小小分析一下...
; ---------------------------------------------------------------------------
; OllyDbg disassembly of the entry point at 00401000 (Win32, x86-32, Intel syntax).
; Column layout: address | analysis flags | opcode bytes | instruction | Olly annotation.
; This is a listing, not assemblable source; the comments added below are reading aids.
; Win32 APIs are called stdcall through import thunks (<jmp.&DLL.Func>) and pop their
; own arguments.  The internal helpers (00402000, 00402030, 00402104, 00402120,
; 0040268D, 004027C0, 00405000, 004011AC, ...) are not in this listing, so their roles
; are inferred only from the arguments passed and are marked "presumably".
; Global dwords at 00403400:
;   [403400] heap handle (HeapCreate)        [403404] hModule (GetModuleHandleA)
;   [40340C] 0x80-byte buffer for the Windows directory
;   [403410] / [403414] / [403418] string temporaries used to build the browser path
; Flow: sc.exe config wuauserv=auto, BITS=demand -> wait -> open IE on windowsupdate
;       -> wait -> sc.exe stop wuauserv, config BITS=disabled, wuauserv=disabled -> exit.
; None of the launches below has its return value checked.
; ---------------------------------------------------------------------------
; memset(00403400, 0, 0x18): zero the six dwords 403400..403414; [403418] is outside this range.
00401000 >/$ 68 18000000 push 18 ; /n = 18 (24.)
00401005 |. 68 00000000 push 0 ; |c = 00
0040100A |. 68 00344000 push 00403400 ; |s = wupdmgr.00403400
0040100F |. E8 F40F0000 call <jmp.&CRTDLL.memset> ; \memset
00401014 |. 83C4 0C add esp, 0C ; cdecl: caller pops memset's three args
; [403404] = GetModuleHandleA(NULL); not read again anywhere in this listing
00401017 |. 68 00000000 push 0 ; /pModule = NULL
0040101C |. E8 ED0F0000 call <jmp.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401021 |. A3 04344000 mov dword ptr [403404], eax
; [403400] = HeapCreate(0, 0x1000, 0): private heap, MaximumSize 0 => growable. NULL return not checked.
00401026 |. 68 00000000 push 0 ; /MaximumSize = 0
0040102B |. 68 00100000 push 1000 ; |InitialSize = 1000 (4096.)
00401030 |. 68 00000000 push 0 ; |Flags = 0
00401035 |. E8 DA0F0000 call <jmp.&KERNEL32.HeapCreate> ; \HeapCreate
0040103A |. A3 00344000 mov dword ptr [403400], eax
; Four argument-less internal routines (presumably runtime/global initialisation); bodies not in listing.
0040103F |. E8 04170000 call 00402748
00401044 |. E8 17110000 call 00402160
00401049 |. E8 72100000 call 004020C0
0040104E |. E8 1D170000 call 00402770
; Launch #1 via 0040268D, presumably a process-start wrapper taking (exe, args, 0040300C, 6).
; 0040300C has no ASCII annotation and sits one byte before the string at 0040300D, so it is
; presumably an empty string; the trailing 6 is presumably a show-window/flags value. Neither confirmed.
; "sc.exe" is a bare name (0040302A), so which binary runs depends on the wrapper's search order
; rather than an explicit %SystemRoot%\System32 path.
00401053 |. 68 06000000 push 6
00401058 |. 68 0C304000 push 0040300C
0040105D |. 68 0D304000 push 0040300D ; ASCII " config wuauserv start= auto"
00401062 |. 68 2A304000 push 0040302A ; ASCII "sc.exe"
00401067 |. E8 21160000 call 0040268D
; Launch #2: sc.exe config BITS start= demand (same wrapper, same fixed trailing args).
0040106C |. 68 06000000 push 6
00401071 |. 68 0C304000 push 0040300C
00401076 |. 68 31304000 push 00403031 ; ASCII " config BITS start= demand"
0040107B |. 68 2A304000 push 0040302A ; ASCII "sc.exe"
00401080 |. E8 08160000 call 0040268D
; eax = 0x32 (50.) then call 00405000: presumably a wait/delay helper taking its count in eax; units unknown.
00401085 |. B8 32000000 mov eax, 32
0040108A |. E8 713F0000 call 00405000
; [40340C] = 00402104(0x80): presumably allocates a 128-byte buffer (possibly from the heap above).
0040108F |. 68 80000000 push 80
00401094 |. E8 6B100000 call 00402104
00401099 |. A3 0C344000 mov dword ptr [40340C], eax
; GetWindowsDirectoryA([40340C], 0x80). Return value (length, or required size if 0x80 is too
; small) is ignored, so a truncated/empty path would not be detected.
0040109E |. 68 80000000 push 80 ; /BufSize = 80 (128.)
004010A3 |. FF35 0C344000 push dword ptr [40340C] ; |Buffer = NULL  (Olly static value; at run time this is the allocation stored at [40340C])
004010A9 |. E8 6C0F0000 call <jmp.&KERNEL32.GetWindowsDirecto>; \GetWindowsDirectoryA
; 00402120([40340C], [403418]): presumably converts the C buffer into the program's string type.
; The `sub esp,4 / pop edx` pair re-reads the stack slot just below esp -- presumably where
; 00402120 leaves its result (compiler idiom; not verifiable from this listing) -- and
; 00402000(ecx=&[403414], edx=value) presumably stores it into [403414].
