Original poster: solcroft

[Virus sample] Web trojan
wangjay1980
Posted 2007-5-27 23:37:02
Hello,

smss.exe_ - Virus.Win32.AutoRun.p

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Vladimir Lebedev
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.


> Attachment: smss.zip
运指如飞
Posted 2007-5-27 23:38:18
Virus or unwanted program 'DR/Delphi.Gen [DR/Delphi.Gen]'
detected in file 'F:\Temporary Internet Files\Content.IE5\BJTMIYBN\smss[1].exe'.
Action performed: Move file to quarantine
aoyang
Posted 2007-5-27 23:40:40

Reply to #11, wangjay1980's post

Are you kidding me? What on earth is Kaspersky? They replied within a few minutes, that's insane. Really scary.
I sent Filseclab (费尔) an e-mail and it took more than a week to get a reply.
jlennon
Posted 2007-5-27 23:45:48
Processes:
PID        ParentPID        User        Path       
--------------------------------------------------

Ports:
Port        PID        Type        Path       
--------------------------------------------------

Explorer Dlls:
DLL Path        Company Name        File Description       
--------------------------------------------------
C:\Program Files\Internet Explorer\romdrivers.dll        Microsoft Corporation        Microsoft Corporation Windows DLL       

IE Dlls:
DLL Path        Company Name        File Description       
--------------------------------------------------
No changes Found                       

Loaded Drivers:
Driver File        Company Name        Description       
--------------------------------------------------

Monitored RegKeys
Registry Key        Value       
--------------------------------------------------

Kernel31 Api Log
       
--------------------------------------------------
***** Installing Hooks *****       
71a270df     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)       
71a27cc4     RegOpenKeyExA (Protocol_Catalog9)       
71a2737e     RegOpenKeyExA (000000F3)       
71a2724d     RegOpenKeyExA (Catalog_Entries)       
71a278ea     RegOpenKeyExA (000000000001)       
71a278ea     RegOpenKeyExA (000000000002)       
71a278ea     RegOpenKeyExA (000000000003)       
71a278ea     RegOpenKeyExA (000000000004)       
71a278ea     RegOpenKeyExA (000000000005)       
71a278ea     RegOpenKeyExA (000000000006)       
71a278ea     RegOpenKeyExA (000000000007)       
71a278ea     RegOpenKeyExA (000000000008)       
71a278ea     RegOpenKeyExA (000000000009)       
71a278ea     RegOpenKeyExA (000000000010)       
71a278ea     RegOpenKeyExA (000000000011)       
71a278ea     RegOpenKeyExA (000000000012)       
71a278ea     RegOpenKeyExA (000000000013)       
71a22623     WaitForSingleObject(7a0,0)       
71a283c6     RegOpenKeyExA (NameSpace_Catalog5)       
71a2737e     RegOpenKeyExA (00000004)       
71a27f5b     RegOpenKeyExA (Catalog_Entries)       
71a280ef     RegOpenKeyExA (000000000001)       
71a280ef     RegOpenKeyExA (000000000002)       
71a280ef     RegOpenKeyExA (000000000003)       
71a22623     WaitForSingleObject(798,0)       
71a11afa     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)       
71a11996     GlobalAlloc()       
7c80b689     ExitThread()       
40e358     LoadLibraryA(KERNEL32.DLL)=7c800000       
40e358     LoadLibraryA(advapi32.dll)=77da0000       
40e358     LoadLibraryA(gdi32.dll)=77ef0000       
40e358     LoadLibraryA(shlwapi.dll)=77f40000       
40e358     LoadLibraryA(user32.dll)=77d10000       
402078     RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE)       
4025e4     RegOpenKeyExA (HKLM\SOFTWARE\KasperskyLab\AVP6\environment\)       
4021a4     CreateFileA(C:\Documents and Settings\Administrator\桌面\smss.exe)       
4021cb     ReadFile()       
402217     ReadFile()       
402ae9     Copy(C:\Documents and Settings\Administrator\桌面\smss.exe->C:\Program Files\Internet Explorer\romdrivers.bak)       
7c8283f4     WriteFile(h=7a4)       
401fce     CreateFileA(C:\Program Files\Internet Explorer\romdrivers.dll)       
401ff4     WriteFile(h=7a4)       
402014     WriteFile(h=7a4)       
15c800     LoadLibraryA(KERNEL32.DLL)=7c800000       
15c800     LoadLibraryA(advapi32.dll)=77da0000       
15c800     LoadLibraryA(gdi32.dll)=77ef0000       
15c800     LoadLibraryA(oleaut32.dll)=770f0000       
15c800     LoadLibraryA(shlwapi.dll)=77f40000       
15c800     LoadLibraryA(user32.dll)=77d10000       
15c800     LoadLibraryA(wininet.dll)=76680000       
152f29     RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks,(null))       
152f34     RegDeleteValueA ({09B68AD9-FF66-3E63-636B-B693E62F6236})       
152f34     RegDeleteValueA ({754FB7D8-B8FE-4810-B363-A788CD060F1F})       
152f34     RegDeleteValueA ({A6011F8F-A7F8-49AA-9ADA-49127D43138F})       
152f34     RegDeleteValueA ({06A68AD9-FF56-6E73-937B-B893E72F6226})       
152f34     RegDeleteValueA ({AEB6717E-7E19-11d0-97EE-00C04FD91972})       
152f34     RegDeleteValueA ({99F1D023-7CEB-4586-80F7-BB1A98DB7602})       
152f34     RegDeleteValueA ({FEB94F5A-69F3-4645-8C2B-9E71D270AF2E})       
152f34     RegDeleteValueA ({923509F1-45CB-4EC0-BDE0-1DED35B8FD60})       
152f34     RegDeleteValueA ({42A612A4-4334-4424-4234-42261A31A236})       
152f34     RegDeleteValueA ({DE35052A-9E37-4827-A1EC-79BF400D27A4})       
152f34     RegDeleteValueA ({DD7D4640-4464-48C0-82FD-21338366D2D2})       
152f34     RegDeleteValueA ({B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5})       
152f34     RegDeleteValueA ({131AB311-16F1-F13B-1E43-11A24B51AFD1})       
152f34     RegDeleteValueA ({274B93C2-A6DF-485F-8576-AB0653134A76})       
152f34     RegDeleteValueA ({1496D5ED-7A09-46D0-8C92-B8E71A4304DF})       
152f34     RegDeleteValueA ({01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6})       
152f34     RegDeleteValueA ({06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8})       
152f34     RegDeleteValueA ({BC0ACA58-6A6F-51DA-9EFE-9D20F4F621BA})       
152fd4     RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE)       
402bd7     LoadLibraryA(C:\Program Files\Internet Explorer\romdrivers.dll)=150000       
746826aa     GetVersionExA()       
746830a7     RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\Compatibility\smss.exe)       
746830a7     RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\SystemShared\)       
7468245b     CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7468245b     CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7468245b     CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7468245b     CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7468245b     CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-1060284298-1214440339-682003330-500)       
746830a7     RegOpenKeyExA (HKCU\Keyboard Layout\Toggle)       
7468260a     RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\)       
74684683     GetCurrentProcessId()=2928       
7468245b     CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-1060284298-1214440339-682003330-500MUTEX.DefaultS-1-5-21-1060284298-1214440339-682003330-500)       
7469d232     WaitForSingleObject(77c,1388)       
746b556a     GetCurrentProcessId()=2928       
7c816513     WaitForSingleObject(774,64)       
73658f33     GetVersionExA()       
73665225     GetVersionExA()       
7365d4f4     LoadLibraryA(C:\windows\system32\ole32.dll)=76990000       
402259     RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks,(null))       
402270     RegSetValueExA ({0CB68AD9-FF66-3E63-636B-B693E62F6236})       
402259     RegCreateKeyExA (HKCR\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236},(null))       
402270     RegSetValueExA ()       
402259     RegCreateKeyExA (HKCR\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32,(null))       
402270     RegSetValueExA (ThreadingModel)       
4015a7     ExitProcess()       
74681d36     GetCurrentProcessId()=2928       
74682056     GetCurrentProcessId()=2928       
***** Injected Process Terminated *****       

DirwatchData
       
--------------------------------------------------
WatchDir Initilized OK       
Watching C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp       
Watching C:\windows       
Watching C:\Program Files       
Created: C:\Program Files\Internet Explorer\romdrivers.bak       
Modifed: C:\Program Files\Internet Explorer\romdrivers.bak       
Created: C:\Program Files\Internet Explorer\romdrivers.dll       
Modifed: C:\Program Files\Internet Explorer\romdrivers.dll       
Modifed: C:\windows\system32\drivers\etc\hosts       
Deteled: C:\windows\system32\drivers\etc\hosts       
Modifed: C:\Program Files\Internet Explorer       
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JET5855.tmp       
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JET6B.tmp       
Deteled: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JET6B.tmp       
Deteled: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JET5855.tmp       
Modifed: C:\windows\Prefetch\SNIFF_HIT.EXE-1AB02EA8.pf       
Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6700.tmp       
Modifed: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6700.tmp       
Modifed: C:\windows\Prefetch\PROC_ANALYZER.EXE-3974E660.pf       
Deteled: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6700.tmp
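The API and Dirwatch sections above tell the whole story of this dropper: it copies itself to romdrivers.bak, writes romdrivers.dll next to it, deletes every existing value under ShellExecuteHooks (including {AEB6717E-7E19-11d0-97EE-00C04FD91972}, which on a stock Windows XP install is the shell's own "URL Exec Hook" entry, so a check that only diffs for newly added values misses this part), registers its own CLSID {0CB68AD9-FF66-3E63-636B-B693E62F6236} with an InProcServer32 key, and rewrites the hosts file. The script below is an added example, not part of this post and not from the sandbox tool that produced the log; it parses a constructed excerpt in that log's format and pulls out those indicators so the same triage can be run over other SysAnalyzer-style captures. The sample log, the regexes and the function names are all this example's own.

```python
"""Pull persistence IOCs out of a SysAnalyzer-style API/Dirwatch log.

Added example: not from the forum post or from the sandbox tool. It
parses text shaped like the "Kernel31 Api Log" and "DirwatchData"
sections and reports dropped files, ShellExecuteHooks values added and
deleted, CLSIDs given an InProcServer32 key, and hosts-file tampering.
"""
import re

# Constructed excerpt modelled on the posted log (paths shortened,
# CTF/Winsock noise omitted); it is sample input, not the real capture.
SAMPLE_LOG = r"""
402ae9     Copy(C:\Documents and Settings\Administrator\Desktop\smss.exe->C:\Program Files\Internet Explorer\romdrivers.bak)
401fce     CreateFileA(C:\Program Files\Internet Explorer\romdrivers.dll)
152f29     RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks,(null))
152f34     RegDeleteValueA ({09B68AD9-FF66-3E63-636B-B693E62F6236})
152f34     RegDeleteValueA ({AEB6717E-7E19-11d0-97EE-00C04FD91972})
152fd4     RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE)
402bd7     LoadLibraryA(C:\Program Files\Internet Explorer\romdrivers.dll)=150000
402259     RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks,(null))
402270     RegSetValueExA ({0CB68AD9-FF66-3E63-636B-B693E62F6236})
402259     RegCreateKeyExA (HKCR\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236},(null))
402270     RegSetValueExA ()
402259     RegCreateKeyExA (HKCR\CLSID\{0CB68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32,(null))
402270     RegSetValueExA (ThreadingModel)
4015a7     ExitProcess()
Created: C:\Program Files\Internet Explorer\romdrivers.bak
Created: C:\Program Files\Internet Explorer\romdrivers.dll
Modifed: C:\windows\system32\drivers\etc\hosts
Deteled: C:\windows\system32\drivers\etc\hosts
"""

# "<hex addr>  Api(args)[=retval]" lines from the API log.
API_RE = re.compile(r"^\s*[0-9a-fA-F]+\s+(\w+)\s*\((.*)\)\s*(?:=\w+)?\s*$")
# Dirwatch lines; the tool itself writes "Modifed" and "Deteled".
WATCH_RE = re.compile(r"^\s*(Created|Modified|Modifed|Deleted|Deteled):\s*(.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SEH_KEY = r"\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
HOSTS_TAIL = r"\drivers\etc\hosts"


def triage(log_text):
    """Single pass over the log; value operations apply to the last key opened."""
    report = {
        "dropped_files": [],      # Copy destinations and Dirwatch "Created" paths
        "hooks_added": [],        # CLSIDs written under ShellExecuteHooks
        "hooks_removed": [],      # CLSIDs deleted from ShellExecuteHooks
        "inproc_clsids": [],      # CLSIDs whose InProcServer32 key was created
        "loaded_from_disk": [],   # LoadLibraryA with a full path, not a system DLL name
        "hosts_tampered": False,
    }
    current_key = ""
    for line in log_text.splitlines():
        m = WATCH_RE.match(line)
        if m:
            action, path = m.groups()
            if path.lower().endswith(HOSTS_TAIL):
                report["hosts_tampered"] = True
            elif action == "Created" and path not in report["dropped_files"]:
                report["dropped_files"].append(path)
            continue
        m = API_RE.match(line)
        if not m:
            continue
        api, arg = m.groups()
        if api in ("RegOpenKeyExA", "RegCreateKeyExA"):
            current_key = arg.split(",")[0]          # drop the trailing ",(null)"
            if api == "RegCreateKeyExA" and current_key.lower().endswith(r"\inprocserver32"):
                report["inproc_clsids"].extend(CLSID_RE.findall(current_key))
        elif api in ("RegSetValueExA", "RegDeleteValueA"):
            if current_key.lower().endswith(SEH_KEY):
                bucket = "hooks_added" if api == "RegSetValueExA" else "hooks_removed"
                report[bucket].extend(CLSID_RE.findall(arg))
        elif api == "Copy" and "->" in arg:
            dst = arg.split("->", 1)[1]
            if dst not in report["dropped_files"]:
                report["dropped_files"].append(dst)
        elif api == "LoadLibraryA" and "\\" in arg:
            report["loaded_from_disk"].append(arg)
    return report


def findings(report):
    """Reviewer-facing statements derived from the report."""
    out = []
    # The log never shows the InProcServer32 value data, so the DLL behind the
    # CLSID is inferred: a dropped file that the sample itself then loaded.
    dropped_and_loaded = [p for p in report["loaded_from_disk"] if p in report["dropped_files"]]
    for clsid in report["hooks_added"]:
        note = ""
        if clsid in report["inproc_clsids"] and dropped_and_loaded:
            note = f" (InProcServer32 registered; dropped DLL loaded: {dropped_and_loaded[0]})"
        out.append(f"persistence: ShellExecuteHooks {clsid}{note}")
    if report["hooks_removed"]:
        out.append(f"tamper: {len(report['hooks_removed'])} existing ShellExecuteHooks values deleted")
    if report["hosts_tampered"]:
        out.append("tamper: drivers\\etc\\hosts rewritten")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Two caveats when using this against a live capture rather than the excerpt: the script attributes every RegSetValueExA/RegDeleteValueA to the most recently opened or created key, which matches how this tool serialises a single thread but would mis-attribute calls from interleaved threads; and because the value data of InProcServer32 is not logged, the DLL behind the hook is inferred from the LoadLibraryA of a dropped file, so on a real host confirm it by reading HKCR\CLSID\{...}\InProcServer32 directly before cleaning up.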
worker321
Posted 2007-5-28 11:14:34
AntiVirusKit 2006 (反病毒专家) virus scan log
Version 16.0.7
Dual-engine virus signatures 2007-5-27
Start time: 2007-5-28 11:15
Engines: KAV engine (AVK 16.10153), BD engine (BD 16.6079)
High heuristics: on
Archives: on
System areas: on

Scanning system areas...
Scanning selected directories and files...
Object: smss.exe
        Path: C:\Documents and Settings\Administrator\桌面
        Status: virus found
        Virus: Virus.Win32.AutoRun.p (KAV engine)
Scan finished: 2007-5-28 11:16
    1 file checked
    1 infected file found
    0 suspicious files found
鼻耳盖子
Posted 2007-5-28 17:17:23

Micropoint (微点) reports an unknown trojan.


Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4 ( 沪ICP备2020031077号-2 ) GMT+8, 2025-1-12 15:51
