20090329 1个

killloop

Scan taken on 29 Mar 2009 03:34:18 (GMT)
A-Squared	Found Trojan-Spy.Win32.Montp.y!IK
AntiVir	Found nothing
ArcaVir	Found Trojan.Dropper.Agent.Aitv
Avast	Found Win32:Trojan-gen {Other}
AVG Antivirus	Found Agent.AWUA
BitDefender	Found Trojan.Generic.1428105
ClamAV	Found nothing
CPsecure	Found nothing
Dr.Web	Found nothing
F-Prot Antivirus	Found nothing
F-Secure Anti-Virus	Found nothing
Ikarus	Found Trojan-Spy.Win32.Montp.y
Kaspersky Anti-Virus	Found nothing
NOD32	Found nothing
Norman Virus Control	Found nothing
Panda Antivirus	Found Generic
Quick Heal	Found Trojan.Agent.irc
Sophos Antivirus	Found nothing
VirusBuster	Found nothing
VBA32	Found nothing

软件名称	引擎版本	病毒库版本	病毒库时间	扫描结果	时间
a-squared	4.0.0.32	20090329005312	2009-03-29	-	40.126
AntiVir	7.9.0.129	7.1.2.228	2009-03-27	-	1.977
Authentium	5.1.1	200903281739	2009-03-28	-	3.134
AVAST!	3.0.1	090328-0	2009-03-28	Win32:Trojan-gen {Other}	0.062
AVG	7.5.52.442	270.11.31/2028	2009-03-28	Agent.AWUA	1.969
BitDefender	7.81008.2815907	7.24478	2009-03-29	Trojan.Generic.1428105	4.933
CA (VET)	9.0.0.143	31.6.6421	2009-03-28	-	40.131
ClamAV	0.94.2	9178	2009-03-29	-	0.245
Comodo	3.8	1087	2009-03-28	-	40.127
CP Secure	1.1.0.715	2009.03.29	2009-03-29	-	7.848
Dr.Web	4.44.0.9170	2009.03.29	2009-03-29	-	4.496
F-Prot	4.4.4.56	20090328	2009-03-28	-	2.979
F-Secure	5.51.6100	2009.03.28.09	2009-03-28	-	0.098
GData	19.4291/19.279	20090329	2009-03-29	-	40.127
Ikarus	T3.1.01.48	2009.03.29.72492	2009-03-29	Trojan-Spy.Win32.Montp.y	2.953
Microsoft	1.4502	2009.03.28	2009-03-28	-	40.126
mks_vir	2.01	2009.03.29	2009-03-29	-	2.726
Norman	6.00.06	6.00.00	2009-03-27	-	8.009
nProtect	20090328.01	3381841	2009-03-28	-	40.130
Quick Heal	10.00	2009.03.28	2009-03-28	-	40.127
Sophos	2.85.0	4.40	2009-03-29	-	1.934
Sunbelt	5066	5066	2009-03-28	-	40.127
The Hacker	6.3.3.8	v00295	2009-03-28	-	40.126
VBA32	3.12.10.1	20090327.1554	2009-03-27	-	4.559
ViRobot	20090327	2009.03.27	2009-03-27	-	40.126
VirusBuster	4.5.11.10	10.102.26/1054800	2009-03-28	-	1.775
卡巴斯基	5.5.10	2009.03.28	2009-03-28	-	0.071
安博士V3	2009.03.28.02	2009.03.28	2009-03-28	-	40.140
安天	2.0.18	20090329.2252447	2009-03-29	-	0.169
江民杀毒	11.0.706	2009.03.28	2009-03-28	-	40.127
熊猫卫士	9.05.01	2009.03.28	2009-03-28	-	40.126
瑞星	20.0	21.22.60.00	2009-03-29	-	40.142
赛门铁克	1.3.0.24	20090328.003	2009-03-28	-	33.688
趋势科技	8.700-1004	5.928.15	2009-03-28	-	0.029
迈克菲	5.3.00	5567	2009-03-28	-	3.886
金山毒霸	2009.2.5.15	2009.3.28.15	2009-03-28	-	40.132
飞塔	2.81-3.117	10.214	2009-03-28	-	40.128

