Original poster: jack827

[Virus sample] FacebookPWCracker.exe

O(∩_∩)O哈哈~
Posted on 2010-11-12 19:26:53
Virus name: Win32.SuspectCrc
Recommendation: save and delete
Signature ID: 46418624

--by ikarus
JusticeH
Posted on 2010-11-12 20:11:06
BDAV2011
Found: Generic.Malware.SN!Q!.8EEF9ADE
波导的勇者
Posted on 2010-11-12 22:24:25
TO kl
wjcharles
Posted on 2010-11-13 00:28:44
Looks like a joke program; you can tell from that last swf.

http://www.threatexpert.com/repo ... 7b111a7e306ad1f09d1

Submission Summary:
  • Submission details:
    • Submission received: 12 November 2010, 00:32:20
    • Processing time: 11 min 21 sec
    • Submitted sample:
      • File MD5: 0x1B79B263AB8857B111A7E306AD1F09D1
      • File SHA-1: 0x89E805115E13E1CCA19DA47D8155B089643AF530
      • Filesize: 47,104 bytes
      • Packer info: packed with: UPX [Kaspersky Lab]
  • Summary of the findings:

What's been found (severity level indicators not captured):
  • Hosts file modification that may block access to the security web sites.
  • Downloads/requests other files from Internet.
  • Modifies some system settings that may have negative impact on overall system security state.


Technical Details:
  • The new window was created, as shown below (screenshot not captured in this copy of the report).


File System Modifications
  • The following files were created in the system:

51. %Temp%\1.tmp\FacebookPWCracker.bat (identical copies were also written under randomly numbered names in %Windir% and %System%)
    13,662 bytes; MD5: 0xD52C041E6128329CA6806541B661B599; SHA-1: 0x3FE7C714C10AD63C039529B56C46AAFFAB150404; alias: (not available)
52. c:\msg.vbs
    450 bytes; MD5: 0x0CD83CED7E722CAB36D93E1D020DAA55; SHA-1: 0xD094476091AC04357FD81660D9C2F63E94A599B4; alias: (not available)
53. [file and pathname of the sample #1]
    47,104 bytes; MD5: 0x1B79B263AB8857B111A7E306AD1F09D1; SHA-1: 0x89E805115E13E1CCA19DA47D8155B089643AF530; packed with UPX [Kaspersky Lab]

  • Notes:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • The following file was modified:
    • %Windir%\win.ini
  • The following directories were created:
    • %Temp%\1.tmp
  • Notes:
    • %DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.

Memory Modifications
  • There was a new process created in the system:
    • Process name: [filename of the sample #1]
    • Process filename: [file and pathname of the sample #1]
    • Main module size: 126,976 bytes


Registry Modifications
  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • PWNAGE = "%System%\drivers\FacebookPasswordCracker.exe"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
      • Pwner = "%Windir%\FacebookPasswordCracker.exe"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      • No%UserName%InStartMenu = "1"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      • DisableTaskMgr = "1" (prevents users from starting Task Manager, Taskmgr.exe)
  • The following Registry Values were modified:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
      • (Default) =
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mp3]
      • (Default) =
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wmv]
      • (Default) =

Other details
  • The HOSTS file was updated with the following URL-to-IP mappings:


  • There was a registered attempt to establish a connection with the remote host. The connection details are:
    • Remote host: 72.29.84.67
    • Port number: 80

  • The data identified by the following URLs was then requested from the remote web server:
    • http://www.youareanidiot.org/
    • http://www.youareanidiot.org/youare.swf


thelordisone
Posted on 2010-11-13 01:09:24
Killed by MSE.
Nortant
Posted on 2010-11-13 05:47:20
Why is it that when I extract it to the desktop, MSE says it found it and then reports the deletion succeeded, but the EXE is still on the desktop, so it keeps detecting it, deleting it successfully, and looping like that...
CYCSQ
Posted on 2010-11-13 07:08:45
Kaspersky flags it.
威尔士王子
Posted on 2010-11-13 08:14:20
百锐 Trojan.Win32.Heur.Gen C:\Users\*\Desktop\FacebookPWCracker.exe
wayneqiu
Posted on 2010-11-13 08:22:02
Tragic, EAV lets it through.
★後起の綉★
Posted on 2010-11-13 09:53:17
Kaspersky blocks it outright.