
[Virus Sample] 2010-10-10 [Heuristically flagged by Kaspersky's monitor] Very strange, please identify???

august8
Posted on 2010-10-10 08:33:45

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2010.10.10.00 | 2010.10.09 | -
AntiVir | 7.10.12.167 | 2010.10.08 | TR/Dropper.Gen
Antiy-AVL | 2.0.3.7 | 2010.10.09 | -
Authentium | 5.2.0.5 | 2010.10.09 | -
Avast | 4.8.1351.0 | 2010.10.09 | -
Avast5 | 5.0.594.0 | 2010.10.09 | -
AVG | 9.0.0.851 | 2010.10.10 | Dropper.Generic2.BCWD
BitDefender | 7.2 | 2010.10.10 | -
CAT-QuickHeal | 11.00 | 2010.10.09 | -
ClamAV | 0.96.2.0-git | 2010.10.09 | -
Comodo | 6333 | 2010.10.09 | -
DrWeb | 5.0.2.03300 | 2010.10.10 | -
Emsisoft | 5.0.0.50 | 2010.10.09 | Trojan.JS.StartPage!IK
eSafe | 7.0.17.0 | 2010.10.07 | -
eTrust-Vet | 36.1.7901 | 2010.10.08 | -
F-Prot | 4.6.2.117 | 2010.10.09 | -
F-Secure | 9.0.15370.0 | 2010.10.09 | -
Fortinet | 4.2.249.0 | 2010.10.09 | -
GData | 21 | 2010.10.10 | -
Ikarus | T3.1.1.90.0 | 2010.10.09 | Trojan.JS.StartPage
Jiangmin | 13.0.900 | 2010.10.09 | Trojan/JS.dfd
K7AntiVirus | 9.65.2713 | 2010.10.09 | -
Kaspersky | 7.0.0.125 | 2010.10.09 | -
McAfee | 5.400.0.1158 | 2010.10.10 | -
McAfee-GW-Edition | 2010.1C | 2010.10.09 | Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft | 1.6201 | 2010.10.09 | Worm:JS/Ociyota.A
NOD32 | 5518 | 2010.10.09 | -
Norman | 6.06.07 | 2010.10.09 | W32/Malware
nProtect | 2010-10-09.01 | 2010.10.09 | -
Panda | 10.0.2.7 | 2010.10.09 | -
PCTools | 7.0.3.5 | 2010.10.10 | -
Prevx | 3.0 | 2010.10.10 | -
Rising | 22.68.05.00 | 2010.10.09 | -
Sophos | 4.58.0 | 2010.10.09 | -
Sunbelt | 7026 | 2010.10.09 | Trojan.Win32.Generic!BT
SUPERAntiSpyware | 4.40.0.1006 | 2010.10.09 | -
Symantec | 20101.2.0.161 | 2010.10.10 | -
TheHacker | 6.7.0.1.053 | 2010.10.09 | -
TrendMicro | 9.120.0.1004 | 2010.10.09 | -
TrendMicro-HouseCall | 9.120.0.1004 | 2010.10.10 | -
VBA32 | 3.12.14.1 | 2010.10.08 | -
ViRobot | 2010.9.25.4060 | 2010.10.09 | -
VirusBuster | 12.67.10.0 | 2010.10.09 | -

rasis
Posted on 2010-10-10 08:35:09
Avira:

