sys28.exe病毒-Storm

　　sys28.exe传到Norman上，分析结果如下，虽然报NO MALWARE(只能说Norman没查出来)，但看报告内容，明显是病毒无疑：

sys28.exe : Not detected by Sandbox (Signature: W32/Smalltroj.BPDH)

[ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: W32/Smalltroj.BPDH
    * Compressed: YES
    * TLS hooks: NO
    * Executable type: Application
    * Executable file structure: OK

[ General information ]
* **Locates window "金山毒霸 [class #32770]" on desktop.找金山毒霸（怎么只找金山？）

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\del.bat.（释放文件）

[ Changes to registry ]（修改注册表）
    * Creates key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\16BF120E.EXE -k" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "DisplayName"="FC5B1166" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "Description"="C9C972BA" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Creates key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "Description"="C9C972BA" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "DisplayName"="FC5B1166" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "ErrorControl"="" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\16BF120E.EXE -k" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "ObjectName"="LocalSystem" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "ObjectName"="LocalSystem" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "Start"="" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "Type"="" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".

[ Process/window information ]
    * Enumerates running processes.
    * Attempts to access service "FC5B1166".
    * Creates service "FC5B1166 (FC5B1166)" as "C:\WINDOWS\SYSTEM32\16BF120E.EXE -k".（创建一个服务）

[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\del.bat (97 bytes) : no signature detection.

转载时请注明：转载自 Storm_Center 　原文地址：http://www.stormcn.cn/post/39.html
——凡文章内未标注转载来源者均为原创文章　【恭候您的意见】　谢谢！——

导航

2008-12-24 15:10:39

sys28.exe病毒

Tags: 金山 金山毒霸 病毒

作者:流风33 | 分类:病毒救援 | 评论:0 | 浏览:

最新发表

最新评论及回复

本站出现的所有广告均不代表本人及本站观点立场. [关于我] [网站地图] [联系邮箱]. 闽ICP备09000343号
Copyright 2008-2012 www.stormcn.cn. All Rights Reserved. Powered By Z-Blog. [返回顶部]

导航