帮我看看这个有什么动作

尤金卡巴斯基

Hello,

New malicious software was found in the attached file. Its detection will be included in the next update.
Thank you for your help.

Trojan-Spy.Win32.Agent.axde

Sincerely yours,
Gashkin Alex,
Virus Analyst.

10/1, 1st Volokolamsky Proezd, Moscow, 123060, Russia
Tel./Fax: + 7 (495) 797 8700
http://www.kaspersky.com http://www.viruslist.com

xppara

McAfee 吃剛光光了

xxl

2009-7-12 18:25:18        http://bbs.kafan.cn/attachment.p ... 2c&t=1247394302        Internet Explorer        处理错误: Trojan-Spy.Win32.Agent.axde        启发式分析计算的威胁级别值较高       
2009-7-12 18:25:18        http://bbs.kafan.cn/attachment.p ... 7394302//BO5703.exe        Internet Explorer        处理错误: Trojan-Spy.Win32.Agent.axde        启发式分析计算的威胁级别值较高       
KIS8.0 KILL
2009-7-12 18:25:18        http://bbs.kafan.cn/attachment.p ... O5703.exe//data0004        Internet Explorer        拒绝: Trojan-Spy.Win32.Agent.axde        启发式分析计算的威胁级别值较高       
2009-7-12 18:25:18        http://bbs.kafan.cn/attachment.p ... O5703.exe//data0004        Internet Explorer        检测到: Trojan-Spy.Win32.Agent.axde        启发式分析计算的威胁级别值较高

zlb1111

程序：
D:\PROGRAM FILES\360\360SE3\SHIELD\SANDBOX\360SEBOX\USER\CURRENT\LOCAL SETTINGS\TEMP\RAR$EX00.328\BO5703.EXE
木马程序生成以下文件：
1) D:\PROGRAM FILES\360\360SE3\SHIELD\SANDBOX\360SEBOX\USER\CURRENT\LOCAL SETTINGS\TEMP\MESSENGER\MQTRIG.DLL
2) D:\PROGRAM FILES\360\360SE3\SHIELD\SANDBOX\360SEBOX\USER\CURRENT\LOCAL SETTINGS\TEMP\MESSENGER\SETUP.EXE
3) D:\PROGRAM FILES\360\360SE3\SHIELD\SANDBOX\360SEBOX\DRIVE\C\WINDOWS\SYSTEM32\VSPLI.DLL
4) D:\PROGRAM FILES\360\360SE3\SHIELD\SANDBOX\360SEBOX\DRIVE\C\WINDOWS\SYSTEM32\EHKOR.EXE
是否删除木马程序及其衍生物?

周勃

• Directories Created

Name	Last Write Time	Creation Time	Last Access Time	Attr
C:\Documents and Settings\User\Local Settings\Temp\Messenger	2009.01.12 14:47:55.500	2009.01.12 14:47:55.421	2009.01.12 14:47:55.500	0x10

• Files Created

Name	Size	Last Write Time	Creation Time	Last Access Time	Attr
C:\Documents and Settings\User\Local Settings\Temp\Messenger\mqtrig.dll	140288	2007.02.16 22:43:24.000	2007.02.16 22:43:24.000	2009.01.12 14:47:55.453	0x20
C:\Documents and Settings\User\Local Settings\Temp\Messenger\setup.exe	20480	2009.07.11 06:27:56.000	2009.07.11 06:27:56.000	2009.01.12 14:47:55.484	0x20
C:\WINDOWS\system32\lifby.dll	73728	2009.07.11 06:04:58.000	2009.07.11 06:04:58.000	2009.01.12 14:47:55.484	0x20
C:\WINDOWS\system32\mjgcz.ini	43	2009.07.11 06:28:56.000	2009.07.11 06:28:56.000	2009.01.12 14:47:55.453	0x20
C:\WINDOWS\system32\mssrcid.ini	16	2009.01.12 14:48:01.468	2009.01.12 14:48:01.468	2009.01.12 14:48:01.468	0x20
C:\WINDOWS\system32\oruyb.exe	40960	2009.07.11 06:01:40.000	2009.07.11 06:01:40.000	2009.01.12 14:47:55.500	0x20

• Processes Created

PId	Process Name	Image Name
0x36c	setup.exe	C:\DOCUME~1\User\LOCALS~1\Temp\Messenger\setup.exe

• Threads Created

PId	Process Name	TId	Start	Start Mem	Win32 Start	Win32 Start Mem
0x344	svchost.exe	0x170	0x7c810856	MEM_IMAGE	0x7c910760	MEM_IMAGE
0x36c	setup.exe	0x370	0x7c810867	MEM_IMAGE	0x401f2f	MEM_IMAGE

• Windows Api Calls

PId	Image Name	Address	Function ( Parameters ) | Return Value
0x208	C:\WINDOWS\system32\oruyb.exe	0x4027d1	CreateServiceA(hSCManager: 0x1523b8, lpServiceName: "DSPLALER", lpDisplayName: "DCOM Server Process Lookup and Launcher", dwDesiredAccess: 0xf01ff, dwServiceType: 0x10, dwStartType: 0x2, dwErrorControl: 0x1, lpBinaryPathName: "C:\WINDOWS\system32\oruyb.exe", lpLoadOrderGroup: "(null)", lpdwTagId: 0x0, lpDependencies: 0x408278, lpServiceStartName: "(null)", lpPassword: 0x0)|0x152280

