Suspicious files

Remote file received

User system info: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; QQDownload 1.7; baiduds; .NET CLR 1.1.4322)

Attachment: your user group cannot download or view attachments

Legend has it that long ago, in a temple, there lived a great god and a little demon. It rained heavily and the river in front of the temple rose. A man came along and could not cross, so he carried the great god out of the temple, threw it into the river, stepped on the great god's body and leapt across. A little later there came
Reply: Suspicious files

JQKA    Rising 21.22.21.00 2009.03.25    -
JDMA                                     -
Not sure which one is the main file; I'll take a look first.
Last edited by 天云一剑 on 2009-03-25 19:15:11
汰丸, it's your mum's sixtieth birthday, come home for dinner

http://hi.baidu.com/roxiel

Reply: Suspicious files

jdma.exe

Created %System%\jdma.exe  30,472 bytes
MD5: 0xD7886A4D02BC8C5ED636E67168A6AFB6
Process jdma.exe %System%\jdma.exe 32,768 bytes
Service jdma jdma "Running" %System%\jdma.exe

Registry keys created
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma\Enum

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set]
Beizhu = "5.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA\0000]
Service = "jdma"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JDMA]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma\Enum]
0 = "Root\LEGACY_JDMA\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jdma]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\jdma.exe"
DisplayName = "jdma"
ObjectName = "LocalSystem"
Description = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA\0000]
Service = "jdma"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "jdma"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JDMA]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma\Enum]
0 = "Root\LEGACY_JDMA\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\jdma.exe"
DisplayName = "jdma"
ObjectName = "LocalSystem"
Description = "jdma"

Registry values modified
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000C

Ports
1033 TCP jdma.exe (%System%\jdma.exe)
Requests connection to
jkddd2.3322.org
Attempts to connect to remote host
0.0.38.119  --port 1690
255.255.255.255 --port  1690
Last edited by 天云一剑 on 2009-03-27 10:00:31

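The Security value dumped under both Services\jdma keys above is a binary, self-relative SECURITY_DESCRIPTOR: the access control list on the service object itself. The decoder below is an added example, not code from the poster or from Rising, and uses only the Python standard library. Its input is the hex string exactly as it appears in the post, which is cut off mid-byte, so the code drops the dangling nibble and stops cleanly when an ACE header claims more bytes than the buffer holds. The recoverable part reads as follows: the SACL holds one audit-on-failure entry for Everyone (S-1-1-0), and the first DACL entry grants LocalSystem (S-1-5-18) mask 0x201FD, the service-specific rights without SERVICE_CHANGE_CONFIG plus READ_CONTROL. Both match what the Service Control Manager writes by default when a service is created, so this value is a by-product of CreateService rather than an ACL the sample chose; the three remaining ACEs are lost to truncation and cannot be judged. The well-known-SID names come from a small lookup table, not an LSA query.

```python
"""Decode a 'Security' value from HKLM\\SYSTEM\\...\\Services\\<name>\\Security (added example)."""
import struct

# Constructed from the post above: the jdma Security value exactly as dumped. The dump ends
# with a half byte ("0F 0"), so the decoder must cope with a truncated buffer.
HEX_DUMP = ("01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 "
            "02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 "
            "00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0")

WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-18": "LocalSystem", "S-1-5-32-544": "Administrators",
                   "S-1-5-4": "Interactive", "S-1-5-6": "Service"}   # small lookup, not an LSA query
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
# Service-specific rights from winsvc.h plus the standard rights in the upper word.
SERVICE_RIGHTS = [(0x0001, "QUERY_CONFIG"), (0x0002, "CHANGE_CONFIG"), (0x0004, "QUERY_STATUS"),
                  (0x0008, "ENUMERATE_DEPENDENTS"), (0x0010, "START"), (0x0020, "STOP"),
                  (0x0040, "PAUSE_CONTINUE"), (0x0080, "INTERROGATE"), (0x0100, "USER_DEFINED_CONTROL"),
                  (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
                  (0x80000, "WRITE_OWNER")]
SE_DACL_PRESENT, SE_SACL_PRESENT = 0x0004, 0x0010


def hex_dump_to_bytes(dump):
    """Join the spaced hex and drop a dangling nibble left by a cut-off dump."""
    digits = "".join(dump.split())
    return bytes.fromhex(digits[:len(digits) // 2 * 2])


def parse_sid(data, off):
    """SID = revision, sub-authority count, 48-bit big-endian authority, 32-bit LE sub-authorities."""
    if off + 8 > len(data):
        return None
    rev, count = data[off], data[off + 1]
    if off + 8 + 4 * count > len(data):
        return None
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def parse_acl(data, off, label):
    """ACL header (8 bytes) then ACEs; stop and flag truncation when an ACE overruns the buffer."""
    _rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", data, off)
    acl = {"acl": label, "declared_aces": ace_count, "aces": [], "truncated": False}
    pos = off + 8
    for _ in range(ace_count):
        if pos + 4 > len(data):
            acl["truncated"] = True
            break
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, pos)
        if ace_size < 12 or pos + ace_size > len(data):
            acl["truncated"] = True
            break
        (mask,) = struct.unpack_from("<I", data, pos + 4)
        sid = parse_sid(data, pos + 8)
        acl["aces"].append({"type": ACE_TYPES.get(ace_type, "type %d" % ace_type),
                            "audit_failure": bool(ace_flags & 0x80), "audit_success": bool(ace_flags & 0x40),
                            "mask": mask, "rights": [name for bit, name in SERVICE_RIGHTS if mask & bit],
                            "sid": sid, "account": WELL_KNOWN_SIDS.get(sid, "?")})
        pos += ace_size
    return acl


def parse_security_descriptor(data):
    """Self-relative SECURITY_DESCRIPTOR: 20-byte header holding offsets to owner, group, SACL, DACL."""
    rev, _sbz1, control, off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", data, 0)
    sd = {"revision": rev, "control": control,
          "owner": parse_sid(data, off_owner) if off_owner else None,   # offsets past the end give None
          "group": parse_sid(data, off_group) if off_group else None,
          "sacl": None, "dacl": None}
    if control & SE_SACL_PRESENT and off_sacl:
        sd["sacl"] = parse_acl(data, off_sacl, "SACL")
    if control & SE_DACL_PRESENT and off_dacl:
        sd["dacl"] = parse_acl(data, off_dacl, "DACL")
    return sd


if __name__ == "__main__":
    sd = parse_security_descriptor(hex_dump_to_bytes(HEX_DUMP))
    for acl in (sd["sacl"], sd["dacl"]):
        for ace in acl["aces"]:
            print(acl["acl"], ace["type"], ace["account"], ace["sid"], hex(ace["mask"]), " ".join(ace["rights"]))
        if acl["truncated"]:
            print(acl["acl"], "truncated: %d of %d ACEs recovered" % (len(acl["aces"]), acl["declared_aces"]))
```

The owner and group offsets (0x90 and 0x9C) point past the 83 bytes that survived, so both come back as None rather than raising; the same guard is what lets the DACL report "1 of 4 ACEs recovered" instead of crashing on the partial second entry.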
Reply: Suspicious files

jqka.exe

File
%System%\jqka.exe  30,984 bytes
Process
jqka.exe %System%\jqka.exe 32,768 bytes
Service
jqka jqka "Running" %System%\jqka.exe
Registry keys created
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka\Enum

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set]
Beizhu = "5.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA\0000]
Service = "jqka"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JQKA]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka\Enum]
0 = "Root\LEGACY_JQKA\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jqka]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\jqka.exe"
DisplayName = "jqka"
ObjectName = "LocalSystem"
Description = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA\0000]
Service = "jqka"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "jqka"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JQKA]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka\Enum]
0 = "Root\LEGACY_JQKA\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\jqka.exe"
DisplayName = "jqka"
ObjectName = "LocalSystem"
Description = "jqka"

Registry values modified
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000C

Ports
1033 TCP jqka.exe (%System%\jqka.exe)

Requests connection to
weiqianjiang.3322.org

Attempts to connect to remote host
0.8.129.124 --port 1698
255.255.255.255 --port  1698
Download
http://avzhan.3322.org:81/2.exe c:\m.exe  Trojan.Win32.Nodef.gki
Last edited by 天云一剑 on 2009-03-25 19:45:59

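The jdma.exe and jqka.exe reports above share one layout: created files with sizes, a hash, the Services\<name> registry values, a listening port, a hostname lookup, connection attempts and, in the second case, a download. The script below is an added example, not anything the poster or Rising published. It parses that layout with label-independent regular expressions (so it works on the original Chinese labels or the translated ones), decodes the raw Type/Start/ObjectName values into what they mean for persistence (Type 0x10 is a WIN32_OWN_PROCESS service, Start 2 is AUTO_START, so the binary comes back at every boot as LocalSystem), and uses the standard library's ipaddress module to mark that every connection target in both reports (0.0.38.119, 0.8.129.124 and 255.255.255.255) is not a globally routable address. The embedded REPORT string is the two sections from this thread trimmed to the lines the parser consumes; Python 3.8 or later is required for the := operator.

```python
"""Pull indicators out of a sandbox behaviour report in the layout posted in this thread (added example)."""
import ipaddress
import re

# Constructed sample: the jdma.exe and jqka.exe sections as posted above, trimmed to the
# lines this parser consumes (files, hash, Services\<name> values, port, hostname, connections, download).
REPORT = r"""
Created %System%\jdma.exe  30,472 bytes
MD5: 0xD7886A4D02BC8C5ED636E67168A6AFB6
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdma]
Type = 0x00000010
Start = 0x00000002
ImagePath = "%System%\jdma.exe"
ObjectName = "LocalSystem"
1033 TCP jdma.exe (%System%\jdma.exe)
jkddd2.3322.org
0.0.38.119  --port 1690
255.255.255.255 --port  1690

%System%\jqka.exe  30,984 bytes
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jqka]
Type = 0x00000010
Start = 0x00000002
ImagePath = "%System%\jqka.exe"
ObjectName = "LocalSystem"
1033 TCP jqka.exe (%System%\jqka.exe)
weiqianjiang.3322.org
0.8.129.124 --port 1698
255.255.255.255 --port  1698
http://avzhan.3322.org:81/2.exe c:\m.exe  Trojan.Win32.Nodef.gki
"""

# SERVICE_* constants from winnt.h / winsvc.h
SERVICE_TYPE = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER", 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}
SERVICE_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}

SERVICE_KEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\\w+\\Services\\([^\\\]]+)\]$", re.I)
REG_VALUE = re.compile(r'(\w+) = (?:"([^"]*)"|0x([0-9A-Fa-f]+))$')
MD5 = re.compile(r"MD5:\s*(?:0x)?([0-9A-Fa-f]{32})")
FILE = re.compile(r"(%\w+%\\\S+)\s+([\d,]+) bytes")
LISTEN = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(\S+)")
CONNECT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+--port\s+(\d+)")
DOWNLOAD = re.compile(r"^(https?://\S+)\s+(\S+)(?:\s+(\S+))?$")
HOSTNAME = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def parse_report(text):
    """Return a dict of indicators; registry values are attributed to the enclosing Services\\<name> key."""
    iocs = {"md5": [], "files": {}, "services": {}, "listening": [], "domains": [], "connections": [], "downloads": []}
    service = None                               # values dict of the Services\<name> key currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):                 # registry section header; only Services\<name> is kept
            m = SERVICE_KEY.match(line)
            service = iocs["services"].setdefault(m.group(1).lower(), {}) if m else None
        elif service is not None and (m := REG_VALUE.match(line)):
            name, text_val, hex_val = m.groups()
            service[name] = text_val if text_val is not None else int(hex_val, 16)
        elif m := MD5.search(line):
            iocs["md5"].append(m.group(1).lower())
        elif m := FILE.search(line):
            iocs["files"].setdefault(m.group(1), int(m.group(2).replace(",", "")))
        elif m := LISTEN.match(line):
            iocs["listening"].append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := CONNECT.match(line):
            ip = ipaddress.ip_address(m.group(1))
            # 0.0.0.0/8 and the limited-broadcast address 255.255.255.255 are not globally routable
            iocs["connections"].append({"ip": str(ip), "port": int(m.group(2)), "routable": ip.is_global})
        elif m := DOWNLOAD.match(line):
            iocs["downloads"].append({"url": m.group(1), "saved_as": m.group(2), "label": m.group(3)})
        elif HOSTNAME.match(line) and not line.lower().endswith((".exe", ".dll", ".sys")):
            iocs["domains"].append(line.lower())     # a bare name on its own line is the lookup request
    return iocs


def describe_service(name, values):
    """Translate raw Type/Start/ObjectName into what they mean for persistence."""
    return "service %s: %s, %s, runs as %s, image %s" % (
        name,
        SERVICE_TYPE.get(values.get("Type"), "type 0x%x" % values.get("Type", 0)),
        SERVICE_START.get(values.get("Start"), "start %r" % values.get("Start")),
        values.get("ObjectName", "?"), values.get("ImagePath", "?"))


def summarize(iocs):
    """Human-readable findings: persistence, lookups, non-routable connection targets, drops."""
    findings = [describe_service(n, v) for n, v in iocs["services"].items()]
    findings += ["DNS request for %s" % d for d in iocs["domains"]]
    findings += ["connection attempt to non-routable %s:%d" % (c["ip"], c["port"])
                 for c in iocs["connections"] if not c["routable"]]
    findings += ["downloads %s to %s (%s)" % (d["url"], d["saved_as"], d["label"]) for d in iocs["downloads"]]
    return findings


if __name__ == "__main__":
    for finding in summarize(parse_report(REPORT)):
        print(finding)
```

Because the registry dump repeats every key under ControlSet001 and CurrentControlSet, both copies land in the same per-service dict; a mismatch between the two would show up as the later value overwriting the earlier one, which is worth a separate check if you extend this.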
Reply: Suspicious files

sound.exe, adware; only two engines on VT flag it

File MD5: 0x45E59BE412367C95980771EDDF1B1106
Filesize: 50,171 bytes

Folders created (files may be hidden inside)
%ProgramFiles%\Microsoft Office
%ProgramFiles%\Microsoft Office\SYSTEM
Registry keys created
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Apcdli
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apcdli
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Apcdli]
TempPath = "%Windir%\Temp\kzdh@webbrowser-lyrics_2048.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apcdli]
TempPath = "%Windir%\Temp\kzdh@webbrowser-lyrics_2048.dll"

Reply: Suspicious files

Research shows this one fakes a Rising signature:
1. Creates two jtoq.exe processes and gets them running as system
2. Transmits network signals
3. Registry values created by cmd.exe (as mentioned by the poster above)
4. Adds a service: c:\windows\system32\jtoq.exe [Beijing Rising Information technology Co., Ltd.]

Attachments (4): your user group cannot download or view attachments
Last edited by 夲號ヱ被ジ盜 on 2009-03-25 20:28:58

Reply: Suspicious files

Can't see it.
Reply: Suspicious files

Thank you for your support of Rising. The files you reported have been collected; we will analyse them promptly and follow up in this thread.

Powered by Discuz!NT