Title: Sample that bypasses Micropoint active defense and 360 Antivirus
Author: xdsn
Time: 2009-11-19 22:04
Today, while I was decoding a web trojan over at Jianmeng, I downloaded the sample along the way. To my surprise, Micropoint's active defense didn't react; I right-clicked and poked at it a few times and still got nothing. Does Micropoint really only react once I actually run the trojan?
360 Antivirus being bypassed was a given; if you don't believe me, take a look:
Antivirus engine  Version  Last update  Scan result
a-squared 4.5.0.41 2009.11.19 Trojan-Dropper.Win32.Small!IK
AhnLab-V3 5.0.0.2 2009.11.19 Dropper/Downloader.26112.AF
AntiVir 7.9.1.72 2009.11.19 TR/Drop.Small.eay.12
Antiy-AVL 2.0.3.7 2009.11.19 Trojan/Win32.Small
Authentium 5.2.0.5 2009.11.19 W32/Sisron.A!Generic
Avast 4.8.1351.0 2009.11.19 Win32:Trojan-gen
AVG 8.5.0.425 2009.11.19 Dropper.Generic.BEZF
BitDefender 7.2 2009.11.19 -
CAT-QuickHeal 10.00 2009.11.19 TrojanDropper.Small.eay
ClamAV 0.94.1 2009.11.19 -
Comodo 2979 2009.11.18 -
DrWeb 5.0.0.12182 2009.11.19 Trojan.MulDrop.45380
eSafe 7.0.17.0 2009.11.18 Win32.TRDrop.Small.E
eTrust-Vet 35.1.7130 2009.11.19 Win32/KillAV.MM
F-Prot 4.5.1.85 2009.11.19 W32/Sisron.A!Generic
F-Secure 9.0.15370.0 2009.11.17 -
Fortinet 3.120.0.0 2009.11.19 W32/BXL!tr.dldr
GData 19 2009.11.19 Win32:Trojan-gen
Ikarus T3.1.1.74.0 2009.11.19 Trojan-Dropper.Win32.Small
Jiangmin 11.0.800 2009.11.19 TrojanDropper.Small.dxf
K7AntiVirus 7.10.900 2009.11.19 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.11.19 Trojan-Dropper.Win32.Small.eay
McAfee 5806 2009.11.18 Downloader-BXL
McAfee+Artemis 5806 2009.11.18 Downloader-BXL
McAfee-GW-Edition 6.8.5 2009.11.19 Heuristic.BehavesLike.Win32.PasswordStealer.L
Microsoft 1.5302 2009.11.19 TrojanDropper:Win32/Jadtre.B
NOD32 4622 2009.11.19 Win32/KillAV.NGK
Norman 6.03.02 2009.11.19 -
nProtect 2009.1.8.0 2009.11.19 Trojan-Dropper/W32.Small.26112.L
Panda 10.0.2.2 2009.11.18 Trj/CI.A
PCTools 7.0.3.5 2009.11.19 Trojan.Dropper
Prevx 3.0 2009.11.19 Medium Risk Malware
Rising 22.22.03.09 2009.11.19 Trojan.DL.Win32.Mnless.fyk
Sophos 4.47.0 2009.11.19 Troj/Mdrop-CID
Sunbelt 3.2.1858.2 2009.11.19 Trojan.Win32.Generic!BT
Symantec 1.4.4.12 2009.11.19 Trojan.Dropper
TheHacker 6.5.0.2.073 2009.11.18 -
TrendMicro 9.0.0.1003 2009.11.19 TROJ_JADTRE.A
VBA32 3.12.12.0 2009.11.19 Trojan-Dropper.Win32.Small.eay
ViRobot 2009.11.19.2045 2009.11.19 Dropper.Small.26112.G
VirusBuster 5.0.21.0 2009.11.18 Trojan.DR.Small.CRVO
Additional information
File size: 26112 bytes
MD5...: d89c060903d62d5db826ac809e01f932
SHA1..: a366537046684f8d4a754495334d50462bece25e
SHA256: ed1eac6dcdd884d44c610c046b5f684c38b744a5d9c62599a4111b778a325e17
ssdeep: 384:LFYPCm11GMaMzFO2wc9bHioAaqMTFkuImHBW29/0o:LFjmrGwlwcg1aqMTFkub1
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x19bc
timedatestamp.....: 0x4afbcdbf (Thu Nov 12 08:56:31 2009)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb4c 0xc00 5.52 b79d5e75cc827db666b1c4ba202fb57c
.rdata 0x2000 0x78c 0x800 5.03 dc3049e90b0e625af933ac55a5b2d62d
.data 0x3000 0x18c 0x200 4.21 ff6a357d1adcd8b6614dea5bbe01d9bc
.rsrc 0x4000 0x4870 0x4a00 5.91 5174b0e3ce6f82580f27c5834cd6985b
.reloc 0x9000 0x1da 0x200 4.49 5b5734d7498b5f008627b4ba46ce6bd0
( 5 imports )
> MSVCRT.dll: memcpy, _acmdln, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, strlen, memset, _exit, __getmainargs, _XcptFilter, _adjust_fdiv, __setusermatherr, _initterm, exit
> SHLWAPI.dll: PathFileExistsA
> KERNEL32.dll: GetStartupInfoA, GetTempPathA, CloseHandle, GetCurrentThreadId, GetModuleHandleA, LoadLibraryA, GetProcAddress, MultiByteToWideChar, SizeofResource, CreateFileA, SetFilePointer, lstrlenA, SetEndOfFile, FindResourceW, FreeLibrary, LoadResource, GlobalLock, SetFileTime, GetWindowsDirectoryA, WriteFile
> USER32.dll: PostThreadMessageA, wsprintfA, GetInputState, GetMessageA
> ADVAPI32.dll: ControlService, QueryServiceStatus, RegOpenKeyExA, RegCreateKeyExA, StartServiceA, CreateServiceA, RegQueryValueExA, RegSetValueExA, CloseServiceHandle, OpenServiceA
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=3A63587B0050521566F300435971AC0061346173
packers (Antiy-AVL): Armadillo 1.71
packers (F-Prot): embedded

Author: xdsn
Time: 2009-11-19 22:05
Because BD didn't flag it.

Author: xdsn
Time: 2009-11-19 22:15
Already reported via e-mail.

Author: Legend
Time: 2009-11-19 22:21
Thank you for your feedback. When you report it, please submit the sample file together with Micropoint's technical support information, and then send me the e-mail address you used by forum private message, so we can track and handle your issue.

Author: simonfour
Time: 2009-11-20 02:04
Ugh.... You haven't even run it and you're already saying it bypasses Micropoint..........
Speechless.

Author: sharpyou123
Time: 2009-11-20 11:15
Micropoint uses third-generation anti-virus technology, i.e. if the virus isn't executed, there is no alert.

Author: zhcoffish
Time: 2009-11-20 12:27
That's why Micropoint released a scanning version.

Author: Legend
Time: 2009-11-23 17:42
We have analysed and tested the file reported by the OP.
File: server.exe
Result: Trojan-Downloader.Win32.Agent.a
Please wait for Micropoint's update. This thread is being closed for now; if you have other questions, please open a new thread.

Welcome to the Micropoint forum (http://bbs.micropoint.com.cn/)