[衍生物系列之1] 一个木马+8个衍生物 你能杀多少

xpn282

在沙盘运行一个木马,,它共生成8个东西(3个EXE,3个TMP,3个DLL),,你能杀多少啊??

还有就是木马样本会联网哦...没防火墙的话..不要乱试哦(防火墙终于派上用场了)..

2007-04-26 01:15:52 创建文件
操作:允许
进程路径:F:\病毒样本\毒包\update16.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\Ruanyi05.exe

2007-04-26 01:15:52 创建文件
操作:允许
进程路径:F:\病毒样本\毒包\update16.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\drive\C\WINDOWS\Ruanyi05.dll

2007-04-26 01:16:16 运行应用程序
操作:允许
进程路径:F:\病毒样本\毒包\update16.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\Ruanyi05.exe

2007-04-26 01:16:17 创建文件
操作:允许
进程路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\Ruanyi05.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\nsiD.tmp

2007-04-26 01:16:17 创建文件
操作:允许
进程路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\Ruanyi05.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\nsiE.tmp

2007-04-26 01:16:17 修改文件
操作:允许
进程路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\Ruanyi05.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\nsiE.tmp

2007-04-26 01:16:17 创建文件
操作:允许
进程路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\Ruanyi05.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\DiskFree_mt01.8.exe

2007-04-26 01:16:26 运行应用程序
操作:允许
进程路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\Ruanyi05.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\DiskFree_mt01.8.exe

2007-04-26 01:16:26 创建文件
操作:允许
进程路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\Ruanyi05.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\live.exe

2007-04-26 01:16:26 创建文件
操作:允许
进程路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\DiskFree_mt01.8.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\nswF.tmp

2007-04-26 01:16:35 运行应用程序
操作:允许
进程路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\Ruanyi05.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\live.exe

2007-04-26 01:16:35 创建文件
操作:允许
进程路径:D:\Sandboxie\Sandbox\DefaultBox\user\current\Local Settings\Temp\live.exe
文件路径:D:\Sandboxie\Sandbox\DefaultBox\drive\C\WINDOWS\system32\Webmail.dll

木马样本的查杀

Antivirus	Version	Update	Result
AhnLab-V3	2007.4.26.0	04.25.2007 [td]no virus found
AntiVir	7.4.0.15	04.25.2007	TR/Dldr.Barbs.A.5
Authentium	4.93.8	04.24.2007	W32/Dropper.EBA
Avast	4.7.981.0	04.25.2007	Win32:Singu-N
AVG	7.5.0.464	04.25.2007	Dropper.Agent.DIU
BitDefender	7.2	04.25.2007	Trojan.Downloader.Barbs.A
CAT-QuickHeal	9.00	04.25.2007	(Suspicious) - DNAScan
ClamAV	devel-20070416	04.25.2007 [td]no virus found
DrWeb	4.33	04.25.2007	Trojan.MulDrop.6129
eSafe	7.0.15.0	04.25.2007	Suspicious Trojan/Worm
eTrust-Vet	30.7.3594	04.25.2007 [td]no virus found
Ewido	4.0	04.25.2007 [td]no virus found
FileAdvisor	1	04.25.2007 [td]no virus found
Fortinet	2.85.0.0	04.25.2007	W32/Agent.BEW!tr
F-Prot	4.3.2.48	04.25.2007	W32/Dropper.EBA
F-Secure	6.70.13030.0	04.25.2007	Trojan-Dropper.Win32.Agent.bew
Ikarus	T3.1.1.5	04.25.2007	Trojan-Spy.Win32.Banker.to
Kaspersky	4.0.2.24	04.25.2007	Trojan-Dropper.Win32.Agent.bew
McAfee	5017	04.25.2007	Generic Downloader.d
Microsoft	1.2405	04.25.2007 [td]no virus found
NOD32v2	2218	04.25.2007 [td]no virus found
Norman	5.80.02	04.25.2007 [td]no virus found
Panda	9.0.0.4	04.25.2007	Suspicious file
Prevx1	V2	04.25.2007	Trojan.Updatex
Sophos	4.16.0	04.23.2007 [td]no virus found
Sunbelt	2.2.907.0	04.19.2007	VIPRE.Suspicious
Symantec	10	04.25.2007 [td]no virus found
TheHacker	6.1.6.095	04.15.2007	Trojan/Dropper.Agent.bew
VBA32	3.11.4	04.25.2007	Trojan.Popwin
VirusBuster	4.3.7:9	04.25.2007	Trojan.DR.Agent.TJR
Webwasher-Gateway	6.0.1	04.25.2007	Trojan.Dldr.Barbs.A.5

