Thread starter: ouran
[Virus sample] MSN "sexy photo album" worm
Redevil
Posted on 2007-6-3 18:33:39
Too mild, this virus. Not going to bother killing it.
a3275
Posted on 2007-6-3 18:48:56
AntiVir PersonalEdition Classic
Report file date: 2007-06-03 18:49

Scanning for 802392 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         康
Computer name:    NERV-2020F05317

Version information:
BUILD.DAT    : 247           14437 Bytes   2007-5-10 11:55:00
AVSCAN.EXE   : 7.0.4.15     282664 Bytes    2007-6-3 10:18:30
AVSCAN.DLL   : 7.0.4.4       33832 Bytes   2007-3-27 05:31:54
LUKE.DLL     : 7.0.4.11     143400 Bytes   2007-3-27 05:26:04
LUKERES.DLL  : 7.0.4.0       10280 Bytes   2007-3-19 05:18:59
ANTIVIR0.VDF : 6.35.0.1    7371264 Bytes   2006-5-31 07:08:58
ANTIVIR1.VDF : 6.38.1.170  5569024 Bytes   2007-5-21 10:18:31
ANTIVIR2.VDF : 6.38.1.200   169472 Bytes   2007-5-29 10:18:31
ANTIVIR3.VDF : 6.38.1.218    98816 Bytes    2007-6-1 10:18:31
AVEWIN32.DLL : 7.4.0.29    2478592 Bytes    2007-6-3 10:18:32
AVWINLL.DLL  : 1.0.0.7       14376 Bytes   2007-2-26 03:36:26
AVPREF.DLL   : 7.0.2.1       24616 Bytes   2007-3-27 05:31:50
AVREP.DLL    : 7.0.0.1      155688 Bytes   2007-4-16 06:16:24
AVPACK32.DLL : 7.3.0.10     360488 Bytes    2007-6-3 10:18:32
AVREG.DLL    : 7.0.1.2       31784 Bytes   2007-3-15 02:05:08
AVEVTLOG.DLL : 7.0.0.18      86056 Bytes   2007-3-27 05:16:05
AVARKT.DLL   : 1.0.0.17     278568 Bytes    2007-6-3 10:18:30
NETNT.DLL    : 7.0.0.0        7720 Bytes    2007-3-8 04:09:42
RCIMAGE.DLL  : 7.0.1.15    2228264 Bytes   2007-3-13 03:46:18
RCTEXT.DLL   : 7.0.45.0      86056 Bytes   2007-3-19 05:42:42

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\康\LOCALS~1\Temp\6a4e8480.avp
Logging..........................: low
Primary action...................: delete
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: high
Skipped files....................: E:\杀毒防毒,
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 2007-06-03 18:49

Starting the file scan:

Begin scan in 'C:\Documents and Settings\康\桌面\photos.rar'
C:\Documents and Settings\康\桌面\photos.rar
  [0] Archive type: RAR
  --> photos.scr
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      A backup was created as '46d19d2e.qua'  ( QUARANTINE )
      [INFO]      The file was deleted!


End of the scan: 2007-06-03 18:49
Used time: 00:02 min

The scan has been done completely.

      0 Scanning directories
      2 Files were scanned
      1 viruses and/or unwanted programs were found
      1 classified as suspicious:
      1 files were deleted
      0 files were repaired
      1 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      0 Files not concerned
      1 Archives were scanned
      0 Warnings
      0 Notes
      0 Hidden objects were found
aoyang
Posted on 2007-6-3 18:49:12
Original post by yinxuchina on 2007-6-3 18:16:
Filseclab (费尔) doesn't flag it.

(This post contains attachments.)
mhj144007
Posted on 2007-6-3 20:09:40
There was a "roast chicken" (烤鷄) sample a while back; is this from the same family?

Sandbox Submit a File Report

ID 654818
Comment None
Flag 1

Analysis Summary:

Analysis Date 6/2/2007 1:53:59 AM
Sandbox Version 1.115
Filename 9784ab71076f583ce02de0340554aefa.exe

Technical Details:

Analysis Number 1
Parent ID 0
Process ID 1276
Filename c:\9784ab71076f583ce02de0340554aefa.exe
Filesize 479232 bytes
MD5 9784ab71076f583ce02de0340554aefa
Start Reason AnalysisTarget
Termination Reason NormalTermination
Start Time 00:00.281
Stop Time 00:03.156
Detection
- (Authentium Command Antivirus - EngVer: 4.92.123.35 - SigVer: 20070525 35)
- (BitDefender Antivirus - EngVer: 7.0.0.2311 - SigVer: 7.10873)
- (CounterSpy - EngVer: 2.1.628.0 - SigVer: 469)
- (Microsoft Malware Protection - EngVer: 1.1.2503.0 - SigVer: Mon May 28 19:13:54 2007)
- (Norton AntiVirus - EngVer: 20071.2.0.18 - SigVer: 20070528 12:25:07)

DLL-Handling
Loaded DLLs
c:\9784ab71076f583ce02de0340554aefa.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\COMCTL32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\Secur32.dll
USER32.dll
ADVAPI32.dll
NTDLL.dll
NTDLL
winmm.dll
KERNEL32.dll
ole32.dll


Filesystem
New Files
C:\WINDOWS\photos.zip
C:\WINDOWS\system32\syshosts.dll

Opened Files
C:\WINDOWS\system32\KERNEL32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\ADVAPI32.dll
c:\9784ab71076f583ce02de0340554aefa.exe

Chronological order
Open File: C:\WINDOWS\system32\KERNEL32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\USER32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ADVAPI32.dll (OPEN_EXISTING)
Open File: c:\9784ab71076f583ce02de0340554aefa.exe (OPEN_EXISTING)
Create File: C:\WINDOWS\photos.zip
Create File: C:\WINDOWS\system32\syshosts.dll


Registry Changes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "syshosts" = {EA2B9A9F-2E2A-4658-BDB5-8B519F9216D7}
HKEY_CLASSES_ROOT\CLSID\{EA2B9A9F-2E2A-4658-BDB5-8B519F9216D7}\InProcServer32 "" = syshosts.dll


Process Management
Kill Process - Filename () CommandLine: () Target PID: (1276) As User: () Creation Flags: ()
Enum Processes
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1448)

System Info
Get System Directory
Get Windows Directory
Get System Time

Threads
Create Remote Thread - Target PID (1448) Thread ID (1296) Thread ID ($7C80AE4B) Parameter Address ($01BF0000) Creation Flags (CREATE_SUSPENDED)

Virtual Memory
VM Allocate - Target: (1448) Address: ($01BF0000) Size: (4096) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1448) Address: ($01E40000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1448) Address: ($01F3E000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (1448) Address: ($01BF0000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1448) Address: ($01BF0000) Size: (4096) Protect: (PAGE_READWRITE)
VM Protect - Target: (1448) Address: ($01F3E000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Write - Target: (1448) Address: ($01BF0000) Size: (66)


The following process was started by process: 1
Analysis Number 2
Parent ID 1
Process ID 1448
Filename C:\WINDOWS\Explorer.EXE
Filesize 1032192 bytes
MD5 a0732187050030ae399b241436565e64
Start Reason InjectedCode
Termination Reason Timeout
Start Time 00:02.281
Stop Time 01:00.953
DLL-Handling
Loaded DLLs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\BROWSEUI.dll
C:\WINDOWS\system32\SHDOCVW.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\CRYPTUI.dll
C:\WINDOWS\system32\WINTRUST.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\appHelp.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\System32\cscui.dll
C:\WINDOWS\System32\CSCDLL.dll
C:\WINDOWS\system32\themeui.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\MSIMG32.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\system32\actxprxy.dll
C:\WINDOWS\system32\shimgvw.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\mlang.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\mshtml.dll
C:\WINDOWS\system32\msls31.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\RASAPI32.DLL
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\ImgUtil.dll
C:\WINDOWS\system32\pngfilt.dll
C:\WINDOWS\system32\shdoclc.dll
C:\WINDOWS\system32\LINKINFO.dll
C:\WINDOWS\system32\ntshrui.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\msimtf.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\NETSHELL.dll
C:\WINDOWS\system32\credui.dll
C:\WINDOWS\system32\iphlpapi.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\MSISIP.DLL
C:\WINDOWS\system32\wshext.dll
C:\WINDOWS\system32\MFC42.DLL
C:\WINDOWS\system32\comdlg32.dll
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\webcheck.dll
C:\WINDOWS\system32\WSOCK32.dll
C:\WINDOWS\system32\stobject.dll
C:\WINDOWS\system32\BatMeter.dll
C:\WINDOWS\system32\POWRPROF.dll
C:\WINDOWS\system32\WTSAPI32.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\Wship6.dll
dnsapi.dll


Filesystem
New Files
\Device\RasAcd

Chronological order
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)


Mutexes
Creates Mutex: youpissmeofffniggaaazvsshit

Registry Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"


Network Activity
DNS Lookup
Host Name        IP Address
www.free8.biz 208.109.176.115
Outgoing connection to remote server: www.free8.biz TCP port 8081
Outgoing connection to remote server: www.free8.biz TCP port 8081


Analysis Number 3
Parent ID 0
Process ID 712
Filename  
Filesize -1 bytes
MD5  
Start Reason SCM
Termination Reason Unknown
Start Time 00:36.312
Stop Time 00:00.000
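The report above carries the four behaviours that make this sample worth a "malicious" verdict without a signature: two dropped files, a ShellServiceObjectDelayLoad (SSODL) value whose CLSID's InProcServer32 points at the dropped syshosts.dll (Explorer loads SSODL objects at every logon, so that is the persistence), a 66-byte write into Explorer.EXE (PID 1448) followed by a remote thread in that process, and a DNS lookup plus a TCP/8081 connection to www.free8.biz. The Python below is an added example for this thread, not the sandbox vendor's code and not something any poster wrote: it parses those behaviour lines (embedded as a constructed excerpt of the report) into joined findings and a verdict. It makes one inference the report itself does not state, and labels it as such: 66 bytes is exactly the UTF-16 length, terminating NUL included, of C:\WINDOWS\system32\syshosts.dll, which is what a LoadLibraryW-style injection of that path into Explorer looks like.

```python
"""Triage of a CWSandbox-style behaviour report.

Added example for this thread, not code from the sandbox vendor or any
poster. It extracts dropped files, SSODL persistence, remote-thread
injection and outbound connections from the report text and joins them
into findings. SAMPLE_REPORT is a constructed excerpt of the report above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: behaviour lines copied from Analysis 1 and 2 of the
# report above, trimmed to what the triage needs.
SAMPLE_REPORT = r"""
Create File: C:\WINDOWS\photos.zip
Create File: C:\WINDOWS\system32\syshosts.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "syshosts" = {EA2B9A9F-2E2A-4658-BDB5-8B519F9216D7}
HKEY_CLASSES_ROOT\CLSID\{EA2B9A9F-2E2A-4658-BDB5-8B519F9216D7}\InProcServer32 "" = syshosts.dll
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1448)
Create Remote Thread - Target PID (1448) Thread ID (1296) Thread ID ($7C80AE4B) Parameter Address ($01BF0000) Creation Flags (CREATE_SUSPENDED)
VM Allocate - Target: (1448) Address: ($01BF0000) Size: (4096) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Write - Target: (1448) Address: ($01BF0000) Size: (66)
www.free8.biz 208.109.176.115
Outgoing connection to remote server: www.free8.biz TCP port 8081
"""

# Line shapes as they appear in the report above (assumed stable for this format).
RE_CREATE = re.compile(r"^Create File: (.+)$")
RE_SSODL = re.compile(r'ShellServiceObjectDelayLoad "([^"]+)" = (\{[0-9A-Fa-f-]+\})')
RE_INPROC = re.compile(r'CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32 "" = (.+)$')
RE_OPENPROC = re.compile(r"^Open Process - Filename \(([^)]+)\) Target PID: \((\d+)\)")
RE_THREAD = re.compile(r"^Create Remote Thread - Target PID \((\d+)\)")
RE_VMWRITE = re.compile(r"^VM Write - Target: \((\d+)\) Address: \(\$[0-9A-Fa-f]+\) Size: \((\d+)\)")
RE_CONN = re.compile(r"^Outgoing connection to remote server: (\S+) TCP port (\d+)$")
RE_DNS = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass
class Triage:
    dropped: list[str] = field(default_factory=list)
    persistence: list[tuple[str, str, str]] = field(default_factory=list)  # (SSODL name, CLSID, DLL)
    injected: list[tuple[int, str]] = field(default_factory=list)          # (PID, image)
    c2: list[tuple[str, str, int]] = field(default_factory=list)           # (host, IP, port)
    findings: list[str] = field(default_factory=list)


def triage(report: str) -> Triage:
    t = Triage()
    ssodl: dict[str, str] = {}         # SSODL value name -> CLSID
    inproc: dict[str, str] = {}        # CLSID -> InProcServer32 DLL
    images: dict[int, str] = {}        # opened PID -> image path
    writes: dict[int, list[int]] = {}  # PID -> sizes of cross-process writes
    threads: set[int] = set()          # PIDs that received a remote thread
    dns: dict[str, str] = {}
    conns: list[tuple[str, int]] = []

    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_CREATE.match(line):
            t.dropped.append(m.group(1))
        elif m := RE_SSODL.search(line):
            ssodl[m.group(1)] = m.group(2).upper()
        elif m := RE_INPROC.search(line):
            inproc[m.group(1).upper()] = m.group(2)
        elif m := RE_OPENPROC.match(line):
            images[int(m.group(2))] = m.group(1)
        elif m := RE_THREAD.match(line):
            threads.add(int(m.group(1)))
        elif m := RE_VMWRITE.match(line):
            writes.setdefault(int(m.group(1)), []).append(int(m.group(2)))
        elif m := RE_CONN.match(line):
            conns.append((m.group(1), int(m.group(2))))
        elif m := RE_DNS.match(line):
            dns[m.group(1)] = m.group(2)

    # Persistence: join the SSODL value to its CLSID's server DLL, then to a dropped file.
    dropped_by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in t.dropped}
    for name, clsid in ssodl.items():
        dll = inproc.get(clsid, "?")
        t.persistence.append((name, clsid, dll))
        hit = dropped_by_name.get(dll.rsplit("\\", 1)[-1].lower())
        t.findings.append(f"persistence: SSODL '{name}' -> {clsid} loads {hit or dll}"
                          + (" (dropped by the sample)" if hit else ""))

    # Injection: a cross-process write and a remote thread in the same target PID.
    for pid in sorted(threads):
        if pid not in writes:
            continue
        image = images.get(pid, f"pid {pid}")
        t.injected.append((pid, image))
        t.findings.append(f"injection: wrote {sum(writes[pid])} bytes into {image} and started a remote thread")
        # Inference, not stated by the report: a write whose size equals the UTF-16
        # length (NUL included) of a dropped DLL path is what LoadLibraryW-style
        # injection of that path looks like.
        for size in writes[pid]:
            for path in t.dropped:
                if size == 2 * (len(path) + 1):
                    t.findings.append(f"injection: {size}-byte write matches UTF-16 length of {path}")

    # Network: resolved host plus port; anything off 80/443 gets called out.
    for host, port in conns:
        entry = (host, dns.get(host, "?"), port)
        if entry not in t.c2:
            t.c2.append(entry)
            note = "" if port in (80, 443) else " (non-web port)"
            t.findings.append(f"network: {host} ({entry[1]}) TCP/{port}{note}")
    return t


def verdict(t: Triage) -> str:
    score = sum([bool(t.dropped), bool(t.persistence), bool(t.injected), bool(t.c2)])
    return "malicious" if score >= 3 else "suspicious" if score >= 1 else "clean"


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for finding in result.findings:
        print(finding)
    print("verdict:", verdict(result))
```

The join between the SSODL value, the CLSID's InProcServer32 and the dropped file is the part worth keeping even when the rest is swapped out for another sandbox's format: a loose SSODL entry is just a string in the registry, but one whose DLL the same sample wrote to system32 is the persistence mechanism, and on a live host the same walk (SSODL value, CLSID under HKCR, file on disk) is how to confirm or clean it.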
rasis
Posted on 2007-6-3 20:12:37
photos.rar
  [0] Archive type: RAR
  --> photos.scr
      [DETECTION] Contains suspicious code HEUR/Crypted
The EQs
Posted on 2007-6-3 20:15:23
For this kind of thing the AV vendors just add the packed file straight to the signature database...
woai_jolin
Posted on 2007-6-3 20:17:00
2007/6/3 20:11:33        Scanning Log
2007/6/3 20:11:33        Version of virus signature database: 2305 (20070601)
2007/6/3 20:11:33        Date: 3.6.2007  Time: 20:11:33
2007/6/3 20:11:33        Scanned disks, folders and files: E:\病毒测试\;E:\VistaAdvance.zip
2007/6/3 20:11:33        E:\病毒测试\photos.rar - Win32/IRCBot.ZY trojan - deleted - quarantined
2007/6/3 20:11:33        E:\病毒测试\photos.rar » RAR » photos.scr - Win32/IRCBot.ZY trojan
2007/6/3 20:11:34        Number of scanned files: 74
2007/6/3 20:11:34        Number of threats found: 1
2007/6/3 20:11:34        Time of completion: 20:11:34  Total scanning time: 1 sec (00:00:01)
hcyjc
Posted on 2007-6-3 20:19:30
Avira (红伞) catches it by heuristics:
  --> photos.scr
      [DETECTION] Contains suspicious code HEUR/Crypted
鼻耳盖子
Posted on 2007-6-4 16:38:13

Micropoint (微点) reports it as a known threat:

Trojan name: Backdoor.Win32.IRCBot.ahd
Program:
I:\TEST\070603\33\PHOTOS\PHOTOS.SCR
is a Trojan program!
It has been blocked from running. Delete this file?
tracydk
Posted on 2007-6-9 09:34:57

(This post contains attachments.)
Copyright © KaFan  KaFan.cn All Rights Reserved.