Detected a virus or malware 'TR/Dropper.Gen' [trojan]
in file 'G:\TEMP\GO5j5DCv.htm.part'.
Action taken: Delete file
rasis
Posted on 2010-10-10 08:38:49
• File Info
Name | Value
Size | 46620
MD5 | d98f2e87fb403a51a1d047c7fb1a4172
SHA1 | 4489f3161f75088e079cc612121e572e3cc51c71
SHA256 | 209db4292ffa7ebdf8af13f37becb298dfa37c369482e22b0ca392459144db0a
Process | Exited
• Keys Created
Name | Last Write Time
CU\Software\Microsoft\Windows Script Host | 2009.01.12 15:12:47.171
CU\Software\Microsoft\Windows Script Host\Settings | 2009.01.12 15:12:47.171
• Keys Changed
• Keys Deleted
• Values Created
Name | Type | Size | Value
LM\Software\Microsoft\Windows Script Host\Settings\Enabled | REG_DWORD | 4 | 0x1
• Values Changed
Name | Type | Size | Value
CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden | REG_DWORD/REG_DWORD | 4/4 | 0x1/0x2
CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden | REG_DWORD/REG_DWORD | 4/4 | 0x1/0x0
CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden | REG_DWORD/REG_DWORD | 4/4 | 0x1/0x0
• Values Deleted
• Directories Created
Name | Last Write Time | Creation Time | Last Access Time | Attr
C:\Documents and Settings\User\Local Settings\Temp\best | 2009.01.12 15:12:45.656 | 2009.01.12 15:12:45.500 | 2009.01.12 15:12:45.656 | 0x10
C:\Program Files\StorI | 2009.01.12 15:12:45.468 | 2009.01.12 15:12:45.437 | 2009.01.12 15:12:45.468 | 0x10
• Directories Changed
• Directories Deleted
• Files Created
Name | Size | Last Write Time | Creation Time | Last Access Time | Attr
C:\Documents and Settings\User\Local Settings\Temp\best\svchost.exe | 114688 | 2007.07.27 12:00:00.000 | 2009.01.12 15:12:45.656 | 2009.01.12 15:12:45.656 | 0x20
C:\Program Files\StorI\StormLib.nqm | 9356 | 2010.09.19 13:33:24.000 | 2010.09.19 13:33:24.000 | 2009.01.12 15:12:45.468 | 0x20
C:\WINDOWS\system32\pop2.vbs | 216 | 2010.09.30 14:10:52.000 | 2010.09.30 14:10:52.000 | 2009.01.12 15:12:45.406 | 0x20
C:\WINDOWS\system32\taoY.ico | 12862 | 2005.06.08 10:10:24.000 | 2005.06.08 10:10:24.000 | 2009.01.12 15:12:45.359 | 0x20
• Files Changed
• Files Deleted
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
PId | Process Name | Image Name
0x374 | svchost.exe | C:\DOCUME~1\User\LOCALS~1\Temp\best\svchost.exe
• Processes Terminated
• Threads Created
PId | Process Name | TId | Start | Start Mem | Win32 Start | Win32 Start Mem
0x2ac | lsass.exe | 0x67c | 0x7c810856 | MEM_IMAGE | 0x77e76bf0 | MEM_IMAGE
0x348 | svchost.exe | 0xf8 | 0x7c810856 | MEM_IMAGE | 0x7c910760 | MEM_IMAGE
0x374 | svchost.exe | 0x384 | 0x7c810856 | MEM_IMAGE | 0x1006ec4 | MEM_IMAGE
0x374 | svchost.exe | 0x448 | 0x7c810856 | MEM_IMAGE | 0x77df9981 | MEM_IMAGE
0x374 | svchost.exe | 0x4f4 | 0x7c810867 | MEM_IMAGE | 0x1003c23 | MEM_IMAGE
0x374 | svchost.exe | 0x7bc | 0x7c810856 | MEM_IMAGE | 0x77a8964a | MEM_IMAGE
0x3f4 | svchost.exe | 0x4cc | 0x7c810856 | MEM_IMAGE | 0x77e76bf0 | MEM_IMAGE
• Modules Loaded
• Windows Api Calls
• DNS Queries
DNS Query Text
www.95081.net IN A +
• HTTP Queries
HTTP Query Text
www.95081.net GET /2.htm HTTP/1.1
• Verdict
Auto Analysis Verdict
Suspicious
• Description
Suspicious Actions Detected
Creates files in program files directory
Creates files in windows system directory
• Mutexes Created or Opened
PId | Image Name | Address | Mutex Name
0x374 | C:\DOCUME~1\User\LOCALS~1\Temp\best\svchost.exe | 0x7c81a838 | ShimCacheMutex
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x76ee3a34 | RasPbFile
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x771ba3ae | _!MSFTHISTORY!_
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x771bc21c | WininetConnectionMutex
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x771bc23d | WininetProxyRegistryMutex
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x771bc2dd | WininetStartupMutex
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x771d9710 | c:!documents and settings!user!cookies!
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x771d9710 | c:!documents and settings!user!local settings!history!history.ie5!
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x771d9710 | c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x777904d3 | WininetStartupMutex
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x77f76e78 | Shell.CMruPidlList
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x7c81a838 | ShimCacheMutex
• Events Created or Opened
PId | Image Name | Address | Event Name
0x298 | C:\DOCUME~1\User\LOCALS~1\Temp\best\svchost.exe | 0x77a89422 | Global\crypt32LogoffEvent
0x374 | C:\DOCUME~1\User\LOCALS~1\Temp\best\svchost.exe | 0x77a89422 | Global\crypt32LogoffEvent
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x7473d2a8 | CTF.ThreadMIConnectionEvent.00000628.00000000.00000005
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x7473d2a8 | CTF.ThreadMarshalInterfaceEvent.00000628.00000000.00000005
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x7473d2a8 | MSCTF.SendReceive.Event.ICG.IC
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x7473d2a8 | MSCTF.SendReceiveConection.Event.ICG.IC
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x769c4ec2 | Global\userenv:  User Profile setup event
0x57c | C:\Program Files\Internet Explorer\iexplore.exe | 0x77de5f48 | Global\SvcctrlStartEvent_A3752DX
0x684 | C:\TEST\sample.exe | 0x7ca66917 | ShellCopyEngineRunning
0x684 | C:\TEST\sample.exe | 0x7ca66957 | ShellCopyEngineFinished
hddu
Posted on 2010-10-10 08:39:11
2010-10-10 08:38:10    创建文件      操作:使用任务隔离区操作
进程路径:F:\virus\setup_20101042\setup_20101042.exe
文件路径:C:\WINDOWS\system32\taoY.ico
触发规则:所有程序规则->WINDOWS文件夹全局阻止设置(一)->%windir%\*.ico

