Virus.Win32.AutoRun.p所下载的病毒已全部更新！（附样本）

dikex

在对Virus.Win32.AutoRun.p的分析以及手动清理方法的文章里面我已经提到过，这个病毒可以随时从服务器下载最新的病毒进行更新，今天一看，果然如此，而且是全部更新了！

======================================

下面这个是昨天的病毒群在注册表里面写入的各个病毒的版本号：
"Me"="1.25"
"1"="2.8"
"2"="2.8"
"3"="2.92"
"4"="2.5"
"5"="2.5"
"6"="2.6"
"7"="2.6"
"8"="2.5"
"9"="2.91"
"10"="1.9"
"11"="1.92"
"12"="1.82"
"13"="1.2"

看看今天我再次运行那个病毒时得到的在注册表里面记录的版本号：
"Me"="1.26"
"1"="2.9"
"2"="2.9"
"3"="2.93"
"4"="2.6"
"5"="2.6"
"6"="2.8"
"7"="2.8"
"8"="2.6"
"9"="2.92"
"10"="1.91"
"11"="1.93"
"12"="1.83"
"13"="1.3"

======================================

对比两次的版本号，发现包括那个下载者在内的所有病毒已经全部升级了！下载了http://www.nice8.org/GetVer/Ver.txt这个服务器上面的版本记录文件，发现也和昨天的那个不同了！

根据下载链接下载那对病毒下面一看，也全部不同了，使用卡巴6.0.2.621（2007-05-22 18:00:22）扫描，只能扫描到那个下载者svchost.exe(23,602 字节即原Virus.Win32.AutoRun.p)，但是它的名字改变了，变为：Trojan-Downloader.Win32.Agent.bmo！

======================================

可见这个做法是有意用于躲开杀软的，这样对用户会构成很大的威胁，在此特意警惕大家小心这个病毒！现在名为：Trojan-Downloader.Win32.Agent.bmo


样本密码infected

[ 本帖最后由 dikex 于 2007-5-22 20:25 编辑 ]

allenhippo

这个毒最近很流行，昨天发那个下载者也是看了nod版的一个帖子说小心5y5.us。

后来搜索了下发现5y5里的只是个ani，7y7里面就是这个svchost，参考了搜索到的记录，觉得这个毒有潜力

wangjay1980

果然够新,卡巴杀一个
detected: Trojan program Trojan-Downloader.Win32.Agent.bmo        File: C:\Documents and Settings\Owner\×ÀÃæ\2007-05-22-1.zip/svchost.exe

风野胤

nod完全飘过
直接上报
密码都不需要重加

zane_xzz

红伞肯定清一色报壳，哈哈

allenhippo

原帖由 wangjay1980 于 2007-5-22 20:18 发表
果然够新,卡巴杀一个
detected: Trojan program Trojan-Downloader.Win32.Agent.bmo        File: C:\Documents and Settings\Owner\×ÀÃæ\2007-05-22-1.zip/svchost.exe

这个就是昨天那个，更新的部分肯定针对卡巴作了免杀。

dikex

原帖由 风野胤 于 2007-5-22 20:20 发表
nod完全飘过
直接上报
密码都不需要重加

因为这个密码就是我上报时用的密码

伯夷叔齐

原帖由 zane_xzz 于 2007-5-22 20:21 发表
红伞肯定清一色报壳，哈哈

晕.

A listing of files contained inside archives alongside their results can be found below:

File ID	Filename	Size (Byte)	Result
551650	spglsdr.exe	13 KB	MALWARE
551651	csrss.exe	13.5 KB	MALWARE
551652	IEXPLORE.EXE	13.5 KB	MALWARE
551653	mmc.exe	13.5 KB	MALWARE
551654	smss.exe	14 KB	MALWARE
551655	srogm.exe	14 KB	MALWARE
551656	stpgldk.exe	14 KB	MALWARE
551657	svchost32.exe	14 KB	MALWARE
551658	ctfmon.exe	14.5 KB	MALWARE
551659	copypfh.exe	15 KB	MALWARE
551660	svchost(1).exe	12 KB	MALWARE
551661	conime.exe	13 KB	MALWARE
551662	services.exe	13 KB	MALWARE
551663	svchost.exe	23.05 KB	MALWARE

Please find a detailed report concerning each individual sample below:

Filename	Result
spglsdr.exe	MALWARE

The file 'spglsdr.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
csrss.exe	MALWARE

The file 'csrss.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
IEXPLORE.EXE	MALWARE

The file 'IEXPLORE.EXE' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
mmc.exe	MALWARE

The file 'mmc.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
smss.exe	MALWARE

The file 'smss.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
srogm.exe	MALWARE

The file 'srogm.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
stpgldk.exe	MALWARE

The file 'stpgldk.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
svchost32.exe	MALWARE

The file 'svchost32.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
ctfmon.exe	MALWARE

The file 'ctfmon.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
copypfh.exe	MALWARE

The file 'copypfh.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
svchost(1).exe	MALWARE

The file 'svchost(1).exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
conime.exe	MALWARE

The file 'conime.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
services.exe	MALWARE

The file 'services.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

Filename	Result
svchost.exe	MALWARE

The file 'svchost.exe' has been determined to be 'MALWARE'.

Our analysts named the threat TR/Crypt.ULPM.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.This malware is detected by a special detection routine from the engine module.

[ 本帖最后由 伯夷叔齐 于 2007-5-22 20:38 编辑 ]

风野胤

原帖由 dikex 于 2007-5-22 20:32 发表



因为这个密码就是我上报时用的密码

我上报给nod长期用的都是这个密码
除了有时连带着上报给费尔  密码会用virus
刺猬上报给哪家的？

moonsilver

瑞星全报壳