Views: 2288 | Replies: 15

[Kingsoft] A suspicious file; Kingsoft manual verification says it is safe

VISN
Posted on 2011-6-2 12:21:30
This post was last edited by VISN on 2011-6-2 12:22

http://bbs.kafan.cn/thread-997230-1-1.html

Norton also identifies it as a virus, yet Kingsoft's manual review just ignores it????

If it really is a virus, isn't handling it this way a serious security risk on Kingsoft's part? I hope someone can report this to Kingsoft; otherwise it is really irresponsible toward Kingsoft's users.
李白vs苏轼
Posted on 2011-6-2 12:26:33
This post was last edited by 李白vs苏轼 on 2011-6-2 13:10

It's a virus.


• File Info
Name Value
Size 2815008
MD5 b7107c1d12674b9c6f4f63a98381ffbe
SHA1 6e711275533f05e7e857dca258fe7c8df2b5a7f0
SHA256 a1497235d6af61685970d3cc22028904a8ac6cc609ab226bb89c26fa73bf62cf
Process Exited

• Keys Created
Name Last Write Time
LM\Software\Classes\ClsId\{EED9F4FB-0B76-0A33-9D38-8F4531EE2121} 2009.01.09 10:54:27.203
LM\Software\Classes\ClsId\{EED9F4FB-0B76-0A33-9D38-8F4531EE2121}\InprocServer32 2009.01.09 10:54:27.203
LM\Software\Classes\ClsId\{EED9F4FB-0B76-0A33-9D38-8F4531EE2121}\ProgID 2009.01.09 10:54:27.203
LM\Software\Microsoft\Active Setup\Installed Components\{987623AB-8888-22d2-9CBD-0000F87A469H} 2009.01.09 10:54:31.734
LM\Software\Microsoft\RFC1156Agent 2009.01.09 10:54:26.796
LM\Software\Microsoft\RFC1156Agent\CurrentVersion 2009.01.09 10:54:26.796
LM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters 2009.01.09 10:54:26.796

• Keys Changed
• Keys Deleted
• Values Created
Name Type Size Value
LM\Software\Classes\ClsId\{EED9F4FB-0B76-0A33-9D38-8F4531EE2121}\ REG_SZ 26 "DAO.Field.36"
LM\Software\Classes\ClsId\{EED9F4FB-0B76-0A33-9D38-8F4531EE2121}\InprocServer32\ REG_SZ 124 "C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll"
LM\Software\Classes\ClsId\{EED9F4FB-0B76-0A33-9D38-8F4531EE2121}\InprocServer32\ThreadingModel REG_SZ 20 "Apartment"
LM\Software\Classes\ClsId\{EED9F4FB-0B76-0A33-9D38-8F4531EE2121}\ProgID\ REG_SZ 26 "DAO.Field.36"
LM\Software\Microsoft\Active Setup\Installed Components\{987623AB-8888-22d2-9CBD-0000F87A469H}\StubPath REG_SZ 48 "D:\Word2003\360Safe.exe"
LM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs REG_DWORD 4 0x3a98

• Values Changed
Name Type Size Value
CU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings REG_BINARY/REG_BINARY 56/56 ?/?

• Values Deleted
• Directories Created
Name Last Write Time Creation Time Last Access Time Attr
C:\Documents and Settings\All Users\Application Data\TEMP 2009.01.09 10:54:27.296 2009.01.09 10:54:27.296 2009.01.09 10:54:27.296 0x10

• Directories Changed
• Directories Deleted
• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\Program Files\APP.exe 802816 2009.01.09 10:54:27.671 2009.01.09 10:54:27.625 2009.01.09 10:54:27.625 0x20

• Files Changed
• Files Deleted
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
PId Process Name Image Name
0xf0 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
0x1bc APP.exe C:\Program Files\APP.exe

• Processes Terminated
• Threads Created

• Modules Loaded
PId Process Name Base Size Flags Image Name
0x348 svchost.exe 0x76fd0000 0x7f000 0x800c4004 C:\WINDOWS\system32\CLBCATQ.DLL
0x348 svchost.exe 0x77050000 0xc5000 0x800c4006 C:\WINDOWS\system32\COMRes.dll
0x348 svchost.exe 0x77b40000 0x22000 0x800c4004 C:\WINDOWS\system32\Apphelp.dll
0x3e8 svchost.exe 0x74ed0000 0xe000 0x80084004 C:\WINDOWS\system32\wbem\wbemsvc.dll

