There are many kinds of antivirus software, and there are also "fake" antivirus programs built to scam people.
Let us look at one example: AntivirusXP.
Note: I ran this on a virtual machine (Shadow Defender), so it had no effect on my real machine. Do not run it on your own computer in normal use; you do so at your own risk!
As soon as it is opened, it starts scanning:
It then reports multiple viruses:
When you click Remove All, a registration window pops up:
Clicking the purchase button leads to the vendor's website (already taken down; presumably it was discovered). Firefox's WOT add-on flags it as a dangerous site:
I tried to locate the so-called "viruses" on the computer, and found no such files at all:
The main screen, short and to the point:
The tray icon in the lower right keeps reporting that the computer has problems:
...and it will not let you close it.
It can even "update", but that is fake too: there is no disk activity at all during the update, which gives it away:
This is an old sample by now, and it is detected by many antivirus engines (28 of the 40 engines on VirusTotal at the time; "-" means no detection):
http://www.virustotal.com/analisis/ca4fe2a5c544c646858ad37f89b15a99a9776c0fed808cdf231b00215936e2c6-1244457036
Engine | Version | Signature date | Result
a-squared | 4.0.0.101 | 2009.06.04 | Trojan.Win32.Fakeinit!IK
AhnLab-V3 | 5.0.0.2 | 2009.06.08 | Win-Trojan/Fakeav.1752576
AntiVir | 7.9.0.180 | 2009.06.08 | PHISH/Fraud.XPAntivirus.aat
Antiy-AVL | 2.0.3.1 | 2009.06.08 | FraudTool/Win32.XPAntivirus
Authentium | 5.1.2.4 | 2009.06.08 | -
Avast | 4.8.1335.0 | 2009.06.07 | Win32:Trojan-gen {Other}
AVG | 8.5.0.339 | 2009.06.08 | SHeur2.MYH
BitDefender | 7.2 | 2009.06.08 | Trojan.FakeAlert.AUO
CAT-QuickHeal | 10.00 | 2009.06.08 | FraudTool.XPAntivirus.aat (Not a Virus)
ClamAV | 0.94.1 | 2009.06.08 | -
Comodo | 1283 | 2009.06.08 | ApplicUnsaf.Win32.FraudTool.XPAntiVirusPro.~SAA
DrWeb | 5.0.0.12182 | 2009.06.08 | Trojan.Fakealert.3910
eSafe | 7.0.17.0 | 2009.06.07 | Win32.Banker
eTrust-Vet | 31.6.6547 | 2009.06.08 | Win32/VMalum.ELXM
F-Prot | 4.4.4.56 | 2009.06.08 | -
F-Secure | 8.0.14470.0 | 2009.06.08 | FraudTool.Win32.XPAntivirus.aat
Fortinet | 3.117.0.0 | 2009.06.08 | Misc/XPAntivirus
GData | 19 | 2009.06.08 | Trojan.FakeAlert.AUO
Ikarus | T3.1.1.59.0 | 2009.06.08 | -
K7AntiVirus | 7.10.754 | 2009.06.04 | Non-Virus:
Kaspersky | 7.0.0.125 | 2009.06.08 | not-a-virus:FraudTool.Win32.XPAntivirus.aat
McAfee | 5639 | 2009.06.07 | -
McAfee+Artemis | 5639 | 2009.06.07 | potentially unwanted program Artemis!A3E166E3B70D
McAfee-GW-Edition | 6.7.6 | 2009.06.08 | -
Microsoft | 1.4701 | 2009.06.08 | Trojan:Win32/Fakeinit
NOD32 | 4137 | 2009.06.08 | Win32/Adware.VirusIsolator
Norman | 6.01.09 | 2009.06.05 | W32/AntiVirus2008.CHT
nProtect | 2009.1.8.0 | 2009.06.08 | -
Panda | 10.0.0.14 | 2009.06.07 | Adware/AntiVirusXP2009
PCTools | 4.4.2.0 | 2009.06.06 | -
Prevx | 3.0 | 2009.06.08 | High Risk Worm
Rising | 21.33.02.00 | 2009.06.08 | AdWare.Win32.FakeAV.m
Sophos | 4.42.0 | 2009.06.08 | Troj/FakeAV-JE
Sunbelt | 3.2.1858.2 | 2009.06.07 | FraudTool.Win32.XPAntivirus.GeN
Symantec | 1.4.4.12 | 2009.06.08 | -
TheHacker | 6.3.4.3.342 | 2009.06.08 | -
TrendMicro | 8.950.0.1092 | 2009.06.08 | -
VBA32 | 3.12.10.6 | 2009.06.08 | -
ViRobot | 2009.6.5.1771 | 2009.06.05 | Adware.XPAntivirus.R.1752576.B
VirusBuster | 4.6.5.0 | 2009.06.07 | Fraudtool.XPAntivirus.BCWK
Resource usage:
File analysis (ThreatExpert report):
http://www.threatexpert.com/report.aspx?md5=a3e166e3b70d9af948d055c29ac873b5
• File MD5: 0xA3E166E3B70D9AF948D055C29AC873B5
• File SHA-1: 0x0E79A28E860635B51ED24E3D20F5FFCCB2E888E0
• Filesize: 1,752,576 bytes
Files created:
%DesktopDir%\AntivirusXP.lnk
%Temp%\stylrit0.tmp
%Programs%\AntivirusXP\AntivirusXP.lnk
%ProgramFiles%\AntivirusXP\AntivirusXP.exe
Directories created:
%Programs%\AntivirusXP
%ProgramFiles%\AntivirusXP
%ProgramFiles%\AntivirusXP\Infected
%ProgramFiles%\AntivirusXP\Suspicious
Processes created:
[filename of the sample #1][file and pathname of the sample #1]
Registry changes:
The following Registry Key was created:
HKEY_CURRENT_USER\Software\AntivirusXP
The newly created Registry Values are:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
AntivirusXP.exe = "%ProgramFiles%\AntivirusXP\AntivirusXP.exe"
so that AntivirusXP.exe runs every time Windows starts
[HKEY_CURRENT_USER\Software\AntivirusXP]
Autorun = 0x00000001
RegisterShellExtension = 0x00000001
CheckForUpdates = 0x00000000
QuickScanAtStartup = 0x00000001
StartMinimized = 0x00000000
ID = 0x00000001
ScanArchives = 0x00000001
ScanFiles = 0x00000001
ScanMail = 0x00000001
ScanProcesses = 0x00000001
ScanRegistry = 0x00000001
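The ThreatExpert indicators above (the Run-key autorun, the HKCU\Software\AntivirusXP configuration key, the install directory, the shortcuts and the file hashes) are enough to write a host check. The following PowerShell script is an added example, not part of the original post or of the ThreatExpert report; it assumes an elevated PowerShell 4 or later session (Get-FileHash), that %Programs% resolves to the current user's Start Menu Programs folder, and that the sample was installed to the default paths listed in the report.

```powershell
# Added example: triage a Windows host for the AntivirusXP indicators quoted
# from the ThreatExpert report above. Assumptions: elevated PowerShell >= 4,
# default install paths from the report. Not the original post's code.

# Hashes of the analysed sample (from the ThreatExpert report above).
$KnownMd5  = 'A3E166E3B70D9AF948D055C29AC873B5'
$KnownSha1 = '0E79A28E860635B51ED24E3D20F5FFCCB2E888E0'

# File-system indicators, resolved from the %...% placeholders in the report.
$InstallDir = Join-Path $env:ProgramFiles 'AntivirusXP'
$Exe        = Join-Path $InstallDir 'AntivirusXP.exe'
$Paths = @(
    $InstallDir,
    (Join-Path ([Environment]::GetFolderPath('Programs')) 'AntivirusXP'),
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'AntivirusXP.lnk'),
    (Join-Path $env:TEMP 'stylrit0.tmp')
)

# Registry indicators: the per-user autorun and the program's own config key.
$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunName = 'AntivirusXP.exe'
$CfgKey  = 'HKCU:\Software\AntivirusXP'

function Find-AntivirusXP {
    # Returns one line per indicator found; an empty array means a clean host.
    $hits = @()
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) { $hits += "path: $p" }
    }
    $run = Get-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
    if ($run) { $hits += "autorun: $RunName = $($run.$RunName)" }
    if (Test-Path -Path $CfgKey) { $hits += "config key: $CfgKey" }
    if (Test-Path -LiteralPath $Exe) {
        # Same install footprint with a different hash means a repacked build,
        # so the hash is reported but is not required for a match.
        $md5  = (Get-FileHash -LiteralPath $Exe -Algorithm MD5).Hash
        $sha1 = (Get-FileHash -LiteralPath $Exe -Algorithm SHA1).Hash
        if ($md5 -eq $KnownMd5 -and $sha1 -eq $KnownSha1) {
            $hits += 'hash: matches the analysed sample'
        } else {
            $hits += "hash: MD5 $md5 does not match the analysed sample"
        }
    }
    return $hits
}

function Remove-AntivirusXP {
    # Kill the process first so the executable is not locked, then remove the
    # autorun, the config key and the files. Destructive: review findings first.
    Get-Process -Name 'AntivirusXP' -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
    Remove-Item -Path $CfgKey -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

$findings = Find-AntivirusXP
if ($findings.Count -eq 0) {
    'No AntivirusXP indicators found.'
} else {
    $findings
    'Run Remove-AntivirusXP to clean up.'
}
```

The script only reports by default; Remove-AntivirusXP is a separate call so the findings can be reviewed (and the sample preserved for analysis) before anything is deleted. Because the autorun lives under HKCU, the check must run as the affected user, or be repeated for each loaded user hive.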
It really is fun: the scammer is standing right at your front door, and you may be completely unaware of it XD
This post is also published on AVPClub:
http://www.avpclub.ddns.info/discuz/thread-18119-1-1.html
For more, see:
http://www.avpclub.ddns.info/discuz/thread-14488-1-1.html
http://www.411-spyware.com