装傻跟某马来西亚黑客要来的。(自半锁）

zhagjun

回复 19楼 xiaoyaosanren 的帖子

还是微点好啊，本来想中午用虚拟机试试，看来不用了

zyx9

安装的驱动居然在金山白名单内？！惊..

KOI9009

瑞星2011 主防拦截
捕获.PNG

hj5abc

这东西在UAC下无法加载服务，无法添加自启动，估计也无法联网，反正实机XueTr没看见什么异常

留侯

大蜘蛛clean，已上報求真相。

seehere

已经联网，但无法运行

tokthoo

我想说。。。这个样本分开来分析是没用的。很明显样本包内的全部程序都是白文件。其中那些dll都是 netman (网络人，用于正常远控的软件）的程序模块，有数字签名。。。
svchost.exe 这个应该是offcie里的程序模块，原本名称是officesever.exe, 想当然也是白名单文件。。而这个样本是又几个白名单文件放在一起，不懂怎样修改后就拿来作恶了。

451102995

我上报给了sophos....得到的分析结果是clean
SophosLabs has analyzed the submitted file(s) and determined they are not malicious.

CDLL.dll -- clean
videos.dll -- clean
vnchooks.dll -- clean
system.ini -- non-malicious
svchost.exe -- clean
SData.dll -- clean
mttsoft.zip -- archive file
OfficeServer.ini -- non-malicious

Sophos Anti-Virus for Windows 2000+: authorizing suspicious items:
http://www.sophos.com/support/knowledgebase/article/25227.html

When installing software that you trust, you may authorize any HIPS/ or SUS/ alerts detected, or enable Alert Only in the HIPS runtime behavior settings until you have finished installing the software.

Please see the following KBs for more information regarding HIPS:

The HIPS best practice guide can be found at
http://www.sophos.com/support/knowledgebase/article/50160.html

The HIPS FAQ can be found at
http://www.sophos.com/support/knowledgebase/article/48765.html

An overview of HIPS can be found at
http://www.sophos.com/support/knowledgebase/article/25044.html

A HIPS decision-making guide can be found at
http://www.sophos.com/support/knowledgebase/article/25472.html
Please do not hesitate in contacting us by replying to this email if you have any questions or concerns.

Qoome

果断所谓的监控都是白名单监控，蹭进白名单行列无视监控
这就是杀软优化流畅度和监控的结果，hips必须有

3801187

怎么没样本？