004010AE |. FF35 18344000 push dword ptr [403418]
004010B4 |. FF35 0C344000 push dword ptr [40340C]
004010BA |. E8 61100000 call 00402120
004010BF |. 83EC 04 sub esp, 4
004010C2 |. 8D0D 14344000 lea ecx, dword ptr [403414]
004010C8 |. 5A pop edx
004010C9 |. E8 320F0000 call 00402000
; 00402030([403414], 3, [403418]) -> [403410], same store idiom. A 3-character take of the Windows
; directory would yield the drive root (e.g. "C:\"), which is consistent with the literal appended
; below having no leading backslash -- inference only.
004010CE |. FF35 18344000 push dword ptr [403418]
004010D4 |. 68 03000000 push 3
004010D9 |. FF35 14344000 push dword ptr [403414]
004010DF |. E8 4C0F0000 call 00402030
004010E4 |. 83EC 04 sub esp, 4
004010E7 |. 8D0D 10344000 lea ecx, dword ptr [403410]
004010ED |. 5A pop edx
004010EE |. E8 0D0F0000 call 00402000
; Launch #3: open the browser on the update site. Argument pushes mirror the sc.exe calls
; (URL as args, 0040300C, 5 instead of 6); the exe string is presumably built in place by the two
; 004027C0 calls (edx = piece to append): [403410] (drive root) + the literal at 00403070.
; The browser location "Program Files\Internet Explorer\iexplore.exe " is hard-coded rather than
; resolved from %ProgramFiles%/the registry, so this step silently fails on non-default installs.
004010F3 |. FF35 18344000 push dword ptr [403418]
004010F9 |. 68 05000000 push 5
004010FE |. 68 0C304000 push 0040300C
00401103 |. 68 4C304000 push 0040304C ; ASCII " http://windowsupdate.microsoft.com"
00401108 |. 8B15 10344000 mov edx, dword ptr [403410]
0040110E |. FF35 18344000 push dword ptr [403418]
00401114 |. E8 A7160000 call 004027C0
00401119 |. BA 70304000 mov edx, 00403070 ; ASCII "Program Files\Internet Explorer\iexplore.exe "
0040111E |. E8 9D160000 call 004027C0
; [403418]++ then [esp] += [4030F4]: adjusts the dword pushed at 0040110E before the launch --
; presumably turning an index/offset into the final exe-path pointer; cannot be confirmed here.
; The pop at 00401137 restores [403418] from that same slot afterwards.
00401123 |. FF05 18344000 inc dword ptr [403418]
00401129 |. 8B15 F4304000 mov edx, dword ptr [4030F4]
0040112F |. 011424 add dword ptr [esp], edx
00401132 |. E8 56150000 call 0040268D
00401137 |. 8F05 18344000 pop dword ptr [403418]
; Launch #4: sc.exe stop wuauserv. Note this runs after the (fixed) wait, not after any check
; that the update actually completed.
0040113D |. 68 06000000 push 6
00401142 |. 68 0C304000 push 0040300C
00401147 |. 68 9E304000 push 0040309E ; ASCII " stop wuauserv"
0040114C |. 68 2A304000 push 0040302A ; ASCII "sc.exe"
00401151 |. E8 37150000 call 0040268D
; second wait, same helper and count as at 00401085
00401156 |. B8 32000000 mov eax, 32
0040115B |. E8 A03E0000 call 00405000
; Launches #5 and #6: sc.exe config BITS start= disabled, sc.exe config wuauserv start= disabled.
; Security-relevant side effect: on exit both Automatic Updates (wuauserv) and BITS are left
; DISABLED regardless of their state before the program ran -- the original start types are
; never queried or restored, so the host cannot receive updates until someone re-enables them.
00401160 |. 68 06000000 push 6
00401165 |. 68 0C304000 push 0040300C
0040116A |. 68 AD304000 push 004030AD ; ASCII " config BITS start= disabled"
0040116F |. 68 2A304000 push 0040302A ; ASCII "sc.exe"
00401174 |. E8 14150000 call 0040268D
00401179 |. 68 06000000 push 6
0040117E |. 68 0C304000 push 0040300C
00401183 |. 68 CA304000 push 004030CA ; ASCII " config wuauserv start= disabled"
00401188 |. 68 2A304000 push 0040302A ; ASCII "sc.exe"
0040118D |. E8 FB140000 call 0040268D
; 004011AC(0): presumably a teardown helper. No separate uExitCode is pushed for ExitProcess;
; Olly's nesting brackets (| on the two HeapDestroy lines) attribute this `push 0` to
; ExitProcess, i.e. 004011AC presumably leaves its argument on the stack (cdecl-like).
00401192 |. 68 00000000 push 0
00401197 |. E8 10000000 call 004011AC
; HeapDestroy([403400]) then ExitProcess(0); no code follows the exit.
0040119C |. FF35 00344000 push dword ptr [403400] ; |/hHeap = NULL
004011A2 |. E8 790E0000 call <jmp.&KERNEL32.HeapDestroy> ; |\HeapDestroy
004011A7 \. E8 7A0E0000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
这是嘛东西大家都知道了吧...
调用sc.exe将wuauserv【WINDOWS自动更新服务】设置为自动，将BITS【自动更新依赖服务】设置为手动
调用IE启动http://windowsupdate.microsoft.com
更新完毕后再次调用sc.exe，将wuauserv和BITS设置为禁用，然后退出
非微软物...但也不是病毒...Over...此帖没意见就锁了吧...留名的赶快