遇到让文件夹变文件的 Trojan.Win32.ECode.ee / Trojan-Dropper.Win32.Flystud.ko
endurer 原创
2009-04-29 第1版
最近一位朋友的电脑反应很慢,而且出现了奇怪的现象:U盘中原有来文件夹全变成了文件。请偶帮忙看看。
下载 pe_xscan 扫描 log 并分析,发现如下可疑项(进程模块略):
pe_xscan 09-04-28 by Purple Endurer
2009-4-29 13:7:47
Windows XP Service Pack 2(5.1.2600)
MSIE:7.0.5730.11
管理员用户组
正常模式
O4 - HKLM/../Run: [EB1B66] C:/WINDOWS/system32/3D98FC/EB1B66.EXE
O4 - Startup: EB1B66.lnk -> C:/WINDOWS/system32/3D98FC/EB1B66.EXE
Log要比:
生出.exe尾巴?原来是MS-DOS.com,fonts.exe,Default.exe,HelpHost.com等做怪1
http://blog.csdn.net/Purpleendurer/archive/2009/02/23/3929716.aspx
中的简单,也许是卡卡安全助手的U盘免疫功能在起作用。
到 http://purpleendurer.ys168.com 下载 bat_do 和 FileInfo。
用FileInfo提取文件信息,用 bat_do 打包备份后延时删除。
用IceSword终止进程EB1B66.EXE,强制删除文件。
用卡卡安全助手清理病毒启动项。
用WinRAR浏览U盘,发现原来的文件夹还是存在的,只是被隐藏起来了。用attrib 命令去除这些文件夹的隐藏和系统属性。
附:病毒文件信息:
文件说明符 : C:/WINDOWS/system32/3D98FC/EB1B66.EXE
属性 : -SHR
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2009-4-13 10:35:16
修改时间 : 2009-4-13 10:35:16
大小 : 1403113 字节 1.346 MB
MD5 : 0c7cc2b1b82cae03e9a25f14faf9e4ea
SHA1: 1041469D96DE77EA526350CA9FE4D61EF2708E2A
CRC32: f33b77ec
| 反病毒引擎 | 版本 | 最后更新 | 扫描结果 |
| a-squared | 4.0.0.101 | 2009.04.29 | Trojan.Peed!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.04.28 | - |
| AntiVir | 7.9.0.156 | 2009.04.28 | TR/Dropper.Gen |
| Antiy-AVL | 2.0.3.1 | 2009.04.28 | - |
| Authentium | 5.1.2.4 | 2009.04.27 | W32/Nuj.A.gen!Eldorado |
| Avast | 4.8.1335.0 | 2009.04.28 | - |
| AVG | 8.5.0.287 | 2009.04.28 | - |
| BitDefender | 7.2 | 2009.04.29 | Dropped:Trojan.Peed.Gen |
| CAT-QuickHeal | 10.00 | 2009.04.28 | Win32.Trojan-Dropper.Flystud.ko.5.Pack |
| ClamAV | 0.94.1 | 2009.04.28 | - |
| Comodo | 1140 | 2009.04.28 | - |
| DrWeb | 4.44.0.09170 | 2009.04.29 | - |
| eSafe | 7.0.17.0 | 2009.04.27 | - |
| eTrust-Vet | 31.6.6480 | 2009.04.28 | - |
| F-Prot | 4.4.4.56 | 2009.04.27 | W32/Nuj.A.gen!Eldorado |
| F-Secure | 8.0.14470.0 | 2009.04.29 | Trojan-Dropper.Win32.Flystud.ko |
| Fortinet | 3.117.0.0 | 2009.04.29 | - |
| GData | 19 | 2009.04.29 | Dropped:Trojan.Peed.Gen |
| Ikarus | T3.1.1.49.0 | 2009.04.29 | Trojan.Peed |
| K7AntiVirus | 7.10.717 | 2009.04.27 | Trojan-Dropper.Win32.Flystud.ko |
| Kaspersky | 7.0.0.125 | 2009.04.29 | Trojan-Dropper.Win32.Flystud.ko |
| McAfee | 5599 | 2009.04.28 | W32/Autorun.worm.ev |
| McAfee+Artemis | 5599 | 2009.04.28 | W32/Autorun.worm.ev |
| McAfee-GW-Edition | 6.7.6 | 2009.04.29 | Trojan.Dropper.Gen |
| Microsoft | 1.4602 | 2009.04.28 | Backdoor:Win32/FlyAgent.F |
