[病毒样本] 1

显示全部楼层 · 发表于 2009-8-3 00:36:41

42-49 to kl,ll

显示全部楼层 · 发表于 2009-8-3 11:43:17

1.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)

[ DetectionInfo ]
* Filename: C:\analyzer\scan\1.exe.
* Sandbox name: W32/Malware.
* Signature name: NO_VIRUS.
* Compressed: YES.
* TLS hooks: YES.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* Anti debug/emulation code present.
* **Locates window "NULL [class OLLYDBG]" on desktop.
* **Locates window "NULL [class GBDYLLO]" on desktop.
* **Locates window "NULL [class pediy06]" on desktop.
* Accesses executable file from resource section.
* Drops files in %WINSYS% folder.
* File length: 566784 bytes.
* MD5 hash: 5850faefcdc5422bbfb331b4287d194c.

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\system32\verclsid.exe.
* Deletes file C:\WINDOWS\system32\sysyhzt9.dll.
* Creates file C:\WINDOWS\system32\sysyhzt9.dll.

[ Changes to registry ]
* Accesses Registry key "HKCU\Software\Wine".
* Creates value "{3FDEB171-8F86-0022-0001-69B8DB553683}"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks".
* Creates key "HKCR\CLSID\{3FDEB171-8F86-0022-0001-69B8DB553683}".
* Sets value ""="" in key "HKCR\CLSID\{3FDEB171-8F86-0022-0001-69B8DB553683}".
* Creates key "HKCR\CLSID\{3FDEB171-8F86-0022-0001-69B8DB553683}\InProcServer32".
* Sets value ""="C:\WINDOWS\system32\sysyhzt9.dll" in key "HKCR\CLSID\{3FDEB171-8F86-0022-0001-69B8DB553683}\InProcServer32".
* Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{3FDEB171-8F86-0022-0001-69B8DB553683}\InProcServer32".

[ Network ]
* Hooks into Shell explorer.

[ Process/window information ]
* Enumerates running processes.
* Enumerates running processes several parses....

[ Signature Scanning ]
* C:\WINDOWS\system32\sysyhzt9.dll (79360 bytes) : no signature detection.

显示全部楼层 · 发表于 2009-8-4 16:38:45

Hello,

1.exe - Trojan-GameThief.Win32.OnLineGames.bmoj
1.exe - Trojan-Dropper.Win32.Autoit.w
1.exe2 - Trojan-GameThief.Win32.OnLineGames.bmoi
boot.vbs - Trojan-Downloader.VBS.Agent.xv
systeme.bat - Trojan.BAT.StartPage.cw

New malicious software was found in these files. Detection will be included in the next update. Thank you for your help.

1.exe) - Trojan.Win32.Agent2.chfq
1.exe1 - Trojan-GameThief.Win32.OnLineGames.vjig
1.exe5 - Trojan-GameThief.Win32.OnLineGames.vjij

At the moment these files are detected. Please update your antivirus bases.

1.exe^,
1.exe9,
Internet Explorer.lnk,
Internet Explorer.url,
systeme.vbs

No malicious code were found in these files.

42-49

显示全部楼层 · 发表于 2009-8-4 16:51:45

42-49L
to McAfee

显示全部楼层 · 发表于 2009-8-4 17:04:01

程序：
F:\过微点\1\1.EXE
病毒程序生成以下文件：
1) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\NOYC.TMP
2) C:\WINDOWS\SYSTEM\NOYC.TMP
是否删除病毒程序及其衍生物?

44>

程序：
F:\过微点\1.EXE
木马程序生成以下文件：
1) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\永恒之塔.EXE
2) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\永恒之塔小马TAILAOBAN.EXE
3) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\DSAD11.EXE
4) C:\WINDOWS\SYSTEM32\YUSFSKCL.TMP
是否删除木马程序及其衍生物?

46>

程序：
F:\过微点\1.EXE
木马程序生成以下文件：
1) C:\WINDOWS\SYSTEM32\JQSBSVM1.0.DLL
是否删除木马程序及其衍生物?

47>

程序：
F:\过微点\1.EXE
病毒程序生成以下文件：
1) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\NOYE.TMP
2) C:\WINDOWS\SYSTEM\NOYE.TMP
是否删除病毒程序及其衍生物?

48>

others to MP