2007-3-24 10:40:51 !**************************************************
Safe'n'Sec alert
Action
Date and time: 2007-3-24 10:40:30
Type: Viewing a file/folder
Risk: Moderate
Control activity rule
Name: Open CMD.EXE
Application
Process identifier: 1420
Parent process identifier: 1604
User identifier: 0553A719C5644CE\Administrator
File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\QQ2006\QQ2006.EXE
Object
File/folder: C:\WINDOWS\SYSTEM32\CMD.EXE
User action: Allow
***************************************************
2007-3-24 10:41:06 !**************************************************
Safe'n'Sec alert
Action
Date and time: 2007-3-24 10:40:52
Type: Windows Registry key creation
Risk: Moderate
Application activity rule
Name:
Application
Process identifier: 1420
Parent process identifier: 1604
User identifier: 0553A719C5644CE\Administrator
File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\QQ2006\QQ2006.EXE
Object
Registry key: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{A172A3DC-945E-5618-AD6E-F3D542D55C22}
Description
The NoManageMyComputerVerb parameter allows hiding the Manage item from the My Computer’s context menu. Certain malicious programs use this to embarrass user work.
Therefore, if you personally do not change these settings by hand and the application is not a system utility you are recommended to block changing this parameter.
User action: Allow
***************************************************
2007-3-24 10:41:35 !**************************************************
Safe'n'Sec alert
Action
Date and time: 2007-3-24 10:41:06
Type: Deleting a file
Risk: High
Control activity rule
Name:
Application
Process Identifier: 1092
Parent process Identifier: 1420
User Identifier: 0553A719C5644CE\Administrator
File: C:\WINDOWS\SYSTEM32\CMD.EXE
Object
File: C:\WINDOWS\SYSTEM32\VERCLSID.EXE
Technical description
System files, which are critically important for Windows to correctly function, are kept in the system folders WINDOWS and WINDOWS\SYSTEM32. Deleting a system file may break system operability. Deleting these files is permissible only for Windows Update or application installation programs.
Therefore, if you aren't updating Windows, installing new software at the moment, or if this application is unknown to you, Block deletion of these files.
User action: Allow
***************************************************
2007-3-24 10:41:50 !**************************************************
Safe'n'Sec alert
Action
Date and time: 2007-3-24 10:41:35
Type: Editing a file
Risk: High
Control activity rule
Name:
Application
Process Identifier: 1420
Parent process Identifier: 1604
User Identifier: 0553A719C5644CE\Administrator
File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\QQ2006\QQ2006.EXE
Object
File: C:\WINDOWS\SYSTEM32\RESPRI.DLL
Technical description
System files, which are critically important for Windows to correctly function, are kept in the system folders WINDOWS and WINDOWS\SYSTEM32. Any inappropriate changes or improper user action on these files may break system operability. Editing these files is permissible only for Windows Update or application installation programs.
Therefore, if you aren't updating Windows, installing new software at the moment, or if this application is unknown to you, Block editing of these files.
User action: Allow
***************************************************
2007-3-24 10:42:06 !**************************************************
Safe'n'Sec alert
Action
Date and time: 2007-3-24 10:41:50
Type: Editing a file
Risk: High
Control activity rule
Name:
Application
Process Identifier: 1420
Parent process Identifier: 1604
User Identifier: 0553A719C5644CE\Administrator
File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\QQ2006\QQ2006.EXE
Object
File: C:\WINDOWS\SYSTEM32\MCRINI.DLL
Technical description
System files, which are critically important for Windows to correctly function, are kept in the system folders WINDOWS and WINDOWS\SYSTEM32. Any inappropriate changes or improper user action on these files may break system operability. Editing these files is permissible only for Windows Update or application installation programs.
Therefore, if you aren't updating Windows, installing new software at the moment, or if this application is unknown to you, Block editing of these files.
User action: Allow
***************************************************
2007-3-24 10:42:20 !**************************************************
Safe'n'Sec alert
Action
Date and time: 2007-3-24 10:42:06
Type: Editing a file
Risk: High
Control activity rule
Name:
Application
Process Identifier: 1420
Parent process Identifier: 1604
User Identifier: 0553A719C5644CE\Administrator
File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\QQ2006\QQ2006.EXE
Object
File: C:\WINDOWS\SYSTEM32\RESPRI.DLL
Technical description
System files, which are critically important for Windows to correctly function, are kept in the system folders WINDOWS and WINDOWS\SYSTEM32. Any inappropriate changes or improper user action on these files may break system operability. Editing these files is permissible only for Windows Update or application installation programs.
Therefore, if you aren't updating Windows, installing new software at the moment, or if this application is unknown to you, Block editing of these files.
User action: Allow
***************************************************
2007-3-24 10:43:31 !**************************************************
Safe'n'Sec alert
Action
Date and time: 2007-3-24 10:43:04
Type: Windows Registry key creation
Risk: Moderate
Application activity rule
Name:
Application
Process identifier: 1604
Parent process identifier: 1524
User identifier: 0553A719C5644CE\Administrator
File: C:\WINDOWS\EXPLORER.EXE
Object
Registry key: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{A172A3DC-945E-5618-AD6E-F3D542D55C22}
Description
The NoManageMyComputerVerb parameter allows hiding the Manage item from the My Computer’s context menu. Certain malicious programs use this to embarrass user work.
Therefore, if you personally do not change these settings by hand and the application is not a system utility you are recommended to block changing this parameter.
User action: Allow
***********************************************
[ This post was last edited by jlennon on 2007-3-24 13:36 ]