Thread starter: byxxdrls

[Virus sample] Looks a bit like first-generation 鬼影 (Ghost Shadow)

jason_jiang
Posted on 2011-4-29 08:20:38
PCA heuristic detection
jayavira
Posted on 2011-4-29 08:25:02
It is indeed 鬼影.
ESS kills it.

D:\下载文件夹\ssem.rar > RAR > ssem.exe - Win32/Dalixi.C 特洛伊木马 的变种
hj5abc
Posted on 2011-4-29 09:07:07
Robot Dog (机器狗)?

MSE:
TrojanDropper:Win32/Dogrobot.G
diannao6051
Posted on 2011-4-29 09:15:34
Reply to byxxdrls's post #1

mp2.0 kills it.

xiaomudou
Posted on 2011-4-29 09:17:19
Heh, let me try it.
XMonster
Posted on 2011-4-29 10:29:02
2011/4/29 10:26:10    创建文件夹    阻止
进程: d:\下载\ssem\ssem.exe
目标: C:\Program files\MSDN
规则: [文件组]文件保护 -> [文件]?:\program files\*

2011/4/29 10:26:10    创建文件夹    阻止
进程: d:\下载\ssem\ssem.exe
目标: C:\Program files\MSDN
规则: [文件组]文件保护 -> [文件]?:\program files\*

2011/4/29 10:26:10    创建文件夹    阻止
进程: d:\下载\ssem\ssem.exe
目标: C:\Program files\MSDN
规则: [文件组]文件保护 -> [文件]?:\program files\*

2011/4/29 10:26:11    创建新进程    阻止并结束进程
进程: d:\下载\ssem\ssem.exe
目标: c:\windows\system32\cmd.exe
命令行: cmd /c ""C:\Users\dxm\AppData\Local\Temp\t.bat" "
规则: [应用程序]* -> [子应用程序]c:\windows\*
Hacker29cn
Posted on 2011-4-29 10:54:38
This really is a big trojan; it does a lot of damage!
http://www.threatexpert.com/report.aspx?md5=c6a35ccaa69b3fcf3d647893d7b27f06

Submission Summary:
  • Submission details:
    • Submission received: 28 April 2011, 20:22:48
    • Processing time: 11 min 50 sec
    • Submitted sample:
      • File MD5: 0xC6A35CCAA69B3FCF3D647893D7B27F06
      • File SHA-1: 0x6F2528A39008165E46640D178BD7F61B71A70E67
      • Filesize: 36,407 bytes
      • Alias: TrojanDropper:Win32/Dogrobot.G [Microsoft]
  • Summary of the findings:

    • Hosts file modification that may block access to the security web sites.
    • Downloads/requests other files from Internet.
    • Contains characteristics of an identified security risk.



Technical Details:
Possible Security Risk

  • Attention! The following threat categories were identified:

    • A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
    • A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)



File System Modifications

  • The following files were created in the system:

    • 1. Filename(s): %Temp%\000227D1eime.temp; %Temp%\0002F34Feime.temp; %Temp%\0003352Aeime.temp; %System%\dbr99005.ocx
      File size: 8,704 bytes
      MD5: 0x76948DA567806229012AD2A3D697E468
      SHA-1: 0x027B9B69EDA64B4872647D49F88236603C2433D3
      Alias: Mal/PWS-AZ [Sophos]
    • 2. Filename(s): %Temp%\000227D1ime.temp; %Temp%\0002F34Fime.temp; %Temp%\0003352Aime.temp; %System%\winnt.com
      File size: 7,168 bytes
      MD5: 0xC38E0262C77E89E7EFAF4B32CA35BBF8
      SHA-1: 0xB85C9B9B091E45E0EFEFA9887746FBCE51787588
      Alias: Mal/Dloadr-E, Mal/Dloadr-E [Sophos]
    • 3. Filename(s): %Temp%\0003352Amdd.temp; %System%\dbr06035.ocx
      File size: 40,960 bytes
      MD5: 0x32610E52D78C3792BA4A80E05D2D61E7
      SHA-1: 0x570A8809A1B2F29E31B0DF7FE78C82226A7FFB07
      Alias: Trojan-GameThief.Win32.OnLineGames [Ikarus]
    • 4. Filename(s): %Temp%\brtvp.exe
      File size: 41,215 bytes
      MD5: 0xC8D09C3F7D52B98B6B67D505E29D92C6
      SHA-1: 0xC46A24E6B7FB81245FC28398A56CA5FE1F2A04BF
      Alias: Suspicious.Graybird.1 [Symantec]; Trojan.Win32.Antavmu.jhy [Kaspersky Lab]; Suspect-AP!C8D09C3F7D52 [McAfee]; Mal/TibsPk-A [Sophos]; Trojan:Win32/Meredrop [Microsoft]; Trojan.Win32.LaSta [Ikarus]; packed with NSPack [Kaspersky Lab]
    • 5. Filename(s): %Temp%\kb401964.sve; %ProgramFiles%\Common Files\System\kb401964.dla
      File size: 37,428 bytes
      MD5: 0x8DDF3C60F8B7A798623F971FF5DF9E3D
      SHA-1: 0x950716C219024F9142BB49ADF814F8AFABD332C4
      Alias: Infostealer.Gampass [Symantec]; packed with UPX [Kaspersky Lab]
    • 6. Filename(s): %Temp%\kb404692.sve; %ProgramFiles%\Common Files\System\kb404692.pfd
      File size: 62,080 bytes
      MD5: 0xAE685615D896688690B3596169677655
      SHA-1: 0x06C14551B4FA279EC356562B6480BEDB0169CA05
      Alias: Infostealer.Gampass [Symantec]; Trojan-PWS.Win32.Kykymber [Ikarus]; packed with UPX [Kaspersky Lab]
    • 7. Filename(s): %Temp%\kb509221.sve; %ProgramFiles%\Common Files\System\kb509221.tra
      File size: 69,128 bytes
      MD5: 0x8463E7DE395CD5E6AF8CE6B0E85D95DC
      SHA-1: 0xCA944F19296F53DBEA0BAFED537B7D81127EACC7
      Alias: Infostealer.Gampass [Symantec]; Trojan-PWS.Win32.Kykymber [Ikarus]; packed with UPX [Kaspersky Lab]
    • 8. Filename(s): %Temp%\kb568201.sve; %ProgramFiles%\Common Files\System\kb568201.tmt
      File size: 69,084 bytes
      MD5: 0x2D018E16EFE3F20B791F846CD84FCCB9
      SHA-1: 0x3333800012DC537267F11B899A93C1964A6F30BB
      Alias: Infostealer.Gampass [Symantec]; Trojan-PWS.Win32.Kykymber [Ikarus]; packed with UPX [Kaspersky Lab]
    • 9. Filename(s): %Temp%\kb604697.sve; %ProgramFiles%\Common Files\System\kb604697.srd
      File size: 65,104 bytes
      MD5: 0x8045F3CA662A94504C98E26C5F47A35A
      SHA-1: 0x273BDBDCA4CEBA5C0DEE265389F8D56845A6531F
      Alias: Infostealer.Gampass [Symantec]; Trojan-PWS.Win32.Kykymber [Ikarus]; packed with UPX [Kaspersky Lab]
    • 10. Filename(s): %Temp%\kb793419.sve; %ProgramFiles%\Common Files\System\kb793419.tmt
      File size: 67,084 bytes
      MD5: 0x973A6309A3745B1700201F2348AF96AD
      SHA-1: 0x71C6D907C1A7BB4EBAD3A014D376F85EB19A7A78
      Alias: Infostealer.Gampass [Symantec]; Trojan-PWS.Win32.Kykymber [Ikarus]; packed with UPX [Kaspersky Lab]