反病毒引擎	版本	最后更新	扫描结果
a-squared	4.0.0.101	2009.03.29	Trojan-Spy.Win32.Montp.y!IK
AhnLab-V3	5.0.0.2	2009.03.28	Win-Trojan/Xema.variant
AntiVir	7.9.0.129	2009.03.27	-
Antiy-AVL	2.0.3.1	2009.03.29	-
Authentium	5.1.2.4	2009.03.28	-
Avast	4.8.1335.0	2009.03.28	Win32:Trojan-gen {Other}
AVG	8.5.0.285	2009.03.28	Agent.AWUA
BitDefender	7.2	2009.03.29	Trojan.Generic.1428105
CAT-QuickHeal	10.00	2009.03.28	Trojan.Agent.irc
ClamAV	0.94.1	2009.03.29	-
Comodo	1087	2009.03.28	-
DrWeb	4.44.0.09170	2009.03.29	-
eSafe	7.0.17.0	2009.03.27	-
eTrust-Vet	31.6.6421	2009.03.27	-
F-Prot	4.4.4.56	2009.03.28	-
F-Secure	8.0.14470.0	2009.03.28	-
Fortinet	3.117.0.0	2009.03.28	PossibleThreat
GData	19	2009.03.29	Trojan.Generic.1428105
Ikarus	T3.1.1.48.0	2009.03.29	Trojan-Spy.Win32.Montp.y
K7AntiVirus	7.10.684	2009.03.28	Trojan.Win32.Malware.3
Kaspersky	7.0.0.125	2009.03.29	-
McAfee	5567	2009.03.28	-
McAfee+Artemis	5567	2009.03.28	Generic!Artemis
McAfee-GW-Edition	6.7.6	2009.03.28	-
Microsoft	1.4502	2009.03.28	Trojan:Win32/Meredrop
NOD32	3972	2009.03.28	-
Norman	6.00.06	2009.03.27	-
nProtect	2009.1.8.0	2009.03.29	Trojan-Dropper/W32.Agent.1403160
Panda	10.0.0.10	2009.03.29	Generic Trojan
PCTools	4.4.2.0	2009.03.28	-
Prevx1	V2	2009.03.29	-
Rising	21.22.60.00	2009.03.29	Dropper.Win32.Nodef.bj
Sophos	4.40.0	2009.03.29	-
Sunbelt	3.2.1858.2	2009.03.28	Trojan.1
Symantec	1.4.4.12	2009.03.29	-
TheHacker	6.3.3.8.295	2009.03.28	Trojan/Agent.bwnd
TrendMicro	8.700.0.1004	2009.03.28	-
VBA32	3.12.10.1	2009.03.27	-
ViRobot	2009.3.27.1666	2009.03.27	Trojan.Win32.Agent.916762

江湖的fans

瑞星杀掉

黑衣~魂

TO DW

sbbdms

Kaspersky miss
TO KL

Hello,


waigua.exe

No malicious code was found in this file.

>From: lovefuwa0411@qq.com
>Sent: Mar 29 2009 10:33AM
>To: "New Virus" <newvirus@kaspersky.com>
>Subject: virus
>
>
>
Regards, Tatarinov Ivan
Virus Analyst

10/1, 1st Volokolamsky Proezd, Moscow, 123060, Russia
Tel./Fax: + 7 (495) 797 8700
http://www.kaspersky.com http://www.viruslist.com

[ 本帖最后由 sbbdms 于 2009-3-29 14:55 编辑 ]

saga3721

红伞运行报'TR/PSW.49152.52 [trojan]'

Palkia

上报金山

sbbdms

Hello,


waigua.exe

No malicious code was found in this file.

>From: lovefuwa0411@qq.com
>Sent: Mar 29 2009 10:33AM
>To: "New Virus" <newvirus@kaspersky.com>
>Subject: virus
>
>
>
Regards, Tatarinov Ivan
Virus Analyst

10/1, 1st Volokolamsky Proezd, Moscow, 123060, Russia
Tel./Fax: + 7 (495) 797 8700
http://www.kaspersky.com http://www.viruslist.com

SUZAKU

卡巴斯基杀毒报告

扫描文件数：6

查杀（病毒、木马）数：0

详细杀毒报告列表：
无

kxmp

Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.  Customer delight is our top priority at
Norman.  With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer
http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter
http://www.norman.com/Product/Sandbox-products/Reporter/

waigua.rar : Not detected by Sandbox (Signature: NO_VIRUS)

[ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS

[ General information ]
    * File length:         1030021 bytes.
    * MD5 hash: fa3e4aa5783bdc9c05bfa7c94eec1523.


