sys28.exe病毒

　　sys28.exe传到Norman上，分析结果如下，虽然报NO MALWARE(只能说Norman没查出来)，但看报告内容，明显是病毒无疑：

sys28.exe : Not detected by Sandbox (Signature: W32/Smalltroj.BPDH)

 [ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: W32/Smalltroj.BPDH
    * Compressed: YES
    * TLS hooks: NO
    * Executable type: Application
    * Executable file structure: OK

 [ General information ]
    * **Locates window "金山毒霸 [class #32770]" on desktop.找金山毒霸（怎么只找金山？）

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\del.bat.（释放文件）

 [ Changes to registry ]（修改注册表）
    * Creates key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\16BF120E.EXE -k" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "DisplayName"="FC5B1166" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "Description"="C9C972BA" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Creates key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "Description"="C9C972BA" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "DisplayName"="FC5B1166" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "ErrorControl"="
" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\16BF120E.EXE -k" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "ObjectName"="LocalSystem" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "ObjectName"="LocalSystem" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\FC5B1166".
    * Sets value "Start"="" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".
    * Sets value "Type"="" in key "HKLM\System\CurrentControlSet\Services\FC5B1166".

 [ Process/window information ]
    * Enumerates running processes.
    * Attempts to access service "FC5B1166".
    * Creates service "FC5B1166 (FC5B1166)" as "C:\WINDOWS\SYSTEM32\16BF120E.EXE -k".（创建一个服务）

 [ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\del.bat (97 bytes) : no signature detection.  

>> 除非说明均为原创，如转载请注明来源于http://www.stormcn.cn/post/39.html

Tags: 杀毒软件  病毒 木马  

作者:流风33 | 分类:

病毒救援

| 评论:0 | 浏览: