快吐了，又更新了，svchost.exe

显示全部楼层 · 发表于 2007-5-24 13:30:19

----------
[凝逸反毒] (http://hi.baidu.com/503165656)
[凝逸.扫描病毒引擎-日志] 2007.5.24 13:28:47
文件:C:\Documents and Settings\系1\桌面\新建文件夹\Internet Explorer\romdrivers.bak | 感染:木马 [69>20070524_111219_0114.axx]3
操作:删除文件
文件:C:\Documents and Settings\系1\桌面\新建文件夹\Internet Explorer\svchost\svchost.exe | 感染:木马 [69>20070524_111219_0114.axx]3
操作:删除文件

扫描完成|病毒:2 文件:3|耗时:300
----------

显示全部楼层 · 发表于 2007-5-24 13:40:52

反正瑞星是不报

显示全部楼层 · 发表于 2007-5-24 15:42:28

小红伞

C:\Documents and Settings\Administrator\桌面\svchost.zip
  [0] Archive type: ZIP
  --> svchost.exe
   [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
   [WARNING] The file was ignored!
Begin scan in 'C:\Documents and Settings\Administrator\桌面\Internet Explorer.rar'
C:\Documents and Settings\Administrator\桌面\Internet Explorer.rar
  [0] Archive type: RAR
  --> romdrivers.bak
   [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
  --> romdrivers.dll
   [DETECTION] Contains suspicious code HEUR/Crypted
   [WARNING] The file was ignored!

显示全部楼层 · 发表于 2007-5-24 16:06:28

这个老牌子病毒了，我经常抓它报，它更新的太快了

令人气氛呵：）

显示全部楼层 · 发表于 2007-5-24 16:59:19

木马名称:未知间谍软件
程序:
I:\TEST\070524\8\SVCHOST\SVCHOST.EXE
是木马程序!
已成功阻止其运行,是否要删除此文件?

显示全部楼层 · 发表于 2007-5-24 17:02:47

Scan performed at: 2007-5-24 17:02:50
Scanning Log
NOD32 version 2288 (20070524) NT
Command line: C:\Documents and Settings\EQ2\桌面\svchost.zip
Operating memory - is OK

Date: 24.5.2007 Time: 17:02:55
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\EQ2\桌面\svchost.zip
C:\Documents and Settings\EQ2\桌面\svchost.zip ?ZIP ?svchost.exe - Win32/Delf.NDA worm - was a part of the deleted object
Number of scanned files: 2
Number of threats found: 1
Number of files cleaned: 1
Time of completion: 17:02:55 Total scanning time: 0 sec (00:00:00)

显示全部楼层 · 发表于 2007-5-24 18:20:38

驱逐舰miss

显示全部楼层 · 发表于 2007-5-24 18:31:15

过了费尔，过不了微点。

显示全部楼层 · 发表于 2007-5-24 18:33:31

去告诉作者让他不要去加壳

文件肥就让他肥点

显示全部楼层 · 发表于 2007-5-24 18:57:59

不知原著有何用意...人心难测

删除值:1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}: ""

增加值:4

HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{09B68AD9-FF66-3E63-636B-B693E62F6236}: ""

修改值:1

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: A8 DF 03 C9 1E B8 A1 03 9B 9A 33 06 7C FB 73 C6 25 91 3E EE F0 9B 59 43 E1 EB 14 C5 1B 03 4D CB 4C C9 23 DB 17 44 FF 80 E6 CA 62 F3 AE 14 E6 36 62 6D 28 E7 81 82 93 80 36 B5 88 22 EF EB 7A 83 D9 62 FE 01 84 84 B5 12 41 8F AA 48 6D 23 00 A1
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 36 0C 05 F4 5C 83 FD 8C 9C 64 0A 9F CF F6 49 A3 0E 5D 2C 07 D8 8C 56 21 5D 06 1F FB 97 91 63 EF CF AE BB 2F 68 25 9D A6 31 C6 EF 47 8C 44 BD C9 37 75 66 A6 EF 2E 17 B9 66 1D B6 D0 57 60 94 E0 B6 8D 7A 0C B2 D7 83 10 A3 58 BF 9F 52 B9 2A 70

文件增加:2

C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.dll

文件删除:1

C:\WINDOWS\system32\drivers\etc\hosts

[ 本帖最后由 playx 于 2007-5-24 19:15 编辑 ]

[病毒样本] 快吐了，又更新了，svchost.exe

本帖子中包含更多资源

我这里微点提特征了

nod32可以查杀