移不走的毒

显示全部楼层 · 发表于 2009-11-19 01:41:56

重灌後还在.....

显示全部楼层 · 发表于 2009-11-19 01:47:16

VirSCAN.org Scanned Report :
Scanned time : 2009/11/19 01:28:35 (CST)
Scanner results: 16%的防毒軟體(6/37)報告發現病毒
File Name    : startr.7z
File Size    : 9636 byte
File Type    : 7-zip archive data, version 0.2
MD5          : 831742a84ce787fd6b0e017a5a875570
SHA1          : 040e616c95f69502755ed9ffc27adc72f90a4bb5
Online report  : http://virscan.org/report/e9b1cc6c81161a57ccd167ddd86087b2.html
Scanner       Engine Ver    Sig Ver          Sig Date Time Scan result
a-squared    4.5.0.8       20091119003254 2009-11-19  3.98 -
AhnLab V3    2009.11.19.00 2009.11.19       2009-11-19  0.92 -
AntiVir       8.2.1.70       7.1.6.250       2009-11-18  0.53 -
Antiy       2.0.18       20091118.3273892  2009-11-18  0.12 Trojan/Win32.Agent.ugc[Downloader]
Arcavir       2009          200911171901    2009-11-17  0.02 -
Authentium    5.1.1          200911181430    2009-11-18  1.19 -
AVAST!       4.7.4          091118-0       2009-11-18  0.00 -
AVG          8.5.288       270.14.72/2511 2009-11-18  0.30 -
BitDefender 7.81008.4553726 7.28999          2009-11-18  3.88 -
CA (VET)    35.1.0       7125             2009-11-17  8.57 -
ClamAV       0.95.2       10040          2009-11-18  0.01 -
Comodo       3.12          2979             2009-11-18  0.72 -
CP Secure    1.3.0.5       2009.11.18       2009-11-18  0.01 -
Dr.Web       4.44.0.9170    2009.11.18       2009-11-18  6.96 Trojan.Starter.1048
F-Prot       4.4.4.56       20091117       2009-11-17  1.19 -
F-Secure    7.02.73807    2009.11.18.07    2009-11-18  9.10 -
Fortinet    2.81-3.120    11.65          2009-11-17  0.19 -
GData       19.8878/19.567  20091118       2009-11-18  5.66 -
ViRobot       20091118       2009.11.18       2009-11-18  0.41 -
Ikarus       T3.1.01.74    2009.11.18.74550  2009-11-18  4.18 -
JiangMin    11.0.800       2009.11.18       2009-11-18  4.26 -
Kaspersky    5.5.10       2009.11.18       2009-11-18  0.08 -
KingSoft    2009.2.5.15    2009.11.18.7    2009-11-18  0.50 -
McAfee       5.3.00       5805             2009-11-17  3.39 -
Microsoft    1.5202       2009.11.18       2009-11-18  6.20 Trojan:Win32/Bumat!rts
Norman       6.01.09       6.01.00          2009-11-18  4.01 W32/Startpage.KRK
Panda       9.05.01       2009.11.18       2009-11-18  1.73 -
Trend Micro 9.000-1003    6.634.03       2009-11-18  0.00 -
Quick Heal    10.00          2009.11.17       2009-11-17  1.22 -
Rising       20.0          22.22.02.08    2009-11-18  0.99 -
Sophos       3.01.0       4.47             2009-11-18  2.84 Mal/Generic-A
Sunbelt       5516          5516             2009-11-17  1.77 -
Symantec    1.3.0.24       20091117.020    2009-11-17  0.04 -
nProtect    20091116.01    6230577          2009-11-16  3.67 -
The Hacker    6.5.0.2       v00011          2009-09-18  0.64 -
VBA32       3.12.12.0    20091117.2201    2009-11-17  2.11 BAT.Agent.NAQ
VirusBuster 4.5.11.10    10.113.22/2018383 2009-11-18  2.36 -

显示全部楼层 · 发表于 2009-11-19 01:52:16

To KL

显示全部楼层 · 发表于 2009-11-19 02:12:55

startr.exe

No malicious code was found in this file.

显示全部楼层 · 发表于 2009-11-19 08:50:33

ESET
startr.exe - 可能是 Win32/Agent 特洛伊木马的变种 - 是已删除对象的一部分

显示全部楼层 · 发表于 2009-11-19 09:22:35

startr.exe
　-cmd.exe
　　-ping.exe

startr.exe
·键值更改
HKEY_USERS\
S-1-5-21-842925246-1425521274-308236825-500\
Software\
Microsoft\
Windows\
CurrentVersion\
Explorer\
MountPoints2\
{a1094da8-30a0-11dd-817b-806d6172696f}\

HKEY_USERS\
S-1-5-21-842925246-1425521274-308236825-500\
Software\
Microsoft\
Windows\
CurrentVersion\
Explorer\
MountPoints2\
{a1094daa-30a0-11dd-817b-806d6172696f}\

·文件删除
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\498406.bat

·文件创建
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\498406.bat

·文件修改
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\498406.bat

·弹窗
C:\WINDOWS\system32\Setup\0EM1.exe
C:\WINDOWS\system32\Setup\0EM2.exe
C:\WINDOWS\system32\oobe\html\oemreg\0EM3.exe
C:\WINDOWS\system32\oobe\html\oemreg\0EM4.exe
内容：类似寻找不到相关文件，请使用“开始”——“搜索”来查找

·文件修改
MountPointManager
PIPE\lsarpc
PIPE\wkssvc
nul
——————————————————————————————————————————————————————
ping.exe
·键值更改
HKEY_LOCAL_MACHINE\
System\
CurrentControlSet\
Services\
WinSock2\
Parameters\
NameSpace_Catalog5

HKEY_LOCAL_MACHINE\
System\
CurrentControlSet\
Services\
WinSock2\
Parameters\
Protocol_Catalog9

·文件修改
(stdout)
Ip
\Device\Ip
\Device\Tcp

显示全部楼层 · 发表于 2009-11-19 10:36:34

过微点杀毒

显示全部楼层 · 发表于 2009-11-19 10:47:56

用7Z压缩的杀软都能直接扫描么？

显示全部楼层 · 发表于 2009-11-19 14:37:14

@Echo Off

start %Windir%\system32\Setup\0EM1.exe
ping -n 2 127.1>nul
start %Windir%\system32\Setup\0EM2.exe
ping -n 2 127.1>nul
start %Windir%\system32\oobe\html\oemreg\0EM3.exe
ping -n 2 127.1>nul
start %Windir%\system32\oobe\html\oemreg\0EM4.exe
ping -n 2 127.1>nul
Del /f /s /q %Windir%\system32\Setup\0EM1.exe
Del /f /s /q %Windir%\system32\oobe\html\oemreg\0EM3.exe
Del /f /s /q %Windir%\system32\oobe\html\oemreg\0EM4.exe

Exit

显示全部楼层 · 发表于 2009-11-19 14:55:00

to FS

[病毒样本] 移不走的毒

本帖子中包含更多资源