Thread starter: XMonster

[Discussion] ============== Two samples (2X) get past the HIPS (active defense), orz, everyone come and test them ==============

uni384284728
Posted on 2011-2-12 19:08:44
Reply to post #14 by dm34343667

Didn't Kingsoft Webshield pop up an alert?
hudeg632
Posted on 2011-2-12 19:15:00
Joining in the fun: ran 5.exe in the sandbox.
Folders added: 2
--------------------
C:\Program Files\Windows Media Player\1']N]NK[0.%I#=P!UdTXIMJ%V8'U9
C:\Program Files\Windows Media Player\skKKDs siBAlu

Files added: 24
--------------------
C:\Documents and Settings\Administrator\Cookies\administrator@www.mootolola[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4DD9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\27WBM72Z\112233667788[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\27WBM72Z\CAAJY1QV.htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\27WBM72Z\cpro_media_small[1].png
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\27WBM72Z\id=nWcLnjmkPs&gp=404&time=nHcvrHn1nWDLr0[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\27WBM72Z\id=nWnvrjDYrf&gp=404&time=nHcvrHn1nWDLn6[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\27WBM72Z\id=PHD3PHDv&gp=10&time=nHcdrHbznWfYPs[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C45AGZR1\CA67GHAJ.htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C45AGZR1\CASLMZKX.php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C45AGZR1\ecom[3]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C45AGZR1\id=PWRknWT&gp=10&time=nHcdPHDsnHD3rf[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DOLZ9DIH\AC_RunActiveContent[3].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DOLZ9DIH\icon_0[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DOLZ9DIH\stat[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OPMMS6\4022345[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OPMMS6\c[2].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OPMMS6\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OPMMS6\id=nWnvrHnzPf&gp=403&time=nHcvrHn1nWfsP0[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OPMMS6\stat[1].gif
C:\Program Files\Windows Media Player\1']N]NK[0.%I#=P!UdTXIMJ%V8'U9\360SATA.exe
C:\Program Files\Windows Media Player\skKKDs siBAlu\1.bat
C:\Program Files\Windows Media Player\skKKDs siBAlu\RunDict6.exe
C:\Program Files\Windows Media Player\skKKDs siBAlu\YodaoDict.exe

Files modified: 6
--------------------
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012011021220110213\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Administrator\桌面\Desktop\5.exe


Values added: 2
--------------------
HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\MUICache
  (SZ) C:\Program Files\Windows Media Player\skKKDs siBAlu\1.bat =1


Values changed: 5
--------------------
HKEY_LOCAL_MACHINE\software\microsoft\DirectDraw\MostRecentApplication
  Old: (SZ) Name =iexplore.exe
  New: (SZ) Name =360SATA.exe
  Old: (DWORD) ID =0x48025225 (1208111653)
  New: (DWORD) ID =0x4D50E71D (1297147677)
xzhlksh
Posted on 2011-2-12 19:20:30
Are there any unusual paths? Everything above is just temp folders.
XMonster
Thread starter | Posted on 2011-2-12 19:21:04
hudeg632 posted on 2011-2-12 19:15:
Joining in the fun: ran 5.exe in the sandbox.
Folders added: 2
--------------------

What on earth is this?
ccccwjl
Posted on 2011-2-12 19:24:52
Last edited by ccccwjl on 2011-2-12 19:25

It seems a folder called 程序 ("Programs") was created on drive C, but when I opened that folder its name had changed to Oath. Really strange.
hudeg632
Posted on 2011-2-12 19:27:40
Ran 18.exe, log below:
Folders added: 3
--------------------
C:\Documents and Settings\Administrator\「开始」菜单\程序\益盟软件
C:\Documents and Settings\Administrator\「开始」菜单\程序\益盟软件\益盟操盘手
C:\Program Files\ymLevel2_Taste

