[病毒样本] 据说是2天前磁碟机

sharkkong

卡巴目前不报的，大蜘蛛也无视
沙盘下运行可发现
将在计算机重新启动后删除: 病毒 Virus.Win32.Xorer.du        文件: C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\Com\netcfg.dll//PE_Patch.UPX//UPX
已删除: 病毒 Virus.Win32.Xorer.dt        文件: C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\com\smss.exe
已删除: 病毒 Virus.Win32.Xorer.du        文件: C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\com\netcfg.000//PE_Patch.UPX//UPX
已删除: 病毒 Virus.Win32.Xorer.du        文件: C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\dnsq.dll//PE_Patch.UPX//UPX

sharkkong

2008-2-7 9:37:54        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 可疑操作，试图删除系统启动时的自动执行模块列表 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL  值:  数据:)。
2008-2-7 9:38:17        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 试图删除系统启动时的自动执行模块列表 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL  值:  数据:)被允许。
2008-2-7 9:38:17        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 可疑操作，试图删除系统启动时的自动执行模块列表 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI  值:  数据:)。
2008-2-7 9:38:26        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 试图删除系统启动时的自动执行模块列表 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI  值:  数据:)被允许。
2008-2-7 9:38:26        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 可疑操作，试图删除系统启动时的自动执行模块列表 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS  值:  数据:)。
2008-2-7 9:38:29        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 试图删除系统启动时的自动执行模块列表 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS  值:  数据:)被允许。
2008-2-7 9:38:29        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 可疑操作，试图删除系统启动时的自动执行模块列表 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Run\OptionalComponents  值:  数据:)。
2008-2-7 9:38:31        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 试图删除系统启动时的自动执行模块列表 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Run\OptionalComponents  值:  数据:)被允许。
2008-2-7 9:38:31        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 可疑操作，试图创建计算机安全设置 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\user\current\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  值:ShowSuperHidden  数据:0x00000000 (0))。
2008-2-7 9:38:32        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 试图创建计算机安全设置 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\user\current\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  值:ShowSuperHidden  数据:0x00000000 (0))被允许。
2008-2-7 9:38:32        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 可疑操作，试图创建计算机安全设置 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\user\current\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  值:NoDriveTypeAutoRun  数据:0x00000091 (145))。
2008-2-7 9:38:34        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 试图创建计算机安全设置 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\user\current\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  值:NoDriveTypeAutoRun  数据:0x00000091 (145))被允许。
2008-2-7 9:38:34        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 可疑操作，试图创建计算机安全设置 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden  值:Type  数据:72 00 61 00 64 00 69 00 6f 00 00 00 6f 00 78 00 00 00 00 00 62 00 00 00 6f 00 00 00 78 00 00 00 00 00 00 00 57 00 69 00 6e 00 52 00 41 00 52 00 5c 00 57 00 69 00 6e 00 52 00 41 00 52 00 2e 00 65 00 78 00 65 00 22 00 20 00 22 00 25 00 31 00 22 00 00 00 52 00 00 00 41 00 00 00 52 00 00 00 5c 00 00 00 57 00 00 00 69 00 00 00 6e 00 00 00 52 00 00 00 41 00 00 00 52 00 00 00 2e 00 00 00 65 00 00 00 78 00 00 00 65 00 00 00 22 00 00 00 20 00 00 00 22 00 00 00 25 00 00 00 31 00 00 00 22 00 00 00 00 00 00 00 52 00 00 00 45 00 00 00 2e 00 00 00 45 00 00 00 58 00 00 00 45 00 00 00 22 00 00 00 20 00 00 00 25 00 00 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00)。
