Original poster: 彼岸あ天堂

[Virus sample] Caught in the print room, gets past Kaspersky, 小A

xxl
Posted on 2009-6-17 23:18:53
BitDefender 2009

This web page has been blocked by BitDefender Antivirus Real-time Protection!

The blocked web page included objects that were either infected or likely to be infected with a virus. Your system has NOT been infected.
Gen:Trojan.Heur.3074889090
SUZAKU
Posted on 2009-6-17 23:29:28

AVK detection

Virus scan with G DATA AntiVirus
Version 20.0.2.1 (3/10/2009)
Virus signature date 6/17/2009
Start time: 6/17/2009 23:28
Engines: Engine A (AVA 19.6000), Engine B (AVB 19.366)
High heuristics: on
Files: on
System areas: on
RootKit detection: off

Scanning system areas
Scanning selected directories and files:
  C:\Documents and Settings\Try\桌面\Archive.rar

Item: Important.FILES.EXE
        In archive: C:\Documents and Settings\Try\桌面\Archive.rar
        Status: virus found
        Virus: Gen:Trojan.Heur.30748B9090 (Engine A)
Item: 重要文件..EXE
        In archive: C:\Documents and Settings\Try\桌面\Archive.rar
        Status: virus found
        Virus: Gen:Trojan.Heur.30748B9090 (Engine A)
Item: Archive.rar
        Path: C:\Documents and Settings\Try\桌面
        Status: virus found
        Virus: Gen:Trojan.Heur.30748B9090 (2x) (Engine A)

Scan finished: 6/17/2009 23:28
    1 file scanned
    1 infected file found
    0 suspicious files found
taihuxian
Posted on 2009-6-18 10:51:04
Originally posted by 彼岸あ天堂 on 2009-6-17 16:28:
Er, may I ask what you used to detect this?

It's AVG
BitDefender 2009
This web page has been blocked by BitDefender Antivirus Real-time Protection!
The blocked web page included objects that were (possibly) infected with a virus. Your system has NOT been infected.
lorchid
Posted on 2009-6-18 12:55:57
Create file    Blocked
Process: j:\download\!warning\重要文件..exe
Target: C:\WINDOWS\system\smss.exe
Rule: [Application group]AF00_All programs filter -> [File group]FD System executables

Load dynamic-link library    Allowed
Process: j:\download\!warning\重要文件..exe
Target: c:\windows\system32\apphelp.dll
Rule: [Application]*

Load dynamic-link library    Allowed
Process: j:\download\!warning\重要文件..exe
Target: c:\windows\system32\version.dll
Rule: [Application]*

Create new process    Blocked
Process: j:\download\!warning\重要文件..exe
Target: c:\windows\system32\cmd.exe
Command line: cmd /c C:\WINDOWS\system\smss.exe
Rule: [Application group]AF00_All programs filter -> [Child application]AD_Blacklisted programs
xieyun
Posted on 2009-6-18 13:00:19
Virus: Gen:Trojan.Heur.30748B9090 (2x) (Engine A)

Virus found while downloading Web content.

Address: bbs.kafan.cn
jochelliu
Posted on 2009-6-18 13:02:52
Analysis shows this is a malicious program. File behaviour:
1. Copies itself
2. Creates executable scripts
3. Creates files in the Windows system directory
4. Creates services and drivers

• Keys Created
Name Last Write Time
LM\System\CurrentControlSet\Services\NTService 2009.01.12 14:47:55.125
LM\System\CurrentControlSet\Services\NTService\Enum 2009.01.12 14:47:55.125
LM\System\CurrentControlSet\Services\NTService\Security 2009.01.12 14:47:54.687

• Values Created
Name Type Size Value
LM\System\CurrentControlSet\Services\NTService\Description REG_SZ 238 "For the security of Windows NT servies. An important System service, If it was terminated, Windows would be Collapsed."
LM\System\CurrentControlSet\Services\NTService\DisplayName REG_SZ 38 "Windows NT Service"
LM\System\CurrentControlSet\Services\NTService\Enum\0 REG_SZ 54 "Root\LEGACY_NTSERVICE\0000"
LM\System\CurrentControlSet\Services\NTService\Enum\Count REG_DWORD 4 0x1
LM\System\CurrentControlSet\Services\NTService\Enum\NextInstance REG_DWORD 4 0x1
LM\System\CurrentControlSet\Services\NTService\ErrorControl REG_DWORD 4 0x1
LM\System\CurrentControlSet\Services\NTService\ImagePath REG_EXPAND_SZ 54 "C:\WINDOWS\system\smss.exe"
LM\System\CurrentControlSet\Services\NTService\ObjectName REG_SZ 24 "LocalSystem"
LM\System\CurrentControlSet\Services\NTService\Security\Security REG_BINARY 168 ?
LM\System\CurrentControlSet\Services\NTService\Start REG_DWORD 4 0x2
LM\System\CurrentControlSet\Services\NTService\Type REG_DWORD 4 0x10

• Values Changed
Name Type Size Value
LM\System\CurrentControlSet\Control\ServiceCurrent\ REG_DWORD/REG_DWORD 4/4 0x8/0x9

• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\system\smss.exe 57344 2009.01.12 14:47:53.390 2009.01.12 14:47:53.968 2009.01.12 14:47:53.968 0x7

• Processes Created
PId Process Name Image Name
0x36c cmd.exe C:\WINDOWS\system32\cmd.exe
0x374 smss.exe C:\WINDOWS\system\smss.exe
0x7d0 smss.exe C:\WINDOWS\system\smss.exe

• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x344 svchost.exe 0x170 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
0x36c cmd.exe 0x370 0x7c810867 MEM_IMAGE 0x4ad05056 MEM_IMAGE
0x374 smss.exe 0x7cc 0x7c810867 MEM_IMAGE 0x140049c3 MEM_IMAGE
0x404 svchost.exe 0x7a8 0x7c810856 MEM_IMAGE 0x762cf0a3 MEM_IMAGE
0x404 svchost.exe 0x7ac 0x7c810856 MEM_IMAGE 0x7529edb3 MEM_IMAGE
0x404 svchost.exe 0x7b8 0x7c810856 MEM_IMAGE 0x7529e44b MEM_IMAGE
0x404 svchost.exe 0x7bc 0x7c810856 MEM_IMAGE 0x762cf0a3 MEM_IMAGE
0x7d0 smss.exe 0x7d8 0x7c810867 MEM_IMAGE 0x140049c3 MEM_IMAGE
0x7d0 smss.exe 0x7dc 0x7c810856 MEM_IMAGE 0x77deb479 MEM_IMAGE

• Modules Loaded
PId Process Name Base Size Flags Image Name
0x404 svchost.exe 0x73d30000 0x17000 0x800c4004 C:\WINDOWS\system32\wbem\wbemcons.dll

• Windows Api Calls
PId Image Name Address Function ( Parameters ) | Return Value
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x358 C:\TEST\sample.exe 0x14001143 CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\system\smss.exe", bFailIfExists: 0x0)|0x1
0x374 C:\WINDOWS\system\smss.exe 0x140013dd CreateServiceA(hSCManager: 0x159a90, lpServiceName: "NTService", lpDisplayName: "Windows NT Service", dwDesiredAccess: 0xf01ff, dwServiceType: 0x10, dwStartType: 0x2, dwErrorControl: 0x1, lpBinaryPathName: "C:\WINDOWS\system\smss.exe", lpLoadOrderGroup: "(null)", lpdwTagId: 0x0, lpDependencies: 0x1400b068, lpServiceStartName: "(null)", lpPassword: 0x0)|0x159728

Rated as Suspicious

• Description
Suspicious Actions Detected
Copies self to other locations
Creates and executes scripts
Creates files in windows system directory
Creates system services or drivers

• Events Created or Opened
PId Image Name Address Event Name
0x374 C:\WINDOWS\system\smss.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
0x7d0 C:\WINDOWS\system\smss.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
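As an added example (not code from any poster in this thread, and not a tool used in it), the Python script below takes the service registry values quoted in jochelliu's sandbox report and the archive member names from the scan logs, and derives the indicators a responder would want flagged from this sample: an auto-start service running as LocalSystem, a core-binary name (smss.exe) living outside %SystemRoot%\system32 (the same path lorchid's HIPS log shows being launched through cmd /c), and bait filenames with a doubled dot before .EXE. The report lines are reproduced inline as constructed sample input; the assumption that %SystemRoot% is C:\WINDOWS (a default Windows XP install) and the list of core binary names are mine, not from the page.

```python
from __future__ import annotations
import re

# Constructed sample: the service "Values Created" lines quoted from the sandbox
# report above (the misspelling "servies" is the malware's own string).
SANDBOX_REPORT = r"""
LM\System\CurrentControlSet\Services\NTService\Description REG_SZ 238 "For the security of Windows NT servies. An important System service, If it was terminated, Windows would be Collapsed."
LM\System\CurrentControlSet\Services\NTService\DisplayName REG_SZ 38 "Windows NT Service"
LM\System\CurrentControlSet\Services\NTService\ErrorControl REG_DWORD 4 0x1
LM\System\CurrentControlSet\Services\NTService\ImagePath REG_EXPAND_SZ 54 "C:\WINDOWS\system\smss.exe"
LM\System\CurrentControlSet\Services\NTService\ObjectName REG_SZ 24 "LocalSystem"
LM\System\CurrentControlSet\Services\NTService\Start REG_DWORD 4 0x2
LM\System\CurrentControlSet\Services\NTService\Type REG_DWORD 4 0x10
"""

# One value directly under Services\<name>\ ; nested keys (Enum, Security) are skipped.
SERVICE_VALUE = re.compile(
    r"^LM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\(?P<name>\w+) "
    r"(?P<type>REG_\w+) \d+ (?P<value>.+)$"
)

# winsvc.h constants for the Start and Type values.
SERVICE_AUTO_START = 0x2
SERVICE_WIN32_OWN_PROCESS = 0x10

# Assumption: default XP layout, so these names only legitimately live in C:\WINDOWS\system32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
BAIT_WORDS = ("important", "file", "document", "重要", "文件")


def parse_service_values(report: str) -> dict[str, dict[str, object]]:
    """Group service values by service name; REG_DWORD decoded to int, strings unquoted."""
    services: dict[str, dict[str, object]] = {}
    for line in report.splitlines():
        m = SERVICE_VALUE.match(line.strip())
        if not m:
            continue
        raw = m["value"]
        value: object = int(raw, 16) if m["type"] == "REG_DWORD" else raw.strip('"')
        services.setdefault(m["svc"], {})[m["name"]] = value
    return services


def masquerade_reason(path: str) -> str | None:
    """Flag a core Windows binary name whose image is outside system32."""
    directory, _, basename = path.lower().rpartition("\\")
    if basename in CORE_BINARIES and directory != SYSTEM32:
        return f"{basename} masquerade: image in {directory!r}, legitimate copy lives in {SYSTEM32!r}"
    return None


def assess_service(name: str, values: dict[str, object]) -> list[str]:
    """Persistence indicators for one service entry, as human-readable findings."""
    findings: list[str] = []
    image = str(values.get("ImagePath", ""))
    if values.get("Start") == SERVICE_AUTO_START:
        findings.append(f"{name}: Start=0x2 (SERVICE_AUTO_START), runs at every boot")
    if values.get("Type") == SERVICE_WIN32_OWN_PROCESS:
        findings.append(f"{name}: Type=0x10 (SERVICE_WIN32_OWN_PROCESS), standalone image {image}")
    if str(values.get("ObjectName", "")).lower() == "localsystem":
        findings.append(f"{name}: runs as LocalSystem")
    reason = masquerade_reason(image)
    if reason:
        findings.append(f"{name}: {reason}")
    return findings


def deceptive_name_reasons(filename: str) -> list[str]:
    """Why an archive member name looks like social-engineering bait (empty if it does not)."""
    reasons: list[str] = []
    stem, dot, ext = filename.rpartition(".")
    if not dot or f".{ext.lower()}" not in EXEC_EXTS:
        return reasons  # not an executable, nothing to flag
    if stem.endswith("."):
        reasons.append("doubled dot before the extension disguises '.EXE' as a document name")
    if any(w in stem.lower() for w in BAIT_WORDS):
        reasons.append("bait word ('important'/'file') on an executable")
    return reasons


def triage(report: str, archive_members: list[str]) -> list[str]:
    """Combine service and filename findings for the whole sample."""
    findings: list[str] = []
    for svc, values in parse_service_values(report).items():
        findings.extend(assess_service(svc, values))
    for member in archive_members:
        findings.extend(f"{member}: {r}" for r in deceptive_name_reasons(member))
    return findings


if __name__ == "__main__":
    for finding in triage(SANDBOX_REPORT, ["Important.FILES.EXE", "重要文件..EXE"]):
        print("-", finding)
```

Run directly, it prints seven findings for this sample. The masquerade check returns None for C:\WINDOWS\system32\smss.exe, so it does not fire on the real Session Manager, only on the copy dropped one directory up in \system.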
sam.to
Posted on 2009-6-18 16:44:58
18/6/2009 16:44:46        Detected: Backdoor.Win32.Agent.ahun        C:\Documents and Settings\kato\桌面\Archive.rar/Important.FILES.EXE
18/6/2009 16:44:46        Detected: Backdoor.Win32.Agent.ahun        C:\Documents and Settings\kato\桌面\Archive.rar/重要文件..EXE
SUZAKU
Posted on 2009-6-18 18:56:22

GDNBS detection

Virus scan with G DATA AntiVirus
Version 20.0.2.1 (3/10/2009)
Virus signature date 6/18/2009
Start time: 6/18/2009 18:55
Engines: Engine A (AVA 19.6012), Engine B (AVB 19.367)
High heuristics: on
Files: on
System areas: on
RootKit detection: off

Scanning system areas
Scanning selected directories and files:
  C:\Documents and Settings\Try\桌面\Archive.rar

Item: Important.FILES.EXE
        In archive: C:\Documents and Settings\Try\桌面\Archive.rar
        Status: virus found
        Virus: Gen:Trojan.Heur.30748B9090 (Engine A)
Item: 重要文件..EXE
        In archive: C:\Documents and Settings\Try\桌面\Archive.rar
        Status: virus found
        Virus: Gen:Trojan.Heur.30748B9090 (Engine A)
Item: Archive.rar
        Path: C:\Documents and Settings\Try\桌面
        Status: virus found
        Virus: Gen:Trojan.Heur.30748B9090 (2x) (Engine A)

Scan finished: 6/18/2009 18:56
    1 file scanned
    1 infected file found
    0 suspicious files found
╰☆綠葉子☆╮
Posted on 2009-6-18 20:09:15
Microsoft antivirus... heh, this one is the closed beta
kuer826
Posted on 2009-6-19 11:06:22
Detected as soon as I downloaded it: KIS8
Copyright © KaFan  KaFan.cn All Rights Reserved.