[Virus sample] Planted in a lot of places

promised
Posted on 2007-6-3 20:39:20


[ Last edited by promised on 2007-6-3 20:45 ]

The EQs
Posted on 2007-6-3 20:41:12
What has been added to it??
zelda1983
Posted on 2007-6-3 20:42:35
Dr.Web  NOD32  FOUND  NOTHING
aoyang
Posted on 2007-6-3 20:43:22

Reply to post #2 by EQ2

It has probably been packed
wangjay1980
Posted on 2007-6-3 20:48:47
2007-6-3 JAY20:50:19        File: C:\Documents and Settings\Owner\桌面\x\x.exe//Armadillo        ok        scanned
This packer
The EQs
Posted on 2007-6-3 20:49:52
Armadillo.......
tracydk
Posted on 2007-6-3 20:50:59
Already reported
aoyang
Posted on 2007-6-3 20:51:02
12
zelda1983
Posted on 2007-6-3 20:52:35
Looks like when it comes to packers, it's still...
mhj144007
Posted on 2007-6-3 20:52:37
Sandbox Submit a File Report

-

--------------------------------------------------------------------------------

ID 666637
Comment None
Flag 1

Analysis Summary:

Analysis Date 6/3/2007 8:52:31 AM
Sandbox Version 1.115
Filename 3a372f67456b65ffc51723f635b60b4e.exe

Technical Details:

Analysis Number 1
Parent ID 0
Process ID 564
Filename c:\temp\3a372f67456b65ffc51723f635b60b4e.exe
Filesize 716800 bytes
MD5 3a372f67456b65ffc51723f635b60b4e
Start Reason AnalysisTarget
Termination Reason NormalTermination
Start Time 00:00.203
Stop Time 00:07.031
DLL-Handling Loaded DLLs
c:\temp\3a372f67456b65ffc51723f635b60b4e.exe
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\MSVCRT.DLL
C:\WINDOWS\system32\OLE32.DLL
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\Secur32.dll
user32.dll
KERNEL32.DLL
Kernel32
USER32.dll


Filesystem Opened Files
\\.\BCMDMCCP
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\temp\3a372f67456b65ffc51723f635b60b4e.exe

Chronological order
Open File: \\.\BCMDMCCP (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: c:\temp\3a372f67456b65ffc51723f635b60b4e.exe ()
Find File: 3a372f67456b65ffc51723f635b60b4e.exe


Mutexes Creates Mutex: 250::DA0B1A61B1
Creates Mutex: DILLOCREATE
Creates Mutex: DILLOOEP
Opens Mutex: 234::DA0B1A61B1

Registry  
Process Management Creates Process - Filename (c:\temp\3a372f67456b65ffc51723f635b60b4e.exe) CommandLine: (c:\temp\3a372f67456b65ffc51723f635b60b4e.exe) As User: () Creation Flags: (CREATE_SUSPENDED)
Kill Process - Filename () CommandLine: () Target PID: (564) As User: () Creation Flags: ()
Open Process - Filename (c:\temp\3a372f67456b65ffc51723f635b60b4e.exe) Target PID: (592)

System Info Get System Time

Threads Create Remote Thread - Target PID (592) Thread ID (624) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)

