几乎全过的极度可疑样本1X

显示全部楼层 · 发表于 2009-9-22 13:27:08

今天下了个OFFICE 2007 SP2精简版，刚安装玩NOD就报 2009/9/22 12:58:39 文件系统实时防护文件 C:\Program Files\gaqpy\haases.exe Win32/Iyeclore.A 特洛伊木马的变种通过删除清除 NT AUTHORITY\SYSTEM 尝试通过应用程序访问文件时发生事件: C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe.

我就奇怪了，我是把OFFICE装在Program Files（x86）下的，怎么会有程序写到Program Files呢？我就去gaqpy目录看了下，发现还剩下一个EXE和DLL NOD和红伞都没报，便打包拿去在线扫描，结果少数几家报启发和特征

Antivirus       Version       Last Update       Result
a-squared       4.5.0.24       2009.09.22       -
AhnLab-V3       5.0.0.2       2009.09.22       -
AntiVir       7.9.1.23       2009.09.21       -
Antiy-AVL       2.0.3.7       2009.09.22       -
Authentium       5.1.2.4       2009.09.21       -
Avast       4.8.1351.0       2009.09.21       -
AVG       8.5.0.412       2009.09.21       -
BitDefender       7.2       2009.09.22       -
CAT-QuickHeal       10.00       2009.09.21       -
ClamAV       0.94.1       2009.09.22       -
Comodo       2398       2009.09.22       -
DrWeb       5.0.0.12182       2009.09.22       -
eSafe       7.0.17.0       2009.09.21       -
eTrust-Vet       31.6.6751       2009.09.22       -
F-Prot       4.5.1.85       2009.09.21       -
F-Secure       8.0.14470.0       2009.09.22       -
Fortinet       3.120.0.0       2009.09.22       -
GData       19       2009.09.22       -
Ikarus       T3.1.1.72.0       2009.09.22       Trojan.Win32.Iyeclore
Jiangmin       11.0.800       2009.09.21       -
K7AntiVirus       7.10.850       2009.09.21       -
Kaspersky       7.0.0.125       2009.09.22       -
McAfee       5748       2009.09.21       -
McAfee+Artemis       5748       2009.09.21       -
McAfee-GW-Edition       6.8.5       2009.09.21       -
Microsoft       1.5005       2009.09.21       -
NOD32       4445       2009.09.21       -
Norman       6.01.09       2009.09.21       -
nProtect       2009.1.8.0       2009.09.21       -
Panda       10.0.2.2       2009.09.21       -
PCTools       4.4.2.0       2009.09.20       -
Prevx       3.0       2009.09.22       -
Rising       21.48.10.00       2009.09.22       -
Sophos       4.45.0       2009.09.22       Sus/Behav-113
Sunbelt       3.2.1858.2       2009.09.22       -
Symantec       1.4.4.12       2009.09.22       -
TheHacker       6.5.0.2.014       2009.09.21       -
TrendMicro       8.950.0.1094       2009.09.22       -
VBA32       3.12.10.10       2009.09.21       -
ViRobot       2009.9.22.1947       2009.09.22       -
VirusBuster       4.6.5.0       2009.09.21       -

[ArcaVir]
2009-09-21 Found nothing
      [G DATA]
2009-09-22 Found nothing
[A-Squared]
2009-09-22 Trojan.Win32.Iyeclore!IK
      [Ikarus]
2009-09-22 Trojan.Win32.Iyeclore
[Avast! antivirus]
2009-09-21 Found nothing
      [Kaspersky Anti-Virus]
2009-09-22 Found nothing
[Grisoft AVG Anti-Virus]
2009-09-21 Found nothing
      [ESET NOD32]
2009-09-21 Found nothing
[Avira AntiVir]
2009-09-21 Found nothing
      [Norman Virus Control]
2009-09-21 Found nothing
[Softwin BitDefender]
2009-09-22 Found nothing
      [Panda Antivirus]
2009-09-21 Found nothing
[ClamAV]
2009-09-22 Found nothing
      [Quick Heal]
2009-09-21 Found nothing
[CPsecure]
2009-09-22 Found nothing
      [Sophos]
2009-09-22 Sus/Behav-113
[Dr.Web]
2009-09-22 Found nothing
      [VirusBlokAda VBA32]
2009-09-21 Found nothing
[Frisk F-Prot Antivirus]
2009-09-21 Found nothing
      [VirusBuster]
2009-09-21 Found nothing
[F-Secure Anti-Virus]
2009-09-22 Found nothing

[ 本帖最后由 2288136aa 于 2009-9-22 13:29 编辑 ]

显示全部楼层 · 发表于 2009-9-22 13:47:19

Multi Command-Line Scanner 扫描报告
-------------------------------------------------------------------------
E:\Sample\rnor.dll
MD5 Hash: EE25EACDC2A7A80368209FE3249DC394

A-squared ----- Trojan.Win32.Iyeclore!IK
Avast ----- 无检出
AntiVir V8 ----- 无检出
BitDefender ----- 无检出
Dr.Web V5 ----- 无检出
Eset V4 ----- 无检出
Jiangmin ----- 无检出
Kaspersky ----- 无检出
Kingsoft ----- 无检出
Microsoft ----- 无检出
Rising ----- 无检出

*** 11 款反病毒引擎中 1 款检测到病毒 ***
-------------------------------------------------------------------------
E:\Sample\suiu.exe
MD5 Hash: 7A5B627B6924EA725E7A029F3C0237DD

A-squared ----- 无检出
Avast ----- 无检出
AntiVir V8 ----- 无检出
BitDefender ----- 无检出
Dr.Web V5 ----- 无检出
Eset V4 ----- 无检出
Jiangmin ----- 无检出
Kaspersky ----- 无检出
Kingsoft ----- 无检出
Microsoft ----- 无检出
Rising ----- 无检出

*** 11 款反病毒引擎中 0 款检测到病毒 ***
-------------------------------------------------------------------------

任务完成于 2009-09-22 星期二 13:47:14.75
注意: 扫描结果可能与GUI版本不同

显示全部楼层 · 发表于 2009-9-22 13:48:20

了解一下

显示全部楼层 · 发表于 2009-9-22 18:32:16

Hello,

rnor.dll

No malicious code was found in this file.

suiu.exe - Backdoor.Win32.Delf.qqe

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

Best regards, Sergey Prokudin
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

显示全部楼层 · 发表于 2009-9-22 18:36:14

显示全部楼层 · 发表于 2009-9-22 22:07:35

to McAfee

[病毒样本] 几乎全过的极度可疑样本1X

本帖子中包含更多资源