Original poster: 川澄绫子

[Virus sample] virus [3/43 (7.0%)]

jason_jiang
Posted on 2010-9-16 18:19:17
miss, to xandora (panda)
qq563889386
Posted on 2010-9-16 18:54:59
How many viruses are there?
kkgh
Posted on 2010-9-16 19:40:31
Rising 2011: KILL
勇者无敌
Posted on 2010-9-16 20:34:37

Spider's a tragedy.
(quoting 歌歌的人, posted 2010.9.16 14:17)

wlx81702
Posted on 2010-9-16 20:43:59
MPAV, 360SD and 小a: none of them alerted.
Shirou
Posted on 2010-9-16 20:56:09
to avast
wangyuli100
Posted on 2010-9-16 21:56:33
NIS 2011 passes by.
chenhanmuyu
Posted on 2010-9-16 22:22:52
WKS kills the download.
hddu
Posted on 2010-9-17 00:39:15
2010-09-17 00:40:20    Create file      Action: task isolation-zone operation
Process path: F:\virus\virus\virus.exe
File path: C:\WINDOWS\system32\taoY.ico
Triggered rule: All-program rules->WINDOWS folder global block settings (1)->%windir%\*.ico


2010-09-17 00:40:20    Create file      Action: task isolation-zone operation
Process path: F:\virus\virus\virus.exe
File path: C:\Program Files\Messenger\Messenger.mke
Triggered rule: All-program rules->%ProgramFiles% folder settings (2)->%ProgramFiles%\Messenger\*


2010-09-17 00:40:20    Modify registry value      Action: Block
Process path: F:\virus\virus\virus.exe
Registry path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: Hidden
Triggered rule: All-program rules->Explorer->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced*


2010-09-17 00:40:20    Modify registry value      Action: Block
Process path: F:\virus\virus\virus.exe
Registry path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: ShowSuperHidden
Triggered rule: All-program rules->Explorer->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced*


2010-09-17 00:40:20    Modify registry value      Action: Block
Process path: F:\virus\virus\virus.exe
Registry path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: SuperHidden
Triggered rule: All-program rules->Explorer->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced*


2010-09-17 00:40:20    Run application      Action: Allow
Process path: F:\virus\virus\virus.exe
File path: C:\WINDOWS\system32\wscript.exe
Command line: "C:\Program Files\Messenger\messenger.mke"
Triggered rule: All-program rules->System program settings->%windir%\system32\*script.exe


liulangzhecgr
Posted on 2010-9-17 04:26:00
Last edited by liulangzhecgr on 2010.9.17 04:36
2010-09-17 00:40:20    Create file      Action: task isolation-zone operation
Process path: F:\virus\virus\virus.exe
File ...
(quoting hddu, posted 2010.9.17 00:39)


What virus is this?!
wscript.exe invokes two c:\windows\system\svchost.exe.
Both of these files pass the digital-signature check, yet the latter is hidden!

Installation Report: virus
Generated by InCtrl5, version 1.0.0.0
Install program: E:\downloads\virus\virus.exe
9-16-2010 2:40 PM
------------------------------------------------------------
Registry
********
Keys ignored: 0
---------------
* (none)
Keys added: 4
-------------
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_CLASSES_ROOT\.mke
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2445&SUBSYS_4730414C&REV_05#3&13C0B0C5&0&FD#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\n
Keys deleted: 4
---------------
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2445&SUBSYS_4730414C&REV_05#3&13C0B0C5&0&FD#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\F
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\o
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\o
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\o
Values added: 3
---------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "E:\downloads\virus\virus.exe"
  Type: REG_SZ
  Data: virus
HKEY_CLASSES_ROOT\.mke "(Default)"
  Type: REG_SZ
  Data: JSEFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings "Enabled"
  Type: REG_DWORD
  Data: 01, 00, 00, 00
Values changed: 5
-----------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden"
  Old type: REG_DWORD
  New type: REG_DWORD
  Old data: 01, 00, 00, 00
  New data: 02, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
  Old type: REG_DWORD
  New type: REG_DWORD
  Old data: 01, 00, 00, 00
  New data: 00, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "SuperHidden"
  Old type: REG_DWORD
  New type: REG_DWORD
  Old data: 01, 00, 00, 00
  New data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\Kingsoft AntiVirus Technology Preview "FileCount"
  Old type: REG_DWORD
  New type: REG_DWORD
  Old data: 69, 1B, 00, 00
  New data: F6, 1B, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
  Old type: REG_BINARY
  New type: REG_BINARY
  Old data: A3, 92, A7, FF, 79, B4, 01, 34, 11, 48, DA, BE, 24, 1F, AC, F7, 40, EF, 25, 20, C8, 91, BF, CD, AD, 23, 09, 18, E3, 3F, 52, F1, C7, 13, F6, FA, 8F, 01, 3A, E2, 8C, DD, 4F, 5A, 2F, BD, B2, B3, F5, 37, 5A, 28, 5D, 43, E2, 64, 2C, 20, 3A, F0, 40, 49, 30, F5, BE, 0C, C0, 61, B5, 95, 41, D3, 7D, C1, EB, 9F, 54, 4D, 3D, 0F
  New data: D0, F9, 16, EF, 0F, D5, F1, 1C, F0, 8D, 47, B2, DF, 84, DD, EF, 63, F1, 1E, BD, 8A, C4, C5, 97, 74, CE, C7, 2C, 05, D0, 76, 39, 87, 9B, 84, 77, 61, 4F, B8, 06, 92, D2, E9, 6A, 24, C4, 01, B2, 30, 56, BF, 57, 31, 42, 48, 92, 58, 6E, F3, 1A, D5, CA, 6E, EE, F1, 09, E3, 45, 7D, F0, 9A, B9, CA, 57, 08, 37, 50, 10, F0, CB
------------------------------------------------------------
Disk contents
*************
Drives tracked: 3
-----------------
* c:\
* d:\
* e:\
Folders added: 1
----------------
c:\Program Files\Messenger
Files added: 7
--------------
c:\tmp.tmp
  Date: 9-16-2010 2:40 PM
  Size: 0 bytes
c:\Program Files\Messenger\Messenger.mke
  Date: 9-14-2010 8:11 PM
  Size: 10,796 bytes
c:\WINDOWS\Prefetch\SVCHOST.EXE-0445652B.pf
  Date: 9-16-2010 2:40 PM
  Size: 32,986 bytes
c:\WINDOWS\Prefetch\VIRUS.EXE-0223345C.pf
  Date: 9-16-2010 2:39 PM
  Size: 20,224 bytes
c:\WINDOWS\Prefetch\WSCRIPT.EXE-32960AB9.pf
  Date: 9-16-2010 2:39 PM
  Size: 32,212 bytes
c:\WINDOWS\system\SVCHOST.EXE
  Date: 12-15-2005 8:00 AM
  Size: 114,688 bytes
c:\WINDOWS\system32\taoY.ico
  Date: 6-8-2005 6:10 PM
  Size: 12,862 bytes
Files deleted: 3
----------------
c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\搜狗高速浏览器.lnk
  Date: 9-15-2010 8:20 PM
  Size: 760 bytes
c:\Documents and Settings\All Users\「开始」菜单\搜狗高速浏览器.lnk
  Date: 9-15-2010 8:20 PM
  Size: 742 bytes
c:\Documents and Settings\All Users\桌面\搜狗高速浏览器.lnk
  Date: 9-15-2010 8:20 PM
  Size: 742 bytes
Files changed: 14
-----------------
c:\Documents and Settings\Administrator\ntuser.dat.LOG
  Old date: 9-16-2010 2:38 PM
  New date: 9-16-2010 2:40 PM
  Old size: 1,024 bytes
  New size: 1,024 bytes
c:\Program Files\Kingsoft\Kingsoft AntiVirus Technology Preview\kse_wfsdata\tmpa0.dat
  Old date: 9-16-2010 2:38 PM
  New date: 9-16-2010 2:40 PM
  Old size: 0 bytes
  New size: 0 bytes
c:\Program Files\Kingsoft\webshield\kse\kse_wfsdata\KSWebShield_tmpa0.dat
  Old date: 9-16-2010 2:38 PM
  New date: 9-16-2010 2:40 PM
  Old size: 0 bytes
  New size: 0 bytes
c:\Program Files\Kingsoft\webshield\webui\icon\btbg.gif
  Old date: 9-16-2010 2:38 PM
  New date: 9-16-2010 2:40 PM
  Old size: 1,050 bytes
  New size: 1,050 bytes
c:\WINDOWS\explorer.exe
  Old date: 12-15-2005 8:00 AM
  New date: 9-16-2010 2:39 PM
  Old size: 976,896 bytes
  New size: 976,896 bytes
c:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
  Old date: 9-16-2010 2:05 PM
  New date: 9-16-2010 2:39 PM
  Old size: 29,308 bytes
  New size: 28,276 bytes
c:\WINDOWS\system32\smss.exe
  Old date: 12-15-2005 8:00 AM
  New date: 9-16-2010 2:39 PM
  Old size: 50,688 bytes
  New size: 50,688 bytes
c:\WINDOWS\system32\CatRoot2\edb.chk
  Old date: 9-16-2010 1:31 PM
  New date: 9-16-2010 2:39 PM
  Old size: 8,192 bytes
  New size: 8,192 bytes
c:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
  Old date: 9-16-2010 1:31 PM
  New date: 9-16-2010 2:39 PM
  Old size: 3,153,920 bytes
  New size: 3,153,920 bytes
c:\WINDOWS\system32\config\default.LOG
  Old date: 9-16-2010 12:56 PM
  New date: 9-16-2010 2:40 PM
  Old size: 1,024 bytes
  New size: 1,024 bytes
c:\WINDOWS\system32\config\software
  Old date: 9-16-2010 12:41 PM
  New date: 9-16-2010 2:39 PM
  Old size: 9,961,472 bytes
  New size: 9,961,472 bytes
c:\WINDOWS\system32\config\software.LOG
  Old date: 9-16-2010 2:37 PM
  New date: 9-16-2010 2:40 PM
  Old size: 1,024 bytes
  New size: 20,480 bytes
c:\WINDOWS\system32\dllcache\explorer.exe
  Old date: 12-15-2005 8:00 AM
  New date: 9-16-2010 2:39 PM
  Old size: 976,896 bytes
  New size: 976,896 bytes
c:\WINDOWS\system32\dllcache\smss.exe
  Old date: 12-15-2005 8:00 AM
  New date: 9-16-2010 2:39 PM
  Old size: 50,688 bytes
  New size: 50,688 bytes
------------------------------------------------------------
INI file
********
Ini files tracked: 4
--------------------
* C:\boot.ini
* c:\windows\control.ini
* c:\windows\system.ini
* c:\windows\win.ini
------------------------------------------------------------
Text file
*********
Text files tracked: 2
---------------------
* c:\windows\system32\autoexec.nt
* c:\windows\system32\config.nt
------------------------------------------------------------
InCtrl5, Copyright © 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.
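The HIPS log in hddu's post and the InCtrl5 report above record the same handful of behaviours: Explorer's hidden-file settings flipped, a new .mke extension registered as JSEFile and handed to wscript.exe, and a svchost.exe dropped under c:\WINDOWS\system rather than system32. The script below is an added example (not code from this thread, from any poster, or from InCtrl5) that parses the InCtrl5 text layout and flags those indicators automatically. It assumes the report layout shown above and the binary locations of a 32-bit Windows XP install; the embedded report is a constructed excerpt reproducing values posted in the thread.

```python
"""Triage an InCtrl5 before/after report for the behaviours discussed in this thread.
Added example, not code from the thread or from InCtrl5; it assumes the report layout
shown above and the binary locations of a 32-bit Windows XP install."""
import re

SECTION_RE = re.compile(r"^(Values added|Values changed|Files added|Files changed): \d+$")
VALUE_RE = re.compile(r'^(HKEY_.*?) "([^"]*)"$')          # registry key followed by "value name"
EXPLORER_ADV = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
SCRIPT_PROGIDS = {"JSFile", "JSEFile", "VBSFile", "VBEFile", "WSFFile", "WSHFile"}
# Where these binaries live on 32-bit XP; the same file name anywhere else is suspect.
EXPECTED_DIR = {"svchost.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}

# Constructed excerpt in InCtrl5 format, reproducing values posted in this thread.
SAMPLE_REPORT = r"""Installation Report: virus
Values added: 2
---------------
HKEY_CLASSES_ROOT\.mke "(Default)"
  Type: REG_SZ
  Data: JSEFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings "Enabled"
  Type: REG_DWORD
  Data: 01, 00, 00, 00
Values changed: 2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden"
  Old data: 01, 00, 00, 00
  New data: 02, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
  Old data: 01, 00, 00, 00
  New data: 00, 00, 00, 00
Files added: 2
--------------
c:\Program Files\Messenger\Messenger.mke
  Date: 9-14-2010 8:11 PM
  Size: 10,796 bytes
c:\WINDOWS\system\SVCHOST.EXE
  Date: 12-15-2005 8:00 AM
  Size: 114,688 bytes
Files changed: 1
c:\WINDOWS\explorer.exe
  Old date: 12-15-2005 8:00 AM
  New date: 9-16-2010 2:39 PM
  Old size: 976,896 bytes
  New size: 976,896 bytes
"""


def parse_report(text):
    """Return (values, files): values[(key_lower, name)] and files[path] are attribute dicts."""
    values, files, section, cur = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section, cur = m.group(1), None
            continue
        if not line or line[0] in "-*":                 # separators and the "* c:\" drive list
            continue
        if line.startswith("  "):                       # indented "Old data: ..." belongs to cur
            if cur is not None:
                attr, _, val = line.strip().partition(": ")
                cur[attr.lower().replace(" ", "_")] = val
            continue
        cur = None
        if section in ("Values added", "Values changed"):
            m = VALUE_RE.match(line)
            if m:
                cur = values.setdefault((m.group(1).lower(), m.group(2)), {})
        elif section in ("Files added", "Files changed"):
            cur = files.setdefault(line, {"section": section})
    return values, files


def triage(text):
    """Return indicator strings for the report; an empty list means nothing matched."""
    values, files = parse_report(text)
    findings = []
    # 1. Explorer told to hide hidden files (Hidden=2) and protected OS files (ShowSuperHidden=0).
    for name, bad in (("Hidden", "02"), ("ShowSuperHidden", "00"), ("SuperHidden", "00")):
        v = values.get((EXPLORER_ADV, name), {})
        if v.get("new_data", v.get("data", "")).startswith(bad):
            findings.append("explorer_hides_hidden_files:" + name)
    # 2. A new extension whose default ProgID is a Windows Script Host handler.
    for (key, name), v in values.items():
        data = v.get("new_data", v.get("data", ""))
        if key.startswith("hkey_classes_root\\.") and name == "(Default)" and data in SCRIPT_PROGIDS:
            findings.append("extension_mapped_to_script_engine:" + key.rsplit("\\", 1)[-1] + "=" + data)
    for path, a in files.items():
        low = path.lower()
        directory, _, base = low.rpartition("\\")
        # 3. A core process name dropped somewhere other than its real home.
        if a["section"] == "Files added" and base in EXPECTED_DIR and directory != EXPECTED_DIR[base]:
            findings.append("system_name_outside_expected_dir:" + path)
        # 4. A Windows binary whose mtime moved but whose size did not. Heuristic only: a hotfix
        #    normally changes the size as well; confirm with a hash or Authenticode check.
        if (a["section"] == "Files changed" and low.startswith("c:\\windows\\") and low.endswith(".exe")
                and a.get("old_size") == a.get("new_size") and a.get("old_date") != a.get("new_date")):
            findings.append("windows_binary_mtime_changed_size_same:" + path)
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REPORT)))
```

Run against the excerpt it reports five indicators: the two Explorer values, .mke=JSEFile, the svchost.exe under c:\WINDOWS\system, and explorer.exe re-dated at unchanged size. Point it at a full InCtrl5 report instead and the same checks apply; the explorer.exe/smss.exe finding in particular is only a prompt to compare hashes against a clean copy, since the report records dates and sizes, not content.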



Copyright © KaFan  KaFan.cn All Rights Reserved.