金山毒霸，请问你这是不是流氓！！！

wangshengxiang

今天没事，准备把虚拟机里的几个杀毒软件升级，金山毒霸升级到一半时，卡巴斯基报警了，已检测到: 广告程序 not-a-virus:AdWare.Win32.Agent.an        
文件: C:\KAV2007\Update\Common\KAS\Extend\KASExt.KAS/UPX


经过测试，卡巴斯基杀并是不是因为该程序加了UPX的壳，我将其脱壳后，卡巴斯基仍然照杀不误。
广告程序 not-a-virus:AdWare.Win32.Agent.an




大概反汇编了一下，找到如下字符串，看来金山被杀不冤，有兴趣的朋友可以反汇编一下被杀的这个DLL，好像蛮有意思的

http://update.17player.cn/webwork

http://www.mokead.com/NewSetup.exe

http://www.mokead.com/set/NewInfo

http://www.besttoolbars.net



强烈抗议金山毒霸如此流氓行径，丫不停在后台下载那几个破玩意，并且还注册为服务启动，删除后，又自动下载，文件名还随机变更


啥也不说了，大家看图

如果哪位高手能分析一下它就好了，我承认自己水平很菜，但是，金山那个DLL我是当EXE来脱壳的，故在脱壳过程中不小心运行了，之后就是那个流氓开始在我的本本上安家了。

[ 本帖最后由 wangshengxiang 于 2007-6-15 15:22 编辑 ]

九棒歪打

毒爸爸嘛？
贴去他们官网如何？

omplete scanning result of "WCIOWCJPWCJP.EXE", received in VirusTotal at 06.16.2007, 00:16:31 (CET).
                        

Antivirus	Version	Update	Result
AhnLab-V3	2007.6.16.0	06.15.2007	no virus found
AntiVir	7.4.0.32	06.15.2007	no virus found
Authentium	4.93.8	06.15.2007	no virus found
Avast	4.7.997.0	06.15.2007	Win32:Admoke-B
AVG	7.5.0.467	06.15.2007	Adware Generic2.DVO
BitDefender	7.2	06.15.2007	Dropped:Adware.AdMoke.DU
CAT-QuickHeal	9.00	06.15.2007	no virus found
ClamAV	devel-20070416	06.16.2007	no virus found
DrWeb	4.33	06.15.2007	no virus found
eSafe	7.0.15.0	06.14.2007	no virus found
eTrust-Vet	30.7.3721	06.15.2007	no virus found
Ewido	4.0	06.15.2007	no virus found
FileAdvisor	1	06.16.2007	no virus found
Fortinet	2.85.0.0	06.15.2007	no virus found
F-Prot	4.3.2.48	06.15.2007	no virus found
F-Secure	6.70.13030.0	06.15.2007	no virus found
Ikarus	T3.1.1.8	06.15.2007	not-a-virus:AdWare.Win32.AdMoke.bx
Kaspersky	4.0.2.24	06.15.2007	no virus found
McAfee	5054	06.15.2007	potentially unwanted program Adware-MokeAd
Microsoft	1.2607	06.15.2007	Adware:Win32/MokeAd
Norman	5.80.02	06.15.2007	no virus found
Panda	9.0.0.4	06.15.2007	Suspicious file
Prevx1	V2	06.16.2007	no virus found
Sophos	4.18.0	06.12.2007	Mal/Behav-053
Sunbelt	2.2.907.0	06.14.2007	no virus found
Symantec	10	06.15.2007	no virus found
TheHacker	6.1.6.133	06.15.2007	no virus found
VBA32	3.12.0.2	06.15.2007	suspected of MalwareScope.Trojan-PSW.Game.16
VirusBuster	4.3.23:9	06.15.2007	no virus found
Webwasher-Gateway	6.0.1	06.15.2007	no virus found

Aditional Information

File size: 1057792 bytes

MD5: 6fc1a1a8b44fdb60499c066d09ea8497

SHA1: cac7153f80960b155990ded2e4edda9bb0f1f957

沙盘检测结果，不幸的，是malware

Norman Sandbox Solutions
http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer
http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter
http://www.norman.com/Product/Sandbox-products/Reporter/

WCIOWCJPWCJP.EXE : INFECTED with W32/Malware (Signature: NO_VIRUS)


[ DetectionInfo ]
   * Sandbox name: W32/Malware
   * Signature name: NO_VIRUS

[ General information ]
   * Drops files in %WINSYS% folder.
   * File length:      1057792 bytes.
   * MD5 hash: 6fc1a1a8b44fdb60499c066d09ea8497.

[ Changes to filesystem ]
   * Creates file C:\WINDOWS\SYSTEM32\1u8s01Lg0.dll.
   * Creates directory C:\Windows\system32\wbem.

[ Process/window information ]
   * Creates an event called .

[ Signature Scanning ]
   * C:\WINDOWS\SYSTEM32\1u8s01Lg0.dll (1824 bytes) : no signature detection.



(C) 2004-2006 Norman ASA. All Rights Reserved.

[ 本帖最后由 九棒歪打 于 2007-6-16 11:02 编辑 ]

红心王子

感觉是误报

kp2006

卡吧报瑞星报金山 就差kv了 kv的日期不远了

walkingmu

广告程序可能性不大，应该是误报吧
发给卡巴研究下？

nealee

我的卡巴还没下载下来就报了。。。

欠妳緈諨

卡巴误报

seamonkey

毒霸高级工程师李铁军在其博客中称“卡巴这个误杀王，又把刀砍向毒霸”


http://hi.baidu.com/litiejun/blo ... 19b491f603a6e6.html

fanrubin

两个红伞都没有报，估计误报

woai_jolin

原帖由 fanrubin 于 2007-6-15 18:42 发表
两个红伞都没有报，估计误报

小红伞c版不报广告和流氓软件
难怪谁叫人家是免费的啦

[ 本帖最后由 woai_jolin 于 2007-6-15 19:07 编辑 ]