• DNS Queries

DNS Query Text

www.baidupn.cn IN A +

• HTTP Queries

HTTP Query Text

www.baidupn.cn GET /up/update.htm HTTP/1.0

www.baidupn.cn GET /page/gt.asp?ver=1072&id=0&cid=0&src=init&k=1234 HTTP/1.1

• Verdict

Auto Analysis Verdict

Suspicious+

• Description

Suspicious Actions Detected

Creates files in windows system directory

Creates system services or drivers

• Mutexes Created or Opened

PId	Image Name	Address	Mutex Name
0x380	C:\WINDOWS\system32\rundll32.exe	0x928acf	USMSVC_CLICK555
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x76ee3a34	RasPbFile
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x771ba3ae	_!MSFTHISTORY!_
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x771bc21c	WininetConnectionMutex
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x771bc23d	WininetProxyRegistryMutex
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x771bc2dd	WininetStartupMutex
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x771d96e1	c:!documents and settings!localservice!cookies!
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x771d96e1	c:!documents and settings!localservice!local settings!history!history.ie5!
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x771d96e1	c:!documents and settings!localservice!local settings!temporary internet files!content.ie5!
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x77267e1b	ZonesCacheCounterMutex
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x77267e1b	ZonesLockedCacheCounterMutex
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x772689fc	ZonesCounterMutex
0x560	C:\WINDOWS\system32\rundll32.exe	0x928acf	USMSVC_CLICK555

• Events Created or Opened

PId	Image Name	Address	Event Name
0x208	C:\WINDOWS\system32\oruyb.exe	0x77de5f48	Global\SvcctrlStartEvent_A3752DX
0x380	C:\WINDOWS\system32\rundll32.exe	0x77a89410	Global\crypt32LogoffEvent
0x3e4	C:\WINDOWS\system32\net1.exe	0x77de5f48	Global\SvcctrlStartEvent_A3752DX
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x76b443c5	DINPUTWINMM
0x3f4	C:\WINDOWS\system32\oruyb.exe	0x77de5f48	Global\SvcctrlStartEvent_A3752DX
0x560	C:\WINDOWS\system32\rundll32.exe	0x77a89422	Global\crypt32LogoffEvent

wcj20236

微点主防杀。。。

allinwonderi

[ General information ]
    * Creating several executable files on hard-drive.
    * Application uses MFC.DLL.
    * File length:       141356 bytes.
    * MD5 hash: c65cf37bd0fba699c9a6a139dd1dd717.

[ Changes to filesystem ]
    * Creates directory C:\WINDOWS\TEMP\.
    * Creates file C:\WINDOWS\TEMP\nsw8624.tmp.
    * Deletes file C:\WINDOWS\TEMP\nsw8624.tmp.
    * Creates directory C:\WINDOWS.
    * Creates directory C:\WINDOWS\TEMP.
    * Creates directory C:\WINDOWS\TEMP\Messenger.
    * Creates file C:\WINDOWS\TEMP\Messenger\mqtrig.dll.
    * Creates file C:\WINDOWS\TEMP\Messenger\nvsys.ini.
    * Creates file C:\WINDOWS\TEMP\Messenger\setup.exe.
    * Creates file C:\WINDOWS\TEMP\Messenger\sysmain.dat.
    * Creates file C:\WINDOWS\TEMP\Messenger\sysvc.dat.

[ Process/window information ]
    * Creates process "setup.exe"".

[ Signature Scanning ]
    * C:\WINDOWS\TEMP\Messenger\mqtrig.dll (140288 bytes) : no signature detection.
    * C:\WINDOWS\TEMP\Messenger\nvsys.ini (43 bytes) : no signature detection.
    * C:\WINDOWS\TEMP\Messenger\setup.exe (20480 bytes) : no signature detection.
    * C:\WINDOWS\TEMP\Messenger\sysmain.dat (73728 bytes) : no signature detection.
    * C:\WINDOWS\TEMP\Messenger\sysvc.dat (40960 bytes) : no signature detection.

allinwonderi

Suspicious Files and Miscellaneous Uploads
Thank you for your submission. Below you can see the current status of the uploaded files.

A listing of files alongside their results can be found below:

File ID	Filename	Size (Byte)	Result
25396249	BO5703.exe	138.04 KB	UNDER ANALYSIS

Please find a detailed report concerning each individual sample below:

Filename	Result
BO5703.exe	UNDER ANALYSIS

The file 'BO5703.exe' has been determined to be 'UNDER ANALYSIS'.

Please note that you will receive an email which will contain theresults shown above. In case the final outcome of the analysis is notyet finished for all files the notification will be sent once ready.

[ 本帖最后由 allinwonderi 于 2009-7-12 19:59 编辑 ]

自制照片

是可以的啊，可能楼主的瑞星病毒库没有升级，建议先升级，进入安全模式再看看。