2008-2-7 9:38:41        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 试图创建计算机安全设置 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\machine\software\microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden  值:Type  数据:72 00 61 00 64 00 69 00 6f 00 00 00 6f 00 78 00 00 00 00 00 62 00 00 00 6f 00 00 00 78 00 00 00 00 00 00 00 57 00 69 00 6e 00 52 00 41 00 52 00 5c 00 57 00 69 00 6e 00 52 00 41 00 52 00 2e 00 65 00 78 00 65 00 22 00 20 00 22 00 25 00 31 00 22 00 00 00 52 00 00 00 41 00 00 00 52 00 00 00 5c 00 00 00 57 00 00 00 69 00 00 00 6e 00 00 00 52 00 00 00 41 00 00 00 52 00 00 00 2e 00 00 00 65 00 00 00 78 00 00 00 65 00 00 00 22 00 00 00 20 00 00 00 22 00 00 00 25 00 00 00 31 00 00 00 22 00 00 00 00 00 00 00 52 00 00 00 45 00 00 00 2e 00 00 00 45 00 00 00 58 00 00 00 45 00 00 00 22 00 00 00 20 00 00 00 25 00 00 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00)被允许。
2008-2-7 9:38:41        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 可疑操作，试图删除计算机安全设置 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\user\current\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C749DF39-AADA-4507-A1CB-21EA09151AE3}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  值:  数据:)。
2008-2-7 9:38:43        进程 C:\Sandbox\紫枫\DefaultBox\user\current\Local Settings\Temp\Rar$EX00.797\Happy new year.exe （PID: 2824）: 试图删除计算机安全设置 (键:HKEY_USERS\SANDBOX_紫枫_DEFAULTBOX\user\current\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C749DF39-AADA-4507-A1CB-21EA09151AE3}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  值:  数据:)被允许。
2008-2-7 9:38:46        进程  （PID 2824） 试图访问卡巴斯基反病毒软件进程（PID 1896），该操作已被自我保护功能阻止，您不需要采取任何动作。
2008-2-7 9:38:46        进程  （PID 2824） 试图访问卡巴斯基反病毒软件进程（PID 1072），该操作已被自我保护功能阻止，您不需要采取任何动作。2008-2-7 9:38:50        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\Com\netcfg.dll//PE_Patch.UPX//UPX: 检测到病毒
“Virus.Win32.Xorer.du”。
2008-2-7 9:38:50        已检测到安全威胁，建议您立即进行处理。
2008-2-7 9:39:01        进程  （PID 3700） 试图访问卡巴斯基反病毒软件进程（PID 1896），该操作已被自我保护功能阻止，您不需要采取任何动作。
2008-2-7 9:39:01        进程  （PID 3700） 试图访问卡巴斯基反病毒软件进程（PID 1072），该操作已被自我保护功能阻止，您不需要采取任何动作。
2008-2-7 9:39:06        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\com\smss.exe: 检测到病毒
“Virus.Win32.Xorer.dt”。
2008-2-7 9:39:10        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\Com\netcfg.dll 将在系统重新启动后被删除。
2008-2-7 9:39:17        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\com\smss.exe: 已删除。
2008-2-7 9:39:19        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\com\netcfg.dll//PE_Patch.UPX//UPX: 检测到病毒
“Virus.Win32.Xorer.du”。
2008-2-7 9:39:19        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\com\netcfg.000//PE_Patch.UPX//UPX: 检测到病毒
“Virus.Win32.Xorer.du”。 用户: apple\紫枫, 计算机: localhost。
2008-2-7 9:39:19        已检测到安全威胁，建议您立即进行处理。
2008-2-7 9:39:22        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\com\netcfg.dll: 已删除。
2008-2-7 9:39:22        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\Com\netcfg.000//PE_Patch.UPX//UPX: 检测到病毒
“Virus.Win32.Xorer.du”。
2008-2-7 9:39:24        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\com\netcfg.000: 已删除。
2008-2-7 9:39:26        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\Com\netcfg.000 无法删除。
2008-2-7 9:39:28        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\dnsq.dll//PE_Patch.UPX//UPX: 检测到病毒
“Virus.Win32.Xorer.du”。
2008-2-7 9:39:28        已检测到安全威胁，建议您立即进行处理。
2008-2-7 9:39:31        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\dnsq.dll//PE_Patch.UPX//UPX: 检测到病毒
“Virus.Win32.Xorer.du”。
2008-2-7 9:39:34        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\dnsq.dll: 已删除。
2008-2-7 9:39:34        文件 C:\Sandbox\紫枫\DefaultBox\drive\C\WINDOWS\system32\dnsq.dll//PE_Patch.UPX//UPX 无法删除。

嘿嘿，卡巴的自我保护还算不错。清除能力也不错，很期待传说中V8将加入的应对驱动级别高于卡巴的功能。

[ 本帖最后由 sharkkong 于 2008-2-7 09:57 编辑 ]

worker321

小红伞基因启发

C:\Documents and Settings\BlueWater\桌面\Happy_new_year.rar
  [0] Archive type: RAR
  --> Happy new year.exe
      [DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
      [WARNING]   The file was ignored!