    • 11. Filename(s): %Temp%\kb806316.sve; %ProgramFiles%\Common Files\System\kb806316.tad
      File size: 64,128 bytes
      MD5: 0x3113EF419DAE993368D8EE6477AD832A
      SHA-1: 0xC317D6F09CD5CD382C1EB5E6EC025ABA2D4F3BA8
      Alias: Infostealer.Gampass [Symantec]; Trojan-PWS.Win32.Kykymber [Ikarus]; packed with UPX [Kaspersky Lab]
    • 12. Filename(s): %Temp%\kb844878.sve; %ProgramFiles%\Common Files\System\kb844878.tad
      File size: 51,128 bytes
      MD5: 0xE7016B105F6DB740920FAC37E85FC263
      SHA-1: 0x3424FB18E0D090C1DCFD3C0A764D875672DF7031
      Alias: Infostealer.Gampass [Symantec]; Trojan-PWS.Win32.Kykymber [Ikarus]; packed with UPX [Kaspersky Lab]
    • 13. Filename(s): %Temp%\kb993514.sve; %ProgramFiles%\Common Files\System\kb993514.cpu
      File size: 72,132 bytes
      MD5: 0xCFF526AF0C271431C7F05AD331A5C571
      SHA-1: 0xBC2471E6E7D41146C973A9D13B6E80C66A78BB9B
      Alias: Infostealer.Gampass [Symantec]; Trojan-PWS.Win32.Kykymber [Ikarus]; packed with UPX [Kaspersky Lab]
    • 14. Filename(s): %Temp%\t.bat
      File size: 112 bytes
      MD5: 0xA44CE8D45341E6C4F7F547A9BE8763A0
      SHA-1: 0x8509F190E4170F47E542CC31895935FD3AA3DFD1
      Alias: (not available)
    • 15. Filename(s): %Temp%\uepwh.exe
      File size: 8,966 bytes
      MD5: 0x05A6B232A2CAF64DCB20A7D7299B43D4
      SHA-1: 0xA81CC9C1D90A10D0C3CCBF0CF793E28DC2336069
      Alias: Suspicious.Graybird.1 [Symantec]; Trojan.Win32.Qhost.lfs [Kaspersky Lab]; Suspect-AP!05A6B232A2CA [McAfee]; Mal/Packer [Sophos]; Trojan:Win32/Comame [Microsoft]; Trojan-Clicker.Win32.VB [Ikarus]; Win-Trojan/Xema.variant [AhnLab]; packed with NSPack [Kaspersky Lab]
    • 16. Filename(s): c:\sys13; c:\sysLoad
      File size: 0 bytes
      MD5: 0xD41D8CD98F00B204E9800998ECF8427E
      SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
      Alias: (not available)
    • 17. Filename(s): %FontsDir%\dbr01029.ttf
      File size: 540 bytes
      MD5: 0x35C1064FA13F7486CD55B070DAEAEAF9
      SHA-1: 0xBFC3E387F4D31761126D574EF9F85ACF45855138
      Alias: (not available)
    • 18. Filename(s): %FontsDir%\dbr06035.ttf
      File size: 412 bytes
      MD5: 0xFD574C78F0A4874A05DA8F8AADD732B3
      SHA-1: 0xE17AB25CB7DCB5D0D3D34A0AE457575C58CDC828
      Alias: (not available)
    • 19. Filename(s): %FontsDir%\dbr07019.ttf
      File size: 412 bytes
      MD5: 0xD80651AABDD0EAA1C9970AC58F42F5D0
      SHA-1: 0x64F89A840599EF08B95B592464C93A29F2EEFB04
      Alias: (not available)
    • 20. Filename(s): %System%\comres.dll.bak
      File size: 792,064 bytes
      MD5: 0x6728270CB7DBB776ED086F5AC4C82310
      SHA-1: 0xE913CC86F68627541DAE2A92509AB230F427E980
      Alias: (not available)
    • 21. Filename(s): %System%\d3d8.dll.BFAJ
      File size: 1,179,648 bytes
      MD5: 0x42803EC60803C1A0754671E9183458F1
      SHA-1: 0xC0BCDE686DBF9E578F019CD6E1DEC7F0FBF9DE15
      Alias: (not available)
    • 22. Filename(s): %System%\dbr01029.ocx
      File size: 39,424 bytes
      MD5: 0xF433B507866FC20C1F7580837D65BAE2
      SHA-1: 0x489D8DD505EAE08CFD357CA98A393AB07DA53CA6
      Alias: Infostealer.Gampass [Symantec]; Trojan.Win32.Vilsel [Ikarus]
