7 random letters (07.06.12)

The sample received today is much like the earlier ones.

The list of blocked keywords (window titles the sample looks for and kills) has grown to include:

QQ医生 (QQ Doctor), 微点 (Micropoint), 上报 (submit), 举报 (report)

Packed with NsPack (the 北斗 packer), written in Delphi.

Same old behaviour:

  breaks Safe Mode and the show-hidden-files option, IFEO hijacking, spreads via Autorun.inf on every drive it enumerates, kills AV and security tools, disables services, writes Run startup entries, and so on.

Every bad thing it can do, it does.

Detailed removal instructions:

[url]http://gudugengkekao.blog.51cto.com/blog/172212/29172[/url]

I've been playing an online game lately, so I only tracked this for a while and couldn't be bothered to write it up in detail.

Some data attached:
 
 
MD2_128  : 63F7B14AD1AC6F0CA2BC0D5B638DA567
MD4_128  : 4932957C04FB07345BD5CB7964005CE5
MD5_128  : C52CB8FE848D635BCF42CFB7B5EA8813
SHA160   : AFD6AD534C89A5AB92EDBF3A962CC6B30791F07B
SHA256   : FDF13B62A783BAD7841E8E8B1572B0CE3870C19F1FCFA8D042E14E83CA07410A
SHA384   : 3548FE44C0587C7FEA337D2049B42CB581B1B90F90B5241BAE5011A01F2ABF32739FABC37790CFCBFE345F43C3703F2A
SHA512   : E0014B90DCDDCE972D169AC470D449BE6B7EC9B4535F546906A27249167C8E8F8834DB4A08DBB1CB453D7A8E821123969A323FEE99ED4DEDC60B973DC4C3424C
CRC32    : 334D8866
RIPEMD160: EE13254D76EEDC6B7127FBD0EE7559CC5FABE5C6
Tiger_192: 917C027DF6DA3AF8F8300B9C8F43738C7F63D59F5196F188
PanamaHash_256: 4407D9D5F5275250F2FBA6172B80AA688431A39ED3D5C1C087854B3C082A1CF3
HAVAL(128bit,pass=3): 4E37CA893146526BD967E477CA460849
HAVAL(160bit,pass=3): 494311073F65B0C31D2C3BFB64770FA11030D644
HAVAL(192bit,pass=3): 3F13763622DD829845988D67597E1DE3EF0BC49A5BA3DF3A
HAVAL(224bit,pass=3): A6830AAA545EE72FCC0B8E873565ADE578164B41266EEE3AD5E4311D
HAVAL(256bit,pass=3): D31327958D110EF54B3539FCA04F31E85EB48FBDC7B06CC0D38427C440524628
HAVAL(128bit,pass=4): D52D4E09F9388B52D3E6692B1672731C
HAVAL(160bit,pass=4): 7F67337A08045EFDC0F7F866CBD68FCD5544625C
HAVAL(192bit,pass=4): 9AFBFCDA9C8DDC91AFA53EBE2221824653253D66BC1CF2DB
HAVAL(224bit,pass=4): C6582E76873D09060C9E171983179ECD011ED8414F25511E74579DFD
HAVAL(256bit,pass=4): A9DCD73CCD81E6D6CAC73CC7230E184C5D90F8BCC1E430C240CB7457E290EAD6
HAVAL(128bit,pass=5): 39A0907EEB25DA81F665C2CDF2AD4797
HAVAL(160bit,pass=5): 7D975A05005D46916937BE600BE13CFF83D34404
HAVAL(192bit,pass=5): B58199818F38E607006624761700ECE5D49D5D8E894478AA
HAVAL(224bit,pass=5): AF1F63969A9B731E533060277C3F9270EAAED16017C0E61F05A56599
HAVAL(256bit,pass=5): 1909D816406F8FD39B997C8D6273DBBFA0A69D667701D69F625FA7CB0B3841CC
 

Scan results (engine, version, signature date, result):

AhnLab-V3 2007.6.12.0 06.11.2007  no virus found
AntiVir 7.4.0.32 06.11.2007 TR/Crypt.NSPI.Gen
Authentium 4.93.8 06.11.2007 Possibly a new variant of W32/Threat-HLLIN-Slipper-based!Maximus
Avast 4.7.997.0 06.09.2007 Win32:Delf-ERE
AVG 7.5.0.467 06.11.2007 Worm/Generic.BVB
BitDefender 7.2 06.12.2007 Generic.Malware.SP!dldPk!g.E44824E9
CAT-QuickHeal 9.00 06.11.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 06.12.2007  no virus found
DrWeb 4.33 06.11.2007 DLOADER.Trojan
eSafe 7.0.15.0 06.11.2007 Virus.Win32.AutoRun.
eTrust-Vet 30.7.3712 06.11.2007  no virus found
Ewido 4.0 06.11.2007 Heuristic.Win32.AVKiller
FileAdvisor 1 06.12.2007  no virus found
Fortinet 2.85.0.0 06.11.2007  no virus found
F-Prot 4.3.2.48 06.11.2007 W32/Threat-HLLIN-Slipper-based!Maximus
F-Secure 6.70.13030.0 06.12.2007 Virus.Win32.AutoRun.ao
Ikarus T3.1.1.8 06.11.2007 Backdoor.Win32.PcClient.GV
Kaspersky 4.0.2.24 06.12.2007 Virus.Win32.AutoRun.ao
McAfee 5050 06.11.2007 New Malware.aq
Microsoft 1.2503 06.12.2007  no virus found
NOD32v2 2323 06.11.2007 Win32/Delf.NDF
Norman 5.80.02 06.11.2007  no virus found
Panda 9.0.0.4 06.12.2007 Suspicious file
Prevx1 V2 06.12.2007  no virus found
Sophos 4.18.0 06.01.2007 Mal/SillyFDC-A
Sunbelt 2.2.907.0 06.09.2007 VIPRE.Suspicious
Symantec 10 06.12.2007 W32.Dotex
TheHacker 6.1.6.132 06.11.2007  no virus found
VBA32 3.12.0.1 06.11.2007 Worm.Win32.Delf.NDF
VirusBuster 4.3.23:9 06.11.2007 
Webwasher-Gateway 6.0.1 06.11.2007 Trojan.Crypt.NSPI.Gen

Additional information
File size: 23419 bytes
MD5: c52cb8fe848d635bcf42cfb7b5ea8813
SHA1: afd6ad534c89a5ab92edbf3a962cc6b30791f07b
packers: NsPack

Behaviour-monitor records follow. xywrebh.exe is the packed sample and xywrebh(已脱壳).exe the unpacked copy, both run from the Desktop (桌面). Note that avp.exe is Kaspersky's main process, so an IFEO key for it is the classic AV-kill via the Debugger value; SharedAccess is the Windows Firewall/ICS service; a service Start value of 4 means SERVICE_DISABLED (3 is manual start, 2 is automatic).

Parent process:
   Path: C:\Documents and Settings\admin\桌面\xywrebh(已脱壳).exe
   PID: 1420
Child process:
   Path: C:\Program Files\Common Files\System\.exe
   Command line:"C:\Program Files\Common Files\System\.exe"
 
 
Parent process:
   Path: C:\Documents and Settings\admin\桌面\xywrebh(已脱壳).exe
   PID: 1420
Child process:
   Path: C:\Program Files\Common Files\Microsoft Shared\.exe
   Command line:"C:\Program Files\Common Files\Microsoft Shared\.exe"
 

Process:
   Path: C:\Program Files\Common Files\System\.exe
   PID: 1432
Registry Group: System
Object:
   Registry key: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Image File Execution Options\avp.exe
 

Process:
   Path: C:\Program Files\Common Files\System\.exe
   PID: 1432
Registry Group: Services
Object:
   Registry key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
   Registry value: Start
   New value:
      Type: REG_DWORD
      Value: 00000004
   Previous value:
      Type: REG_DWORD
      Value: 00000003
 
 
Process:
   Path: C:\Program Files\Common Files\System\.exe
   PID: 1432
Registry Group: Services
Object:
   Registry key: HKLM\SYSTEM\CurrentControlSet\Services\RSPPSYS
   Registry value: Start
   New value:
      Type: REG_DWORD
      Value: 00000004
   Previous value:
      Type: REG_DWORD
      Value: 00000002
 
 
 
Parent process:
   Path: C:\Documents and Settings\admin\桌面\xywrebh.exe
   PID: 25868
Child process:
   Path: C:\Program Files\Common Files\Microsoft Shared\nuygtvw.exe
   Command line:"C:\Program Files\Common Files\Microsoft Shared\nuygtvw.exe"
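As an added example (not code from the original post), the Python below parses monitor records in the format shown above and flags the three behaviours the post calls out: an IFEO key created for a security tool, a service switched to Start=4 (disabled), and a dropped executable with a 7-random-letter name under Common Files. The sample input is constructed from the records above (with the Desktop path translated and the empty "\System\.exe" file name reproduced as the post shows it); the set of security-tool image names is an assumption for illustration. The post only shows the IFEO key being created, not the Debugger value written under it, so the check keys on the image name alone.

```python
"""Triage of behaviour-monitor records of the kind shown in the post.

Added example; not code from the original post.  Records are separated by
blank lines and nested by a 3-space indent, e.g.

    Process:
       Path: ...
    Object:
       Registry key: ...
       New value:
          Value: 00000004
"""
import re

# Constructed sample input, copied from the records in the post.
SAMPLE_LOG = r"""
Parent process:
   Path: C:\Documents and Settings\admin\Desktop\xywrebh.exe
   PID: 25868
Child process:
   Path: C:\Program Files\Common Files\Microsoft Shared\nuygtvw.exe
   Command line:"C:\Program Files\Common Files\Microsoft Shared\nuygtvw.exe"

Process:
   Path: C:\Program Files\Common Files\System\.exe
   PID: 1432
Registry Group: System
Object:
   Registry key: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Image File Execution Options\avp.exe

Process:
   Path: C:\Program Files\Common Files\System\.exe
   PID: 1432
Registry Group: Services
Object:
   Registry key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
   Registry value: Start
   New value:
      Type: REG_DWORD
      Value: 00000004
   Previous value:
      Type: REG_DWORD
      Value: 00000003
"""

# Assumed list of security-tool image names (avp.exe is Kaspersky's); an IFEO
# key for any of these is rated high, for anything else medium.
SECURITY_TOOLS = {"avp.exe", "kavsvc.exe", "ravmon.exe", "mcshield.exe"}

IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"\\([a-z]{7})\.exe$")      # 7 random lowercase letters
SERVICE_START = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


def parse_records(text):
    """Flatten each blank-line-separated record into a dict keyed by
    'section.field', e.g. 'child process.path' or 'object.new value.value'."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec, stack = {}, []
        for raw in chunk.splitlines():
            if not raw.strip():
                continue
            depth = (len(raw) - len(raw.lstrip(" "))) // 3
            key, _, value = raw.strip().partition(":")
            key, value = key.strip().lower(), value.strip()
            del stack[depth:]            # drop sections deeper than this line
            if value == "":              # a header line such as "New value:"
                stack.append(key)
            else:
                rec[".".join(stack + [key])] = value
        records.append(rec)
    return records


def triage(records):
    """Return (severity, message) findings for the behaviours of interest."""
    findings = []
    for rec in records:
        key = rec.get("object.registry key", "")

        m = IFEO_RE.search(key)
        if m:                                       # IFEO hijack of a process name
            image = m.group(1).lower()
            sev = "high" if image in SECURITY_TOOLS else "medium"
            findings.append((sev, f"IFEO key created for {image}"))

        m = SERVICE_RE.search(key)
        if m and rec.get("object.registry value", "").lower() == "start":
            new = int(rec.get("object.new value.value", "0"), 16)   # REG_DWORD as hex
            old = int(rec.get("object.previous value.value", "0"), 16)
            if new == 4 and old != 4:               # 4 == SERVICE_DISABLED
                findings.append(("high", f"service {m.group(1)} disabled "
                                 f"(Start {SERVICE_START.get(old, old)} -> disabled)"))

        child = rec.get("child process.path", "")
        m = RANDOM_NAME_RE.search(child)
        if m and "\\common files\\" in child.lower():   # dropper under Common Files
            findings.append(("medium", f"dropped {m.group(1)}.exe under Common Files"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(parse_records(SAMPLE_LOG)):
        print(f"[{sev}] {msg}")
```

To run it over a real export, replace SAMPLE_LOG with the monitor's text dump; the parser only relies on the blank-line separation and 3-space indentation seen above.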
 
 
Screenshots (five images in the original post; not reproduced here)