2010-10-10 08:38:10    创建文件      操作:允许
进程路径:F:\virus\setup_20101042\setup_20101042.exe
文件路径:C:\WINDOWS\system32\pop2.vbs
触发规则:所有程序规则->WINDOWS文件夹全局设置->%windir%\*

2010-10-10 08:38:20    创建文件      操作:阻止
进程路径:F:\virus\setup_20101042\setup_20101042.exe
文件路径:C:\Program Files\StorI
触发规则:所有程序规则->%ProgramFiles%文件夹设置->%ProgramFiles%\*

2010-10-10 08:39:06    创建文件      操作:使用任务隔离区操作
进程路径:F:\virus\setup_20101042\setup_20101042.exe
文件路径:C:\WINDOWS\system32\taoY.ico
触发规则:所有程序规则->WINDOWS文件夹全局阻止设置(一)->%windir%\*.ico

2010-10-10 08:39:12    创建文件      操作:允许
进程路径:F:\virus\setup_20101042\setup_20101042.exe
文件路径:C:\Program Files\StorI
触发规则:所有程序规则->%ProgramFiles%文件夹设置->%ProgramFiles%\*

2010-10-10 08:39:13    修改注册表内容      操作:阻止
进程路径:F:\virus\setup_20101042\setup_20101042.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
注册表名称:Hidden
触发规则:所有程序规则->资源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced*

2010-10-10 08:39:13    修改注册表内容      操作:阻止
进程路径:F:\virus\setup_20101042\setup_20101042.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
注册表名称:ShowSuperHidden
触发规则:所有程序规则->资源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced*

2010-10-10 08:39:13    修改注册表内容      操作:阻止
进程路径:F:\virus\setup_20101042\setup_20101042.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
注册表名称:SuperHidden
触发规则:所有程序规则->资源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced*

2010-10-10 08:39:13    运行应用程序      操作:允许
进程路径:F:\virus\setup_20101042\setup_20101042.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
命令行:"C:\Program Files\StorI\StormLib.nqm"
触发规则:所有程序规则->其它程序设置->*\Temp\*

