Scanned a USB stick with Avira (小红伞) and found some old stuff; one of them is an EXE disguised as an image.
Begin scan in 'I:\' <KINGSTON>
I:\sxs.exe
[DETECTION] Is the TR/PSW.QQpass.LR.1 Trojan
[NOTE] A backup was created as '4b20b8fa.qua' ( QUARANTINE )
[NOTE] The file was deleted!
I:\RavMon.exe
[DETECTION] Is the TR/Agent.Abt.3 Trojan
[NOTE] A backup was created as '4b23b8e4.qua' ( QUARANTINE )
[NOTE] The file was deleted!
I:\Recycled.exe
[DETECTION] Is the TR/Agent.1252319 Trojan
[NOTE] A backup was created as '4b10b8ea.qua' ( QUARANTINE )
[NOTE] The file was deleted!
I:\EXPLORER.EXE
[DETECTION] Contains recognition pattern of the W32/VB.BU Windows virus
[NOTE] A backup was created as '4afdb8de.qua' ( QUARANTINE )
[NOTE] The file was deleted!
I:\wsctf.exe
[DETECTION] Is the TR/VB.HM Trojan
[NOTE] A backup was created as '4b10b8f9.qua' ( QUARANTINE )
[NOTE] The file was deleted!
I:\XX\2008年文件\新建文件夹\申请QQ工具.rar
[0] Archive type: RAR
--> freeQQ.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.jzj.1 back-door program
[NOTE] A backup was created as '4aff44de.qua' ( QUARANTINE )
[NOTE] The file was deleted!
Restored them from quarantine to the desktop so I could post them in the sample area. Because making the archive errors out with the guard running, I temporarily turned off the Avira guard.
The real machine got infected. Processes with the same names as the virus showed up.
Module is infected -> 'C:\WINDOWS\system32\XP-CCFED4B2.EXE'
Module is infected -> 'C:\WINDOWS\system32\EXPLORER.EXE'
They're under WINDOWS now too.
C:\WINDOWS\system32\XP-CCFED4B2.EXE
[DETECTION] Is the TR/Agent.1252319 Trojan
[NOTE] A backup was created as '4adabe75.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\WINDOWS\system32\EXPLORER.EXE
[DETECTION] Contains recognition pattern of the W32/VB.BU Windows virus
[NOTE] A backup was created as '4afdbe7d.qua' ( QUARANTINE )
[NOTE] The file was deleted!
[ This post was last edited by lomo on 2009-9-14 14:29 ]
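Added example, not code from the post or from Avira: a small Python parser for the scan-log format quoted above, turning each detection into a record (path, archive member, signature name, quarantine file, deleted or not) and cross-checking the on-access guard's "Module is infected" lines against the scan records that actually quarantined something. The sample log is constructed from the lines in the post, trimmed to a few records; the scan record that cleaned up XP-CCFED4B2.EXE is deliberately left out so the cross-check has something to report. The record layout and function names are my own assumptions, not anything Avira defines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the Avira log lines quoted in the post.
# The scan record for C:\WINDOWS\system32\XP-CCFED4B2.EXE is intentionally
# omitted so that unresolved() below has a guard alert without a cleanup.
SAMPLE_LOG = r"""Begin scan in 'I:\' <KINGSTON>
I:\sxs.exe
[DETECTION] Is the TR/PSW.QQpass.LR.1 Trojan
[NOTE] A backup was created as '4b20b8fa.qua' ( QUARANTINE )
[NOTE] The file was deleted!
I:\EXPLORER.EXE
[DETECTION] Contains recognition pattern of the W32/VB.BU Windows virus
[NOTE] A backup was created as '4afdb8de.qua' ( QUARANTINE )
[NOTE] The file was deleted!
I:\XX\2008年文件\新建文件夹\申请QQ工具.rar
[0] Archive type: RAR
--> freeQQ.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.jzj.1 back-door program
[NOTE] A backup was created as '4aff44de.qua' ( QUARANTINE )
[NOTE] The file was deleted!
Module is infected -> 'C:\WINDOWS\system32\XP-CCFED4B2.EXE'
Module is infected -> 'C:\WINDOWS\system32\EXPLORER.EXE'
C:\WINDOWS\system32\EXPLORER.EXE
[DETECTION] Contains recognition pattern of the W32/VB.BU Windows virus
[NOTE] A backup was created as '4afdbe7d.qua' ( QUARANTINE )
[NOTE] The file was deleted!
"""


@dataclass
class Finding:
    """One scanner record (assumed layout, not an Avira structure)."""
    path: str                          # file as reported by the scanner
    member: Optional[str] = None       # entry inside an archive, if any
    archive_type: Optional[str] = None # e.g. RAR
    signature: Optional[str] = None    # e.g. TR/Agent.1252319
    quarantine: Optional[str] = None   # .qua backup name
    deleted: bool = False
    realtime: bool = False             # from the on-access guard, not the scan


# Signature name follows "Is the" / "pattern of the", optionally "(harmful)".
SIG_RE = re.compile(r"(?:Is the|pattern of the)\s+(?:\(harmful\)\s+)?(\S+)")
QUA_RE = re.compile(r"backup was created as '([^']+)'")
MOD_RE = re.compile(r"Module is infected -> '([^']+)'")
ARC_RE = re.compile(r"^\[\d+\] Archive type:\s*(\S+)")


def parse_avira_log(text: str) -> List[Finding]:
    """Walk the log line by line; a bare path opens a new record and the
    [DETECTION]/[NOTE]/--> lines that follow fill it in."""
    findings: List[Finding] = []
    cur: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Begin scan"):
            continue
        m = MOD_RE.match(line)
        if m:  # guard alert: path only, no cleanup information
            findings.append(Finding(path=m.group(1), realtime=True))
            cur = None
            continue
        if line.startswith("-->"):
            if cur:
                cur.member = line[3:].strip()
            continue
        m = ARC_RE.match(line)
        if m:
            if cur:
                cur.archive_type = m.group(1)
            continue
        if line.startswith("[DETECTION]"):
            m = SIG_RE.search(line)
            if cur and m:
                cur.signature = m.group(1)
            continue
        if line.startswith("[NOTE]"):
            m = QUA_RE.search(line)
            if cur and m:
                cur.quarantine = m.group(1)
            elif cur and "deleted" in line:
                cur.deleted = True
            continue
        cur = Finding(path=line)  # anything else starts a new file record
        findings.append(cur)
    return findings


def signature_counts(findings: List[Finding]) -> Dict[str, int]:
    """How many records each signature name hit."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.signature:
            counts[f.signature] = counts.get(f.signature, 0) + 1
    return counts


def unresolved(findings: List[Finding]) -> List[str]:
    """Paths the guard flagged for which no scan record quarantined a backup."""
    cleaned = {f.path.lower() for f in findings if f.quarantine}
    return [f.path for f in findings if f.realtime and f.path.lower() not in cleaned]


if __name__ == "__main__":
    fs = parse_avira_log(SAMPLE_LOG)
    for f in fs:
        print(f)
    print(signature_counts(fs))
    print("guard alerts without cleanup:", unresolved(fs))
```

The cross-check in unresolved() is the part worth keeping around: after an incident like the one in the post, compare what the guard reported against what the scan actually quarantined, and anything left over still needs to be dealt with by hand.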