Views: 3986 | Replies: 15

[Virus sample] winres.exe_

sam.to
Posted 2009-7-4 15:35:04
6C1850F8734D51C64238AB5634C42261

https://www.virustotal.com/anali ... 4bb1a393-1246693130


to kl


Hello,

New malicious software was found in the attached file. Its detection will be included in the next update.
Thank you for your help.

Trojan-Dropper.Win32.Agent.aven

[ This post was last edited by sam.to on 2009-7-4 16:55 ]

dreams521
Posted 2009-7-4 15:35:48
TO MPAV
luxiao200888
Posted 2009-7-4 15:35:54
to 江民
luxiao200888
Posted 2009-7-4 15:36:33
to avira
kingmuro
Posted 2009-7-4 15:37:39
Gets past Kaspersky and Dr.Web Spider
jochelliu
Posted 2009-7-4 15:57:14
Malicious program
1. Creates a dynamic link library
2. Creates files under the WINDOWS system directory
3. Accesses the URL xz.ub9.net

• Keys Created
Name Last Write Time
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 2009.01.12 15:12:43.812
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID 2009.01.12 15:12:43.812
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 2009.01.12 15:12:43.859
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib 2009.01.12 15:12:43.812
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version 2009.01.12 15:12:43.812
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID 2009.01.12 15:12:43.812
LM\Software\Classes\ClsId\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} 2009.01.12 15:12:43.906
LM\Software\Classes\ClsId\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 2009.01.12 15:12:43.906
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS 2009.01.12 15:12:50.781
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer 2009.01.12 15:12:50.781
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run 2009.01.12 15:12:51.234

• Keys Changed
• Keys Deleted
• Values Created
Name Type Size Value
CU\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE REG_SZ 8 "yes"
CU\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error REG_SZ 6 "no"
CU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest REG_SZ 8 "yes"
CU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run REG_SZ 62 "C:\WINDOWS\system32\msjnxx.exe"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ REG_SZ 78 "Microsoft WinSock Control, version 6.0"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ REG_SZ 66 "C:\WINDOWS\system32\MSWINSCK.OCX"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel REG_SZ 20 "Apartment"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ REG_SZ 4 "0"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ REG_SZ 14 "132497"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ REG_SZ 40 "MSWinsock.Winsock.1"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ REG_SZ 72 "C:\WINDOWS\system32\MSWINSCK.OCX, 1"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ REG_SZ 78 "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ REG_SZ 8 "1.0"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ REG_SZ 36 "MSWinsock.Winsock"
LM\Software\Classes\ClsId\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ REG_SZ 74 "Winsock General Property Page Object"
LM\Software\Classes\ClsId\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ REG_SZ 66 "C:\WINDOWS\system32\MSWINSCK.OCX"
LM\Software\Microsoft\Internet Explorer\Main\Use FormSuggest REG_SZ 8 "yes"
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS\CheckedValue REG_DWORD 4 0x0
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\exec REG_SZ 64 "C:\WINDOWS\system32\msjgwvk.exe"

• Values Changed
Name Type Size Value
CU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load REG_SZ/REG_SZ 2/64 ""/"C:\WINDOWS\system32\mshcgge.exe"
CU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 REG_DWORD/REG_DWORD 4/4 0x1/0x0
LM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto REG_SZ/REG_SZ 4/4 "1"/"0"
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue REG_DWORD/REG_DWORD 4/4 0x1/0x0

• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\Fonts\cooecp.tlb 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\Fonts\logcde.dll 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\Fonts\services.exe 34304 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\Fonts\windef.dll 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\Fonts\windef.Log 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\Fonts\winpaged.ocx 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\system32\msflbvn.exe 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\system32\msfytp.exe 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\system32\mshamiru.exe 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\system32\mshcgge.exe 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\system32\msicjhyv.exe 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\system32\msjgwvk.exe 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\system32\msjnxx.exe 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\system32\MSWINSCK.OCX 62496 2009.01.12 15:12:42.687 2009.01.12 15:12:42.578 2009.01.12 15:12:42.578 0x20
C:\WINDOWS\system32\mswzob.exe 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2

• Files Changed
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\system32\config\software 8912896/8912896 2009.01.12 15:10:01.953/2009.01.12 15:12:44.078 2008.07.31 16:55:51.593/2008.07.31 16:55:51.593 2009.01.12 15:10:01.953/2009.01.12 15:10:01.953 0x20/0x20

• Processes Created
PId Process Name Image Name
0x378 services.exe
0x610 services.exe C:\WINDOWS\fonts\services.exe

• Processes Terminated
• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x2ac lsass.exe 0x724 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x348 svchost.exe 0xf8 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
0x378 services.exe 0x374 0x7c810867 MEM_FREE 0x0 MEM_FREE
0x610 services.exe 0x310 0x7c810867 MEM_IMAGE 0x422800 MEM_IMAGE
0x610 services.exe 0x448 0x7c810856 MEM_IMAGE 0x7dd1724f MEM_IMAGE
0x610 services.exe 0x7bc 0x7c810856 MEM_IMAGE 0x771d3e0f MEM_IMAGE

• Modules Loaded
• Windows Api Calls
• DNS Queries
DNS Query Text
xz.ub9.net IN A +

• HTTP Queries
HTTP Query Text
xz.ub9.net GET /new.html HTTP/1.1

• Verdict
Auto Analysis Verdict
Rated as Suspicious

• Description
Suspicious Actions Detected
Creates files in windows system directory
Registers dynamic link libraries

• Mutexes Created or Opened
PId Image Name Address Mutex Name
0x378 C:\WINDOWS\fonts\services.exe 0x771ba3ae _!MSFTHISTORY!_
0x378 C:\WINDOWS\fonts\services.exe 0x771bc23d WininetProxyRegistryMutex
0x378 C:\WINDOWS\fonts\services.exe 0x771bc2dd WininetStartupMutex
0x378 C:\WINDOWS\fonts\services.exe 0x771d9710 c:!documents and settings!user!cookies!
0x378 C:\WINDOWS\fonts\services.exe 0x771d9710 c:!documents and settings!user!local settings!history!history.ie5!
0x378 C:\WINDOWS\fonts\services.exe 0x771d9710 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x378 C:\WINDOWS\fonts\services.exe 0x777904d3 WininetStartupMutex
0x610 C:\WINDOWS\fonts\services.exe 0x771ba3ae _!MSFTHISTORY!_
0x610 C:\WINDOWS\fonts\services.exe 0x771bc23d WininetProxyRegistryMutex
0x610 C:\WINDOWS\fonts\services.exe 0x771bc2dd WininetStartupMutex
0x610 C:\WINDOWS\fonts\services.exe 0x771d96e1 c:!documents and settings!user!cookies!
0x610 C:\WINDOWS\fonts\services.exe 0x771d96e1 c:!documents and settings!user!local settings!history!history.ie5!
0x610 C:\WINDOWS\fonts\services.exe 0x771d96e1 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x610 C:\WINDOWS\fonts\services.exe 0x77267e1b ZonesCacheCounterMutex
0x610 C:\WINDOWS\fonts\services.exe 0x77267e1b ZonesLockedCacheCounterMutex
0x610 C:\WINDOWS\fonts\services.exe 0x772689fc ZonesCounterMutex
0x610 C:\WINDOWS\fonts\services.exe 0x777904d3 WininetStartupMutex
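As an added example (not part of the thread and not the sandbox tool's own code), the Python script below parses report text in the row layout shown above and pulls out the indicators a responder would act on first: values written to autostart locations (the "Windows\run", "Windows\load" and "policies\Explorer\Run" entries), changes to the hidden-files view option under "Folder\Hidden", executables dropped into the Fonts directory, and queried hostnames. The excerpt is constructed from rows of the report above; the row regexes are assumptions about the layout as it appears here, not the tool's documented output format.

```python
import re

# Constructed excerpt in the layout of the sandbox report above: sections start with
# "• " and the first row of each section is its column header. Rows copied from that report.
SAMPLE_REPORT = r"""
• Values Created
Name Type Size Value
CU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run REG_SZ 62 "C:\WINDOWS\system32\msjnxx.exe"
LM\Software\Classes\ClsId\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel REG_SZ 20 "Apartment"
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS\CheckedValue REG_DWORD 4 0x0
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\exec REG_SZ 64 "C:\WINDOWS\system32\msjgwvk.exe"

• Values Changed
Name Type Size Value
CU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load REG_SZ/REG_SZ 2/64 ""/"C:\WINDOWS\system32\mshcgge.exe"
LM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue REG_DWORD/REG_DWORD 4/4 0x1/0x0

• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\Fonts\services.exe 34304 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\Fonts\windef.dll 128000 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.01 06:08:49.937 0x2
C:\WINDOWS\system32\MSWINSCK.OCX 62496 2009.01.12 15:12:42.687 2009.01.12 15:12:42.578 2009.01.12 15:12:42.578 0x20

• DNS Queries
DNS Query Text
xz.ub9.net IN A +
"""

SECTION_RE = re.compile(r"^• (.+)$")
# Registry names contain spaces ("Windows NT"), so a row is anchored on its REG_* type token.
# For "Values Changed" rows type, size and value appear as old/new pairs.
VALUE_RE = re.compile(r"^(?P<name>.+?) (?P<type>REG_\w+(?:/REG_\w+)?) (?P<size>\d+(?:/\d+)?) (?P<value>.*)$")
# path, size, three "date time" stamps, attribute flags
FILE_RE = re.compile(r"^(?P<path>.+?) (?P<size>\d+) (?:\S+ \S+ ){3}(?P<attr>0x[0-9a-fA-F]+)$")

# Autostart locations that appear in the report (assumed list, matched case-insensitively on the tail).
AUTOSTART_RES = [
    re.compile(r"\\windows nt\\currentversion\\windows\\(run|load)$", re.I),
    re.compile(r"\\currentversion\\policies\\explorer\\run\\[^\\]+$", re.I),
    re.compile(r"\\currentversion\\(run|runonce)\\[^\\]+$", re.I),
]
# Explorer's "show hidden files" option; writing 0 here keeps dropped hidden files out of sight.
HIDDEN_VIEW_RE = re.compile(r"\\folder\\hidden\\(showall|nohidorsys)\\checkedvalue$", re.I)
CODE_EXT = (".exe", ".dll", ".ocx", ".scr", ".sys")
FONTS_DIR = "\\fonts\\"


def split_sections(text):
    """Group rows under their '• Section' header; the first row after a header is the column header."""
    sections, current, skip_header = {}, None, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current, skip_header = m.group(1).strip(), True
            sections.setdefault(current, [])
            continue
        if current is None or not line.strip():
            continue
        if skip_header:
            skip_header = False
            continue
        sections[current].append(line)
    return sections


def new_value(raw, changed):
    """Keep the new half of an old/new pair and strip REG_SZ quotes. Registry paths use
    backslashes, so '/' only ever separates old from new in this layout."""
    if changed:
        raw = raw.rsplit("/", 1)[-1]
    return raw.strip().strip('"')


def analyze(text):
    """Return the indicators worth triaging from one report: autostart entries, hidden-view
    tampering, executables dropped under Fonts, and queried hostnames."""
    sections = split_sections(text)
    findings = {"autostart": [], "hidden_view": [], "dropped_in_fonts": [], "dns": []}
    for section, changed in (("Values Created", False), ("Values Changed", True)):
        for row in sections.get(section, []):
            m = VALUE_RE.match(row)
            if not m:
                continue
            name, value = m.group("name"), new_value(m.group("value"), changed)
            if any(r.search(name) for r in AUTOSTART_RES):
                findings["autostart"].append((name, value))
            if HIDDEN_VIEW_RE.search(name):
                findings["hidden_view"].append((name, value))
    for row in sections.get("Files Created", []):
        m = FILE_RE.match(row)
        if m and FONTS_DIR in m.group("path").lower() and m.group("path").lower().endswith(CODE_EXT):
            findings["dropped_in_fonts"].append(m.group("path"))
    for row in sections.get("DNS Queries", []):
        findings["dns"].append(row.split()[0])
    return findings


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_REPORT).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The autostart list and the hidden-view check are the parts worth extending: the same tail-matching approach covers other autostart keys once they are added to `AUTOSTART_RES`, and every hit here carries the value that was written, so the dropped binaries named in the report can be matched against the "Files Created" rows before cleanup.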
saga3721
Posted 2009-7-4 15:59:53
Program:
C:\DOCUMENTS AND SETTINGS\\桌面\WINRES.EXE
The Trojan program generates the following files:
1) C:\WINDOWS\FONTS\SERVICES.EXE
2) C:\WINDOWS\FONTS\WINDEF.DLL
3) C:\WINDOWS\FONTS\WINDEF.LOG
4) C:\WINDOWS\FONTS\LOGCDE.DLL
Delete the Trojan program and its derivatives?
huangqian202
Posted 2009-7-4 16:03:15
Gets past Micropoint AV and Filseclab
EQ intercepts:
2009-07-04 15:56:49        文件保护(创建文件)     操作:阻止并结束进程
进程路径:C:\Documents and Settings\Administrator\桌面\winres.exe
文件路径:C:\WINDOWS\fonts\services.exe
2009-07-04 15:56:49        文件保护(创建文件)     操作:阻止并结束进程
进程路径:C:\Documents and Settings\Administrator\桌面\winres.exe
文件路径:C:\WINDOWS\fonts\services.exe
2009-07-04 15:56:49        文件保护(创建文件)     操作:阻止并结束进程
进程路径:C:\Documents and Settings\Administrator\桌面\winres.exe
文件路径:C:\WINDOWS\fonts\services.exe
2009-07-04 15:56:49        应用程序保护(运行应用程序)     操作:阻止
进程路径:C:\Documents and Settings\Administrator\桌面\winres.exe
文件路径:C:\WINDOWS\system32\regsvr32.exe
命令行:/s C:\WINDOWS\system32\MSWINSCK.OCX
kxmp
Posted 2009-7-4 16:29:09
It really drops a lot of files.
2288136aa
Posted 2009-7-4 16:31:50
Kaspersky 2010's heuristics killed it during download; it's a worm.