Original by endurer
2006-04-15, version 3: added Rising's reply: manage is Backdoor.Gpigeon.ynj, G_Server.exe is Backdoor.Gpigeon.ykh
2006-04-12, version 2: added Kaspersky's reply: manage and G_Server.exe are both Backdoor.Win32.GrayBird.id
2006-04-12, version 1
Last night I was helping a colleague with a computer running Win XP SP1. Rising's boot-time automatic scan reported:
IEXPLORE.EXE>>c:/Program Files/Internet Explorer/IEXPLORE.EXE感染BackDoor.Gpigeon.5.dq,清除成功。
I scanned with HijackThis and, in the log, found a suspicious service startup entry:
O23 - Service: Media Server - Unknown owner - C:/Program.exe (file missing)
I rebooted into Safe Mode and set the system to show all files and folders and to stop hiding extensions of known file types.
The file C:/Program.exe did not exist.
In Control Panel --> System Tools --> Services, I checked the Media Server service and found that the file it actually points to is: C:/Program Files/Common Files/manage
The file manage was created at 2006-04-11 18:07 and its size is 242 KB (247,808 bytes).
I also found the file C:/Program Files/Common Files/1.22.exe, created at 2006-04-11 18:08; on comparison, this file is identical to manage.
I found the file c:/windows/G_Server.exe, created at 2006-03-22 14:54, size 594 KB (608,335 bytes), which uses a JPG-format icon and is quite deceptive.
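The gap between what HijackThis printed (C:/Program.exe, file missing) and the file the service really runs is the usual symptom of a service ImagePath that contains spaces but is not wrapped in quotes: every space is a possible end of the program name, and a tool that takes the first possibility reports C:/Program.exe. The script below is an added example (mine, not part of the original post) that takes a constructed set of ImagePath strings, modelled on the Media Server entry above, lists the candidate program names an unquoted path can resolve to, and picks out the longest one as the file actually being run. Service names other than Media Server, and the quoted vendor path, are invented for the sample; the functions are my own and not HijackThis or Windows API calls.

```python
# Constructed sample of service ImagePath values (not read from a real registry).
# The Media Server entry mirrors the one found in the post; the others are made up.
SAMPLE_SERVICES = {
    "Media Server": r"C:\Program Files\Common Files\manage",              # unquoted, spaces
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",                      # no spaces: unambiguous
    "Good Vendor Service": r'"C:\Program Files\Good Vendor\svc.exe" /run',  # quoted: unambiguous
}


def split_command(image_path):
    """Return (application, arguments) when the ImagePath starts with a quoted
    program name; return None when it is unquoted and must be guessed."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end > 0:
            return s[1:end], s[end + 1:].strip()
    return None


def candidate_applications(image_path):
    """List every program name an ImagePath could be read as.

    A quoted path yields exactly one candidate. An unquoted path yields one
    candidate per space-delimited prefix, shortest first; for the post's service
    the first candidate is C:/Program, which is what HijackThis reported as
    C:/Program.exe (file missing)."""
    quoted = split_command(image_path)
    if quoted is not None:
        return [quoted[0]]
    tokens = image_path.strip().split(" ")
    return [" ".join(tokens[: i + 1]) for i in range(len(tokens))]


def ambiguous_services(services):
    """Map service name -> candidate list for every service whose ImagePath
    is unquoted and contains a space; these are the entries worth checking
    by hand in the Services console, as the post did."""
    result = {}
    for name, image_path in services.items():
        cands = candidate_applications(image_path)
        if len(cands) > 1:
            result[name] = cands
    return result


def real_image(image_path):
    """Best guess at the file the service really runs: the longest candidate."""
    return candidate_applications(image_path)[-1]


if __name__ == "__main__":
    for name, cands in ambiguous_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath with spaces")
        for c in cands:
            print("    could be read as:", c)
        print("    most likely real file:", real_image(SAMPLE_SERVICES[name]))
```

On a live system the same logic can be fed from the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services; a service that shows up in ambiguous_services() with an existing file at one of the shorter candidates deserves the same kind of manual inspection the post describes.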
Server response
Results of a file scan
This is a report processed by VirusTotal on 04/11/2006 at 17:10:19 (CET) after scanning the file "unknown---G_Server.exe.rar".
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AntiVir | 6.34.0.24 | 04.11.2006 | Heuristic/Crypted.Layered |
| Avast | 4.6.695.0 | 04.03.2006 | no virus found |
| AVG | 386 | 04.11.2006 | no virus found |
| Avira | 6.34.0.56 | 04.11.2006 | no virus found |
| BitDefender | 7.2 | 04.11.2006 | no virus found |
| CAT-QuickHeal | 8.00 | 04.11.2006 | no virus found |
| ClamAV | devel-20060202 | 04.11.2006 | no virus found |
| DrWeb | 4.33 | 04.11.2006 | no virus found |
| eTrust-InoculateIT | 23.71.126 | 04.11.2006 | no virus found |
| eTrust-Vet | 12.4.2158 | 04.11.2006 | no virus found |
| Ewido | 3.5 | 04.11.2006 | no virus found |
| Fortinet | 2.71.0.0 | 04.11.2006 | no virus found |
| F-Prot | 3.16c | 04.11.2006 | no virus found |
| Ikarus | 0.2.59.0 | 04.11.2006 | no virus found |
| Kaspersky | 4.0.2.24 | 04.11.2006 | no virus found |
| McAfee | 4737 | 04.10.2006 | no virus found |
| NOD32v2 | 1.1482 | 04.11.2006 | no virus found |
| Norman | 5.90.15 | 04.11.2006 | no virus found |
| Panda | 9.0.0.4 | 04.11.2006 | Suspicious file |
| Sophos | 4.04.0 | 04.11.2006 | no virus found |
| Symantec | 8.0 | 04.11.2006 | no virus found |
| TheHacker | 5.9.7.128 | 04.11.2006 | no virus found |
| UNA | 1.83 | 04.07.2006 | no virus found |
| VBA32 | 3.10.5 | 04.11.2006 | no virus found |