Original by endurer
2006-10-27, 1st edition
A netizen's computer has lately been popping up an empty Notepad window on its own at startup, so he asked me to help take a look.
Downloaded HijackThis and ProcView from http://endurer.ys168.com.
First scanned with HijackThis; the log showed the following suspicious items:
/------
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:/windows/system32/wincfgs.exe
C:/WINDOWS/KB20060111.exe
F3 - REG:win.ini: load=C:/windows/system32/wincfgs.exe
------/
Ran ProcView, sorted the processes by modification time in descending order, and found:
C:/WINDOWS/KB20060111.exe was ranked 1st, modified at 2006-10-27 20:47, with the same icon as the Windows built-in Notepad.
c:/windows/system32/wincfgs.exe was ranked 3rd, modified at 2006-10-27 20:47, with a yellow question-mark icon.
c:/windows/system32/wincfgs.exe, file size 47,104 bytes, was uploaded for online scanning, and every scanner flagged it:
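As an added example that is not part of the original post: a small Python script reproducing the two triage steps above, parsing a HijackThis log for the running-process list and the F3 win.ini load=/run= autostart entries, then cross-checking each process against ProcView-style modification times. The log text and timestamps are constructed to mirror the entries quoted above; the 7-day "recently modified" window is an assumption.

```python
import re
from datetime import datetime
# Constructed sample: a HijackThis log and ProcView mtimes mirroring the post, plus svchost.exe as a benign control.
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
Running processes:
C:/WINDOWS/system32/svchost.exe
C:/windows/system32/wincfgs.exe
C:/WINDOWS/KB20060111.exe

F3 - REG:win.ini: load=C:/windows/system32/wincfgs.exe
"""
SAMPLE_MTIMES = {
    "C:/WINDOWS/system32/svchost.exe": "2004-08-04 12:00",
    "C:/WINDOWS/KB20060111.exe": "2006-10-27 20:47",
    "c:/windows/system32/wincfgs.exe": "2006-10-27 20:47",
}
# F3 entries record win.ini [windows] load=/run= autostarts.
F3_RE = re.compile(r"^F3 - REG:win\.ini: (load|run)=(.+)$", re.IGNORECASE)
def norm(path):
    return path.replace("\\", "/").lower()  # case- and slash-insensitive path key
def parse_hijackthis(log):  # -> (running_processes, [("load"|"run", path), ...])
    procs, autostarts, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        m = F3_RE.match(line)
        if m:
            autostarts.append((m.group(1).lower(), m.group(2).strip()))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        else:
            in_procs = False  # a blank line ends the process section
    return procs, autostarts

def flag_suspicious(log, mtimes, recent_days=7):  # -> {normalised path: [reasons]}
    procs, autostarts = parse_hijackthis(log)
    autostart_paths = {norm(p) for _, p in autostarts}
    stamps = {norm(p): datetime.strptime(t, "%Y-%m-%d %H:%M") for p, t in mtimes.items()}
    now = max(stamps.values())  # newest file stands in for "now" in this offline sample
    flagged = {}
    for p in procs:
        reasons = []
        if norm(p) in autostart_paths:
            reasons.append("win.ini load/run autostart")
        if norm(p) in stamps and (now - stamps[norm(p)]).days < recent_days:
            reasons.append("modified within %d days" % recent_days)
        if reasons:
            flagged[norm(p)] = reasons
    return flagged
```

Running `flag_suspicious(SAMPLE_LOG, SAMPLE_MTIMES)` lists wincfgs.exe with both reasons and KB20060111.exe only as recently modified, which matches why the post sent both files for scanning even though only one is an autostart.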
File: wincfgs.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 07adddef653a702b9a11edbcee07e82b
Packers detected: UPX
Scanner results
AntiVir | Found Worm/Delf.AJ.1 |
ArcaVir | Found Worm.Delf.Aj |
Avast | Found Win32:Trojan-gen. |
AVG Antivirus | Found Downloader.Generic2.RPB |
BitDefender | Found Trojan.Agent.AAE |
ClamAV | Found Worm.Delf-21 |
Dr.Web | Found Trojan.MulDrop.3780 |
F-Prot Antivirus | Found W32/Sillyworm.RE |
Fortinet | Found W32/Delf.AJ!worm |
Kaspersky Anti-Virus | Found Worm.Win32.Delf.aj |
NOD32 | Found Win32/Delf.AJ |
Norman Virus Control | Found W32/Delf.OMO |
VirusBuster | Found Worm.Delf.AZX |
VBA32 | Found Worm.Win32.Delf.aj |
c:/windows/KB20060111.exe, on the other hand, showed no red at all (not a single detection):
STATUS: FINISHED
Complete scanning result of "KB20060111.exe", received in VirusTotal at 10.27.2006, 15:34:30 (CET).
Antivirus | Version | Update | Result |
AntiVir | 7.2.0.34 | 10.27.2006 | no virus found |
Authentium | 4.93.8 | 10.27.2006 | no virus found |
Avast | 4.7.892.0 | 10.27.2006 | no virus found |
AVG | 386 | 10.27.2006 | no virus found |
BitDefender | 7.2 | 10.27.2006 | no virus found |
CAT-QuickHeal | 8.00 | 10.27.2006 | no virus found |
ClamAV | devel-20060426 | 10.27.2006 | no virus found |
DrWeb | 4.33 | 10.27.2006 | no virus found |
eTrust-InoculateIT | 23.73.38 | 10.27.2006 | no virus found |
eTrust-Vet | 30.3.3162 | 10.27.2006 | no virus found |
Ewido | 4.0 | 10.27.2006 | no virus found |
Fortinet | 2.82.0.0 | 10.27.2006 | no virus found |
F-Prot | 3.16f | 10.27.2006 | no virus found |
F-Prot4 | 4.2.1.29 | 10.27.2006 | no virus found |
Ikarus | 0.2.65.0 | 10.27.2006 | no virus found |
Kaspersky | 4.0.2.24 | 10.27.2006 | no virus found |
McAfee | 4882 | 10.26.2006 | no virus found |
Microsoft | 1.1609 | 10.26.2006 | no virus found |
NOD32v2 | 1.1841 | 10.27.2006 | no virus found |
Norman | 5.80.02 | 10.27.2006 | no virus found |
Panda | 9.0.0.4 | 10.27.2006 | no virus found |
Sophos | 4.10.0 | 10.26.2006 | no virus found |
TheHacker | 6.0.1.106 | 10.26.2006 | no virus found |
UNA | 1.83 | 10.27.2006 | no virus found |
VBA32 | 3.11.1 | 10.26.2006 | no virus found |
VirusBuster | 4.3.15:9 | 10.27.2006 | no virus found |
Aditional Information
File size: 66560 bytes
MD5: 89fe32de8587b0dfd76efce00396eb56
SHA1: 1572b3c4d3dd39832ae500abccc1d2df27ef1b8c