原来双击貌似运行不了的程序还是可以运行的！

tgzw1680

只有红伞咖啡认识，如果不是误报。。。。。。。那么就是一个伪装的xp升级程序，copy出来是双击无反应，服务启动。。。。高手分析吧

疯子乖乖

看看的！！！！！！！！！！！！！！

nosferatu

wuaucpl.exe         MALWARE

The file 'wuaucpl.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Drop.Agent.svp. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection will be added to our virus definition file (VDF) with one of the next updates

幸福的猪猪

kaba kill   >Trojan-Spy.Win32.Agent.akbj

hddu

EQ测试，运行一会儿退出，无日志。

ledled

to VB

kingsheet

卡巴   检测到：木马程序 Trojan-Spy.Win32.Agent.akbj        URL: http://bbs.kafan.cn/attachment.p ... 548648//wuaucpl.exe

左手

和你一样的结果

saga3721

'TR/Dldr.Agent.oxg' [trojan]

smallyou93

这里的才是本体吧

http://www.hervalley.com/ezupks/09.htm

释放文件：
%sys32dir%wuaucpl.exe
%sys32dir%\temp.77dat

创建服务：

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuaucpl]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):77,00,75,00,61,00,75,00,63,00,70,00,6c,00,2e,00,65,00,78,00,\
  65,00,00,00
"DisplayName"="Windows Update AutoUpdate Service"
"ObjectName"="LocalSystem"
"Description"="Windows Update AutoUpdate Control Service."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuaucpl\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuaucpl\Enum]
"0"="Root\\LEGACY_WUAUCPL\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

调出cmd，删除自身