Files added: 15
--------------------
C:\Documents and Settings\All Users\「开始」菜单\程序\启动\益盟操盘手.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\益盟软件\益盟操盘手\卸载益盟操盘手.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\益盟软件\益盟操盘手\益盟操盘手.lnk
C:\Documents and Settings\Administrator\桌面\益盟操盘手.lnk
C:\Program Files\ymLevel2_Taste\Coder2.dll
C:\Program Files\ymLevel2_Taste\DownLoad.dll
C:\Program Files\ymLevel2_Taste\INSTALL.LOG
C:\Program Files\ymLevel2_Taste\L2Host.dat
C:\Program Files\ymLevel2_Taste\L2LC.exe
C:\Program Files\ymLevel2_Taste\MFC71.dll
C:\Program Files\ymLevel2_Taste\msvcr71.dll
C:\Program Files\ymLevel2_Taste\offLogo.mht
C:\Program Files\ymLevel2_Taste\UNWISE.EXE
C:\Program Files\ymLevel2_Taste\UNWISE.INI
C:\Program Files\ymLevel2_Taste\UnzipDll.dll

Files modified: 2
--------------------
C:\process.txt
C:\WINDOWS\system32\msvcr71.dll

Keys added: 4
--------------------
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\益盟操盘手 T1.0.5.1
HKEY_CURRENT_USER\software\ymLevel2_Taste
HKEY_CURRENT_USER\software\ymLevel2_Taste\Stock
HKEY_CURRENT_USER\software\ymLevel2_Taste\Stock\System

Values added: 4
--------------------
HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer
  (SZ) SidTid =112301.14

HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\益盟操盘手 T1.0.5.1
  (SZ) DisplayName =益盟操盘手 T1.0.5.1
  (SZ) UninstallString =C:\PROGRA~1\YMLEVE~1\UNWISE.EXE C:\PROGRA~1\YMLEVE~1\INSTALL.LOG

HKEY_CURRENT_USER\software\ymLevel2_Taste\Stock\System
  (SZ) Path =C:\PROGRA~1\YMLEVE~1
  (SZ) SharePath =C:\PROGRA~1\YMLEVE~1
iippuiui
Posted on 2011-2-12 19:29:09
红袖小乱 posted on 2011-2-12 12:48:
QVM flagged one of them; the other one won't run in the sandbox, so I didn't try it~

Looks like it was reported first thing this morning, but at noon 360 Safeguard's scan still couldn't detect it... did cloud QVM slip up?
tedrick
Posted on 2011-2-12 20:02:20
Last edited by tedrick on 2011-2-12 20:02

xzhlksh posted on 2011-2-12 19:20:
Are there any unusual paths? Everything above is just temp folders.


I'm puzzled too. I think they mean 1']N]NK[0.%I#=P!UdTXIMJ%V8'U9. It looks garbled, but all of the characters are legal. Someone earlier said it can't be scanned; I don't know whether that's a bug in the AV.
ccccwjl
Posted on 2011-2-12 20:04:45
I ran this virus yesterday. Although 360's cloud HIPS didn't react at all, the 360 Antivirus scan was still quite effective.
360杀毒扫描日志

病毒库版本:6727366
扫描时间:2011-02-11 16:34:35
扫描用时:00:28:20
扫描类型:全盘扫描
扫描文件总数:136967
威胁总数:5

扫描选项
----------------------
扫描所有文件:是
扫描压缩包:是
发现病毒处理方式:自动
扫描系统内存:是
扫描磁盘引导区:是
扫描 Rootkit:是
使用QVM启发式引擎:是

扫描内容
----------------------
全盘

白名单设置
----------------------


扫描结果
======================
系统修复扫描结果
----------------------

病毒扫描结果
----------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\847828_res.tmp        恶意程序(Malware.QVM27.Gen)        已删除
C:\Program Files\Windows Media Player\skKKDs siBAlu\YodaoDict.exe        恶意程序(Malware.QVM06.Gen)        已删除
C:\Program Files\Windows Media Player\1']N]NK[0.%I#=P!UdTXIMJ%V8'U9\360SATA.exe        恶意程序(Malware.QVM06.Gen)        已删除
C:\Oath\启动\CS.COM        恶意程序(Malware.QVM06.Gen)        已删除
D:\Program Files\腾讯游戏\QQGAME\DdzRpg\ddzrpg.exe        恶意程序(Malware.QVM07.Gen)        已删除
-oAo-
Posted on 2011-2-13 09:59:52
Not surprising that it gets past 360.
Copyright © KaFan  KaFan.cn All Rights Reserved.