Virtual Memory VM Protect - Target: (592) Address: ($0045C000) Size: (4096) Protect: (PAGE_READWRITE)
VM Protect - Target: (592) Address: ($0045C000) Size: (4096) Protect: (PAGE_EXECUTE_WRITECOPY)
VM Protect - Target: (592) Address: ($0045C000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Read - Target: (592) Address: ($0045C000) Size: (2)
VM Read - Target: (592) Address: ($7FFDE014) Size: (4)
VM Read - Target: (592) Address: ($00252C08) Size: (520)
VM Read - Target: (592) Address: ($00252CB0) Size: (520)
VM Read - Target: (592) Address: ($0012D5E4) Size: (91)
VM Read - Target: (592) Address: ($00252D50) Size: (520)
VM Read - Target: (592) Address: ($00252DF8) Size: (520)
VM Read - Target: (592) Address: ($00252E98) Size: (520)
VM Read - Target: (592) Address: ($00252F38) Size: (520)
VM Read - Target: (592) Address: ($00252FE0) Size: (520)
VM Read - Target: (592) Address: ($00253080) Size: (520)
VM Read - Target: (592) Address: ($00253128) Size: (520)
VM Read - Target: (592) Address: ($002531C8) Size: (520)
VM Read - Target: (592) Address: ($00253268) Size: (520)
VM Read - Target: (592) Address: ($00253308) Size: (520)
VM Read - Target: (592) Address: ($002533B0) Size: (520)
VM Read - Target: (592) Address: ($002534A0) Size: (520)
VM Read - Target: (592) Address: ($00253548) Size: (520)
VM Read - Target: (592) Address: ($00253458) Size: (520)
VM Read - Target: (592) Address: ($00253648) Size: (520)
VM Read - Target: (592) Address: ($002536E8) Size: (520)
VM Read - Target: (592) Address: ($00253788) Size: (520)
VM Read - Target: (592) Address: ($00253828) Size: (520)
VM Read - Target: (592) Address: ($002538C8) Size: (520)
VM Write - Target: (592) Address: ($0045C000) Size: (2)


The following process was started by process: 1
Analysis Number 2
Parent ID 1
Process ID 592
Filename c:\temp\3a372f67456b65ffc51723f635b60b4e.exe c:\temp\3a372f67456b65ffc51723f635b60b4e.exe
Filesize 716800 bytes
MD5 3a372f67456b65ffc51723f635b60b4e
Start Reason CreateProcess
Termination Reason NormalTermination
Start Time 00:01.766
Stop Time 00:06.922
Detection - (Authentium Command Antivirus - EngVer: 4.92.123.35 - SigVer: 20070525 35)
- (BitDefender Antivirus - EngVer: 7.0.0.2311 - SigVer: 7.10873)
- (CounterSpy - EngVer: 2.1.628.0 - SigVer: 469)
- (Microsoft Malware Protection - EngVer: 1.1.2503.0 - SigVer: Mon May 28 19:13:54 2007)
- (Norton AntiVirus - EngVer: 20071.2.0.18 - SigVer: 20070528 12:25:07)

COM COM Create Instance: %SystemRoot%\System32\browseui.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})

DLL-Handling Loaded DLLs
c:\temp\3a372f67456b65ffc51723f635b60b4e.exe
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\MSVCRT.DLL
C:\WINDOWS\system32\OLE32.DLL
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\Secur32.dll
user32.dll
KERNEL32.DLL
COMCTL32.dll
WSOCK32.dll
KERNEL32.dll
USER32.dll
GDI32.dll
comdlg32.dll
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
MSVCRT.dll
ole32.dll
Kernel32.DLL
USER32.DLL
rpcrt4.dll
ws2_32.dll
inetmib1.dll
snmpapi.dll
MPRAPI.dll
MSVBVM60.DLL
ADVAPI32.DLL
COMCTL32.DLL
COMDLG32.DLL
GDI32.DLL
SHELL32.DLL
OLE32.DLL
UserAx.DLL
riched32.dll
riched20.dll
.\UxTheme.dll
UxTheme.dll
netapi32
CLBCATQ.DLL
comctl32.dll
shell32.dll
VERSION.dll


Filesystem New Files
\\.\PHYSICALDRIVE0
\Device\Tcp6
3.jpg
setup.exe

Opened Files
\\.\BCMDMCCP
c:\temp\3a372f67456b65ffc51723f635b60b4e.exe
\\.\SCSI0:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\26D488F2.TMP
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5C7CFCB793BCD0AD.TMP
\\.\SuperBPMDev0
\\.\SICE
\\.\NTICE
\\.\SIWDEBUG
\\.\SIWVID
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5C7CFCB7.RREF
c:\temp\3a372f67456b65ffc51723f635b60b4e.exe
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
\\.\PIPE\ntsvcs
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\setup.exe

