Rising Kaka Security Forum, Technical Exchange, Suspicious File Exchange

20.49.12 does not react to beep.sys, DOVA

Archive password: virus



File specifier : c:\windows\system32\drivers\beep.sys
Attributes : A---
Digital signature: No
PE file: Yes
Failed to get file version info size!
Created : 2008-6-16 16:30:47
Modified : 2008-6-16 16:30:48
Size : 2278 bytes 2.230 KB
MD5 : 57feb7a53fc0fc0d72460c79f6fe4a70
SHA1: 426C70291E57437C7F922055D6E9F780582CB6AD
CRC32: b4f9768e


O23 - Service: Microsoftpvsy (Microsoftpvsy) - C:\WINDOWS\DOVA | 2008-6-16 2:44:38 (Automatic)


File specifier : D:\test\DOVA
Attributes : -SHR
Digital signature: No
PE file: Yes
Failed to get file version info size!
Created : 2008-6-16 2:44:38
Modified : 2008-6-16 16:30:50
Size : 231729 bytes 226.305 KB
MD5 : 76d5a93a77a4b266ce590864fe2cdae4
SHA1: E9E2694515A8D0BEF74E5D4094E49DB4DC46E297
CRC32: 3c8f8c39


File beep.sys received on 2008.06.17 11:48:14 (CET)
Antivirus engine | Version | Last update | Result
AhnLab-V3 | 2008.6.17.0 | 2008.06.17 | -
AntiVir | 7.8.0.55 | 2008.06.17 | -
Authentium | 5.1.0.4 | 2008.06.17 | -
Avast | 4.8.1195.0 | 2008.06.16 | -
AVG | 7.5.0.516 | 2008.06.16 | Worm/Agent.N
BitDefender | 7.2 | 2008.06.17 | -
CAT-QuickHeal | 9.50 | 2008.06.16 | -
ClamAV | 0.93.1 | 2008.06.17 | -
DrWeb | 4.44.0.09170 | 2008.06.17 | -
eSafe | 7.0.15.0 | 2008.06.16 | -
eTrust-Vet | 31.6.5881 | 2008.06.17 | -
Ewido | 4.0 | 2008.06.16 | -
F-Prot | 4.4.4.56 | 2008.06.12 | -
F-Secure | 7.60.13501.0 | 2008.06.17 | -
Fortinet | 3.14.0.0 | 2008.06.17 | -
GData | 2.0.7306.1023 | 2008.06.17 | -
Ikarus | T3.1.1.26.0 | 2008.06.17 | -
Kaspersky | 7.0.0.125 | 2008.06.17 | -
McAfee | 5318 | 2008.06.16 | -
Microsoft | 1.3604 | 2008.06.17 | -
NOD32v2 | 3192 | 2008.06.17 | -
Norman | 5.80.02 | 2008.06.16 | -
Panda | 9.0.0.4 | 2008.06.16 | -
Prevx1 | V2 | 2008.06.17 | -
Rising | 20.49.11.00 | 2008.06.17 | -
Sophos | 4.30.0 | 2008.06.17 | -
Sunbelt | 3.0.1153.1 | 2008.06.15 | -
Symantec | 10 | 2008.06.17 | -
TheHacker | 6.2.92.352 | 2008.06.17 | -
TrendMicro | 8.700.0.1004 | 2008.06.17 | -
VBA32 | 3.12.6.7 | 2008.06.17 | -
VirusBuster | 4.3.26:9 | 2008.06.12 | -
Webwasher-Gateway | 6.6.2 | 2008.06.17 | -

Additional information
File size: 2278 bytes
MD5...: 57feb7a53fc0fc0d72460c79f6fe4a70
SHA1..: 426c70291e57437c7f922055d6e9f780582cb6ad
SHA256: 8f374788e5331a514bb7af41349fe2e41d1bf747c3cf6f8c0450f70d7700f62a
SHA512: 25496d47a6a7385e517575d4c82b3eaa6f477f5344c0db91d87ee55f0ccec035834f7cfd854405cdbe784847ffcd5c2c66e1fea2bb34d50bc8bbfef99ffa14da
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x102e6
timedatestamp.....: 0x4853ae23 (Sat Jun 14 11:40:19 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name    viradd  virsiz  rawdsiz  ntrpy  md5
.text   0x2a0   0x23c   0x240    5.84   738686680103bf7136d1d58d91449851
.rdata  0x4e0   0x94    0xa0     2.56   b3ae866fa0e297874aa7207a07840525
.data   0x580   0x18    0x20     0.00   70bc8f4b72a86921468bf8e8441dce51
INIT    0x5a0   0x144   0x160    4.44   5d072eceb6de4a7376bf9d6312676161
.reloc  0x700   0x58    0x60     3.47   d9b273eae760f0b360a5cdc940e91f18

( 1 imports )
> ntoskrnl.exe: IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IofCompleteRequest, DbgPrint, IoDeleteDevice, IoDeleteSymbolicLink, KeServiceDescriptorTable, ProbeForWrite, ProbeForRead, _except_handler3

( 0 exports )


File DOVA received on 2008.06.17 11:49:53 (CET)
Antivirus engine | Version | Last update | Result
AhnLab-V3 | 2008.6.17.0 | 2008.06.17 | Win32/NSAnti.suspicious
AntiVir | 7.8.0.55 | 2008.06.17 | BDS/Backdoor.Gen
Authentium | 5.1.0.4 | 2008.06.17 | W32/Hupigon.A.gen!Eldorado
Avast | 4.8.1195.0 | 2008.06.16 | Win32:Hupigon-ZA
AVG | 7.5.0.516 | 2008.06.16 | Generic10.ANTC
BitDefender | 7.2 | 2008.06.17 | MemScan:Backdoor.Hupigon.ZUW
CAT-QuickHeal | 9.50 | 2008.06.16 | Win32.Packed.NSAnti.r
ClamAV | 0.93.1 | 2008.06.17 | -
DrWeb | 4.44.0.09170 | 2008.06.17 | BackDoor.Pigeon.2254
eSafe | 7.0.15.0 | 2008.06.16 | suspicious Trojan/Worm
eTrust-Vet | 31.6.5881 | 2008.06.17 | -
Ewido | 4.0 | 2008.06.16 | Backdoor.GrayBird.kx
F-Prot | 4.4.4.56 | 2008.06.12 | W32/Hupigon.A.gen!Eldorado
Fortinet | 3.14.0.0 | 2008.06.17 | -
GData | 2.0.7306.1023 | 2008.06.17 | Backdoor.Win32.Hupigon.clpz
Ikarus | T3.1.1.26.0 | 2008.06.17 | Packed.Win32.Klone.af
Kaspersky | 7.0.0.125 | 2008.06.17 | Backdoor.Win32.Hupigon.clpz
McAfee | 5318 | 2008.06.16 | -
Microsoft | 1.3604 | 2008.06.17 | VirTool:Win32/Obfuscator.A
NOD32v2 | 3193 | 2008.06.17 | -
Norman | 5.80.02 | 2008.06.16 | W32/Suspicious_N.gen
Panda | 9.0.0.4 | 2008.06.16 | Suspicious file
Prevx1 | V2 | 2008.06.17 | Suspicious
Rising | 20.49.11.00 | 2008.06.17 | -
Sophos | 4.30.0 | 2008.06.17 | Sus/UnkPacker
Sunbelt | 3.0.1153.1 | 2008.06.15 | VIPRE.Suspicious
Symantec | 10 | 2008.06.17 | -
TheHacker | 6.2.92.352 | 2008.06.17 | -
TrendMicro | 8.700.0.1004 | 2008.06.17 | -
VBA32 | 3.12.6.7 | 2008.06.17 | suspected of Backdoor.XiaoBird.1
VirusBuster | 4.3.26:9 | 2008.06.12 | Packed/NSPack
Webwasher-Gateway | 6.6.2 | 2008.06.17 | Trojan.Backdoor.Backdoor.Gen

Additional information
File size: 231729 bytes
MD5...: 76d5a93a77a4b266ce590864fe2cdae4
SHA1..: e9e2694515a8d0bef74e5d4094e49db4dc46e297
SHA256: 56002d8d72834e91189ac226b809be2968ddcd199edf74486b8baa527ae64c81
SHA512: 8f414f7d1f035e621db966d760dbba76ff18aeb895c62398e1368522094f45f57161dfe25018fca5aff40e881adb66169511403d931220017f334e0e1b8ca80f
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4df028
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name  viradd    virsiz   rawdsiz  ntrpy  md5
      0x1000    0xde000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
      0xdf000   0x39000  0x38531  8.00   15910b31c9cfb5449b6989cf64121b8e
      0x118000  0x88a    0x0      0.00   d41d8cd98f00b204e9800998ecf8427e

( 25 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> USER32.DLL: GetKeyboardType
> ADVAPI32.DLL: RegQueryValueExA
> OLEAUT32.DLL: SysFreeString
> KERNEL32.DLL: TlsSetValue
> ADVAPI32.DLL: RegSetValueExA
> KERNEL32.DLL: lstrcpyA
> MPR.DLL: WNetOpenEnumA
> VERSION.DLL: VerQueryValueA
> GDI32.DLL: UnrealizeObject
> USER32.DLL: CreateWindowExA
> KERNEL32.DLL: Sleep
> OLEAUT32.DLL: SafeArrayPtrOfIndex
> COMCTL32.DLL: ImageList_SetIconSize
> SHELL32.DLL: Shell_NotifyIconA
> WININET.DLL: InternetReadFile
> ADVAPI32.DLL: StartServiceA
> WSOCK32.DLL: WSACleanup
> IMAGEHLP.DLL: CheckSumMappedFile
> WINMM.DLL: waveOutWrite
> AVICAP32.DLL: capCreateCaptureWindowA
> MSACM32.DLL: acmFormatChooseA
> WS2_32.DLL: WSAIoctl
> ADVAPI32.DLL: SetSecurityInfo
> AVICAP32.DLL: capGetDriverDescriptionA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogr ... 378A1F6E80097A6ED84
packers (Avast): NsPack, NsPack
packers (F-Prot): NSPack
packers (Authentium): NSPack


http://blog.csdn.net/purpleendurer

Unmoved by favour or disgrace, I watch the flowers bloom and fall before the hall; indifferent to staying or going, I follow the clouds as they gather and scatter beyond the sky.

Reply: 20.49.12 does not react to beep.sys, DOVA

beep.sys is a textbook-level driver that receives DeviceIoControl from a Ring3 program to restore the SSDT; with no more behaviour than that, it is normal for AV products to ignore it. No need to go into detail; here is the idb.

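As an added triage example (not code from the thread or from any of its posters), the check below turns the indicators visible in the two PEInfo dumps above and the reply's description of beep.sys into tags: a driver that imports only ntoskrnl.exe, references KeServiceDescriptorTable and exposes a device object with ProbeForRead/ProbeForWrite, versus a user-mode binary with a packer-style import set, unnamed sections and a section at entropy 8.00. The sample dicts are transcribed from the page; the tag names and the 7.5 entropy threshold are my own assumptions.

```python
# Added example, not from the forum post: triage tags from PEInfo-style data.
# Sample dicts are transcribed from the page; tag names/thresholds are assumed.
SSDT = {"KeServiceDescriptorTable"}
IOCTL_SURFACE = {"ProbeForRead", "ProbeForWrite", "IoCreateDevice", "IoCreateSymbolicLink"}
UNPACK_STUB = {"LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect"}
CAPTURE_APIS = {"capCreateCaptureWindowA", "capGetDriverDescriptionA"}


def triage(sample):
    """Return sorted indicator tags for one sample description."""
    imports = {f for funcs in sample["imports"].values() for f in funcs}
    tags = set()
    if not sample["signed"] and "\\drivers\\" in sample["path"].lower():
        tags.add("unsigned-driver-in-system32")
    if set(sample["imports"]) == {"ntoskrnl.exe"}:  # kernel driver, nothing else
        if imports & SSDT:
            tags.add("references-ssdt")
        if IOCTL_SURFACE <= imports:  # device object plus user-mode buffer probes
            tags.add("ioctl-interface-with-usermode-buffers")
    if UNPACK_STUB <= imports:  # minimal import set typical of a packer stub
        tags.add("unpacking-stub-imports")
    if imports & CAPTURE_APIS:
        tags.add("video-capture-capability")
    for name, vsize, rawsize, entropy in sample["sections"]:
        if rawsize and entropy >= 7.5:  # 8.00 on the page: compressed/encrypted
            tags.add("high-entropy-section")
        if not name and vsize:
            tags.add("unnamed-section")
    return sorted(tags)


BEEP_SYS = {  # from the first PEInfo dump on the page
    "path": r"c:\windows\system32\drivers\beep.sys", "signed": False,
    "imports": {"ntoskrnl.exe": [
        "IoCreateSymbolicLink", "IoCreateDevice", "RtlInitUnicodeString",
        "IofCompleteRequest", "DbgPrint", "IoDeleteDevice", "IoDeleteSymbolicLink",
        "KeServiceDescriptorTable", "ProbeForWrite", "ProbeForRead", "_except_handler3"]},
    "sections": [(".text", 0x23c, 0x240, 5.84), (".rdata", 0x94, 0xa0, 2.56),
                 (".data", 0x18, 0x20, 0.00), ("INIT", 0x144, 0x160, 4.44),
                 (".reloc", 0x58, 0x60, 3.47)],
}
DOVA = {  # subset of the second dump's 25 imports, all three of its sections
    "path": r"C:\WINDOWS\DOVA", "signed": False,
    "imports": {"KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                                 "VirtualAlloc", "VirtualFree", "ExitProcess"],
                "AVICAP32.DLL": ["capCreateCaptureWindowA"],
                "WININET.DLL": ["InternetReadFile"]},
    "sections": [("", 0xde000, 0x0, 0.00), ("", 0x39000, 0x38531, 8.00),
                 ("", 0x88a, 0x0, 0.00)],
}
```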

Reply: 20.49.12 does not react to beep.sys, DOVA

Subject: RE: beep.sys [KLAB-5393973]
From: "" <newvirus@kaspersky.com>
Sent: 2008-06-17 19:51:01

Hello,

beep.sys - Backdoor.Win32.Agent.krx

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.
--
Best regards, Andrey Ladikov
Virus analyst, Kaspersky Lab.

e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

Reply: 20.49.12 does not react to beep.sys, DOVA

Rising still does not react to either of the two things.

For whom do I toil and labour, really.

File beep.sys received on 2008.06.22 06:26:38 (CET)
Antivirus engine | Version | Last update | Result
AhnLab-V3 | 2008.6.22.0 | 2008.06.22 | -
AntiVir | 7.8.0.59 | 2008.06.21 | -
Authentium | 5.1.0.4 | 2008.06.21 | W32/SYStroj.N.gen!Eldorado
Avast | 4.8.1195.0 | 2008.06.21 | -
AVG | 7.5.0.516 | 2008.06.21 | Worm/Agent.N
BitDefender | 7.2 | 2008.06.22 | -
CAT-QuickHeal | 9.50 | 2008.06.20 | Backdoor.Agent.krx
ClamAV | 0.93.1 | 2008.06.22 | -
DrWeb | 4.44.0.09170 | 2008.06.21 | -
eSafe | 7.0.15.0 | 2008.06.19 | -
eTrust-Vet | 31.6.5892 | 2008.06.21 | -
Ewido | 4.0 | 2008.06.21 | -
F-Prot | 4.4.4.56 | 2008.06.21 | W32/SYStroj.N.gen!Eldorado
F-Secure | 7.60.13501.0 | 2008.06.20 | Backdoor.Win32.Agent.krx
Fortinet | 3.14.0.0 | 2008.06.22 | -
GData | 2.0.7306.1023 | 2008.06.22 | Backdoor.Win32.Agent.krx
Ikarus | T3.1.1.26.0 | 2008.06.22 | Backdoor.Win32.Agent.krx
Kaspersky | 7.0.0.125 | 2008.06.22 | Backdoor.Win32.Agent.krx
McAfee | 5322 | 2008.06.20 | -
Microsoft | 1.3604 | 2008.06.22 | -
NOD32v2 | 3206 | 2008.06.21 | -
Norman | 5.80.02 | 2008.06.20 | -
Panda | 9.0.0.4 | 2008.06.21 | -
Prevx1 | V2 | 2008.06.22 | -
Rising | 20.49.52.00 | 2008.06.21 | -
Sophos | 4.30.0 | 2008.06.21 | -
Sunbelt | 3.0.1153.1 | 2008.06.15 | -
Symantec | 10 | 2008.06.22 | -
TheHacker | 6.2.92.358 | 2008.06.21 | Backdoor/Agent.krx
TrendMicro | 8.700.0.1004 | 2008.06.20 | -
VBA32 | 3.12.6.7 | 2008.06.21 | -
VirusBuster | 4.3.26:9 | 2008.06.12 | -
Webwasher-Gateway | 6.6.2 | 2008.06.22 | -


Reply: 20.49.12 does not react to beep.sys, DOVA



Quote:
Originally posted by endurer on 2008-6-22 12:29:00
Rising still does not react to either of the two things.

For whom do I toil and labour, really.

File beep.sys received on 2008.06.22 06:26:38 (CET)
[table][tr][td]Antivirus engine[/td][td]Version[/td][td]Last update[/td][td]Result[/td][/tr][tr][td]A......


Hello, we will analyse it as soon as possible; thank you for your support of Rising.

Reply: 20.49.12 does not react to beep.sys, DOVA

1. File name: beep.sys
Virus name: Suspicious.Rootkit.Win32.XSSDT.a
Analysis notes:

2. File name: DOVA
Virus name: Backdoor.Win32.Gpigeon2007.mqf
Analysis notes:

The virus files you reported will be handled in Rising 2008 version 20.50.00 (Rising 2007 version 19.81.00); in special circumstances this may be postponed by a few versions.

Reply: 20.49.12 does not react to beep.sys, DOVA

XSSDT……… what a name to pick

Reply: 20.49.12 does not react to beep.sys, DOVA

cvxzcx