| NOD32 | 4041 | 2009.04.28 | - |
| Norman | 6.00.06 | 2009.04.28 | - |
| nProtect | 2009.1.8.0 | 2009.04.28 | Trojan-Dropper/W32.FlyStudio.1403113 |
| Panda | 10.0.0.14 | 2009.04.28 | - |
| PCTools | 4.4.2.0 | 2009.04.28 | - |
| Prevx1 | 3.0 | 2009.04.29 | - |
| Rising | 21.27.20.00 | 2009.04.29 | Trojan.Win32.ECode.ee |
| Sophos | 4.41.0 | 2009.04.29 | Mal/EncPk-GF |
| Sunbelt | 3.2.1858.2 | 2009.04.28 | - |
| Symantec | 1.4.4.12 | 2009.04.29 | - |
| TheHacker | 6.3.4.1.315 | 2009.04.28 | Trojan/Dropper.Flystud.ko |
| TrendMicro | 8.700.0.1004 | 2009.04.28 | - |
| VBA32 | 3.12.10.3 | 2009.04.29 | Trojan-Dropper.Win32.Flystud.ko |
| ViRobot | 2009.4.29.1713 | 2009.04.29 | - |
| VirusBuster | 4.6.5.0 | 2009.04.28 | - |
| 附加信息 |
|---|
| File size: 1403113 bytes |
| MD5...: 0c7cc2b1b82cae03e9a25f14faf9e4ea |
| SHA1..: 1041469d96de77ea526350ca9fe4d61ef2708e2a |
| SHA256: 83e1b43c05713852cc634fc9f207668fed3b064e55ec9e3e610a41711f0e29b1 |
| SHA512: df8223a0d016a4d629a341295fc3bceb8f53b8b8bef7dd5558896abdfa0bbced e3772b2a89fe58267eda1d73d46d229b83731d5ea861716f18561fc940472606 |
| ssdeep: 24576:lRylsJDvWrHuW9ly4S6DhQMjiWY0bEAq6J1kU+TPdFpGpH/6CxMSAbhAje jpRuYs:bylsZvWLLdLaM2WY0QAJb+TQ/RxshAQ+ |
| PEiD..: - |
| TrID..: File type identification Win32 Executable MS Visual C++ (generic) (62.9%) Win32 Executable Generic (14.2%) Win32 Dynamic Link Library (generic) (12.6%) Clipper DOS Executable (3.3%) Generic Win/DOS Executable (3.3%) |
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x1196 timedatestamp.....: 0x59bffa3 (Mon Dec 25 05:33:23 1972) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x51ec 0x6000 7.00 670e499c5b780a8681954f88d5fd72b6 .rdata 0x7000 0xa4a 0x1000 3.58 367b7ce38d0c4c17f01e370dc697df5b .data 0x8000 0x1f58 0x2000 4.61 3c091462b8b46c0a497bde20c727eec4 .data 0xa000 0x22000 0x22000 7.82 61731cd337d924e0b4c229312caf0aae .rsrc 0x2c000 0x45b0 0x5000 4.33 2848a5a5ec1e2ae2bba1498f6767692d ( 2 imports ) > KERNEL32.dll: GetProcAddress, LoadLibraryA, CloseHandle, WriteFile, CreateDirectoryA, GetTempPathA, ReadFile, SetFilePointer, CreateFileA, GetModuleFileNameA, GetStringTypeA, LCMapStringW, LCMapStringA, HeapAlloc, HeapFree, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, MultiByteToWideChar, GetStringTypeW > USER32.dll: MessageBoxA, wsprintfA ( 0 exports ) |
| PDFiD.: - |
| RDS...: NSRL Reference Data Set - |
| packers (Kaspersky): PE-Crypt.CF |
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
