【原创】KIS2010(build 437)HIPS防御能力测试【Kafan Virlist 5.22】【STOP停测】

syfwxmh

样本PM，其余发到相应的帖子里

jefffire

真相是总分340.。。

yu88480

我倒是更加关心新版在WIN7等新系统下的表现。

jefffire

恩知道了

syfwxmh

不清楚，是不是又出新版本了

syfwxmh

……………………分数是310
Sorry it is 310 instead of 410, my mistake

jefffire

崩溃了，百度mp3上不去，threatexpert也上不去。。。。。
梦幻你那儿能上么，为什么我总是连接超时
http://www.threatexpert.com/repo ... 5e3ddc22466085dd149

jefffire

。。。 。。。有把柄了

syfwxmh

这个不是我测的，我从来不测试CLT

syfwxmh

Submission details:
Submission received: 10 May 2009, 03:03:37
Processing time: 6 min 46 sec
Submitted sample:
File MD5: 0x37DDC659DBA3A5E3DDC22466085DD149
File SHA-1: 0xE13268B89B7B0FFB9A665A053DF237648946CF7C
Filesize: 13,128 bytes
Alias & packer info:
Suspicious.MH690 [Symantec]
New Malware.aj [McAfee]
BKDR_AGENT.IGK [Trend Micro]
Generic.PWS.Games [Ikarus]
Packed/Upack [AhnLab]
packed with: PE_Patch [Kaspersky Lab]
Summary of the findings:
What's been found Severity Level
Produces outbound traffic.  
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).  
Contains characteristics of an identified security risk.  




Technical Details:


Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:
Security Risk Description
Trojan-PWS.OnLineGames.GEN Trojan-PWS.OnLineGames.GEN is a trojan that drops a dll and tries to steal vital information from the infected machine with regards to various online games and then tries to send that information to the author of the trojan.




File System Modifications

The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 %Temp%\Sys843.dll
%System%\828.log  24,064 bytes MD5: 0x3CD9C2F38E231E07651F2A3672B6CF59
SHA-1: 0x38DE873187383FD5B66DAD8BCA90D0F28D975AAD VirTool:WinNT/Rootkitdrv.GI [Microsoft]
2 %System%\qq.dll  0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)


Notes:
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Memory Modifications

There was a new process created in the system:
Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 90,112 bytes


The following module was loaded into the address space of other process(es):
Module Name Module Filename Address Space Details
qq.dll %System%\qq.dll Process name: svchost.exe
Process filename: %System%\svchost.exe
Address space: 0x71000000 - 0x71009000


There was a new service created in the system:
Service Name Display Name Status Service Filename
6to4 ɵ�ӵ��⼦ "Running" %System%\svchost.exe -k netsvcs




Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSRMCTRLVIP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSRMCTRLVIP\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSRMCTRLVIP\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msrmctrlvip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msrmctrlvip\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msrmctrlvip\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSRMCTRLVIP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSRMCTRLVIP\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSRMCTRLVIP\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msrmctrlvip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msrmctrlvip\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msrmctrlvip\Enum
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "6to4"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000]
Service = "6to4"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "ɵ�ӵ��⼦"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSRMCTRLVIP\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "msrmctrlvip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSRMCTRLVIP\0000]
Service = "msrmctrlvip"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "msrmctrlvip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSRMCTRLVIP]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Enum]
0 = "Root\LEGACY_6TO4\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters]
ServiceDll = "%System%\qq.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4]
Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "ɵ�ӵ��⼦"
ObjectName = "LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msrmctrlvip\Enum]
0 = "Root\LEGACY_MSRMCTRLVIP\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msrmctrlvip\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msrmctrlvip]
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\Beep.sys"
DisplayName = "msrmctrlvip"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "6to4"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000]
Service = "6to4"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "ɵ�ӵ��⼦"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSRMCTRLVIP\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "msrmctrlvip"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSRMCTRLVIP\0000]
Service = "msrmctrlvip"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "msrmctrlvip"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSRMCTRLVIP]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum]
0 = "Root\LEGACY_6TO4\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
ServiceDll = "%System%\qq.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "ɵ�ӵ��⼦"
ObjectName = "LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msrmctrlvip\Enum]
0 = "Root\LEGACY_MSRMCTRLVIP\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msrmctrlvip\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msrmctrlvip]
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\Beep.sys"
DisplayName = "msrmctrlvip"


Other details

The following Host Name was requested from a host database:
huangweiming.3322.org
There was registered attempt to establish connection with the remote host. The connection details are:
Remote Host Port Number
huangweiming.3322.org 8888





Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8888:
00000000 | 210A 0000 0000 2E00 0000 0316 780C 0000 | !...........x...
00000010 | FF00 0000 0043 6F6D 7075 7465 724E 616D | .....ComputerNam
00000020 | 6500 C9B5 D7D3 B5C4 C8E2 BCA6 0000      | e.............