worker321

nod也报了

已扫描的磁盘，文件夹及文件：C:\Documents and Settings\BlueWater\桌面\Happy_new_year.rar
C:\Documents and Settings\BlueWater\桌面\Happy_new_year.rar >>RAR >>Happy new year.exe - 可能是 Win32/Genetik 木马 的一个变种
已扫描的文件数目：1
已发现的病毒数目：1

悠悠我心

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.2.6.10	2008.02.05	-
AntiVir	7.6.0.62	2008.02.06	TR/Crypt.CFI.Gen
Authentium	4.93.8	2008.02.06	-
Avast	4.7.1098.0	2008.02.06	-
AVG	7.5.0.516	2008.02.06	Generic9.AXZN
BitDefender	7.2	2008.02.07	-
CAT-QuickHeal	9.00	2008.02.04	-
ClamAV	0.92	2008.02.07	-
DrWeb	4.44.0.09170	2008.02.06	-
eSafe	7.0.15.0	2008.01.28	suspicious Trojan/Worm
eTrust-Vet	31.3.5517	2008.02.07	-
Ewido	4.0	2008.02.06	-
FileAdvisor	1	2008.02.07	-
Fortinet	3.14.0.0	2008.02.06	-
F-Prot	4.4.2.54	2008.02.06	-
F-Secure	6.70.13260.0	2008.02.07	-
Ikarus	T3.1.1.20	2008.02.07	-
Kaspersky	7.0.0.125	2008.02.07	-
McAfee	5224	2008.02.06	-
Microsoft	1.3204	2008.02.06	Virus:Win32/Xorer.A
NOD32v2	2854	2008.02.06	Win32/Xorer.NAC
Norman	5.80.02	2008.02.06	-
Panda	9.0.0.4	2008.02.07	Suspicious file
Prevx1	V2	2008.02.07	-
Rising	20.29.22.00	2008.01.30	-
Sophos	4.26.0	2008.02.07	W32/Xorer-B
Sunbelt	2.2.907.0	2008.02.07	-
Symantec	10	2008.02.07	-
TheHacker	6.2.9.211	2008.02.06	-
VBA32	3.12.6.0	2008.02.07	-
VirusBuster	4.3.26:9	2008.02.06	Win32.Xorer.Gen
Webwasher-Gateway	6.6.2	2008.02.07	Trojan.Crypt.CFI.Gen

附加信息

File size: 92808 bytes

MD5: 4759f9f9d901ec45129c9da9a5d44345

SHA1: 06aa44fcf7916c2373b12c5164ae10ddab5e493c

PEiD: -

packers: UPX

packers: UPX

packers: PE_Patch.UPX, UPX

4848023

好厉害噢，把偶滴微点干掉了，偶在虚拟机里运行，然后电脑停顿了一会就重起了。
过程中微点没有任何反应，重起后微点无法启动了，现在连冰刃也无法打开了。

sharkkong

原帖由 小小猪 于 2008-2-7 15:12 发表

全部是卡巴的日志？卡巴的沙盘？？？

我自己机器上的沙盘，卡巴只有虚拟机启发杀毒，呵呵，要是他有沙盘就太完美了。别的软件就没法活了，不过可能也更占资源了。呵呵
不过日志确实都是卡巴的。我在沙盘下运行的。

另外回复7楼的朋友，虽然卡巴直到主防才报毒，不过他们试图入侵卡巴，都被住址了，个人觉得MP1的自我防护更强了。其实微点也不错，但是如果这些病毒的驱动级别高于杀软，那么基本上就完了。个人觉得杀软的自我保护要求越来越重要了。个人也比较期待国软的微点和费尔。

[ 本帖最后由 sharkkong 于 2008-2-7 20:36 编辑 ]

空白

C:\DOCUMENTS AND SETTINGS\77\LOCAL SETTINGS\TEMP\TWIEX0\HAPPY NEW YEAR.EXE        W32.Xorer.NAC.rxbo        病毒        还未处理
C:\Documents and Settings\77\My Documents\Happy_new_year.rar>>Happy new year.exe        W32.Xorer.NAC.rxbo        病毒        还未处理

swans

确实厉害，了解了