
[RAV] 恶意行为拦截的手都软了

恶意行为拦截的手都软了

本世纪最囧的拦截:运行样本后,木马行为拦截无限次弹出同一个提示框;点击"隔离删除"后又立刻弹出相同的提示窗口。查看拦截记录,已经点击了160多次还在弹,手都软了,只好重启。从现象看,拦截似乎只阻止了单次操作而没有结束样本进程,所以它一直在重试(待确认)。
建议木马行为防御的提示框也加一个"应用到所有"或"关机前均执行此操作"的选项,否则点一辈子都点不完。
样本(恶意软件,请只在隔离的虚拟机中解压运行):

附件: movie.rar (2009-7-11 18:37:28, 457.50 K)
该附件被下载次数 167






病毒行为分析


引用:
71a274df    RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)   
71a280c4    RegOpenKeyExA (Protocol_Catalog9)   
71a2777e    RegOpenKeyExA (00000009)   
71a2764d    RegOpenKeyExA (Catalog_Entries)   
71a27cea    RegOpenKeyExA (000000000001)   
71a27cea    RegOpenKeyExA (000000000002)   
71a27cea    RegOpenKeyExA (000000000003)   
71a27cea    RegOpenKeyExA (000000000004)   
71a27cea    RegOpenKeyExA (000000000005)   
71a27cea    RegOpenKeyExA (000000000006)   
71a27cea    RegOpenKeyExA (000000000007)   
71a27cea    RegOpenKeyExA (000000000008)   
71a27cea    RegOpenKeyExA (000000000009)   
71a27cea    RegOpenKeyExA (000000000010)   
71a27cea    RegOpenKeyExA (000000000011)   
71a27cea    RegOpenKeyExA (000000000012)   
71a27cea    RegOpenKeyExA (000000000013)   
71a22623    WaitForSingleObject(798,0)   
71a287c6    RegOpenKeyExA (NameSpace_Catalog5)   
71a2777e    RegOpenKeyExA (00000004)   
71a2835b    RegOpenKeyExA (Catalog_Entries)   
71a284ef    RegOpenKeyExA (000000000001)   
71a284ef    RegOpenKeyExA (000000000002)   
71a284ef    RegOpenKeyExA (000000000003)   
71a22623    WaitForSingleObject(790,0)   
71a11af2    RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)   
71a1198e    GlobalAlloc()   
7c80b72f    ExitThread()   
76ef72fc    GetVersionExA()   
76ef71c0    RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Tcpip\Parameters)   
76d3554d    GetVersionExA()   
76d357ff    CreateFileA(\\.\Ip)   
76d35ad2    RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage)   
76d35aec    RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\)   
76d35b03    RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces)   
76d35b1d    RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters)   
5d173344    GetVersionExA()   
5d1733ab    GetCommandLineA()   
5d174952    GetVersionExA()   
5d1754e8    GetCurrentProcessId()=1404   
5d175742    GetVersionExA()   
7d5f708b    GetVersionExA()   
230f3bd0    LoadLibraryA(KERNEL32.DLL)=7c800000   
230f3bd0    LoadLibraryA(ADVAPI32.dll)=77da0000   
230f3bd0    LoadLibraryA(DNSAPI.dll)=76ef0000   
230f3bd0    LoadLibraryA(iphlpapi.dll)=76d30000   
230f3bd0    LoadLibraryA(ole32.dll)=76990000   
230f3bd0    LoadLibraryA(OLEAUT32.dll)=770f0000   
230f3bd0    LoadLibraryA(PSAPI.DLL)=76bc0000   
230f3bd0    LoadLibraryA(SHELL32.dll)=7d590000   
230f3bd0    LoadLibraryA(USER32.dll)=77d10000   
230f3bd0    LoadLibraryA(WININET.dll)=76680000   
230f3bd0    LoadLibraryA(WS2_32.dll)=71a20000   
230a0afa    GetCurrentProcessId()=1404   
23094471    GetVersionExA()   
23094530    GetCommandLineA()   
7c8106f5    CreateRemoteThread(h=ffffffff, start=23004da6)   
23003794    RegCreateKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion,(null))   
2304f43d    WaitForSingleObject(750,0)   
2304f43d    WaitForSingleObject(750,37)   
23035f40    RegCreateKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\Run,(null))   
23035f40    RegCreateKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,(null))   
23035ed7    RegCreateKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\Run,(null))   
23035efe    RegSetValueExA (PromoReg)   
2304278e    WaitForSingleObject(740,0)   
23004bf5    CreateFileA(c:\AUTOEXEC.BAT)   
23004c47    ReadFile()   
23042c46    WaitForSingleObject(740,0)   
23004bf5    CreateFileA(c:\boot.ini)   
23004bf5    CreateFileA(c:\bootfont.bin)   
23041be1    GetSystemTime()   
2307faf6    GetVersionExA()   
2307fb03    LoadLibraryA(ADVAPI32.DLL)=77da0000   
2307fb10    LoadLibraryA(KERNEL32.DLL)=7c800000   
2307fb19    LoadLibraryA(NETAPI32.DLL)=5fdd0000   
77e6c7ce    RegOpenKeyExA (HKLM\Software\Microsoft\Rpc)   
23004bf5    CreateFileA(c:\CONFIG.SYS)   
77db991b    RegOpenKeyExA (SOFTWARE\Microsoft\Cryptography\Providers\Type 001)   
77db99ab    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001)   
77db7a7b    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider)   
77db8d6c    ReadFile()   
7c821a94    CreateFileA(C:\WINDOWS\system32\rsaenh.dll)   
