刚才那个假冒多特的[MD5: F703B3 D77BC2 8BDB3D]

显示全部楼层 · 发表于 2007-6-22 22:43:12

運行5.exe，發現下列行為，被EQ-Secure RC2攔截！

2007-06-22 22:44:24 运行应用程序    操作:允许
进程路径:C:\windows\Explorer.EXE
文件路径:D:\桌面\virus\龘virus\5.exe
规则:应用程序规则->系統程序->%windir%\Explorer.EXE

2007-06-22 22:44:24 创建文件    操作:阻止
进程路径:D:\桌面\virus\龘virus\5.exe
文件路径:C:\Program Files\Internet Explorer\Connection Wizard\isignup.dll
规则:所有程序规则->保護安全軟體->C:\Program Files\*

2007-06-22 22:44:24 创建文件    操作:阻止
进程路径:D:\桌面\virus\龘virus\5.exe
文件路径:C:\Program Files\Internet Explorer\Connection Wizard\isignup.dll
规则:所有程序规则->保護安全軟體->C:\Program Files\*

2007-06-22 22:44:24 创建文件    操作:阻止
进程路径:D:\桌面\virus\龘virus\5.exe
文件路径:C:\Program Files\Internet Explorer\Connection Wizard\isignup.dll
规则:所有程序规则->保護安全軟體->C:\Program Files\*

2007-06-22 22:44:24 创建文件    操作:阻止
进程路径:D:\桌面\virus\龘virus\5.exe
文件路径:C:\Program Files\Internet Explorer\Connection Wizard\isignup.sys
规则:所有程序规则->保護安全軟體->C:\Program Files\*

2007-06-22 22:44:24 创建注册表值    操作:阻止
进程路径:D:\桌面\virus\龘virus\5.exe
注册表路径:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
注册表名称:{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}
规则:所有程序规则->資源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*

2007-06-22 22:44:24 创建文件    操作:阻止
进程路径:D:\桌面\virus\龘virus\5.exe
文件路径:D:\桌面\virus\龘virus\_xiaran.bat
规则:所有程序规则->2.1.5组：限制部份高危格式文件和文件夹的操作->*.bat

1.他會在C:\Program Files\Internet Explorer\Connection Wizard\產生
isignup.dll
2.他會创建注册表值
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}
3.他會在他旁邊產生_xiaran.bat

显示全部楼层 · 发表于 2007-6-22 22:43:28

咖啡报鸽子

显示全部楼层 · 发表于 2007-6-22 22:52:03

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\My Documents\virus'
C:\Documents and Settings\Administrator\My Documents\virus\
  4.exe
   [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
   [INFO]    The file was deleted!
  5.exe
   [DETECTION] Contains suspicious code HEUR/Crypted
   [INFO]    The file was moved to '46e0e359.qua'!
  isignup.sys
   [DETECTION] Contains suspicious code HEUR/Crypted
   [INFO]    The file was moved to '46e4e3a0.qua'!

显示全部楼层 · 发表于 2007-6-23 00:30:33

微点杀掉

显示全部楼层 · 发表于 2007-6-23 05:47:36

Virus: Backdoor.Win32.Hupigon.ezg, Trojan-PSW.Win32.WOW.ri

Virus found while downloading Web content.

Address: bbs.kafan.cn

[病毒样本] 刚才那个假冒多特的[MD5: F703B3 D77BC2 8BDB3D]

红伞又是启发，野路子