 13152A8C                         DecodePointer
1315E596 push 13152A7C                         KERNEL32.DLL
1315E5B8 push 13152A6C                         EncodePointer
1315E5CC push 13152A8C                         DecodePointer
1315E7FB push 13152A7C                         KERNEL32.DLL
1315E81C push 13152ABC                         FlsAlloc
1315E824 push 13152AB0                         FlsGetValueFlsAlloc
1315E831 push 13152AA4                         FlsSetValueFlsGetValueFlsAlloc
1315E83E push 13152A9C                         FlsFreeFlsSetValueFlsGetValueFlsAlloc
1315F9AD mov    eax, 13152B5C                   Unknown exception
1315FA1F push 13152B80                         mscoree.dllruntime error
1315FA2E push 13152B70                         CorExitProcess
1315FD5E push 13153128                         Runtime Error!\n\nProgram:
1315FDA6 push 13153110                         <program name unknown>
1315FDEB push 1315310C                         ...<program name unknown>
1315FE13 push 13153108                         \n\n
1315FE5A push 131530E0                         Microsoft Visual C++ Runtime Library
13160B41 push ebp                            (Initial CPU selection)
13160E44 push 13153144                         e+000
13161707 push 1315317C                         KERNEL32
13161716 push 13153160                         IsProcessorFeaturePresent
13162903 push 13153914                         kernel32.dll
13162912 push 131538EC                         InitializeCriticalSectionAndSpinCount
131635FF push 131542C0                         USER32.DLL
1316361D push 131542B4                         MessageBoxAUSER32.DLL
1316362F mov    dword ptr [esp], 131542A4       GetActiveWindowMessageBoxAUSER32.DLL
13163644 mov    dword ptr [esp], 13154290       GetLastActivePopup
13163680 push 13154274                         GetUserObjectInformationA
13163698 push 1315425C                         GetProcessWindowStationGetUserObjectInformationA
13165890 push 13154324                         1#SNAN
131658A8 push 1315431C                         1#IND
131658B7 push 13154314                         1#INF
131658E3 push 1315430C                         1#QNAN
131664BB push 1315432C                         CONOUT$
13166C20 push 13150D00                         \n

显示全部楼层 · 发表于 2009-3-27 15:36:00

to VB

显示全部楼层 · 发表于 2009-3-27 15:38:01

很巧，偶用的就是主杀SOPHOS，辅杀绿色版大蜘蛛5.0

显示全部楼层 · 发表于 2009-3-27 17:00:32

KV09过上报

显示全部楼层 · 发表于 2009-3-27 17:45:31

卡巴检测到：病毒 Heur.Trojan.Generic (修改) URL: http://bbs.kafan.cn/attachment.p ... etup_xiaolaoshu.exe

[病毒样本] 抓到一只，高质量2/37，微点杀

本帖子中包含更多资源

本帖子中包含更多资源