68026005    ReadFile()   
680265ce    RegOpenKeyExA (HKLM\Software\Policies\Microsoft\Cryptography)   
77db8830    LoadLibraryA(rsaenh.dll)=68000000   
680223ff    RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography)   
680257b0    RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\Offload)   
77db7a7b    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Intel Hardware Cryptographic Service Provider)   
2307fd5b    LoadLibraryA(USER32.DLL)=77d10000   
7c866274    GetCurrentProcessId()=1404   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\desktop.ini)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\ettb2.cfg)   
23080272    GetCurrentProcessId()=1404   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\ettb2.cfg.pi)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\feature.dat)   
23035de0    RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion)   
23035d3a    RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion)   
23035d78    RegSetValueExA (RList)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\ksoapp.cfg)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\plgpf\plgcfg\ksocards\config\ksocards.cfg)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\plgpf\plgcfg\openplugin\config\lg.lst)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\plgpf\wpshome\config.xml)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\searchicon\google.ico)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\searchicon\google_Pic.ico)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\searchicon\iciba.ico)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\searchicon\iciba_Pic.ico)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\templates\2052\newfile.dps)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\templates\2052\newfile.et)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\templates\2052\newfile.wps)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\templates\Normal.wpt)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\ueic.cfg)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\wpstb2.cfg)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Kingsoft\office6\wpstb2.cfg.pi)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol)   
5addbdf9    GetCurrentProcessId()=1404   
5adca0e2    IsDebuggerPresent()   
7468270e    GetVersionExA()   
7468322b    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\Compatibility\movie.exe)   
7468322b    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\SystemShared\)   
7468322b    RegOpenKeyExA (HKCU\Keyboard Layout\Toggle)   
7468266e    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\)   
74684606    GetCurrentProcessId()=1404   
746824c1    CreateMutex(CTF.TimListCache.FMPDefaultS-1-5-21-329068152-1364589140-842925246-500MUTEX.DefaultS-1-5-21-329068152-1364589140-842925246-500)   
7469d74a    WaitForSingleObject(6d0,1388)   
746b6302    GetCurrentProcessId()=1404   
76fa4b9e    GetVersionExA()   
769c2cc5    LoadLibraryA(CLBCATQ.DLL)=76fa0000   
769c34a1    LoadLibraryA(CLBCATQ.DLL)=76fa0000   
7c8165b3    WaitForSingleObject(6cc,64)   
76fa6641    GetVersionExA()   
76fdadf4    ReadFile()   
769bfbc7    GetCurrentProcessId()=1404   
73658f83    GetVersionExA()   
73665275    GetVersionExA()   
7365d544    LoadLibraryA(C:\WINDOWS\system32\ole32.dll)=76990000   
77e7f2ff    RegOpenKeyExA (HKLM\Software\Microsoft\Rpc\SecurityService)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-329068152-1364589140-842925246-500\a18ca4003deb042bbee7a40f15e1970b_1a457744-de48-442e-8a3e-40114b15a69b)   
769dfa76    LoadLibraryA(oleaut32.dll)=770f0000   
60febf16    LoadLibraryA(OLEAUT32.dll)=770f0000   
60febf16    LoadLibraryA(SHLWAPI.dll)=77f40000   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\IME\winabc\tmmr.rem)   
769af96d    WaitForSingleObject(6bc,0)   
769af96d    WaitForSingleObject(6b4,0)   
769af96d    WaitForSingleObject(6ac,0)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\IME\winabc\user.rem)   
2304e1c7    socket(family=2,type=2,proto=11)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak)   
71a278f1    LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=719c0000   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt)   
77f48c16    RegOpenKeyExA (HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings)   
