Views: 3629 | Replies: 18

[Virus sample] A fat horse (trojan).

1aty
Posted 2009-6-18 09:04:53
http://www.virscan.org/report/aaca4f4ed5b0955dba4251630e2a79b5.html


Just got infected... speechless.

tracydk
Posted 2009-6-18 09:07:35
to avg
幸福的猪猪
Posted 2009-6-18 09:09:21

Reply to 1aty's post (#1)

to kaba avira kill.


Hello,


New malicious software was found in the attached file. Its detection will be included in the next update.
Thank you for your help.
Trojan-GameThief.Win32.Magania.bhlz


The file '11.exe' has been determined to be 'MALWARE'.
Our analysts named the threat TR/Redosdru.F.25. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.01.04.108.

[ This post was last edited by 幸福的猪猪 on 2009-6-18 14:46 ]
winxp0286
Posted 2009-6-18 09:09:54
TO AVIRA
HC303
Posted 2009-6-18 09:10:28
G:\virus\11.rar/11.exe         detected: Trojan.Win32.Redosdru!IK
luxiao200888
Posted 2009-6-18 09:30:10
MSE kill
barbara
Posted 2009-6-18 10:21:27
Same as above~
冰比冰水冰 (this user has been deleted)
Posted 2009-6-18 10:42:50
kis miss
Writes a 408000.gho file under temp, then deletes it~
Writes the file ceglu.ref in the system directory~
Registry writes:

Writes a service entry
[cegludi / 6to4][Running/Auto Start]
  C:\WINDOWS\system32\ceglu.ref>

悠柚
Posted 2009-6-18 11:11:19
mpav 费尔 miss
jochelliu
Posted 2009-6-18 14:04:14
Analysis shows it is a malicious program; its behaviour is as follows:
1. Creates a file in the WINDOWS system directory
2. Creates a system service or driver

• Keys Created
Name Last Write Time
LM\System\CurrentControlSet\Services\6to4 2009.01.12 15:12:49.625
LM\System\CurrentControlSet\Services\6to4\Enum 2009.01.12 15:12:49.625
LM\System\CurrentControlSet\Services\6to4\Parameters 2009.01.12 15:12:46.859
LM\System\CurrentControlSet\Services\6to4\Security 2009.01.12 15:12:45.515

• Values Created
Name Type Size Value
LM\System\CurrentControlSet\Services\6to4\Description REG_SZ 74 "????????????????????????????????"
LM\System\CurrentControlSet\Services\6to4\DisplayName REG_SZ 18 "anjsbia?"
LM\System\CurrentControlSet\Services\6to4\Enum\0 REG_SZ 44 "Root\LEGACY_6TO4\0000"
LM\System\CurrentControlSet\Services\6to4\Enum\Count REG_DWORD 4 0x1
LM\System\CurrentControlSet\Services\6to4\Enum\NextInstance REG_DWORD 4 0x1
LM\System\CurrentControlSet\Services\6to4\ErrorControl REG_DWORD 4 0x0
LM\System\CurrentControlSet\Services\6to4\ImagePath REG_EXPAND_SZ 90 "%SystemRoot%\System32\svchost.exe -k netsvcs"
LM\System\CurrentControlSet\Services\6to4\Module REG_SZ 38 "C:\TEST\sample.exe"
LM\System\CurrentControlSet\Services\6to4\ObjectName REG_SZ 24 "LocalSystem"
LM\System\CurrentControlSet\Services\6to4\Parameters\ServiceDll REG_EXPAND_SZ 60 "C:\WINDOWS\system32\bpohw.ref"
LM\System\CurrentControlSet\Services\6to4\Parameters\ServiceMain REG_SZ 32 "DestroyInstance"
LM\System\CurrentControlSet\Services\6to4\Security\Security REG_BINARY 168 ?
LM\System\CurrentControlSet\Services\6to4\Start REG_DWORD 4 0x2
LM\System\CurrentControlSet\Services\6to4\Type REG_DWORD 4 0x120

• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\system32\bpohw.ref 151552 2008.10.31 11:22:48.000 2007.07.27 12:00:00.000 2009.01.12 15:12:49.578 0x20

• Files Changed
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\system32\config\AppEvent.Evt 65536/65536 2009.01.12 15:09:58.484/2009.01.12 15:12:51.515 2008.07.31 16:57:13.609/2008.07.31 16:57:13.609 2008.08.01 06:13:56.218/2009.01.12 15:12:51.515 0x20/0x20
C:\WINDOWS\system32\config\SecEvent.Evt 65536/65536 2008.07.31 16:57:14.875/2009.01.12 15:12:51.531 2008.07.31 16:57:14.875/2008.07.31 16:57:14.875 2008.07.31 16:57:14.875/2009.01.12 15:12:51.531 0x20/0x20
C:\WINDOWS\system32\config\SysEvent.Evt 65536/65536 2009.01.12 15:09:58.484/2009.01.12 15:12:51.562 2008.07.31 16:57:14.906/2008.07.31 16:57:14.906 2008.08.01 06:13:56.218/2009.01.12 15:12:51.562 0x20/0x20

• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x274 winlogon.exe 0x298 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x2ac lsass.exe 0x67c 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x348 svchost.exe 0xf8 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
0x3f4 svchost.exe 0x374 0x7c810856 MEM_IMAGE 0x7529edb3 MEM_IMAGE
0x3f4 svchost.exe 0x378 0x7c810856 MEM_IMAGE 0x77deb479 MEM_IMAGE
0x3f4 svchost.exe 0x384 0x7c810856 MEM_IMAGE 0x7529e44b MEM_IMAGE
0x3f4 svchost.exe 0x4f4 0x7c810856 MEM_IMAGE 0x762cf0a3 MEM_IMAGE

• Modules Loaded
PId Process Name Base Size Flags Image Name
0x3f4 svchost.exe 0x10000000 0x27000 0x80084004 c:\windows\system32\bpohw.ref
0x3f4 svchost.exe 0x73d30000 0x17000 0x800c4004 C:\WINDOWS\system32\wbem\wbemcons.dll
0x3f4 svchost.exe 0x75a70000 0x21000 0x800c4006 c:\windows\system32\MSVFW32.dll
0x3f4 svchost.exe 0x76390000 0x1d000 0x80084004 C:\WINDOWS\System32\IMM32.DLL
0x3f4 svchost.exe 0x76bf0000 0xb000 0x800c4004 C:\WINDOWS\System32\PSAPI.DLL

• Windows Api Calls
PId Image Name Address Function ( Parameters ) | Return Value
0x684 C:\TEST\sample.exe 0x4018e9 CreateServiceA(hSCManager: 0x14bc48, lpServiceName: "6to4", lpDisplayName: "anjsbia?", dwDesiredAccess: 0xf01ff, dwServiceType: 0x120, dwStartType: 0x2, dwErrorControl: 0x0, lpBinaryPathName: "%SystemRoot%\System32\svchost.exe -k netsvcs", lpLoadOrderGroup: "(null)", lpdwTagId: 0x0, lpDependencies: 0x0, lpServiceStartName: "(null)", lpPassword: 0x0)|0x14acb0

Rated as Suspicious

• Description
Suspicious Actions Detected
Creates files in windows system directory
Creates system services or drivers
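Added example (not code from any poster in this thread or from the sandbox that produced the report above): a small Python checker that parses the "Values Created" registry lines of the report and flags the persistence pattern it shows, a service named after a built-in Windows service whose ImagePath is `svchost.exe -k netsvcs` while `Parameters\ServiceDll` points at a file that is not a .dll (here `bpohw.ref` in system32). The sample lines are copied from the report; the benign control service `examplesvc` and the allowlist entry mapping `6to4` to `6to4svc.dll` (the DLL of the real XP IPv6 helper service) are assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass, field

# One registry line of the sandbox "Values Created" table:
#   LM\System\CurrentControlSet\Services\<svc>\<subkey> <type> <size> <value>
LINE_RE = re.compile(
    r'^LM\\System\\CurrentControlSet\\Services\\([^\\]+)\\(.+?) (REG_\w+) (\d+) (.*)$'
)

# Assumption for this example: expected ServiceDll basename for built-in
# svchost-hosted service names that malware likes to reuse.
KNOWN_SVCHOST_DLLS = {"6to4": "6to4svc.dll"}

# Constructed sample: values copied from the report above for service "6to4".
SAMPLE_REPORT = r"""
LM\System\CurrentControlSet\Services\6to4\DisplayName REG_SZ 18 "anjsbia?"
LM\System\CurrentControlSet\Services\6to4\ImagePath REG_EXPAND_SZ 90 "%SystemRoot%\System32\svchost.exe -k netsvcs"
LM\System\CurrentControlSet\Services\6to4\ObjectName REG_SZ 24 "LocalSystem"
LM\System\CurrentControlSet\Services\6to4\Parameters\ServiceDll REG_EXPAND_SZ 60 "C:\WINDOWS\system32\bpohw.ref"
LM\System\CurrentControlSet\Services\6to4\Parameters\ServiceMain REG_SZ 32 "DestroyInstance"
LM\System\CurrentControlSet\Services\6to4\Start REG_DWORD 4 0x2
LM\System\CurrentControlSet\Services\6to4\Type REG_DWORD 4 0x120
"""

# Constructed benign control (hypothetical service, not from the report).
BENIGN_REPORT = r"""
LM\System\CurrentControlSet\Services\examplesvc\ImagePath REG_EXPAND_SZ 90 "%SystemRoot%\System32\svchost.exe -k netsvcs"
LM\System\CurrentControlSet\Services\examplesvc\Parameters\ServiceDll REG_EXPAND_SZ 60 "C:\WINDOWS\system32\examplesvc.dll"
LM\System\CurrentControlSet\Services\examplesvc\Start REG_DWORD 4 0x2
"""


@dataclass
class ServiceRecord:
    name: str
    values: dict = field(default_factory=dict)


def parse_values_created(text):
    """Group the registry lines of a report by service name."""
    services = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, subkey, rtype, _size, raw = m.groups()
        if rtype in ("REG_SZ", "REG_EXPAND_SZ"):
            value = raw.strip('"')
        elif rtype == "REG_DWORD":
            value = int(raw, 16)
        else:
            value = raw
        services.setdefault(name, ServiceRecord(name)).values[subkey] = value
    return services


def assess_service(svc):
    """Return a list of human-readable findings for one service record."""
    findings = []
    image = svc.values.get("ImagePath", "").lower()
    dll = svc.values.get(r"Parameters\ServiceDll", "")
    hosted = "svchost.exe" in image and " -k " in image
    if hosted and dll:
        basename = ntpath.basename(dll).lower()
        ext = basename.rsplit(".", 1)[-1] if "." in basename else ""
        if ext != "dll":
            findings.append(f"svchost-hosted ServiceDll has non-DLL extension: {dll}")
        expected = KNOWN_SVCHOST_DLLS.get(svc.name.lower())
        if expected and basename != expected:
            findings.append(
                f"service name {svc.name!r} is a built-in name but ServiceDll "
                f"is {basename!r}, expected {expected!r}"
            )
    # Auto-start only matters once something else looks wrong.
    if findings and svc.values.get("Start") == 2:
        findings.append("Start=0x2 (auto start): persists across reboots")
    return findings


def scan_report(text):
    """Map each service in the report to its findings (empty list = clean)."""
    return {name: assess_service(svc) for name, svc in parse_values_created(text).items()}


if __name__ == "__main__":
    for report in (SAMPLE_REPORT, BENIGN_REPORT):
        for name, findings in scan_report(report).items():
            print(name, "->", findings or "no findings")
```

The check keys on the combination (svchost host process, ServiceDll outside the normal naming, reuse of a built-in service name) rather than on the `.ref` extension alone, so it also catches the variant in the earlier reply (`ceglu.ref` registered under `6to4`). On a live system the same logic applies to the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`.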