    • 23. Filename(s): %System%\dbr07019.ocx
      File size: 39,424 bytes
      MD5: 0xE30B88AC89743C3B1443836B269D323B
      SHA-1: 0xF75C8E28986F0D559ADACE324EE756D7D6F0F360
      Alias: Infostealer.Gampass [Symantec]; Mal_OLGM-6 [Trend Micro]; Trojan.Win32.Vilsel [Ikarus]
    • 24. Filename(s): %System%\ddraw.dll.bak
      File size: 269,824 bytes
      MD5: 0xE18936A8CF39D60E0A15651FF53C21DF
      SHA-1: 0xD269724E2CF8947C5CC98E3F0FE0002D22427A7C
      Alias: Trojan.Win32.Patched.ji [Kaspersky Lab]
    • 25. Filename(s): %System%\ddraw.dll.bqwc
      File size: 269,824 bytes
      MD5: 0x4E9886194E4CE13EAC871E05E12B1C93
      SHA-1: 0x30A46BF07032053B92438F293FFEA182A6DAF8E8
      Alias: Trojan.Win32.Patched.ji [Kaspersky Lab]
    • 26. Filename(s): %System%\ddraw.dll.dznm
      File size: 269,824 bytes
      MD5: 0x6F5FAB637284B931F0C61EE2E478859B
      SHA-1: 0x1B0954311CAB1B2594BECA52AAE331E57AF8E7C6
      Alias: Trojan.Win32.Patched.ji [Kaspersky Lab]
    • 27. Filename(s): %System%\ddraw.dll.ntdj
      File size: 266,240 bytes
      MD5: 0x7ED462F353B3D915A418A689FA881F96
      SHA-1: 0xBFB515B107C01AD884E2EA3CC746D9A8E1A0F0D6
      Alias: (not available)
    • 28. Filename(s): %System%\ddraw.dll.UGOI
      File size: 269,824 bytes
      MD5: 0xF82680365653FF3587C66039973A889A
      SHA-1: 0x5EEF73006C221C8CC4EBFA98380E9B07F4150918
      Alias: Trojan.Win32.Patched.ji [Kaspersky Lab]
    • 29. Filename(s): %System%\dsound.dll.bak
      File size: 371,200 bytes
      MD5: 0x32241F7E0596F3EE8A1926F8D2528DF3
      SHA-1: 0xC580B505B2E2EA67B5334C9BFA908C6B58A556D0
      Alias: Virus:Win32/Patchload.gen!A [Microsoft]
    • 30. Filename(s): %System%\dsound.dll.hhst
      File size: 369,152 bytes
      MD5: 0xEB73B4AE6732A0139686DD07C0206941
      SHA-1: 0xFE282625A5175A3E06D481482C065FD0FC30F2F8
      Alias: Trojan.Win32.Patched.ji [Kaspersky Lab]
    • 31. Filename(s): %System%\gbvgbv01.exe; %System%\gbvgbv06.exe; %System%\gbvgbv07.exe
      File size: 33,280 bytes
      MD5: 0x8358193945474F68A2D498CBED8EB97E
      SHA-1: 0xA905C9849147628387F6B1D5A7BF88FD5A64F15F
      Alias: (not available)
    • 32. Filename(s): %System%\olepro32.dll.EAQI
      File size: 85,504 bytes
      MD5: 0x34C8001ABA6A8A4AD90C2E4BACB6204D
      SHA-1: 0xE3AF1533DB0D3C36E59142F2DFA502E1625DE0C8
      Alias: Trojan.Gampass!inf [Symantec]; Trojan.Win32.Patched.ja [Kaspersky Lab]; Virus:Win32/Patchload.gen!A [Microsoft]; Trojan.Win32.Patched [Ikarus]; Win-Trojan/Patched.CK [AhnLab]
    • 33. Filename(s): %System%\olepro32.dll.ESQM
      File size: 83,456 bytes
      MD5: 0xB48D3193DD1474DCBCC32BF4779AC698
      SHA-1: 0x4A39D43AEA0766C159A32C311C9EB2E06DBF8C03
      Alias: (not available)
    • 34. Filename(s): %System%\rasadhlp.dll.KMYM
      File size: 8,192 bytes
      MD5: 0x4CAEC028C1E21C75E17877D4522D3DB4
      SHA-1: 0x09D450E9D0BD7D3178F08EF57E54A8B94DC2E2D2
      Alias: (not available)
    • 35. Filename(s): [file and pathname of the sample #1]
      File size: 36,407 bytes
      MD5: 0xC6A35CCAA69B3FCF3D647893D7B27F06
      SHA-1: 0x6F2528A39008165E46640D178BD7F61B71A70E67
      Alias: TrojanDropper:Win32/Dogrobot.G [Microsoft]