(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information source only.

This file is not flagged as malicious by the Norman Sandbox Information Center. However, we can not guarantee that the file is harmless. If you still suspect the file to be malicious and if you urgently need to know for sure, please submit it to your local Norman support department for manual analysis.


************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************

kxmp

Submission Summary:
Submission details:
Submission received: 29 March 2009, 22:12:16
Processing time: 10 min 7 sec
Submitted sample:
File MD5: 0xAACA1EB2EF0DBAD6440891A87DD7C534
File SHA-1: 0xE6988028273464342C114B1F22B286ABA50ABE13
Filesize: 1,402,585 bytes
Alias:
Trojan:Win32/Meredrop [Microsoft]
Trojan-Spy.Win32.Montp.y [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
Summary of the findings:

What's been found Severity Level
Downloads/requests other files from Internet.  
Registers a 32-bit in-process server DLL.  
Contains characteristics of an identified security risk.  




Technical Details:


Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk Description
Trojan-PWS.Stealer.HF This trojan steals login and password information stored on an infected machine and sends the stolen information to the attacker without the users permission.




File System Modifications

The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %ProgramFiles%\WAIGUA\Script\XX.Script  1,510 bytes MD5: 0x20A29DAE88F0BE599C9DE92D7498DF0F
SHA-1: 0xE3B7CEA4ACBA88FE2F7766DDEB72EE466BE5328F (not available)
2 %ProgramFiles%\WAIGUA\Tes.dll  188,416 bytes MD5: 0x13525467781BFCB558372E19DC32FFF6
SHA-1: 0xA4739E6C3E2A96E5401B25FFF8A5C301E4ED528B packed with PE_Patch.UPX [Kaspersky Lab]
3 %ProgramFiles%\WAIGUA\XX.ini  1,585 bytes MD5: 0x98FAFA20AF8ADEC66AAA3C1E08AFF235
SHA-1: 0x4A513448891F6DC1399973B4257A4A9271091FDA (not available)
4 %ProgramFiles%\WAIGUA\Ѱ��.exe  863,744 bytes MD5: 0xD1716CE62F3475E5F83EC7C825513D3C
SHA-1: 0xF2C7A9E9088414A3CE4AA1A66E764EC54F716FB8 (not available)
5 %FontsDir%\gzqqxx01.dat  42 bytes MD5: 0xFDB2399D052C1A7E43F1F0C0AEFA8E48
SHA-1: 0x3615E7CE14A0CEA160FBB96A12014DB46433D957 (not available)
6 %FontsDir%\oefhemdi.dll  49,152 bytes MD5: 0xDFE595335726A370A8BF28A5221BFF62
SHA-1: 0x896B0DEB8394E1D4A7FC8EDCC43A7648A5084A9C PWS-QQPass.dll [McAfee]
Mal/Behav-010, Mal/Behav-027 [Sophos]
PWS:Win32/OnLineGames.CQ [Microsoft]
Generic.PWS.Games [Ikarus]
Win-Trojan/OnlineGameHack.49152.FY [AhnLab]
7 [file and pathname of the sample #1]  1,402,585 bytes MD5: 0xAACA1EB2EF0DBAD6440891A87DD7C534
SHA-1: 0xE6988028273464342C114B1F22B286ABA50ABE13 Trojan:Win32/Meredrop [Microsoft]
Trojan-Spy.Win32.Montp.y [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
8 %System%\YingInstall\409.ini  3,829 bytes MD5: 0x743F4CFCFAAEF1A3BDAF49C23F69E5EB
SHA-1: 0xF3EC13632490C6D20EDB7BAE8CA11544952AC047 (not available)
9 %Windir%\Ying-UnInstall.exe  450,048 bytes MD5: 0x23BA5FA2CC6714373B37A189BDD4BC18
SHA-1: 0x9CADD66B8F1145BFA5DD0CA459CCA7739AA186DE (not available)


Notes:
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
The following directories were created:
%ProgramFiles%\WAIGUA
%ProgramFiles%\WAIGUA\Config
%ProgramFiles%\WAIGUA\Script
%System%\YingInstall


