瑞星卡卡安全论坛

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.10.22.0	2008.10.23	-
AntiVir	7.9.0.5	2008.10.23	TR/Dropper.Gen
Authentium	5.1.0.4	2008.10.23	W32/Injector.A.gen!Eldorado
Avast	4.8.1248.0	2008.10.23	Win32:AutoRun-IC
AVG	8.0.0.161	2008.10.23	Downloader.Generic7.BDAM
BitDefender	7.2	2008.10.23	Win32.Worm.Winko.I
CAT-QuickHeal	9.50	2008.10.23	-
ClamAV	0.93.1	2008.10.23	-
DrWeb	4.44.0.09170	2008.10.23	Trojan.Popwin.origin
eSafe	7.0.17.0	2008.10.22	Suspicious File
eTrust-Vet	31.6.6164	2008.10.22	Win32/Pipown!generic
Ewido	4.0	2008.10.23	-
F-Prot	4.4.4.56	2008.10.22	W32/Injector.A.gen!Eldorado
F-Secure	8.0.14332.0	2008.10.23	Suspicious:W32/Malware!Gemini
Fortinet	3.113.0.0	2008.10.23	PossibleThreat
GData	19	2008.10.23	Win32.Worm.Winko.I
Ikarus	T3.1.1.44.0	2008.10.23	Trojan.Win32.Agent
K7AntiVirus	7.10.503	2008.10.22	-
Kaspersky	7.0.0.125	2008.10.23	Trojan.Win32.Pakes.lgv
McAfee	5412	2008.10.23	-
Microsoft	1.4005	2008.10.23	Backdoor:Win32/Popwin.gen!H
NOD32	3548	2008.10.23	probably a variant of Win32/TrojanDownloader.Flux
Norman	5.80.02	2008.10.22	-
Panda	9.0.0.4	2008.10.23	Suspicious file
PCTools	4.4.2.0	2008.10.23	-
Prevx1	V2	2008.10.23	-
Rising	21.00.32.00	2008.10.23	-
SecureWeb-Gateway	6.7.6	2008.10.23	Trojan.Dropper.Gen
Sophos	4.34.0	2008.10.23	Mal/Behav-027
Sunbelt	3.1.1747.1	2008.10.23	-
Symantec	10	2008.10.23	-
TheHacker	6.3.1.0.124	2008.10.23	-
TrendMicro	8.700.0.1004	2008.10.23	BKDR_POPWIN.AW
VBA32	3.12.8.8	2008.10.22	suspected of Trojan-PSW.Game.62 (paranoid heuristics)
ViRobot	2008.10.23.1434	2008.10.23	-
VirusBuster	4.5.11.0	2008.10.22	-

附加信息

File size: 25654 bytes

MD5...: cba31f142a6a9ac33cfee1d271ba32af

SHA1..: 88bdb30c5380a59e44f2c5b95c7cb5e904ffde95

SHA256: 7d9d8b539cadd5417e129cc38222eb006c80de972d33ff8166e20fd76352c2dd

SHA512: 819531e7d8ea33a752a4fca751d67cbcfe2552da4d02ed53fc64e2674cff33aa 53bebcac1ee3caeeb464e344870769f6fb13a21ea99def8de4c96ec99b8d28e4

PEiD..: ASPack v2.12

TrID..: File type identification Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x418001 timedatestamp.....: 0x48ff462b (Wed Oct 22 15:26:35 2008) machinetype.......: 0x14c (I386) ( 6 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x7000 0x1200 7.60 c817c1ddfb2a0a88d9018d010936830d .rdata 0x8000 0x1000 0x600 6.45 5c2b0e97674effb80c21f8c72d7c5592 .data 0x9000 0xe000 0x3200 7.93 9366c395db6a15ff43e244ced0149b32 .rsrc 0x17000 0x1000 0x200 0.89 a2c613757ed4c8b4e7449ceb457c713c .aspack 0x18000 0x2000 0x1200 5.87 7ccdd791e5dc6ab475dabe5e17a08d9c .adata 0x1a000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e ( 5 imports ) > kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA > msvcrt.dll: _controlfp > user32.dll: FindWindowExA > advapi32.dll: RegCreateKeyExA > shell32.dll: ShellExecuteA ( 0 exports )

packers (Avast): ASPack

packers (Kaspersky): ASPack 2008-10-23 15:18瑞星病毒库无法检出

用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)

附件: 88642F08.zip

文件: 88642F08.EXE
大小: 25654 字节
MD5: CBA31F142A6A9AC33CFEE1D271BA32AF
SHA1: 88BDB30C5380A59E44F2C5B95C7CB5E904FFDE95
CRC32: DD0435C2
加壳类型:ASPack
编写语言:Microsoft Visual C++ 6.0

简单行为分析:

试图结束explorer.exe,

创建文件:
%windir%\Fonts\71AFC10C.DLL
%windir%\FONTS\F57BE19A.EXE
%windir%\Fonts\copy2090000.bat
%windir%\Fonts\del.bat

添加服务:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services,2643DD6F

释放文件并运行将自身拷贝到C:\WINDOWS\FONTS\目录下:
%windir%\Fonts\copy2090000.bat

其中描述如下:




运行F57BE19A.EXE控制winlogon.EXE然后利用winlogon.exe控制当前进程中的所有进程;

调用PostMessageA函数向各个窗口发送WM_CLOSE消息;

释放文件C:\WINDOWS\Fonts\del.bat调用cmd删除88642F08.EXE及自身;
del.bat描述如下:


;

文件名：88642F08.EXE

病毒名：Trojan.Win32.Undef.sau


您所上报的病毒文件将在瑞星2008的20.68.40版本中处理解决，如遇特殊问题，可能会推后几个版本。