过红伞的样本（过绝大多数杀软）

显示全部楼层 · 发表于 2009-9-18 01:41:16

文件 _______________.exe 接收于 2009.09.17 17:38:45 (UTC)

反病毒引擎	版本	最后更新	扫描结果
a-squared	4.5.0.24	2009.09.17	-
AhnLab-V3	5.0.0.2	2009.09.17	-
AntiVir	7.9.1.19	2009.09.17	-
Antiy-AVL	2.0.3.7	2009.09.17	-
Authentium	5.1.2.4	2009.09.17	-
Avast	4.8.1351.0	2009.09.17	-
AVG	8.5.0.412	2009.09.17	-
BitDefender	7.2	2009.09.17	-
CAT-QuickHeal	10.00	2009.09.17	-
ClamAV	0.94.1	2009.09.17	-
Comodo	2350	2009.09.17	-
DrWeb	5.0.0.12182	2009.09.17	-
eSafe	7.0.17.0	2009.09.17	-
eTrust-Vet	31.6.6743	2009.09.17	-
F-Prot	4.5.1.85	2009.09.17	-
F-Secure	8.0.14470.0	2009.09.17	-
Fortinet	3.120.0.0	2009.09.17	-
GData	19	2009.09.17	-
Ikarus	T3.1.1.72.0	2009.09.17	-
Jiangmin	11.0.800	2009.09.17	Heur:TrojanDropper.Agent
K7AntiVirus	7.10.847	2009.09.17	-
Kaspersky	7.0.0.125	2009.09.17	-
McAfee	5744	2009.09.17	-
McAfee+Artemis	5744	2009.09.17	-
McAfee-GW-Edition	6.8.5	2009.09.17	Heuristic.BehavesLike.Win32.Downloader.L
Microsoft	1.5005	2009.09.17	TrojanDropper:Win32/Jadtre.B
NOD32	4434	2009.09.17	-
Norman	6.01.09	2009.09.17	-
nProtect	2009.1.8.0	2009.09.17	-
Panda	10.0.2.2	2009.09.16	-
PCTools	4.4.2.0	2009.09.17	-
Prevx	3.0	2009.09.17	-
Rising	21.47.34.00	2009.09.17	-
Sophos	4.45.0	2009.09.17	-
Sunbelt	3.2.1858.2	2009.09.17	-
Symantec	1.4.4.12	2009.09.17	-
TheHacker	6.3.4.4.404	2009.09.15	-
TrendMicro	8.950.0.1094	2009.09.17	-
VBA32	3.12.10.10	2009.09.17	suspected of Win32.Trojan.Downloader (http://...)
ViRobot	2009.9.17.1941	2009.09.17	-
VirusBuster	4.6.5.0	2009.09.17	-

附加信息
File size: 24576 bytes
MD5...: 29f56b3f5ebe4a67bee386c8323fb655
SHA1..: a40a87ea7f96f223fe89f61e7f9ae80b62590094
SHA256: 122a71928e79f7fea7a08e57ad3ae834e8c7e3080e87ae8f70a857819a163b9f
ssdeep: 384:8xC3Yj1eN1eZBwAqBPvBkQwGc/ObRO7G0Aaph4BVtDIb3GXI:4ezGBeHBZwG<BR>aOb07GRaph4BUKXI<BR>
PEiD..: -
PEInfo: PE Structure information<BR><BR>( base data )<BR>entrypointaddress.: 0x1836<BR>timedatestamp.....: 0x4ab22640 (Thu Sep 17 12:06:24 2009)<BR>machinetype.......: 0x14c (I386)<BR><BR>( 5 sections )<BR>name viradd virsiz rawdsiz ntrpy md5<BR>.text 0x1000 0x9cc 0xa00 5.59 8abe58ccafc857efb743b8736fe1eb33<BR>.rdata 0x2000 0x95c 0xa00 5.06 1dbf3df3cf025800428bba97ab49955a<BR>.data 0x3000 0xe4 0x200 1.49 bbf4e9b4ac7b490c559c44394c5fc7da<BR>.rsrc 0x4000 0x4070 0x4200 5.28 e3e668ba10e1a8820d4554133b798e6f<BR>.reloc 0x9000 0x210 0x400 2.92 ca6e326b5c03b9d36ad55347f76168e5<BR><BR>( 5 imports ) <BR>> MSVCRT.dll: memcpy, _acmdln, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, memset, strcat, __getmainargs, _exit, _XcptFilter, __setusermatherr, _initterm, exit<BR>> SHLWAPI.dll: PathFileExistsA<BR>> KERNEL32.dll: GetStartupInfoA, GetTempPathA, CloseHandle, GetCurrentThreadId, GetFileTime, GetModuleHandleA, GetModuleFileNameA, LoadLibraryA, GetProcAddress, MultiByteToWideChar, ExitProcess, CreateFileA, FindResourceA, SetFilePointer, lstrlenA, SetEndOfFile, FreeLibrary, LoadResource, GlobalLock, SetFileTime, GetWindowsDirectoryA, WriteFile, SizeofResource<BR>> USER32.dll: GetMessageA, wsprintfA, GetInputState, PostThreadMessageA<BR>> ADVAPI32.dll: ControlService, QueryServiceStatus, RegOpenKeyExA, StartServiceA, CreateServiceA, RegQueryValueExA, RegSetValueExA, CloseServiceHandle, OpenServiceA<BR><BR>( 0 exports ) <BR>
RDS...: NSRL Reference Data Set<BR>-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)<BR>Win32 Executable MS Visual C++ (generic) (26.2%)<BR>Win32 Executable Generic (5.9%)<BR>Win32 Dynamic Link Library (generic) (5.2%)<BR>Generic Win/DOS Executable (1.3%)
sigcheck:<BR>publisher....: n/a<BR>copyright....: n/a<BR>product......: n/a<BR>description..: n/a<BR>original name: n/a<BR>internal name: n/a<BR>file version.: n/a<BR>comments.....: n/a<BR>signers......: -<BR>signing date.: -<BR>verified.....: Unsigned<BR>
packers (F-Prot): embedded

（）

[ 本帖最后由 apollomen 于 2009-9-18 23:16 编辑 ]

显示全部楼层 · 发表于 2009-9-18 07:01:29

有加载驱动的行为，上报小红伞。

[ 本帖最后由 wegon 于 2009-9-18 07:07 编辑 ]

显示全部楼层 · 发表于 2009-9-18 07:11:23

过费尔。创建dll文件，创建注册表服务项。

显示全部楼层 · 发表于 2009-9-18 07:17:37

eset4.0没查到

显示全部楼层 · 发表于 2009-9-18 09:20:31

瑞星2010
Trojan.Win32.Generic.11ED879E

显示全部楼层 · 发表于 2009-9-18 09:30:31

Malwarebytes' Anti-Malware 能查到

显示全部楼层 · 发表于 2009-9-18 09:31:41

IObit Trojan.Dropper

显示全部楼层 · 发表于 2009-9-18 09:34:16

to symantec, sophos, f-secure, drweb

显示全部楼层 · 发表于 2009-9-18 09:58:39

瑞星2010 KILL

显示全部楼层 · 发表于 2009-9-18 13:10:12

江民激情的启发了:
Heur:TrojanDropper.Agent

感染系统文件的东东

[ 本帖最后由 ryota 于 2009-9-18 13:14 编辑 ]

[病毒样本] 过红伞的样本（过绝大多数杀软）

本帖子中包含更多资源

本帖子中包含更多资源