Memory Modifications

There were new processes created in the system:

Process Name Process Filename Main Module Size
xxwg.exe %ProgramFiles%\WAIGUA\xxwg.exe 81,920 bytes
[generic host process] [generic host process filename] 20,480 bytes
ying-uninstall.exe %Windir%\ying-uninstall.exe 475,136 bytes
[filename of the sample #1] [file and pathname of the sample #1] 634,880 bytes


Notes:
[generic host process filename] is a full path filename of [generic host process].
The following modules were loaded into the address space of other process(es):

Module Name Module Filename Address Space Details
oefhemdi.dll %FontsDir%\oefhemdi.dll Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x19C0000 - 0x19CF000
oefhemdi.dll %FontsDir%\oefhemdi.dll Process name: msmsgs.exe
Process filename: %ProgramFiles%\messenger\msmsgs.exe
Address space: 0xBA0000 - 0xBAF000
oefhemdi.dll %FontsDir%\oefhemdi.dll Process name: dllhost.exe
Process filename: %System%\dllhost.exe
Address space: 0x2530000 - 0x253F000
oefhemdi.dll %FontsDir%\oefhemdi.dll Process name: sdnsmain.exe
Process filename: %Windir%\dns\sdnsmain.exe
Address space: 0x1620000 - 0x162F000
oefhemdi.dll %FontsDir%\oefhemdi.dll Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1B30000 - 0x1B3F000
oefhemdi.dll %FontsDir%\oefhemdi.dll Process name: Ѱ��.exe
Process filename: %ProgramFiles%\waigua\���.exe
Address space: 0x390000 - 0x39F000




Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{334E586E-C2FF-44DB-953D-1C6B988C638F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{334E586E-C2FF-44DB-953D-1C6B988C638F}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{334E586E-C2FF-44DB-953D-1C6B988C638F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{334E586E-C2FF-44DB-953D-1C6B988C638F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\YingSoft
HKEY_LOCAL_MACHINE\SOFTWARE\YingSoft\YingInstall
HKEY_LOCAL_MACHINE\SOFTWARE\YingSoft\YingInstall\Ѱ�����
HKEY_LOCAL_MACHINE\SOFTWARE\YingSoft\YingInstall\Ѱ�����\WAIGUA
HKEY_LOCAL_MACHINE\SOFTWARE\YingSoft\YingInstall\Ѱ�����\WAIGUA\1.1
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}\VersionIndependentProgID]
(Default) = "QQXX.qqxxatl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}\TypeLib]
(Default) = "{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}\ProgID]
(Default) = "QQXX.qqxxatl.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}\InprocServer32]
(Default) = "%FontsDir%\oefhemdi.dll"
ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}]
(Default) = "qqxxatl Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{334E586E-C2FF-44DB-953D-1C6B988C638F}\TypeLib]
(Default) = "{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}"
Version = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{334E586E-C2FF-44DB-953D-1C6B988C638F}\ProxyStubClsid32]
(Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{334E586E-C2FF-44DB-953D-1C6B988C638F}\ProxyStubClsid]
(Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{334E586E-C2FF-44DB-953D-1C6B988C638F}]
(Default) = "Iqqxxatl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}\1.0\0\win32]
(Default) = "%FontsDir%\oefhemdi.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}\1.0\HELPDIR]
(Default) = "%FontsDir%\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}\1.0\FLAGS]
(Default) = "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FBB7ADFA-C76C-4BD4-864D-F438D2DDCE80}\1.0]
(Default) = "QQXX 1.0 Type Library"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl\CurVer]
(Default) = "QQXX.qqxxatl.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl\CLSID]
(Default) = "{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl]
(Default) = "qqxxatl Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl.1\CLSID]
(Default) = "{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQXX.qqxxatl.1]
(Default) = "qqxxatl Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C} = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
%FontsDir%\oefhemdi.dll = "{E58B05EE-6CA5-42E1-A0CE-82169DDEE42C}"
[HKEY_LOCAL_MACHINE\SOFTWARE\YingSoft\YingInstall\Ѱ�����\WAIGUA\1.1]
ProgramFolder = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\YingSoft\YingInstall\Ѱ�����\WAIGUA]
Path = "%ProgramFiles%\WAIGUA"
Version = "1.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\YingSoft\YingInstall]
LastVersion = "5.8"