2010-10-10 08:39:13    运行应用程序      操作:允许
进程路径:F:\virus\setup_20101042\setup_20101042.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
命令行:"C:\WINDOWS\system32\pop2.vbs"
触发规则:所有程序规则->其它程序设置->*\Temp\*

2010-10-10 08:39:19    运行应用程序      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\Program Files\Internet Explorer\IEXPLORE.EXE
命令行:http://wWw.95081.net/2.htm
触发规则:应用程序规则->TEMP临时目录->*\Temp\*->%ProgramFiles%\*.exe

2010-10-10 08:39:27    创建文件      操作:使用任务隔离区操作
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\Documents and Settings\Administrator\Templates\tmp.tmp
触发规则:所有程序规则->Documents and Settings文件夹设置(二)->?:\Documents and Settings\*\Templates\*

2010-10-10 08:39:31    创建文件      操作:使用任务隔离区操作
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\Documents and Settings\Administrator\Templates\tmp.tmp
触发规则:所有程序规则->Documents and Settings文件夹设置(二)->?:\Documents and Settings\*\Templates\*

2010-10-10 08:39:32    创建文件      操作:使用任务隔离区操作
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\Documents and Settings\Administrator\Templates\tmp.tmp
触发规则:所有程序规则->Documents and Settings文件夹设置(二)->?:\Documents and Settings\*\Templates\*

2010-10-10 08:39:33    创建文件      操作:使用任务隔离区操作
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\Documents and Settings\Administrator\Templates\tmp.tmp
触发规则:所有程序规则->Documents and Settings文件夹设置(二)->?:\Documents and Settings\*\Templates\*

2010-10-10 08:39:35    创建文件      操作:使用任务隔离区操作
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\Documents and Settings\Administrator\Templates\tmp.tmp
触发规则:所有程序规则->Documents and Settings文件夹设置(二)->?:\Documents and Settings\*\Templates\*

2010-10-10 08:39:36    创建文件      操作:使用任务隔离区操作
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\Documents and Settings\Administrator\Templates\tmp.tmp
触发规则:所有程序规则->Documents and Settings文件夹设置(二)->?:\Documents and Settings\*\Templates\*

2010-10-10 08:39:38    创建文件      操作:使用任务隔离区操作
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\Documents and Settings\Administrator\Templates\tmp.tmp
触发规则:所有程序规则->Documents and Settings文件夹设置(二)->?:\Documents and Settings\*\Templates\*

2010-10-10 08:39:40    创建文件      操作:使用任务隔离区操作
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\Documents and Settings\Administrator\Templates\tmp.tmp
触发规则:所有程序规则->Documents and Settings文件夹设置(二)->?:\Documents and Settings\*\Templates\*

2010-10-10 08:39:42    删除文件      操作:阻止
进程路径:C:\WINDOWS\system32\wbem\wmiprvse.exe
文件路径:C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk
触发规则:所有程序规则->Documents and Settings文件夹设置(一)->?:\Documents and Settings\*\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk

2010-10-10 08:39:42    创建文件      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\WINDOWS\explorer.exe:999819547.nqm
触发规则:所有程序规则->WINDOWS文件夹全局设置->%windir%\*

2010-10-10 08:39:42    创建文件      操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\best\svchost.exe
文件路径:C:\WINDOWS\system32\smss.exe:999819547.nqm
触发规则:所有程序规则->WINDOWS文件夹全局设置->%windir%\*

2010-10-10 08:39:48    创建文件      操作:使用任务隔离区操作
进程路径:C:\WINDOWS\system32\wbem\wmiprvse.exe
文件路径:C:\WINDOWS\system\SVCHOST.EXE
触发规则:应用程序规则->WINDOWS文件设置->%windir%\*->*\*.exe

尝微听几
Posted on 2010-10-10 08:39:44
Reply to august8's post (#1)

Micropoint kills it.
xiaoyaosanren
Posted on 2010-10-10 09:33:50
My Symantec doesn't kill these Taobao rogueware.....
hansyu
Posted on 2010-10-10 09:34:42
Heuristic; to xandora (Panda)
njjsxy
Posted on 2010-10-10 10:06:20
ll098
Posted on 2010-10-10 10:23:25
Already reported to 小a.