Views: 4046 | Replies: 21

[Virus sample] qqfzl.com sample, exe file pack 2 [MD5: 2AE284 A16F8C C0F527 3DEEC4 1A25E8 E5ABCE 493A1A]

allenhippo
Posted on 2007-6-9 14:26:58


Seven files in total

[ This post was last edited by allenhippo on 2007-6-9 14:35 ]

The EQs
Posted on 2007-6-9 14:29:58
Scan performed at: 2007-6-9 14:31:37
Scanning Log
NOD32 version 2320 (20070609) NT
Command line: C:\Documents and Settings\EQ2\桌面\virus.rar
Operating memory - is OK

Date: 9.6.2007  Time: 14:31:41
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\EQ2\桌面\virus.rar
C:\Documents and Settings\EQ2\桌面\virus.rar »RAR »nwizAsktao.exe - a variant of Win32/PSW.Agent.NEW trojan
C:\Documents and Settings\EQ2\桌面\virus.rar »RAR »qjso.exe - Win32/Pacex.Gen virus
C:\Documents and Settings\EQ2\桌面\virus.rar »RAR »rxso.exe - Win32/Pacex.Gen virus
C:\Documents and Settings\EQ2\桌面\virus.rar »RAR »systemm.exe - Win32/Agent.NEK trojan - was a part of the deleted object
C:\Documents and Settings\EQ2\桌面\virus.rar »RAR »tlso.exe - Win32/Pacex.Gen virus
C:\Documents and Settings\EQ2\桌面\virus.rar »RAR »upxdnd.exe - Win32/PSW.OnLineGames.NAL trojan - was a part of the deleted object
C:\Documents and Settings\EQ2\桌面\virus.rar »RAR »woso.exe - probably a variant of Win32/PSW.Agent.NDP trojan
Number of scanned files: 8
Number of threats found: 7
Number of files cleaned: 1
Time of completion: 14:31:41 Total scanning time: 0 sec (00:00:00)
红心王子
Posted on 2007-6-9 14:30:05
已删除: 木马程序 Trojan-PSW.Win32.OnLineGames.sl        文件: C:\Documents and Settings\Administrator\桌面\virus.rar/nwizAsktao.exe//PE_Patch//UPack
已删除: 木马程序 Backdoor.Win32.Agent.alh        文件: C:\Documents and Settings\Administrator\桌面\virus.rar/systemm.exe//UPack
已删除: 木马程序 Trojan-PSW.Win32.OnLineGames.bs        文件: C:\Documents and Settings\Administrator\桌面\virus.rar/tlso.exe
已删除: 木马程序 Trojan-PSW.Win32.OnLineGames.wq        文件: C:\Documents and Settings\Administrator\桌面\virus.rar/upxdnd.exe
已删除: 木马程序 Trojan-PSW.Win32.Small.cf        文件: C:\Documents and Settings\Administrator\桌面\virus.rar/woso.exe
taihuxian
Posted on 2007-6-9 14:30:29
BitDefender

This web page has been blocked by BitDefender Antivirus Real-time Protection!

The blocked web page included objects that were either infected or likely to be infected with a virus. Your system has NOT been infected.

Trojan.PWS.Onlinegames.AWD
Trojan.Spy.Agent.NFA
q=Backdoor.Agent.ALH
Trojan.PWS.OnlineGames.AUP
promised
Posted on 2007-6-9 14:38:23
Demo mode
Command line options:
/r=susp.rpt /ha=3 /collect_suspects /nc /af+ /ar+ /bt- /mr- /ml+ /rw+ /as-
Ctrl-C will terminate program execution

*:
C:\
C:\ABC\virus.rar:<RAR>\nwizAsktao.exe : is suspected of Downloader.Small.160
C:\ABC\virus.rar:<RAR>\systemm.exe : infected Trojan.Sniff
C:\ABC\virus.rar:<RAR>\tlso.exe : infected Trojan.PWS.Wsgame
C:\ABC\virus.rar:<RAR>\upxdnd.exe : infected Trojan-PSW.Win32.OnLineGames.wq
C:\ABC\virus.rar:<RAR>\woso.exe : infected Trojan-PSW.Win32.Small.cf
Program execution terminated by user


Directories       : 3       Files in archives:      Files on disks:
Archives:                   - total       : 7       - total       : 18
- scanned         : 1       -  scanned    : 7       - scanned     : 18
- contain viruses : 1       -  infected   : 4       - infected    : 1
- deleted         : 0       -  suspicious : 1       - suspicious  : 0

Startup    : 14:40:06 09-06-2007
End        : 14:40:11 09-06-2007
Total time : 00:00:05
终止批处理操作吗(Y/N)?
rasis
Posted on 2007-6-9 14:40:02
virus.rar
  [0] Archive type: RAR
  --> nwizAsktao.exe
      [DETECTION] Is the Trojan horse TR/Lineage.2
  --> qjso.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
  --> rxso.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
  --> systemm.exe
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Agent.alh Backdoor server programs
  --> tlso.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
  --> upxdnd.exe
      [DETECTION] Is the Trojan horse TR/Rahao
  --> woso.exe
      [DETECTION] Is the Trojan horse TR/PSW.Onlinegames.AWD
kp2006
Posted on 2007-6-9 14:41:47
avast!, the "crash king", doesn't flag 4 of them.
jywangba
Posted on 2007-6-9 22:52:18
---------------------------------------------------------
AVG Anti-Spyware - 扫描报告
---------------------------------------------------------

+ 创建时间:        22:54:02 2007-6-9

+ 扫描结果:       



C:\Documents and Settings\jywangba@18p2p\桌面\virus.rar/systemm.exe -> Backdoor.Agent.alh : 未进行操作.
C:\Documents and Settings\jywangba@18p2p\桌面\virus.rar/upxdnd.exe -> Trojan.OnLineGames.wq : 未进行操作.
C:\Documents and Settings\jywangba@18p2p\桌面\virus.rar/woso.exe -> Trojan.Small.cf : 未进行操作.


::报告结束

1688388728
Posted on 2007-6-10 02:54:45
Blocked four of them and wouldn't let them download.

a256886572008
Posted on 2007-6-10 10:08:33
Ran nwizAsktao.exe and observed the following behaviour, intercepted by EQ-Secure RC1!
----------
2007-06-10 09:53:07    運行應用程序      操作:允許
進成路徑:C:\WINDOWS\Explorer.EXE
文件路徑:D:\桌面\virus\virus_kafan\nwizAsktao.exe
规则:應用程序規則->系統程序->%windir%\Explorer.EXE


1987-06-10 09:53:18    創建文件      操作:阻止
進成路徑:D:\桌面\virus\virus_kafan\nwizAsktao.exe
文件路徑:C:\WINDOWS\system32\nwizAsktao.exe
规则:所有程序規則->2.1.2保護系統進程->*\*system*.exe


1987-06-10 09:53:18    創建文件      操作:阻止
進成路徑:D:\桌面\virus\virus_kafan\nwizAsktao.exe
文件路徑:C:\WINDOWS\system32\nwizAsktao.exe
规则:所有程序規則->2.1.2保護系統進程->*\*system*.exe


1987-06-10 09:53:18    創建文件      操作:阻止
進成路徑:D:\桌面\virus\virus_kafan\nwizAsktao.exe
文件路徑:C:\WINDOWS\system32\nwizAsktao.exe
规则:所有程序規則->2.1.2保護系統進程->*\*system*.exe


1987-06-10 09:53:18    運行應用程序      操作:阻止
進成路徑:D:\桌面\virus\virus_kafan\nwizAsktao.exe
文件路徑:C:\WINDOWS\system32\cmd.exe
命令行:/c del "D:\桌面\virus\virus_kafan\nwizAsktao.exe"
规则:所有程序規則->系統程序->%windir%\system32\cmd.exe

-------------------------------------------------------------------------------------------
1. It creates nwizAsktao.exe at the following path:
   C:\WINDOWS\system32\

2. It runs cmd.exe to delete itself:
   /c del "D:\桌面\virus\virus_kafan\nwizAsktao.exe"

-----------
My system time was changed to 1987 too!
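A defender-side triage of the three behaviours this post reports (a copy dropped into system32, self-deletion through cmd.exe /c del, and the clock jumping to 1987), written as an added example in Python; it is not the forum's or EQ-Secure's code, and the event dicts and shortened paths are constructed for the example rather than parsed from the original log text.

```python
"""Triage of HIPS events shaped like the EQ-Secure log in the post above
(added example; not the forum's or EQ-Secure's code). Events are dicts with
English keys; SAMPLE_EVENTS below is constructed from the behaviour the post
describes, not parsed from the original Chinese log text."""
from datetime import datetime
import ntpath

SYSTEM32 = r"c:\windows\system32"

def detect(events):
    """Return (finding, time) pairs for three behaviours: a process copying
    itself into system32, a process spawning cmd.exe to delete its own image,
    and the event clock jumping backwards (system time tampering)."""
    findings, prev_ts = [], None
    for ev in events:
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        proc, target = ev["process"].lower(), ev["target"].lower()
        # 1. file written to %windir%\system32 with the process's own name
        if (ev["action"] == "create_file"
                and ntpath.dirname(target) == SYSTEM32
                and ntpath.basename(target) == ntpath.basename(proc)):
            findings.append(("self_copy_to_system32", ev["time"]))
        # 2. cmd.exe /c del <own path>: self-deletion after dropping a copy
        cmdline = ev.get("cmdline", "").lower()
        if (ev["action"] == "run_program"
                and ntpath.basename(target) == "cmd.exe"
                and "/c del" in cmdline and proc in cmdline):
            findings.append(("self_deletion_via_cmd", ev["time"]))
        # 3. timestamps go backwards between consecutive events
        if prev_ts is not None and ts < prev_ts:
            findings.append(("clock_moved_backwards", ev["time"]))
        prev_ts = ts
    return findings

# Constructed sample events mirroring the post's log (paths shortened).
SAMPLE_EVENTS = [
    {"time": "2007-06-10 09:53:07", "action": "run_program",
     "process": r"C:\WINDOWS\Explorer.EXE", "target": r"D:\virus\nwizAsktao.exe"},
    {"time": "1987-06-10 09:53:18", "action": "create_file",
     "process": r"D:\virus\nwizAsktao.exe",
     "target": r"C:\WINDOWS\system32\nwizAsktao.exe"},
    {"time": "1987-06-10 09:53:18", "action": "run_program",
     "process": r"D:\virus\nwizAsktao.exe", "target": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'/c del "D:\virus\nwizAsktao.exe"'},
]

if __name__ == "__main__":
    for name, when in detect(SAMPLE_EVENTS):
        print(when, name)
```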

Copyright © KaFan  KaFan.cn All Rights Reserved.