Chronological order
Open File: \\.\BCMDMCCP (OPEN_EXISTING)
Open File: c:\temp\3a372f67456b65ffc51723f635b60b4e.exe (OPEN_EXISTING)
Create/Open File: \\.\PHYSICALDRIVE0 (OPEN_ALWAYS)
Open File: \\.\SCSI0: (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\26D488F2.TMP (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5C7CFCB793BCD0AD.TMP (OPEN_EXISTING)
Open File: \\.\SuperBPMDev0 (OPEN_EXISTING)
Open File: \\.\SICE (OPEN_EXISTING)
Open File: \\.\NTICE (OPEN_EXISTING)
Open File: \\.\SIWDEBUG (OPEN_EXISTING)
Open File: \\.\SIWVID (OPEN_EXISTING)
Find File: C:\WINDOWS\*
Find File: C:\*
Find File: c:\temp\*
Find File: C:\WINDOWS\System32\*
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5C7CFCB7.RREF (OPEN_EXISTING)
Open File: c:\temp\3a372f67456b65ffc51723f635b60b4e.exe (OPEN_EXISTING)
Get File Attributes: 3.jpg Flags: (SECURITY_ANONYMOUS)
Get File Attributes: 3.jpg.exe Flags: (SECURITY_ANONYMOUS)
Find File: c:\temp\3a372f67456b65ffc51723f635b60b4e.exe
Create File: 3.jpg
Set File Time: C:\3.jpg
Set File Attributes: 3.jpg Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Get File Attributes: setup.exe Flags: (SECURITY_ANONYMOUS)
Create File: setup.exe
Set File Time: C:\setup.exe
Set File Attributes: setup.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\setup.exe Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Administrator\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: c:\setup.exe ()
Find File: setup.exe


INI Files Read INI File
c:\temp\3a372f67456b65ffc51723f635b60b4e.INI [LICENSE] Language =
c:\temp\3a372f67456b65ffc51723f635b60b4e.INI [LICENSE] Key =
WIN.INI [windows] ScrollInset =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragMinDist =
WIN.INI [windows] ScrollDelay =
WIN.INI [windows] ScrollInterval =
WIN.INI [richedit30] flags =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =


Mutexes Creates Mutex: RALCADBBE3D
Opens Mutex: 250::DA0B1A61B1
Opens Mutex: CADBBE3D:SIMULATEEXPIRED
Opens Mutex: 250:DAF

Registry Changes
HKEY_LOCAL_MACHINE\Software\Licenses "{R7C0DB872A3F777C0}" = [REG_BINARY, size: 4 bytes]
HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters "TrapPollTimeMilliSecs" = [REG_DWORD, value: 00003A98]
HKEY_LOCAL_MACHINE\Software\Licenses "{K7C0DB872A3F777C0}" = [REG_BINARY, size: 260 bytes]
HKEY_CLASSES_ROOT\CLSID\{7517112D-B1F6-49F5-B1F6-49F5B1F649F5} "" = Multimedia File Property Sheet
HKEY_CLASSES_ROOT\CLSID\{7517112D-B1F6-49F5-B1F6-49F5B1F649F5}\InProcServer32 "" = mmsys.cpl
HKEY_CLASSES_ROOT\CLSID\{7517112D-B1F6-49F5-B1F6-49F5B1F649F5}\InProcServer32 "ThreadingModel" = Apartment
HKEY_LOCAL_MACHINE\Software\Licenses "{I5C7CFCB793BCD0AD}" = [REG_BINARY, size: 4 bytes]
HKEY_LOCAL_MACHINE\Software\Licenses "{05C7CFCB793BCD0AD}" = [REG_BINARY, size: 74 bytes]
HKEY_CURRENT_USER\Software\WinRAR SFX "c%%" = c:/

Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters "TrapPollTimeMilliSecs"
HKEY_LOCAL_MACHINE\Hardware\Description\System "SystemBiosVersion"
HKEY_LOCAL_MACHINE\Hardware\Description\System "SystemBiosDate"
HKEY_LOCAL_MACHINE\Software\Licenses "{K7C0DB872A3F777C0}"
HKEY_LOCAL_MACHINE\Software\Licenses "{05C7CFCB793BCD0AD}"
HKEY_CLASSES_ROOT\CLSID\{7517112D-B1F6-49F5-B1F6-49F5B1F649F5} "GGHJLfuGzaR"
HKEY_LOCAL_MACHINE\Software\Licenses "{I5C7CFCB793BCD0AD}"
HKEY_CURRENT_USER\Software\WinRAR SFX "c%%"

Enums
HKEY_CLASSES_ROOT\CLSID\{00022613-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\CLSID\{00022613-0000-0000-C000-000000000046}\InProcServer32


