77.exe

显示全部楼层 · 发表于 2010-6-19 23:03:43

SEP第三次表示无压力

显示全部楼层 · 发表于 2010-6-19 23:34:28

红伞拦截，DR/Delphi.Gen

显示全部楼层 · 发表于 2010-6-20 10:14:59

Checking: http://bbs.kafan.cn/forum.php?mo ... zcwMDAwNzR8NDQyMDQ0
Engine version: 5.0.2.3300
Total virus-finding records: 1466687
File size: 44.22 KB
File MD5: c55a39742c148f68e9394b82dc6f8cf8

http://bbs.kafan.cn/forum.php?mo ... zcwMDAwNzR8NDQyMDQ0 - archive RAR
>http://bbs.kafan.cn/forum.php?mod=attachment&aid=ODU2OTY0fDYwOWU3MDVifDEyNzcwMDAwNzR8NDQyMDQ0/77.exe packed by ASPACK
>>http://bbs.kafan.cn/forum.php?mod=attachment&aid=ODU2OTY0fDYwOWU3MDVifDEyNzcwMDAwNzR8NDQyMDQ0/77.exe infected with Trojan.PWS.Qqpass.5216

显示全部楼层 · 发表于 2010-6-20 10:17:50

G Data拦截

显示全部楼层 · 发表于 2010-6-20 11:38:12

显示全部楼层 · 发表于 2010-6-20 14:12:52

2010-6-20 14:11:31 创建新进程允许
进程: c:\windows\explorer.exe
目标: c:\documents and settings\xe-cj\my documents\77.exe
命令行: "C:\Documents and Settings\XE-CJ\My Documents\77.exe"
规则: [应用程序]c:\windows\explorer.exe

2010-6-20 14:11:33 创建文件允许
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: C:\tpbs.exe
规则: [文件组]全局FD -> [文件]?:\; *.exe

2010-6-20 14:11:37 修改文件允许
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: C:\tpbs.exe
规则: [文件组]全局FD -> [文件]?:\; *.exe

2010-6-20 14:11:46 设置文件隐藏属性阻止
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: C:\tpbs.exe
规则: [文件组]全局FD -> [文件]?:\; *.exe

2010-6-20 14:11:48 修改注册表值阻止
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
值: \??\C:\Documents and Settings\XE-CJ\Application Data\Tencent\QQPinyin\cdict\tmp\%e5%9f%8e%e5%b8%82%e4%bf%a1%e6%81%af%28%e8%8b%8f%e5%b7%9e%29.qpyd  \??\C:\Documents and Settings\XE-CJ\Application Data\Tencent\QQPinyin\cdict\tmp\talk_100304.qpyd  \??\C:\Documen
规则: [注册表组]自动运行程序所在位置 -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; PendingFileRenameOperations

2010-6-20 14:11:51 修改注册表值阻止
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
值: \??\C:\Documents and Settings\XE-CJ\Application Data\Tencent\QQPinyin\cdict\tmp\%e5%9f%8e%e5%b8%82%e4%bf%a1%e6%81%af%28%e8%8b%8f%e5%b7%9e%29.qpyd  \??\C:\Documents and Settings\XE-CJ\Application Data\Tencent\QQPinyin\cdict\tmp\talk_100304.qpyd  \??\C:\Documen
规则: [注册表组]自动运行程序所在位置 -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; PendingFileRenameOperations

2010-6-20 14:11:53 创建新进程允许
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: c:\tpbs.exe
命令行: c:\tpbs.exe
规则: [应用程序]*

2010-6-20 14:11:57 创建文件允许
进程: c:\tpbs.exe
目标: C:\Program Files\Common Files\TabIt.exe
规则: [文件组]特殊目录 -> [文件]c:\program files\common files

2010-6-20 14:12:03 创建新进程允许
进程: c:\tpbs.exe
目标: c:\program files\common files\tabit.exe
命令行: "C:\Program Files\Common Files\TabIt.exe"
规则: [应用程序]*

2010-6-20 14:12:06 创建文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\Program Files\Common Files\ogqkit.dll
规则: [文件组]特殊目录 -> [文件]c:\program files\common files

2010-6-20 14:12:08 创建文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\onpeed.txt
规则: [文件组]全局FD -> [文件]?:\; *.txt

