暴风一号

显示全部楼层 · 发表于 2010-1-16 14:51:37

Virus: Worm.VBS.Autorun.M (Engine A), VBS:AutoRun-W [Wrm] (Engine B)

显示全部楼层 · 发表于 2010-1-16 14:57:42

回复 2# hxjhe

看来是传说中的vbs病毒。都上新闻了，听说有5w感染~~

显示全部楼层 · 发表于 2010-1-16 14:57:48

开始扫描 'C:\Documents and Settings\Administrator\桌面\暴风一号.zip'
C:\Documents and Settings\Administrator\桌面\暴风一号.zip
[0] 压缩文档类型: ZIP
--> ﾱﾩﾷ￧ￒﾻﾺￅ.vbs
[检测] Contains recognition pattern of the WORM/Autorun.HI worm

显示全部楼层 · 发表于 2010-1-16 15:05:15

'号外起乱偶给要不'暴叫字名文中的我，叫字名文英的我，风 .eniFyoB-_-9

搞笑，脚本加密过了

C:\Sandbox\暴风一号\暴风一号.vbs detected: Worm.VBS.Autorun.hi!A2

典型的特征是在每个盘生成autorun.inf

显示全部楼层 · 发表于 2010-1-16 19:43:30

病毒

显示全部楼层 · 发表于 2010-1-16 19:45:20

显示全部楼层 · 发表于 2010-1-16 21:51:22

Avast!截住

显示全部楼层 · 发表于 2010-1-16 21:53:38

回复 8# 红草

怎么这么快，大家都报了

显示全部楼层 · 发表于 2010-1-16 22:22:11

本帖最后由牧羊老汉于 2010-1-17 00:17 编辑

'号外起乱偶给要不'暴叫字名文中的我，叫字名文英的我，风 .eniFyoB-_-9

搞笑，脚本加密过了

C:\Sand ...
ray1106 发表于 2010-1-16 15:05

'号外起乱偶给要不'暴叫字名文中的我，叫字名文英的我，风 .eniFyoB-_-9
搞笑，脚本加密过了
C:\Sand ...
ray1106 发表于 2010-1-16 15:05

Files added:
--------------------
F:\1336055007.vbs
F:\AutoRun.inf
F:\xxx文件夹.lnk
F:\recycle.lnk
F:\Recycled.lnk
F:\System Volume Information.lnk
F:\xxx文件夹.lnk
......
F盘所有文件夹.lnk

C:\1422398856.vbs
C:\AutoRun.inf
C:\Documents and Settings.lnk
C:\Downloads.lnk
C:\Program Files.lnk
C:\Recycled.lnk
C:\System Volume Information.lnk
C:\TempEI4.lnk
C:\WINDOWS.lnk
C:\WINDOWS\1422398856.vbs
C:\WINDOWS\system32\1422398856.vbs
C:\WINDOWS\system\svchost.exe
C:\xxx文件夹.lnk
......
C盘所有文件夹.lnk

D:\673720360.vbs
D:\AutoRun.inf
D:\Config.Msi.lnk
D:\My Documents.lnk
D:\Program Files.lnk
D:\recycle.lnk
D:\Recycled.lnk
D:\System Volume Information.lnk
.....
D盘所有文件夹.lnk

E:\1220438469.vbs
E:\AutoRun.inf
E:\xxx文件夹.lnk
......
E盘所有文件夹.lnk

Keys added:
--------------------
HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore
HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command
HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open
HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command

Keys deleted:
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume

Values added:
--------------------
HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command
  (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" EMC

HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command
  (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" OMC

HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\MUICache
  (SZ) C:\WINDOWS\system\svchost.exe =Microsoft (r) Windows Based Script Host

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Windows
  (SZ) Load =%SystemRoot%\system\svchost.exe "C:\WINDOWS\system32\1422398856.vbs"
  (SZ) Ver =1
  (SZ) Date =2010-1-16

Values changed:
--------------------
HKEY_LOCAL_MACHINE\software\Classes\Applications\iexplore.exe\shell\open\command
  Old: (SZ) (Default) ="C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1
  New: (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" OIE

HKEY_LOCAL_MACHINE\software\Classes\batfile\shell\open\command
  Old: (SZ) (Default) ="%1" %*
  New: (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" %1 %*

HKEY_LOCAL_MACHINE\software\Classes\chm.file\shell\open\command
  Old: (SZ) (Default) ="%1" %*
  New: (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" %1 %*

HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell
  Old: (SZ) (Default) =none
  New: (SZ) (Default) =(Null)

HKEY_LOCAL_MACHINE\software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
  Old: (SZ) (Default) ="C:\Program Files\Internet Explorer\iexplore.exe"
  New: (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs"

HKEY_LOCAL_MACHINE\software\Classes\cmdfile\shell\open\command
  Old: (SZ) (Default) ="%1" %*
  New: (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" %1 %*

HKEY_LOCAL_MACHINE\software\Classes\hlpfile\shell\open\command
  Old: (EXPAND_SZ) (Default) =%SystemRoot%\System32\winhlp32.exe %1
  New: (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" %1 %*

HKEY_LOCAL_MACHINE\software\Classes\inffile\shell\open\command
  Old: (EXPAND_SZ) (Default) =%SystemRoot%\System32\NOTEPAD.EXE %1
  New: (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" %1 %*

HKEY_LOCAL_MACHINE\software\Classes\inifile\shell\open\command
  Old: (EXPAND_SZ) (Default) =C:\WINDOWS\System32\NOTEPAD.EXE %1
  New: (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" %1 %*

HKEY_LOCAL_MACHINE\software\Classes\regfile\shell\open\command
  Old: (SZ) (Default) =regedit.exe "%1"
  New: (EXPAND_SZ) (Default) =%SystemRoot%\System32\WScript.exe "C:\WINDOWS\1422398856.vbs" %1 %*

HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
  Old: (DWORD) CheckedValue =0x00000002 (2)
  New: (DWORD) CheckedValue =0x00000003 (3)

HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  Old: (DWORD) CheckedValue =0x00000001 (1)
  New: (DWORD) CheckedValue =0x00000002 (2)

[病毒样本] 暴风一号

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源