Rising Kaka Security Forum

过客2007 - 2009-3-25 18:22:00
Remote file received

User system info: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; QQDownload 1.7; baiduds; .NET CLR 1.1.4322)

Attachment: 新建文件夹 (3).rar
天云一剑 - 2009-3-25 19:05:00
JQKA Rising 21.22.21.00 2009.03.25  -
JDMA                                                    -
Not sure which one is the main file; let me take a look first.
天云一剑 - 2009-3-25 19:27:00
jdma.exe

Creates %System%\jdma.exe  30,472 bytes
MD5: 0xD7886A4D02BC8C5ED636E67168A6AFB6
Process jdma.exe %System%\jdma.exe 32,768 bytes
Service jdma jdma "Running" %System%\jdma.exe

Created
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma\Enum

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set]
Beizhu = "5.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA\0000]
Service = "jdma"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma\Enum]
0 = "Root\LEGACY_JDMA\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\jdma.exe"
DisplayName = "jdma"
ObjectName = "LocalSystem"
Description = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA\0000]
Service = "jdma"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma\Enum]
0 = "Root\LEGACY_JDMA\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\jdma.exe"
DisplayName = "jdma"
ObjectName = "LocalSystem"
Description = "jdma"

Modified
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000C

Ports
1033 TCP jdma.exe (%System%\jdma.exe)
Connection request
jkddd2.3322.org
Attempts to establish connections to remote hosts
0.0.38.119  --port 1690
255.255.255.255 --port  1690
天云一剑 - 2009-3-25 19:42:00
jqka.exe

File
%System%\jqka.exe  30,984 bytes
Process
jqka.exe %System%\jqka.exe 32,768 bytes
Service
jqka jqka "Running" %System%\jqka.exe
Created
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka\Enum

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set]
Beizhu = "5.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA\0000]
Service = "jqka"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka\Enum]
0 = "Root\LEGACY_JQKA\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\jqka.exe"
DisplayName = "jqka"
ObjectName = "LocalSystem"
Description = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA\0000]
Service = "jqka"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka\Enum]
0 = "Root\LEGACY_JQKA\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\jqka.exe"
DisplayName = "jqka"
ObjectName = "LocalSystem"
Description = "jqka"

Modified
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000C

Ports
1033 TCP jqka.exe (%System%\jqka.exe)

Connection request
weiqianjiang.3322.org

Attempts to establish connections to remote hosts
0.8.129.124 --port 1698
255.255.255.255 --port  1698
Download
http://avzhan.3322.org:81/2.exe c:\m.exe  Trojan.Win32.Nodef.gki
天云一剑 - 2009-3-25 20:04:00
sound.exe: adware; only two engines flagged it on VT

File MD5: 0x45E59BE412367C95980771EDDF1B1106
Filesize: 50,171 bytes

Creates folders (files may be hidden inside)
%ProgramFiles%\Microsoft Office
%ProgramFiles%\Microsoft Office\SYSTEM
Registry created
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Apcdli
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apcdli
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Apcdli]
TempPath = "%Windir%\Temp\kzdh@webbrowser-lyrics_2048.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apcdli]
TempPath = "%Windir%\Temp\kzdh@webbrowser-lyrics_2048.dll"
夲號ヱ被ジ盜 - 2009-3-25 20:27:00
Analysis found that this one fakes a Rising signature.
1: Creates two jtoq.exe processes and runs them as system
2: Transmits network signals
3: Registry values created by cmd.exe (as LS mentioned)
4: Adds a service: c:\windows\system32\jtoq.exe [Beijing Rising Information technology Co., Ltd.]

Attachment: your user group cannot download or view attachments
vane4503 - 2009-3-26 9:14:00
Can't see it.
RisingCSC - 2009-3-26 9:57:00
Thank you for your support of Rising. The files you reported have been collected; we will analyze them promptly and reply in this thread.