• Windows Api Calls
• DNS Queries
DNS Query Text
eedyy.com IN A +

• HTTP Queries
HTTP Query Text
eedyy.com GET /v6/tytv/ HTTP/1.1

• Verdict
Auto Analysis Verdict
Suspicious+

• Description
Suspicious Actions Detected
Creates autorun records
Creates files in program files directory
Registers dynamic link libraries

• Mutexes Created or Opened
PId Image Name Address Mutex Name
0x1bc C:\Program Files\APP.exe 0x76ee3a34 RasPbFile
0x1bc C:\Program Files\APP.exe 0x771ba3ae _!MSFTHISTORY!_
0x1bc C:\Program Files\APP.exe 0x771bc21c WininetConnectionMutex
0x1bc C:\Program Files\APP.exe 0x771bc23d WininetProxyRegistryMutex
0x1bc C:\Program Files\APP.exe 0x771bc2dd WininetStartupMutex
0x1bc C:\Program Files\APP.exe 0x771d9710 c:!documents and settings!user!cookies!
0x1bc C:\Program Files\APP.exe 0x771d9710 c:!documents and settings!user!local settings!history!history.ie5!
0x1bc C:\Program Files\APP.exe 0x771d9710 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x1bc C:\Program Files\APP.exe 0x777904d3 WininetStartupMutex
0xd8 C:\TEST\sample.exe 0x7c859add DBWinMutex
0xd8 C:\TEST\sample.exe 0xee401d EADD55DE::WK
0xd8 C:\TEST\sample.exe 0xf301f4 RALEADD55DE
0xd8 C:\TEST\sample.exe 0xf31651 RALEADD55DE

• Events Created or Opened
PId Image Name Address Event Name
0x1bc C:\Program Files\APP.exe 0x769c4ec2 Global\userenv: User Profile setup event
0x1bc C:\Program Files\APP.exe 0x77a89422 Global\crypt32LogoffEvent
0x1bc C:\Program Files\APP.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
0xd8 C:\TEST\sample.exe 0x77a89422 Global\crypt32LogoffEvent
0xd8 C:\TEST\sample.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
wanghai360good
Posted on 2011-6-2 12:49:21
This post was last edited by wanghai360good on 2011-6-2 12:49

Kingsoft isn't omnipotent either; in the end the most reliable thing is still yourself.
qwe12301
Posted on 2011-6-2 12:57:15
This post was last edited by qwe12301 on 2011-6-2 12:59

HiveSoft's verdict, for reference only:
http://www.hivesoft.cn/scanpage. ... b0e6326804a1ff2dda7

The Comodo cloud sandbox analysis:
http://camas.comodo.com/cgi-bin/ ... 26bb89c26fa73bf62cf
李白vs苏轼
Posted on 2011-6-2 13:12:16
qwe12301 posted on 2011-6-2 12:57
HiveSoft's verdict, for reference only:
http://www.hivesoft.cn/scanpage.php?file_id=c09212cc66bd6b0e6326804a1ff2 ...

It's a virus.
xp-AntiSpy
Posted on 2011-6-2 13:27:46
So is it a virus or not?
hzqedison
Posted on 2011-6-2 13:28:09
It has already been blacklisted.
zhang_guo_shuai
Posted on 2011-6-2 13:34:34
I feel manual verification is less reliable than automated verification; people get tired, after all.
fzq198776
Posted on 2011-6-2 13:47:28
This has happened many times. I previously submitted three samples that were viruses, and Kingsoft's cloud scanner rated them as safe files.
知微
Posted on 2011-6-2 14:01:21
qwe12301 posted on 2011-6-2 12:57
HiveSoft's verdict, for reference only:
http://www.hivesoft.cn/scanpage.php?file_id=c09212cc66bd6b0e6326804a1ff2 ...

When I use the right-click "submit to cloud scan" option, no result ever comes back.