一个dowloader，请找出它的下载列表

a256886572008

如题，这只下载者会下载很多木马。


有没有人能找出它的 download lists  ？

9L 的列表

1. 2:http://121.12.168.129:987/yuyu/bho1.exe
   
2. 1:http://121.12.168.129:987/yuyu/bho2.exe
   
3. 2:http://121.12.168.129:987/yuyu/bho3.exe
   
4. 2:http://121.12.168.129:987/yuyu/bho4.exe
   
5. 1:http://121.12.168.129:987/yuyu/bho5.exe
   
6. 1:http://121.12.168.129:987/yuyu/bho6.exe
   
7. 1:http://121.12.168.129:987/yuyu/bho7.exe
   
8. 1:http://121.12.168.129:987/yuyu/bho8.exe
   
9. 1:http://121.12.168.129:987/yuyu/bho22.exe
   
10. 1:http://121.12.168.129:987/yuyu/bho23.exe
    
11. 1:http://121.12.168.129:987/yuyu/bho24.exe
    
12. 1:http://121.12.168.129:987/yuyu/bho25.exe

复制代码

瓜皮猫

eset  kill
C:\Users\微亿毫\Desktop\ss.rar » RAR » ss.exe - Win32/Agent.SNY trojan

好吧，它貌似认得沙盘。。。

z2009

过comodo，

毒霸，红伞，360卫士均杀

bluelily

过大蜘蛛 已上报

hx1997

三生缘石 发表于 2011-6-3 19:29
eset  kill
C:\Users\微亿毫\Desktop\ss.rar » RAR » ss.exe - Win32/Agent.SNY trojan

是在线沙盘还是本地？SBIE可以运行
PS: 刚才发现HIPS设为全局询问时样本才能运行...否则就退出了

2011-6-3 20:00:45        文件系统实时防护        文件        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        Win32/Agent.SNY 特洛伊木马                HX-C0987054243B\HX        在应用程序新建的文件上发生事件: G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe.

2011-6-3 19:52:38        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go5463G.exe        allowed        0.Samples Testing Mode
2011-6-3 19:52:35        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go0813G.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal        allowed        0.Samples Testing Mode
2011-6-3 19:52:20        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go0813G.exe        allowed        0.Samples Testing Mode
2011-6-3 19:51:55        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go2453G.exe        allowed        0.Samples Testing Mode
2011-6-3 19:51:41        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go7173G.exe        create process        G:\windows\system32\rundll32.exe        allowed        22.%windir%\system32\rundll32.exe
2011-6-3 19:51:34        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go5583G.exe        allowed        22.%windir%\system32\sc.exe
2011-6-3 19:51:21        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go7173G.exe        create process        G:\windows\system32\sc.exe        blocked        22.%windir%\system32\sc.exe
2011-6-3 19:51:16        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go3163G.exe        allowed        22.%windir%\system32\sc.exe
2011-6-3 19:51:06        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go7173G.exe        create process        G:\windows\system32\sc.exe        blocked        22.%windir%\system32\sc.exe
2011-6-3 19:50:56        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go8463G.exe        allowed        0.Samples Testing Mode
2011-6-3 19:50:53        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go7173G.exe        create process        G:\windows\system32\net.exe        blocked        22.%windir%\system32\net.exe
2011-6-3 19:50:48        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go0813G.exe        create process        G:\windows\system32\rundll32.exe        allowed        22.%windir%\system32\rundll32.exe
2011-6-3 19:50:36        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go2443G.exe        allowed        22.%windir%\system32\sc.exe
2011-6-3 19:50:26        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go0813G.exe        create process        G:\windows\system32\sc.exe        blocked        22.%windir%\system32\sc.exe
2011-6-3 19:50:22        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go5313G.exe        blocked        0.Samples Testing Mode
2011-6-3 19:50:17        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go0813G.exe        create process        G:\windows\system32\sc.exe        blocked        22.%windir%\system32\sc.exe
2011-6-3 19:50:09        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go7173G.exe        allowed        0.Samples Testing Mode
2011-6-3 19:50:04        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go0813G.exe        create process        G:\windows\system32\net.exe        blocked        22.%windir%\system32\net.exe
2011-6-3 19:49:57        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\Temp\Go0813G.exe        allowed        0.Samples Testing Mode
2011-6-3 19:48:40        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        create process        G:\Sandbox\HX\Virus\drive\G\windows\svchost.exe        allowed        0.Samples Testing Mode
2011-6-3 19:48:34        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\ShellNoRoam\MUICache\g:\windows\svchost.exe        allowed        0.Samples Testing Mode
2011-6-3 19:48:26        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies        allowed        0.Samples Testing Mode
2011-6-3 19:48:24        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache        allowed        0.Samples Testing Mode
2011-6-3 19:47:59        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\machine\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop        allowed        0.Samples Testing Mode
2011-6-3 19:47:57        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop        allowed        0.Samples Testing Mode
2011-6-3 19:47:54        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\machine\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents        allowed        0.Samples Testing Mode
2011-6-3 19:47:51        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:49        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:47        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:45        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:42        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:40        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:38        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:36        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:34        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:31        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:30        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:28        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:25        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:23        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A\BaseClass        blocked        0.Samples Testing Mode
2011-6-3 19:47:20        G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\ss.exe        set value        HKEY_USERS\SANDBOX_HX_VIRUS\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal        allowed        0.Samples Testing Mode

瓜皮猫

hx1997 发表于 2011-6-3 20:05
是在线沙盘还是本地？SBIE可以运行
PS: 刚才发现HIPS设为全局询问时样本才能运行...否则就退出了

本地的sbie 几乎默认设置，win 7不能运行

荷韵诗

hx1997

三生缘石 发表于 2011-6-3 20:14
本地的sbie 几乎默认设置，win 7不能运行

啊我错了我错了......不管HIPS的事，只要把文件监控关闭就可以运行样本了
因为文件监控阻止了对病毒衍生物的访问，母体无法运行衍生物就自动退出了...

衍生物看来可以杀，但是还有很多，我没让它下载完
G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\Go7693G.exe - Win32/PSW.OnLineGames.PIR 特洛伊木马 的变种
G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\Go8323G.exe - Win32/PSW.OnLineGames.PIR 特洛伊木马 的变种
G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\Go9243G.exe - Win32/PSW.OnLineGames.PIR 特洛伊木马 的变种

svchost.exe连接以下地址，看看能不能找出下载列表：
customer.krypt.com:321
121.12.168.129:987

522586971

http://121.12.168.129:987/cc.txt

瓜皮猫

hx1997 发表于 2011-6-3 20:27
啊我错了我错了......不管HIPS的事，只要把文件监控关闭就可以运行样本了
因为文件监控阻止了对病毒衍生 ...

沙盘能运行的，不过我怎么禁用了eset的组件，运行还直接被kill了