Process Management Creates Process - Filename (c:\setup.exe) CommandLine: () As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (592) As User: () Creation Flags: ()

Service Management Open Service Manager - Name: "SCM"

System Info Get System Directory
Get Windows Directory
Get Computer Name
Get System Time

Window Find Window - Class Name (FileMonClass) Window Name ()
Find Window - Class Name (RegMonClass) Window Name ()
Find Window - Class Name (EDIT) Window Name ()
Enum Windows
Destroy Window - Class Name (Edit) Window Name ()
Destroy Window - Class Name (ComboLBox) Window Name ()

Network Activity  

Analysis Number 3
Parent ID 0
Process ID 712
Filename  
Filesize -1 bytes
MD5  
Start Reason SCM
Termination Reason Unknown
Start Time 00:03.141
Stop Time 00:00.000

The following process was started by process: 2
Analysis Number 4
Parent ID 2
Process ID 1020
Filename c:\setup.exe
Filesize 136704 bytes
MD5 c68d098545c4e97de35efd2501fe0436
Start Reason CreateProcess
Termination Reason NormalTermination
Start Time 00:06.750
Stop Time 00:09.375
DLL-Handling Loaded DLLs
c:\setup.exe
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\System32\AVICAP32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\System32\WINMM.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\System32\MSVFW32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\COMCTL32.dll
C:\WINDOWS\System32\msacm32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\System32\UxTheme.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\Secur32.dll
KERNEL32.DLL
advapi32.dll
AVICAP32.dll
gdi32.dll
msacm32.dll
ole32.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll
wininet.dll
winmm.dll
wsock32.dll
c:\setup.ENU
c:\setup.EN
.\UxTheme.dll
PSAPI.DLL
USER32.dll


Filesystem Chronological order
Find File: C:\WINDOWS\System32\brc_Server.exe


Registry  
Process Management Kill Process - Filename () CommandLine: () Target PID: (1020) As User: () Creation Flags: ()
Enum Processes
Open Process - Filename () Target PID: (4)
Open Process - Filename (\SystemRoot\System32\smss.exe) Target PID: (596)
Open Process - Filename () Target PID: (644)
Open Process - Filename (C:\WINDOWS\system32\winlogon.exe) Target PID: (668)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (712)
Open Process - Filename (C:\WINDOWS\system32\savedump.exe) Target PID: (728)
Open Process - Filename (C:\WINDOWS\system32\lsass.exe) Target PID: (748)
Open Process - Filename (C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe) Target PID: (888)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (952)
Open Process - Filename (C:\WINDOWS\System32\svchost.exe) Target PID: (1064)
Open Process - Filename () Target PID: (1240)
Open Process - Filename () Target PID: (1344)
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1416)
Open Process - Filename (C:\WINDOWS\system32\spoolsv.exe) Target PID: (1560)
Open Process - Filename (C:\WINDOWS\system32\dumprep.exe) Target PID: (420)
Open Process - Filename (C:\WINDOWS\System32\dwwin.exe) Target PID: (444)
Open Process - Filename (C:\WINDOWS\System32\rundll32.exe) Target PID: (472)
Open Process - Filename (C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe) Target PID: (500)

Service Management Open Service Manager - Name: "SCM"

System Info Get System Directory

Network Activity  

Analysis Number 5
Parent ID 0
Process ID 712
Filename  
Filesize -1 bytes
MD5  
Start Reason SCM
Termination Reason Unknown
Start Time 00:07.766
Stop Time 00:00.000

Analysis Number 6
Parent ID 0
Process ID 712
Filename  
Filesize -1 bytes
MD5  
Start Reason SCM
Termination Reason Unknown
Start Time 00:07.953
Stop Time 00:00.000

Analysis Number 7
Parent ID 0
Process ID 712
Filename  
Filesize -1 bytes
MD5  
Start Reason SCM
Termination Reason Unknown
Start Time 00:08.016
Stop Time 00:00.000

Analysis Number 8
Parent ID 0
Process ID 712
Filename  
Filesize -1 bytes
MD5  
Start Reason SCM
Termination Reason Unknown
Start Time 00:09.235
Stop Time 00:00.000