2010-6-20 14:12:13 修改文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\Program Files\Common Files\ogqkit.dll
规则: [文件组]特殊目录 -> [文件]c:\program files\common files

2010-6-20 14:12:14 创建文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\ystrso.jpg
规则: [文件]?:\

2010-6-20 14:12:16 创建文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\xkhnia.bmp
规则: [文件]?:\

2010-6-20 14:12:18 修改文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\onpeed.txt
规则: [文件组]全局FD -> [文件]?:\; *.txt

2010-6-20 14:12:20 创建文件阻止
进程: c:\program files\common files\tabit.exe
目标: C:\Documents and Settings\All Users\桌面\Intennet Exploner.lnk
规则: [文件组]临时目录 -> [文件]*; *.lnk

2010-6-20 14:12:21 安装全局消息钩子阻止
进程: c:\program files\common files\tabit.exe
目标: c:\program files\common files\ogqkit.dll
钩子类型: WH_CBT
规则: [应用程序]*

2010-6-20 14:12:25 安装全局消息钩子阻止
进程: c:\program files\common files\tabit.exe
目标: c:\program files\common files\ogqkit.dll
钩子类型: WH_CBT
规则: [应用程序]*

2010-6-20 14:12:27 修改文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\ystrso.jpg
规则: [文件]?:\

2010-6-20 14:12:37 创建新进程允许
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: c:\program files\internet explorer\iexplore.exe
命令行: "C:\Program Files\Internet Explorer\iexplore.exe" http://a.qq2233.com/GoGo.ashx?Mac=00:0C:29:1C:06:06&UserId=77&Bate=3.03
规则: [应用程序]*

2010-6-20 14:12:39 设置文件隐藏属性阻止
进程: c:\program files\common files\tabit.exe
目标: C:\Program Files\Common Files\ogqkit.dll
规则: [文件组]特殊目录 -> [文件]c:\program files\common files

2010-6-20 14:12:41 创建文件阻止
进程: c:\program files\common files\tabit.exe
目标: C:\Documents and Settings\All Users\桌面\改变你的一生.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-6-20 14:12:43 创建文件允许
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: C:\ccc.bat
规则: [文件]?:\

2010-6-20 14:12:45 修改注册表值阻止
进程: c:\program files\common files\tabit.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
值: \??\C:\Documents and Settings\XE-CJ\Application Data\Tencent\QQPinyin\cdict\tmp\%e5%9f%8e%e5%b8%82%e4%bf%a1%e6%81%af%28%e8%8b%8f%e5%b7%9e%29.qpyd  \??\C:\Documents and Settings\XE-CJ\Application Data\Tencent\QQPinyin\cdict\tmp\talk_100304.qpyd  \??\C:\Documen
规则: [注册表组]自动运行程序所在位置 -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; PendingFileRenameOperations

2010-6-20 14:12:47 修改文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\xkhnia.bmp
规则: [文件]?:\

2010-6-20 14:12:49 修改文件允许
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: C:\ccc.bat
规则: [文件]?:\

2010-6-20 14:12:52 创建文件阻止
进程: c:\program files\common files\tabit.exe
目标: C:\Documents and Settings\All Users\桌面\淘宝购物A.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-6-20 14:12:54 创建新进程阻止
进程: c:\documents and settings\xe-cj\my documents\77.exe
目标: c:\windows\system32\cmd.exe
命令行: cmd /c c:\ccc.bat
规则: [应用程序]*

2010-6-20 14:12:56 删除文件阻止
进程: c:\program files\common files\tabit.exe
目标: C:\onpeed.txt
规则: [文件组]全局FD -> [文件]?:\; *.txt

2010-6-20 14:13:00 删除文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\ystrso.jpg
规则: [文件]?:\

2010-6-20 14:13:01 删除文件允许
进程: c:\program files\common files\tabit.exe
目标: C:\xkhnia.bmp
规则: [文件]?:\

2010-6-20 14:13:05 创建文件夹阻止
进程: c:\program files\common files\tabit.exe
目标: C:\RECYCLER
规则: [文件]*

2010-6-20 14:13:13 创建文件阻止并结束进程
进程: c:\program files\common files\tabit.exe
目标: C:\Documents and Settings\All Users\「开始」菜单\程序\启动\ITss.lnk
规则: [文件组]临时目录 -> [文件]*; *.lnk

[病毒样本] 77.exe

本帖子中包含更多资源