| -=lebed=- |
06.11.2008 11:16 |
Нужен анализ файла!
Отчёт VirusTotal http://www.virustotal.com/ru/analisis/85b43c981ae3d4fb8471fc2aeb9d5d69
Цитата:
Антивирус Версия Обновление Результат
AhnLab-V3 2008.11.5.3 2008.11.06 -
AntiVir 7.9.0.26 2008.11.05 -
Authentium 5.1.0.4 2008.11.06 -
Avast 4.8.1248.0 2008.11.05 -
AVG 8.0.0.161 2008.11.05 -
BitDefender 7.2 2008.11.06 -
CAT-QuickHeal 9.50 2008.11.04 -
ClamAV 0.94.1 2008.11.06 -
DrWeb 4.44.0.09170 2008.11.06 -
eSafe 7.0.17.0 2008.11.05 -
eTrust-Vet 31.6.6194 2008.11.06 -
Ewido 4.0 2008.11.05 -
F-Prot 4.4.4.56 2008.11.06 -
F-Secure 8.0.14332.0 2008.11.06 Suspicious:W32/Zlob!Gemini
Fortinet 3.117.0.0 2008.11.05 -
GData 19 2008.11.06 -
Ikarus T3.1.1.45.0 2008.11.06 -
K7AntiVirus 7.10.517 2008.11.05 -
Kaspersky 7.0.0.125 2008.11.06 -
McAfee 5425 2008.11.05 -
Microsoft 1.4005 2008.11.06 -
NOD32 3589 2008.11.06 -
Norman 5.80.02 2008.11.05 -
Panda 9.0.0.4 2008.11.05 -
PCTools 4.4.2.0 2008.11.05 -
Prevx1 V2 2008.11.06 -
Rising 21.02.30.00 2008.11.06 -
SecureWeb-Gateway 6.7.6 2008.11.06 -
Sophos 4.35.0 2008.11.06 -
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.06 -
TheHacker 6.3.1.1.141 2008.11.05 -
TrendMicro 8.700.0.1004 2008.11.06 -
VBA32 3.12.8.9 2008.11.05 -
ViRobot 2008.11.6.1454 2008.11.06 -
VirusBuster 4.5.11.0 2008.11.05 -
Дополнительная информация
File size: 646144 bytes
MD5...: cc5d7054676a9472f9b8232095f6014c
SHA1..: 4a73f92b9fb3fff3c616c624c3c7c9a9da36cc20
SHA256: b46667f811d0b419c3716f39a78a1c93a47ad67d0e729a0ac8 2c17d550502e59
SHA512: e6570f73d4c48618dea66035ed2d8ae8e0b2898ea0376817ea 233d15a7a9917b
6714dc617966c980f18fec11c70b432a41fa525206b0fbf782 be14e53cda9907
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x457bd9
timedatestamp.....: 0x4891a9e4 (Thu Jul 31 12:02:44 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7e9ea 0x7ea00 6.59 74c59782b0a519e29b66d6d901ace778
.rdata 0x80000 0x1a8ea 0x1aa00 5.52 113dbdf0f8439a3f7b83a14461ba559a
.data 0x9b000 0x83c4 0x2a00 4.44 4e900fa469a188dec0c7f17286629ba4
.rsrc 0xa4000 0x1870 0x1a00 4.69 e25fcdca197139f321fd1b58073fd97e
( 15 imports )
> VERSION.dll: GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
> MSWSOCK.dll: TransmitFile
> KERNEL32.dll: FindFirstFileA, FindNextFileA, FindClose, CreateTimerQueue, CreateTimerQueueTimer, DeleteTimerQueueEx, SetFileAttributesA, FreeLibrary, GetProcAddress, LoadLibraryA, CreateDirectoryA, SetProcessWorkingSetSize, DeleteFileA, CreateProcessA, SetThreadPriorityBoost, WaitForMultipleObjects, TerminateProcess, SystemTimeToTzSpecificLocalTime, ReleaseMutex, GetSystemDirectoryA, GetFileSize, SetLastError, SetUnhandledExceptionFilter, SetProcessAffinityMask, SetErrorMode, SetConsoleCP, SetConsoleOutputCP, ChangeTimerQueueTimer, lstrcmpW, MoveFileExA, GetCurrentDirectoryA, GetFileAttributesA, DeviceIoControl, InterlockedExchange, InterlockedDecrement, lstrcatW, HeapReAlloc, lstrcpyW, GetSystemTimeAsFileTime, ReadFile, WriteConsoleA, GetStdHandle, CreateMutexA, GetVersion, GetFileAttributesW, GetDriveTypeA, HeapCreate, HeapDestroy, InterlockedCompareExchange, InterlockedIncrement, LoadLibraryExA, EnumResourceNamesA, VerLanguageNameA, GetCommandLineA, GetConsoleMode, GetConsoleCP, IsDebuggerPresent, UnhandledExceptionFilter, HeapSize, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, TlsAlloc, TlsSetValue, TlsFree, SetHandleCount, GetTickCount, GetSystemTime, GetFileType, GetStartupInfoA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, LCMapStringW, CreateFileW, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, GetTimeZoneInformation, GetStringTypeA, GetStringTypeW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, FlushFileBuffers, TryEnterCriticalSection, SetThreadPriority, GetCurrentThread, CreateFileA, SetFilePointer, WriteFile, InitializeCriticalSectionAndSpinCount, InitializeCriticalSection, ExitProcess, DeleteCriticalSection, FormatMessageA, LocalFree, GetLocalTime, GetCurrentProcessId, GetWindowsDirectoryA, FileTimeToLocalFileTime, GetProcessTimes, OpenProcess, GetVersionExA, Process32Next, Process32First, CreateToolhelp32Snapshot, SystemTimeToFileTime, FileTimeToSystemTime, ExitThread, SleepEx, CreateThread, TerminateThread, CloseHandle, ResetEvent, GetDateFormatA, GetTimeFormatA, GetUserDefaultLangID, HeapFree, GetProcessHeap, HeapAlloc, CompareStringA, lstrcmpiA, GetLocaleInfoA, GetSystemDefaultUILanguage, GetModuleHandleA, Sleep, LockResource, SizeofResource, FindResourceExA, WideCharToMultiByte, GetModuleFileNameA, LoadResource, FindResourceA, MultiByteToWideChar, GetCurrentProcess, FlushInstructionCache, CreateEventA, WaitForSingleObject, SetEvent, lstrlenW, lstrcpyA, lstrlenA, RaiseException, GetCurrentThreadId, LeaveCriticalSection, EnterCriticalSection, GetLastError, RtlUnwind, GetModuleHandleW, SetEndOfFile, CompareStringW, SetEnvironmentVariableA, TlsGetValue
> USER32.dll: EnumWindows, CharUpperA, CharLowerA, DrawFocusRect, DrawTextA, EndDialog, OffsetRect, GetCursorPos, PtInRect, GetCapture, DialogBoxParamA, CallWindowProcA, GetActiveWindow, LoadIconA, SetDlgItemTextW, SetWindowTextW, PostQuitMessage, SetCursor, LoadCursorA, DefWindowProcA, ReleaseCapture, GetWindowThreadProcessId, GetForegroundWindow, RegisterDeviceNotificationA, UnregisterDeviceNotification, PeekMessageA, FillRect, GetFocus, CharNextA, GetMessageA, UnregisterClassA, DispatchMessageA, SystemParametersInfoA, SetForegroundWindow, GetMonitorInfoA, MonitorFromWindow, GetClassNameA, GetDlgItem, GetDlgCtrlID, GetParent, GetWindow, SendDlgItemMessageA, SetFocus, SetCapture, IsWindowEnabled, IsWindowVisible, ShowWindow, InvalidateRect, UpdateWindow, ReleaseDC, GetDC, CreateDialogParamA, UnhookWindowsHookEx, SetWindowsHookExA, MsgWaitForMultipleObjects, GetWindowTextW, GetKeyState, GetKeyboardLayout, EndPaint, BeginPaint, MapWindowPoints, ScreenToClient, GetClientRect, GetWindowRect, SetWindowPos, ToUnicodeEx, GetKeyNameTextW, CallNextHookEx, wsprintfA, InSendMessage, GetWindowTextLengthA, GetWindowTextA, SetWindowTextA, SendMessageA, CreateWindowExA, GetWindowLongA, DestroyWindow, SetWindowLongA, IsWindow, GetSysColor, SetRectEmpty, TranslateMessage
> GDI32.dll: GetStockObject, GetObjectA, CreateFontIndirectA, SelectObject, DeleteObject, DeleteDC, SetBkMode, SetTextColor, GetDeviceCaps, CreateCompatibleBitmap, CreateCompatibleDC, BitBlt, GetDIBits, RealizePalette, GetObjectW
> WINSPOOL.DRV: EnumPrintersW, FreePrinterNotifyInfo, FindNextPrinterChangeNotification, FindFirstPrinterChangeNotification, OpenPrinterW
> ADVAPI32.dll: RegEnumKeyExA, AdjustTokenPrivileges, LookupAccountSidW, GetTokenInformation, DeleteService, CreateServiceA, GetUserNameW, ControlService, QueryServiceStatus, StartServiceA, RegSetValueExA, RegCreateKeyExA, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerExA, ReportEventA, RegisterEventSourceA, SetServiceStatus, DeregisterEventSource, CloseServiceHandle, ChangeServiceConfig2A, OpenServiceA, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegNotifyChangeKeyValue, RegQueryInfoKeyA, LookupPrivilegeValueA, GetUserNameA, OpenProcessToken, OpenSCManagerA
> SHELL32.dll: SHCreateDirectoryExA, ShellExecuteA, Shell_NotifyIconA
> ole32.dll: CoCreateInstance, CoUninitialize, CoInitializeEx
> OLEAUT32.dll: -, -, -, -, -
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> PSAPI.DLL: EnumProcessModules, GetModuleBaseNameW, EnumProcesses, EmptyWorkingSet, GetModuleBaseNameA, GetModuleFileNameExA
> COMCTL32.dll: _TrackMouseEvent
> msi.dll: -, -, -, -
> SETUPAPI.dll: SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailW, SetupDiGetDeviceInstanceIdW, SetupDiGetDeviceRegistryPropertyW, SetupDiDestroyDeviceInfoList, SetupDiGetClassDevsW
( 0 exports )
|
Ставится как служба, в обычном диспечере процессов невидим, при убивании в Process Explorer запускается вновь (там виден в процессах).
Напоминает кейлоггер или программу-шпион (чисто мои подозрения) Если бы был руткит, то я думаю он бы позаботился о сокрытии себя в списке служб - там его видно...) Что за зверь такой, если раскажите буду благодарен...
Скачать подопытного |