目前对8个衍生物的查杀:   AVK2006杀2个     红伞杀3个

[ 本帖最后由 xpn282 于 2007-4-26 16:05 编辑 ]

lanvin

嘟嘟这么晚还搞样本？

lanvin

等等开着影子看看eq的表现



Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\8个衍生物.rar'
C:\Documents and Settings\Administrator\桌面\8个衍生物.rar
  [0] Archive type: RAR
  --> DiskFree_mt01.8.exe
      [DETECTION] Is the Trojan horse TR/Drop.Adfun
  --> live.exe
      [DETECTION] Contains signature of the Ad- or Spyware ADSPY/Boran.AC.2
  --> Webmail.dll
      [DETECTION] Contains signature of the Ad- or Spyware ADSPY/Boran.AC.2
      [WARNING]   The file was ignored!



Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\木马样本.rar'
C:\Documents and Settings\Administrator\桌面\木马样本.rar
  [0] Archive type: RAR
  --> update16.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Barbs.A.5
      [WARNING]   The file was ignored!





eq拦截了第一步，后面的出现了运行错误没有继续
图没有抓
闪了睡觉去

[ 本帖最后由 lanvin 于 2007-4-26 01:57 编辑 ]

dyw1021

费尔也只杀了两个！~~~~~~~~~~~~~~~~~~

xpn282

NOD32既然连样本都不杀[:27:]

睡觉咯...大家慢慢杀...觉得杀爽了再睡也不迟

couldsst

VirusBuster  只对妈妈有兴趣她生的小孩没有一个喜欢

The EQs

Scan performed at: 2007-4-26 3:40:11
Scanning Log
NOD32 version 2218 (20070425) NT
Command line: C:\Documents and Settings\EQ2\桌面\8个衍生物.rar C:\Documents and Settings\EQ2\桌面\木马样本.rar
Operating memory - is OK

Date: 26.4.2007  Time: 03:40:16
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\EQ2\桌面\8个衍生物.rar; C:\Documents and Settings\EQ2\桌面\木马样本.rar
C:\Documents and Settings\EQ2\桌面\8个衍生物.rar ?RAR ?Ruanyi05.exe ?NSIS ?DiskFree_mt01.8.exe ?NSIS ?ieagent-dist.exe - Win32/TrojanDownloader.Adload.NDE trojan - was a part of the deleted object
C:\Documents and Settings\EQ2\桌面\8个衍生物.rar ?RAR ?DiskFree_mt01.8.exe ?NSIS ?ieagent-dist.exe - Win32/TrojanDownloader.Adload.NDE trojan - was a part of the deleted object
Number of scanned files: 12
Number of threats found: 2
Number of files cleaned: 1
Time of completion: 03:40:18 Total scanning time: 2 sec (00:00:02)

mofunzone

看了楼上的言论就好笑，既然叫best hur还需要上报
p.s lz喜欢把0kb的样本也算一个吗？

[ 本帖最后由 mofunzone 于 2007-4-25 14:49 编辑 ]

solcroft

原来还有这种杀软，用户不上报便不能查杀，NOD32病毒实验室的这种小白分析师聘了等于白聘

The EQs

我倒想听听不上报怎么能查杀？？？难道分析师自己能预知？？？除了那些报壳的能查杀外。。。