鸽子加北斗一只

显示全部楼层 · 发表于 2007-4-30 22:14:48

一个朋友自己做的鸽子加北斗壳.

显示全部楼层 · 发表于 2007-4-30 22:20:20

主动1\主动1\复件MS~1\复件 MS.EXE
BackDoor-AWQ.b (特洛伊)

显示全部楼层 · 发表于 2007-4-30 22:25:15

肯定加死了

卡巴小红伞大蜘蛛瑞星都没有反应

但是：看！（用Opera浏览器下载的，所以有乱码）

显示全部楼层 · 发表于 2007-4-30 22:29:56

有微点的运行看看。。。

显示全部楼层 · 发表于 2007-4-30 22:43:52

第一次见到这样的鸽子，删TMP，建文件夹，同一动作一直again

显示全部楼层 · 发表于 2007-4-30 22:45:39

好奇怪的鸽子。。。。

显示全部楼层 · 发表于 2007-4-30 22:55:54

在PCTools那里扫了一个report

：
Submission details:
Submission received: 1 May 2007, 12:47:21 AM
Processing time: 2 min 31 sec
Submitted sample:
File MD5: 0x00DFB479F6AE0DFADD0738D41ABACDF7
Filesize: 522,240 bytes
～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～
File System Modifications

The following files were created in the system:
# Filename(s) File Size File MD5 Alias / Other Info
1 %Temp%\139718.bat  284 bytes 0xD94D0A3D26C268770E173C924B2E1382 (not available)
2 %Temp%\IXP000.TMP\123.exe  8,704 bytes 0x08C9CF622220A20293DE124138E91CD7 Packer: WScript
3 %Temp%\IXP000.TMP\MS~1.EXE  509,758 bytes 0x05AE8AEB90C3C71E7D7C034AE5555E96 (not available)
4 [file and pathname of the sample #1]  522,240 bytes 0x00DFB479F6AE0DFADD0738D41ABACDF7 (not available)
5 c:\?? MS.EXE  0 bytes 0xD41D8CD98F00B204E9800998ECF8427E (not available)

Note:
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
The following directory was created:
%Temp%\IXP000.TMP
Memory modifications

There were new processes created in the system:
Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 536,576 bytes
123.exe %Temp%\ixp000.tmp\123.exe 16,384 bytes
MS~1.EXE %Temp%\IXP000.TMP\MS~1.EXE 135,168 bytes

Registry modifications

The following Registry Key was created:
HKEY_CURRENT_USER\Software\WinRAR SFX
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE]
wextract_cleanup0 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%Temp%\IXP000.TMP\""
[HKEY_CURRENT_USER\Software\WinRAR SFX]
C%% = "C:\"
～～～～～～～～～～～～～～～～～～～～·
Other details
Analysis of the file resources indicate the following possible countries of origin:
Russian Federation
China

显示全部楼层 · 发表于 2007-4-30 23:06:30

不会吧，我脱出了这么多……还没完

显示全部楼层 · 发表于 2007-4-30 23:07:18

这个嘛俺运行了下微点提示！

[ 本帖最后由 shmily512099 于 2007-4-30 23:08 编辑 ]

显示全部楼层 · 发表于 2007-4-30 23:10:47

晕

活鸽子过了一堆
就没过AVGAS
不可能啊

[病毒样本] 鸽子加北斗一只

本帖子中包含更多资源

MCAFEE：

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源