Encountered Windows Update.exe (Trojan.Win32.Autoit.fc) and 情se发布器.exe (AdWare.Win32.Undef.eko)

endurer, original
2009-05-19, 1st edition

 

A friend's computer recently developed a strange problem, and he asked me to help check it.

After booting to the Windows desktop the machine felt very sluggish: apart from the 超级巡警 (Super Patrol) window, every other window that was opened kept flickering as if foreground and background programs were being switched constantly, which made it very hard to operate.

I opened Task Manager and checked the processes' CPU usage: total CPU usage was 100%, and the process Windows Update.exe alone accounted for about 70%.

I restarted the computer into "Safe Mode with Command Prompt", ran pe_xscan, and on analysing its log found the following suspicious items:

 

 

pe_xscan 09-04-28 by Purple Endurer
2009-05-19 14:12:4
Windows XP Service Pack 3(5.1.2600)
MSIE:6.0.2900.5512
管理员用户组
带命令行提示的安全模式

F2 - REG: system.ini: UserInit = <C:/WINDOWS/system32/userinit.exe,C:/WINDOWS/system32/Windows Update.exe>

O30 - IeOpenHomePage =

 

In addition, 情se发布器.exe was found in C:/, carrying a Windows Media Player icon; suspicious.

I extracted the file information with FileInfo, packed the files up as a backup with bat_do, and then deleted them.

 

I repaired the F2 item with HijackThis.

 

The O30 item indicates that the value of the registry key

HKEY_CLASSES_ROOT/CLSID/{871C5380-42A0-1069-A2EA-08002B30309D}/shell/OpenHomePage/Command

had been modified; removing the URL appended at the end by hand is enough.

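As an added illustration (not code from the original post or from pe_xscan itself), the Python below applies the two checks made above to pe_xscan-style log lines: it flags any Userinit entry other than the stock userinit.exe (the F2 item, which is what launched Windows Update.exe at every logon, since Winlogon runs each comma-separated entry of that value) and any URL carried by the O30 IeOpenHomePage item (the CLSID {871C5380-42A0-1069-A2EA-08002B30309D} is the Internet Explorer desktop object, so its OpenHomePage verb should not carry a URL). The sample log lines are constructed; the O30 URL is a placeholder for the address that was removed by hand.

```python
import re

# Constructed sample in pe_xscan's format: the F2 line mirrors the one in the post,
# the O30 URL is a placeholder for the address that was removed by hand.
SAMPLE_LOG = """\
F2 - REG: system.ini: UserInit = <C:/WINDOWS/system32/userinit.exe,C:/WINDOWS/system32/Windows Update.exe>
O30 - IeOpenHomePage = http://example.invalid/start
"""

# Winlogon launches every comma-separated entry of the Userinit value at logon;
# on a clean system the list holds only the stock userinit.exe.
EXPECTED_USERINIT = {"userinit.exe"}

F2_RE = re.compile(r"^F2 - REG: system\.ini: UserInit = <(?P<value>[^>]*)>")
O30_RE = re.compile(r"^O30 - IeOpenHomePage =(?P<value>.*)$")


def userinit_extras(value):
    """Return the Userinit entries that are not the expected userinit.exe."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename not in EXPECTED_USERINIT:
            extras.append(entry)
    return extras


def triage(log_text):
    """Return (item, finding) pairs for the F2 and O30 items of a pe_xscan log."""
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append(("F2", "extra Userinit entry: " + extra))
            continue
        m = O30_RE.match(line)
        if m and m.group("value").strip():
            # IeOpenHomePage is the shell verb of the Internet Explorer desktop icon;
            # a URL here means the OpenHomePage command was hijacked.
            findings.append(("O30", "IE OpenHomePage hijacked to " + m.group("value").strip()))
    return findings


if __name__ == "__main__":
    for item, finding in triage(SAMPLE_LOG):
        print(item, finding)
```

An empty O30 value, as in the log above, produces no finding; only an appended URL does.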

Appendix: malicious program file information

 

 

File path : C:/WINDOWS/system32/Windows Update.exe
Attributes : A---
Digitally signed: No
PE file: Yes
Language : Chinese (China)
File version : 1.0
Description : Windows Update
Copyright : http://www.microsoft.com/
Comments : Windows Update
Created : 2009-2-22 2:41:3
Modified : 2009-2-22 2:41:14
Size : 325939 bytes (318.307 KB)
MD5 : 422221553bcd2e13612719068973b69a
SHA1: F56611D1BE5E7AB17B3F3A9D7997D153AABE34FC
CRC32: 457d6ebf

 


File Windows_Update.exe.del received on 2009.05.19 08:16:07 (CET)


 

| Antivirus engine | Version | Last update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.05.19 | MalwareScope.Backdoor.Hupigon.3!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.05.19 | - |
| AntiVir | 7.9.0.168 | 2009.05.19 | TR/Crypt.CFI.Gen |
| Antiy-AVL | 2.0.3.1 | 2009.05.18 | Trojan/Win32.StartPage |
| Authentium | 5.1.2.4 | 2009.05.19 | - |
| Avast | 4.8.1335.0 | 2009.05.18 | - |
| AVG | 8.5.0.336 | 2009.05.18 | - |
| BitDefender | 7.2 | 2009.05.19 | - |
| CAT-QuickHeal | 10.00 | 2009.05.15 | Trojan.Agent.ATV |
| ClamAV | 0.94.1 | 2009.05.19 | - |
| Comodo | 1157 | 2009.05.08 | - |
| DrWeb | 5.0.0.12182 | 2009.05.19 | - |
| eSafe | 7.0.17.0 | 2009.05.18 | Suspicious File |
| eTrust-Vet | 31.6.6509 | 2009.05.18 | - |
| F-Prot | 4.4.4.56 | 2009.05.18 | - |
| F-Secure | 8.0.14470.0 | 2009.05.19 | - |
| Fortinet | 3.117.0.0 | 2009.05.18 | - |
| GData | 19 | 2009.05.19 | - |
| Ikarus | T3.1.1.49.0 | 2009.05.19 | MalwareScope.Backdoor.Hupigon.3 |
| K7AntiVirus | 7.10.737 | 2009.05.16 | - |
| Kaspersky | 7.0.0.125 | 2009.05.19 | - |
| McAfee | 5619 | 2009.05.18 | - |
| McAfee+Artemis | 5619 | 2009.05.18 | - |
| McAfee-GW-Edition | 6.7.6 | 2009.05.19 | Trojan.Crypt.CFI.Gen |
| Microsoft | 1.4602 | 2009.05.19 | - |
| NOD32 | 4085 | 2009.05.19 | - |
| Norman | 6.01.05 | 2009.05.18 | Smalltroj.LZEA |
| nProtect | 2009.1.8.0 | 2009.05.19 | - |
| Panda | 10.0.0.14 | 2009.05.18 | Bck/Agent.LQR |
| PCTools | 4.4.2.0 | 2009.05.18 | - |
| Prevx | 3.0 | 2009.05.19 | - |
| Rising | 21.30.10.00 | 2009.05.19 | Trojan.Win32.Autoit.fc |
| Sophos | 4.41.0 | 2009.05.19 | - |
| Sunbelt | 3.2.1858.2 | 2009.05.18 | - |
| Symantec | 1.4.4.12 | 2009.05.19 | - |
| TheHacker | 6.3.4.1.327 | 2009.05.19 | - |
| TrendMicro | 8.950.0.1092 | 2009.05.19 | - |
| ViRobot | 2009.5.19.1740 | 2009.05.19 | - |
| VirusBuster | 4.6.5.0 | 2009.05.18 | - |

 

Additional information

File size: 325939 bytes

MD5...: 422221553bcd2e13612719068973b69a

SHA1..: f56611d1be5e7ab17b3f3a9d7997d153aabe34fc

SHA256: 1b44aa550df933bad777a956201d7d1d6a52b4d369fef4024fe2795ace8b8b93

SHA512: 7c50b7bf3b05055a414ea1a652f7fe583f434f66e053d6d87a6eec1e50e9a61bf1bb1f08951f38dd6dd922c78d3990f2196aa7e6a80b7cceb9ab26b41358e5d5

ssdeep: 6144:PlZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76wf6Lss34yRwV:PHLUMuiv9RgfSjAzRt7fCpjU

PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

TrID..: File type identification

UPX compressed Win32 Executable (43.8%)

Win32 EXE Yoda's Crypter (38.1%)

Win32 Executable Generic (12.2%)

Generic Win/DOS Executable (2.8%)

DOS Executable Generic (2.8%)

PEInfo: PE Structure information


( base data )

entrypointaddress.: 0xab0e0

timedatestamp.....: 0x4951fa17 (Wed Dec 24 09:00:07 2008)

machinetype.......: 0x14c (I386)


( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

UPX0 0x1000 0x6b000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 0x6c000 0x40000 0x3f400 7.93 e946dee236b5ce856d3776cb75eea917

.rsrc 0xac000 0x5000 0x4e00 5.26 cb3d8421caed79623919b9748aef2c18


( 16 imports )

> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

> ADVAPI32.dll: AddAce

> COMCTL32.dll: ImageList_Remove

> COMDLG32.dll: GetSaveFileNameW

> GDI32.dll: BitBlt

> MPR.dll: WNetGetConnectionW

> ole32.dll: CoInitialize

> OLEAUT32.dll: -

> PSAPI.DLL: EnumProcesses

> SHELL32.dll: DragFinish

> USER32.dll: GetDC

> USERENV.dll: LoadUserProfileW

> VERSION.dll: VerQueryValueW

> WININET.dll: FtpOpenFileW

> WINMM.dll: timeGetTime

> WSOCK32.dll: -


( 0 exports )

PDFiD.: -

RDS...: NSRL Reference Data Set

-

packers (Kaspersky): PE_Patch.UPX, UPX

packers (F-Prot): UPX

 

 

 

Subject: RE: 422221553bcd2e13612719068973b69a---Windows Update.exe [KLAN-30650641]
From: newvirus@kaspersky.com
Date: 2009-5-19 16:33:44
Hello,

WindowsUpdate.exe_.unp - Trojan-Downloader.Win32.Agent.bydr

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Pavel Firsov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

 

 

 

File path : C:/情se发布器.exe
Attributes : A---
Digitally signed: No
PE file: Yes
Language : Chinese (China)
File version : 1.0.0.0
Description : 电影播放器 (Movie Player)
Copyright : 电影播放器 (Movie Player)
Comments : 电影播放器 (Movie Player)
Created : 2009-2-16 19:56:51
Modified : 2009-2-22 3:5:32
Size : 327051 bytes (319.395 KB)
MD5 : 110230c200611c32ed487b9fec1e6076
SHA1: 5481AFA2BEDD051D70F39DE1FA0060F507A0345F
CRC32: 7ac87b88

 


File _______________.exe.del received on 2009.05.19 08:27:22 (CET)


 

| Antivirus engine | Version | Last update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.05.19 | Trojan.AgentMB!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.05.19 | - |
| AntiVir | 7.9.0.168 | 2009.05.19 | TR/Crypt.CFI.Gen |
| Antiy-AVL | 2.0.3.1 | 2009.05.18 | - |
| Authentium | 5.1.2.4 | 2009.05.19 | - |
| Avast | 4.8.1335.0 | 2009.05.18 | Win32:Crypt-DOC |
| AVG | 8.5.0.336 | 2009.05.18 | - |
| BitDefender | 7.2 | 2009.05.19 | Gen:Trojan.Heur.3106677233 |
| CAT-QuickHeal | 10.00 | 2009.05.15 | Trojan.Agent.ATV |
| ClamAV | 0.94.1 | 2009.05.19 | - |
| Comodo | 1157 | 2009.05.08 | - |
| DrWeb | 5.0.0.12182 | 2009.05.19 | - |
| eSafe | 7.0.17.0 | 2009.05.18 | Suspicious File |
| eTrust-Vet | 31.6.6509 | 2009.05.18 | - |
| F-Prot | 4.4.4.56 | 2009.05.18 | - |
| F-Secure | 8.0.14470.0 | 2009.05.19 | - |
| Fortinet | 3.117.0.0 | 2009.05.18 | - |
| GData | 19 | 2009.05.19 | Gen:Trojan.Heur.3106677233 |
| Ikarus | T3.1.1.49.0 | 2009.05.19 | Trojan.AgentMB |
| K7AntiVirus | 7.10.737 | 2009.05.16 | - |
| Kaspersky | 7.0.0.125 | 2009.05.19 | - |
| McAfee | 5619 | 2009.05.18 | - |
| McAfee+Artemis | 5619 | 2009.05.18 | - |
| McAfee-GW-Edition | 6.7.6 | 2009.05.19 | Trojan.Crypt.CFI.Gen |
| Microsoft | 1.4602 | 2009.05.19 | - |
| NOD32 | 4085 | 2009.05.19 | - |
| Norman | 6.01.05 | 2009.05.18 | Smalltroj.LQVY |
| nProtect | 2009.1.8.0 | 2009.05.19 | - |
| Panda | 10.0.0.14 | 2009.05.18 | - |
| PCTools | 4.4.2.0 | 2009.05.18 | - |
| Prevx | 3.0 | 2009.05.19 | Medium Risk Malware |
| Rising | 21.30.10.00 | 2009.05.19 | AdWare.Win32.Undef.eko |
| Sophos | 4.41.0 | 2009.05.19 | - |
| Sunbelt | 3.2.1858.2 | 2009.05.18 | - |
| Symantec | 1.4.4.12 | 2009.05.19 | Downloader |
| TheHacker | 6.3.4.1.327 | 2009.05.19 | - |
| TrendMicro | 8.950.0.1092 | 2009.05.19 | - |
| VBA32 | 3.12.10.5 | 2009.05.19 | - |
| ViRobot | 2009.5.19.1740 | 2009.05.19 | - |
| VirusBuster | 4.6.5.0 | 2009.05.18 | - |

 

Additional information

File size: 327051 bytes

MD5...: 110230c200611c32ed487b9fec1e6076

SHA1..: 5481afa2bedd051d70f39de1fa0060f507a0345f

SHA256: f6bfe2e9e5c2a3dd29c9aa622b0c8723922a0df012b4772b7aab8721ab76a370

SHA512: 2e10bfcd2e10bf7b9e108f19205ee32b382babafcfc62c881c63e1b5b7eac0bb7fa584f7228677d2c6029d7abd3161743a1cef31556b697d857a73c63420a269

ssdeep: 6144:plZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76wQ0qapLibDi:pHLUMuiv9RgfSjAzRt74bW

PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

TrID..: File type identification

UPX compressed Win32 Executable (43.8%)

Win32 EXE Yoda's Crypter (38.1%)

Win32 Executable Generic (12.2%)

Generic Win/DOS Executable (2.8%)

DOS Executable Generic (2.8%)

PEInfo: PE Structure information


( base data )

entrypointaddress.: 0xae0e0

timedatestamp.....: 0x4951fa17 (Wed Dec 24 09:00:07 2008)

machinetype.......: 0x14c (I386)


( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

UPX0 0x1000 0x6e000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 0x6f000 0x40000 0x3f400 7.93 1de6866c729aedc69f7e1b0f019b0210

.rsrc 0xaf000 0x8000 0x7600 5.78 e127ca9f0d06f723c60cb7833d91f99a


( 16 imports )

> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

> ADVAPI32.dll: AddAce

> COMCTL32.dll: ImageList_Remove

> COMDLG32.dll: GetSaveFileNameW

> GDI32.dll: BitBlt

> MPR.dll: WNetGetConnectionW

> ole32.dll: CoInitialize

> OLEAUT32.dll: -

> PSAPI.DLL: EnumProcesses

> SHELL32.dll: DragFinish

> USER32.dll: GetDC

> USERENV.dll: LoadUserProfileW

> VERSION.dll: VerQueryValueW

> WININET.dll: FtpOpenFileW

> WINMM.dll: timeGetTime

> WSOCK32.dll: -


( 0 exports )

PDFiD.: -

RDS...: NSRL Reference Data Set

-

packers (Kaspersky): PE_Patch.UPX, UPX

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=BD2396B38BD33D88FDA604CBF58D55006644A0D9

packers (F-Prot): UPX
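As an added triage example (not code from the original post or from the tools it uses), the Python below parses the section and import lines of a PEInfo dump like the two shown above for Windows Update.exe and 情se发布器.exe, and reports the indicators that mark a UPX-packed binary even before PEiD is consulted: a section reserved in memory but empty on disk, a near-maximum-entropy section, and an import table reduced to LoadLibraryA/GetProcAddress plus at most one function per other DLL. The PEINFO sample is constructed from the first dump and reproduces only some of its import lines.

```python
import re

# Constructed from the PEInfo dump for Windows Update.exe above; only four of its
# sixteen import lines are reproduced (情se发布器.exe has the same shape).
PEINFO = """\
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6b000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6c000 0x40000 0x3f400 7.93 e946dee236b5ce856d3776cb75eea917
.rsrc 0xac000 0x5000 0x4e00 5.26 cb3d8421caed79623919b9748aef2c18
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: AddAce
> WININET.dll: FtpOpenFileW
> WSOCK32.dll: -
"""

SECTION_RE = re.compile(r"^(\S+) (0x[0-9a-f]+) (0x[0-9a-f]+) (0x[0-9a-f]+) (\d+\.\d+) [0-9a-f]{32}$")
IMPORT_RE = re.compile(r"^> (\S+): (.*)$")


def parse_peinfo(text):
    """Split a PEInfo dump into section records and a {dll: [functions]} map."""
    sections, imports = [], {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name, _va, vsize, rsize, entropy = m.groups()
            sections.append({"name": name, "vsize": int(vsize, 16),
                             "rsize": int(rsize, 16), "entropy": float(entropy)})
            continue
        m = IMPORT_RE.match(line)
        if m:
            funcs = m.group(2).strip()
            imports[m.group(1).lower()] = [] if funcs == "-" else [f.strip() for f in funcs.split(",")]
    return sections, imports


def packing_indicators(sections, imports):
    """Triage heuristics for a packed PE; each hit is one human-readable string."""
    hits = []
    for s in sections:
        if s["vsize"] > 0 and s["rsize"] == 0:
            hits.append("%s: reserved in memory but empty on disk; the stub fills it at run time" % s["name"])
        if s["entropy"] >= 7.5:
            hits.append("%s: entropy %.2f, compressed or encrypted data" % (s["name"], s["entropy"]))
    k32 = set(imports.get("kernel32.dll", []))
    others = [v for dll, v in imports.items() if dll != "kernel32.dll"]
    if {"LoadLibraryA", "GetProcAddress"} <= k32 and others and all(len(v) <= 1 for v in others):
        hits.append("import table is a loader stub: LoadLibraryA/GetProcAddress plus at most "
                    "one function per other DLL; the real imports are resolved after unpacking")
    return hits
```

Run `packing_indicators(*parse_peinfo(PEINFO))` to get the three hits for this sample; the same checks apply unchanged to the second dump.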