766cd8db    RegOpenKeyExA (HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings)   
766cd8f9    RegOpenKeyExA (HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings)   
719cc359    LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=719c0000   
766cd912    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings)   
766cd92f    RegOpenKeyExA (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings)   
77db5439    LoadLibraryA(Secur32.dll)=77fc0000   
766840d6    RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache)   
71a117d6    GlobalAlloc()   
766840d6    RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)   
7668778a    RegOpenKeyExA (HKLM\System\Setup)   
766840d6    RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)   
766840d6    RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)   
766840d6    RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders)   
2304e18e    bind(580, port=53)   
60febf16    LoadLibraryA(WS2_32.dll)=71a20000   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt)   
766862e1    RegOpenKeyExA (Content)   
766880ae    LoadLibraryA(shell32.dll)=7d590000   
77f46aed    WaitForSingleObject(4fc,0)   
766862e1    RegOpenKeyExA (Paths)   
766862e1    RegOpenKeyExA (Path1)   
766862e1    RegOpenKeyExA (Path2)   
766862e1    RegOpenKeyExA (Path3)   
766862e1    RegOpenKeyExA (Path4)   
766862e1    RegOpenKeyExA (Special Paths)   
766a2eb7    RegSetValueExA (Directory)   
766a2f1c    RegSetValueExA (Paths)   
766a2eb7    RegSetValueExA (CachePath)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini)   
766a2f1c    RegSetValueExA (CacheLimit)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\显示桌面.scf)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\暴风影音.lnk)   
766862e1    RegOpenKeyExA (Cookies)   
23004bf5    CreateFileA(c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\瑞星杀毒软件.lnk)   
766862e1    RegOpenKeyExA (History)   
2304bf04    WaitForSingleObject(550,0)   
2304bf04    WaitForSingleObject(430,0)   
7668374d    WaitForSingleObject(558,ffffffff)   
2304bf04    WaitForSingleObject(4bc,0)   
2304bf04    WaitForSingleObject(42c,0)   
2304c1c6    WaitForSingleObject(75c,0)   
2304bf04    WaitForSingleObject(41c,0)   
2304bf04    WaitForSingleObject(410,0)   
76685a56    CreateFileA(C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat)   
76685b60    CreateFileA(C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat)   
7668374d    WaitForSingleObject(370,ffffffff)   
76685a56    CreateFileA(C:\Documents and Settings\Administrator\Cookies\index.dat)   
76685b60    CreateFileA(C:\Documents and Settings\Administrator\Cookies\index.dat)   
7668374d    WaitForSingleObject(340,ffffffff)   
76685a56    CreateFileA(C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat)   
76685b60    CreateFileA(C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat)   
766862e1    RegOpenKeyExA (Extensible Cache)   
7668796f    WaitForSingleObject(560,ea60)   
766862e1    RegOpenKeyExA (MSHist012009070920090710)   
766862e1    RegOpenKeyExA (MSHist012009071120090712)   
2305421e    LoadLibraryA(wpcap.dll)=0   
77f501b2    RegOpenKeyExA (HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings)   
230041e7    socket(family=2,type=1,proto=6)   
766891cb    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings)   
7668a3c2    RegOpenKeyExA (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)   
766cd747    RegOpenKeyExA (HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)   
766cd765    RegOpenKeyExA (HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)   
766cd77e    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)   
766cd79b    RegOpenKeyExA (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)   
77f48c16    RegOpenKeyExA (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings)   
77f48e14    RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings)   
2304bf04    WaitForSingleObject(404,0)   
2304bf04    WaitForSingleObject(3fc,0)   
2304bf04    WaitForSingleObject(3ec,0)   
2304bf04    WaitForSingleObject(3e0,0)   


最后编辑89100062 最后编辑于 2009-07-11 18:48:09

回复:恶意行为拦截的手都软了

感谢您的反馈,我们会尽快反馈到相关部门进行检测,欢迎继续测试2010版

回复:恶意行为拦截的手都软了

LZ是卡饭的

我是江湖的fans
卡饭-江湖的fans

回复:恶意行为拦截的手都软了

瑞星 22.03.05.22 版本已经能查杀该样本。



回复 3F 小P~ 的帖子

咱偷偷的来

回复 4F baohe 的帖子

是可以查杀了,但木马行为拦截的提示还是弹不完。