  • Notes:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
    • %FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.
  • The following files were modified:
    • %System%\comres.dll
    • %System%\ddraw.dll
    • %System%\drivers\etc\hosts
    • %System%\dsound.dll
    • %System%\olepro32.dll
    • %System%\rasadhlp.dll
  • The following directory was created:
    • %ProgramFiles%\MSDN

Memory Modifications

  • There was a new process created in the system:

    • Process name: vxdumfj.exe
      Process filename: %Temp%\vxdumfj.exe
      Main module size: 69,632 bytes


  • There was a new memory page created in the address space of the system process(es):

    • Process name: explorer.exe
      Process filename: %Windir%\explorer.exe
      Allocated size: 24,576 bytes


  • Notes:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  • The following modules were loaded into the address space of other process(es):

    • Module: winnt.com (%System%\winnt.com)
      Process name: explorer.exe
      Process filename: %Windir%\explorer.exe
      Address space: 0x1F40000 - 0x1F45000
    • Module: dbr06035.ocx (%System%\dbr06035.ocx)
      Process name: explorer.exe
      Process filename: %Windir%\explorer.exe
      Address space: 0x1F60000 - 0x1F70000
    • Module: dbr99005.ocx (%System%\dbr99005.ocx)
      Process name: explorer.exe
      Process filename: %Windir%\explorer.exe
      Address space: 0x2050000 - 0x2056000
    • Module: dbr07019.ocx (%System%\dbr07019.ocx)
      Process name: explorer.exe
      Process filename: %Windir%\explorer.exe
      Address space: 0x2290000 - 0x229E000
    • Module: dbr01029.ocx (%System%\dbr01029.ocx)
      Process name: explorer.exe
      Process filename: %Windir%\explorer.exe
      Address space: 0x2330000 - 0x233E000



Registry Modifications

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LHLH1314
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LHLH1314\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LHLH1314\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lhlh1314
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lhlh1314\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lhlh1314\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LHLH1314
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LHLH1314\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LHLH1314\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lhlh1314
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lhlh1314\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lhlh1314\Enum
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804]
      • Ime File = "DBR99005.OCX"
      • Layout Text = "US"
      • Layout File = "kbdus.dll"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LHLH1314\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "lhlh1314"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LHLH1314\0000]
      • Service = "lhlh1314"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "lhlh1314"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LHLH1314]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lhlh1314\Enum]
      • 0 = "Root\LEGACY_LHLH1314\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lhlh1314\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lhlh1314]
      • Type = 0x00000001
      • Start = 0x00000003
      • ErrorControl = 0x00000001
      • ImagePath = "\??\%ProgramFiles%\MSDN\hehex.sys"
      • DisplayName = "lhlh1314"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
      • Ime File = "DBR99005.OCX"
      • Layout Text = "US"
      • Layout File = "kbdus.dll"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LHLH1314\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "lhlh1314"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LHLH1314\0000]
      • Service = "lhlh1314"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "lhlh1314"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LHLH1314]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lhlh1314\Enum]
      • 0 = "Root\LEGACY_LHLH1314\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lhlh1314\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lhlh1314]
      • Type = 0x00000001
      • Start = 0x00000003
      • ErrorControl = 0x00000001
      • ImagePath = "\??\%ProgramFiles%\MSDN\hehex.sys"
      • DisplayName = "lhlh1314"
    • [HKEY_CURRENT_USER\Keyboard Layout\Preload]
      • 2 = "00000409"
  • The following Registry Value was modified:
    • [HKEY_CURRENT_USER\Keyboard Layout\Preload]
      • 1 =

Other details

  • Analysis of the file resources indicates the following possible country of origin:

China

  • The HOSTS file was updated with the following URL-to-IP mappings:

127.0.0.1       tianshi11.cn
127.0.0.1       www.zuihaook.cn
127.0.0.1       www.doopx.com
127.0.0.1       xx.exiao01.com
127.0.0.1       v0.extreme-dm.com
127.0.0.1       v1.extreme-dm.com
127.0.0.1       www.msnshe11.cn
127.0.0.1       tradebizcn.com
127.0.0.1       www.9688kmm.cn
127.0.0.1       www.2008.366ent.com
127.0.0.2       ymsdasdw1.cn
127.0.0.3       biao.sport.mo.cn
127.0.0.1       bind.ppplllooo.cn
127.0.0.1       www.xxv7688.cn
127.0.0.2       bnasnd83nd.cn
127.0.0.3       hjmsx.eicp.net
127.0.0.1       baidu.to63.com
127.0.0.1       che.kutime.info
127.1.1.1       yiyicn.gicp.net
127.0.0.1       cryxy.gicp.net
127.0.0.1       www.942qq.com
127.0.0.1       m723.com
127.0.0.1       1.xdf4311.mo.cx
127.0.0.1       hostafdasf.8800.org
127.0.0.1       otf.mesuo.net
127.0.0.1       anyhub.net
127.0.0.1       www.anyhub.net
127.0.0.1       zzzz876530929.3322.org
127.0.0.1       www.cfshen.com
127.0.0.1       img001.com
127.0.0.1       2.xdf4311.mo.cx
127.0.0.1       9527idc.vicp.net
127.0.0.1       img002.com
127.0.0.1       pthidc.com
127.0.0.1       down.114anhui.com
127.0.0.1       www.114baines.com
127.0.0.1       aa.9234.net
127.0.0.1       b.ipshougou.com
127.0.0.1       txt.gthyt.co
127.0.0.1       www.djkk1.cn
127.0.0.1       www.ipshougou.com
127.0.0.1       333.123131l.com
127.0.0.1       333.1sese1.com
127.0.0.1       333.asda1l.com
127.0.0.1       jjj.2012wyt.com
127.0.0.0       user1.12-27.net
127.0.0.1       8749.com
127.0.0.0       fengent.cn
127.0.0.1       4199.com
127.0.0.1       user1.16-22.net
127.0.0.1       7379.com
127.0.0.1       go.chajian01.cn
127.0.0.1       7255.com
127.0.0.1       d.aidws.com
127.0.0.1       txt.hsdee.com
127.0.0.1       txt.mojwq.com
127.0.0.1       www.img-o.com
127.0.0.1       www.7688xxv.cn
127.0.0.1       www.pvs007.cn
127.0.0.1       d.opqxn.com
127.0.0.1       wwww.ttfabb.com
127.0.0.1       www.wopxs.com
127.0.0.1       www.mmd178.cn
127.0.0.1       pa.tt-09.com
127.0.0.1       3448.com
127.0.0.1       www.guccia.net
127.0.0.1       7939.com
127.0.0.1       a.o1o1o1.nEt
127.0.0.1       8009.com
127.0.0.1       user1.12-73.cn
127.0.0.1       piaoxue.com
127.0.0.1       3n8nlasd.cn
127.0.0.1       kzdh.com
127.0.0.0       www.sony888.cn
127.0.0.1       www.wdswe.com
127.0.0.0       user1.asp-33.cn
127.0.0.1       6781.com
127.0.0.0       www.netkwek.cn
127.0.0.1       7322.com
127.0.0.0       ymsdkad6.cn
127.0.0.1       localhost
127.0.0.0       www.lkwueir.cn
127.0.0.1       06.jacai.com
127.0.1.1       user1.23-17.net
127.0.0.1       1.jopenkk.com
127.0.0.0       upa.luzhiai.net
127.0.0.1       1.jopenqc.com
127.0.0.0       www.guccia.net
127.0.0.1       1.joppnqq.com
127.0.0.0       4m9mnlmi.cn
127.0.0.1       1.xqhgm.com
127.0.0.0       mm119mkssd.cn
127.0.0.1       100.332233.com
127.0.0.0       61.128.171.115:8080
127.0.0.1       121.11.90.79
127.0.0.0       www.1119111.com
127.0.0.1       121565.net
127.0.0.0       win.nihao69.cn
127.0.0.1       125.90.88.38
127.0.0.1       16888.6to23.com


  • There were registered attempts to establish connection with the remote hosts. The connection details are:

    • Remote host: 121.10.107.78, port 88
    • Remote host: 222.73.45.135, port 81


  • The data identified by the following URLs was then requested from the remote web server:
    • http://121.10.107.78:88/b7/8.exe
    • http://121.10.107.78:88/b7/9.exe
    • http://121.10.107.78:88/b7/10.exe
    • http://121.10.107.78:88/b7/0.exe
    • http://121.10.107.78:88/b7/1.exe
    • http://121.10.107.78:88/b7/2.exe
    • http://121.10.107.78:88/b7/3.exe
    • http://121.10.107.78:88/b7/4.exe
    • http://121.10.107.78:88/b7/5.exe
    • http://121.10.107.78:88/b7/6.exe
    • http://121.10.107.78:88/b7/7.exe
    • http://bmw.3l31.com:81/mt.txt
    • http://crr.dmy2.com:81/ip/host.txt

Copyright © 2011 ThreatExpert. All rights reserved.

Hacker29cn
Posted on 2011-4-29 10:55:30
A typical composite virus: a hybrid of trojan-downloader malware and account-stealing software!
星风烈日
Posted on 2011-4-29 12:17:13
Kaspersky kills it.
liulangzhecgr
Posted on 2011-4-29 18:06:36
jayavira posted on 2011-4-29 08:25:
It is indeed 鬼影.
ESS kills it.

First-generation 鬼影 doesn't infect the MBR?!