반응형
| 테스트를 실시한 환경은 Windows XP SP2 Professional 입니다 . |
파일 정보
| r.exe | File size: 68608 bytes MD5...: 1ed1d899561e79488132cd59dfd2d3b4 |
r.exe 의 바이러스 토탈 검사 결과
| 검사 파일: r.exe 전송 시각: 2009.02.13 17:20:36 (CET) | |||
| 안티바이러스 | 엔진 버전 | 정의 날짜 | 검사 결과 |
| a-squared | 4.0.0.93 | 2009.02.13 | Virus.Win32.Zbot!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.02.13 | Win-Trojan/Agent.68608.CM |
| AntiVir | 7.9.0.79 | 2009.02.13 | TR/Spy.ZBot.mtu |
| Authentium | 5.1.0.4 | 2009.02.13 | - |
| Avast | 4.8.1335.0 | 2009.02.12 | Win32:Zbot-AZQ |
| AVG | 8.0.0.237 | 2009.02.13 | Crypt.CJL |
| BitDefender | 7.2 | 2009.02.13 | - |
| CAT-QuickHeal | 10.00 | 2009.02.13 | - |
| ClamAV | 0.94.1 | 2009.02.13 | - |
| Comodo | 976 | 2009.02.13 | - |
| DrWeb | 4.44.0.09170 | 2009.02.13 | Trojan.Packed.139 |
| eSafe | 7.0.17.0 | 2009.02.12 | - |
| eTrust-Vet | 31.6.6355 | 2009.02.13 | - |
| F-Prot | 4.4.4.56 | 2009.02.13 | - |
| F-Secure | 8.0.14470.0 | 2009.02.13 | Trojan-Spy.Win32.Zbot.mtu |
| Fortinet | 3.117.0.0 | 2009.02.13 | - |
| GData | 19 | 2009.02.13 | Win32:Zbot-AZQ |
| Ikarus | T3.1.1.45.0 | 2009.02.13 | Virus.Win32.Zbot |
| K7AntiVirus | 7.10.629 | 2009.02.13 | - |
| Kaspersky | 7.0.0.125 | 2009.02.13 | Trojan-Spy.Win32.Zbot.mtu |
| McAfee | 5524 | 2009.02.12 | - |
| McAfee+Artemis | 5524 | 2009.02.12 | Generic!Artemis |
| Microsoft | 1.4306 | 2009.02.13 | PWS:Win32/Zbot.gen!R |
| NOD32 | 3851 | 2009.02.13 | Win32/Spy.Zbot.IB |
| Norman | 6.00.02 | 2009.02.13 | W32/Malware.FKHB |
| nProtect | 2009.1.8.0 | 2009.02.13 | Trojan-Spy/W32.ZBot.309760 |
| Panda | 10.0.0.10 | 2009.02.13 | Trj/CI.A |
| PCTools | 4.4.2.0 | 2009.02.13 | - |
| Prevx1 | V2 | 2009.02.13 | Rootkit |
| Rising | 21.16.42.00 | 2009.02.13 | - |
| SecureWeb-Gateway | 6.7.6 | 2009.02.13 | Trojan.Spy.ZBot.mtu |
| Sophos | 4.38.0 | 2009.02.13 | Troj/ZbotPP-Fam |
| Sunbelt | 3.2.1851.2 | 2009.02.12 | RiskTool.Win32.ProcessPatcher.Nor!cobra (v) |
| Symantec | 10 | 2009.02.13 | - |
| TheHacker | 6.3.1.9.255 | 2009.02.13 | Trojan/Spy.Zbot.lom |
| TrendMicro | 8.700.0.1004 | 2009.02.13 | - |
| VBA32 | 3.12.8.12 | 2009.02.13 | - |
| ViRobot | 2009.2.13.1605 | 2009.02.13 | Trojan.Win32.Zbot.68608.AC |
| VirusBuster | 4.5.11.0 | 2009.02.13 | - |
| 추가 정보 | |||
| File size: 68608 bytes | |||
| MD5...: 1ed1d899561e79488132cd59dfd2d3b4 | |||
| SHA1..: e0d1ee1cd5d0cc0202d1321ef4e89471a4e816e7 | |||
| SHA256: 3bbd555366e82b419626a5c8f3e817f1710e8194f05490377b86e79122512c92 | |||
| SHA512: 4ad153a7cc353a67178bd2daa1eecc631b4ceddc9800c1c8a696a9750f921f5e c258f2bc406f5fb810ca77fdf9b9a14b0582715132fdd1ccce7dba16c4d4f3a9 | |||
| ssdeep: 1536:lnvRU3fdXV9Bou+RkELMc/IAzEs5rnrOm44:BvMdXBXj4bNl | |||
| PEiD..: - | |||
| TrID..: File type identification Win32 Executable Generic (68.0%) Generic Win/DOS Executable (15.9%) DOS Executable Generic (15.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) | |||
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x62f2 timedatestamp.....: 0x4863b393 (Thu Jun 26 15:19:47 2008) machinetype.......: 0x14c (I386) ( 2 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x10578 0x10600 6.78 90bf557709e06d73b12ceb7729c979c0 .data 0x12000 0x4034 0x200 0.12 6585e4db32666c2095cefa8e7ee87e85 ( 4 imports ) > ADVAPI32.dll: CryptDestroyHash, RegEnumKeyExA, CryptHashData, RegDeleteValueA, CryptGetHashParam, RegCreateKeyExA, CryptReleaseContext, RegSetValueExA, GetUserNameW, DuplicateTokenEx, CryptCreateHash > KERNEL32.dll: GetFileAttributesA, GetVersionExW, LeaveCriticalSection, GetTickCount, VirtualAlloc, GetSystemTime, GetFileAttributesW, FindNextFileW, GetUserDefaultUILanguage, SystemTimeToFileTime, GetProcAddress, WideCharToMultiByte, EnterCriticalSection, GetLocalTime, ExpandEnvironmentStringsW, InitializeCriticalSection, GlobalUnlock, VirtualProtect, GetModuleHandleA, lstrcatA, FindResourceW, GetFileSizeEx > USER32.dll: GetWindowThreadProcessId, MsgWaitForMultipleObjects, OpenWindowStationA, PeekMessageA, GetClipboardData, DispatchMessageA, GetClassNameA, SetProcessWindowStation, SendMessageA > SHLWAPI.dll: StrCmpNIA, SHDeleteKeyA, wvnsprintfA, wnsprintfA, PathCombineW, PathFindFileNameW, StrStrW, wvnsprintfW, wnsprintfW, PathMatchSpecW, PathRemoveFileSpecW ( 0 exports ) | |||
| ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=1ed1d899561e79488132cd59dfd2d3b4' target='_blank'>http://www.threatexpert.com/report.aspx?md5=1ed1d899561e79488132cd59dfd2d3b4</a> | |||
| Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=06AD249E00A30C160CC101F142302D003BEE5F16' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=06AD249E00A30C160CC101F142302D003BEE5F16</a> | |||
r.exe 의 실행이 시스템에 준 변화
| 파일생성 |
| windows\system32\twex.exe |
| 레지스트리 변화 |
| [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "userinit"="C:\WINDOWS\system32\userinit.exe," 위 정상 값이 아래처럼 바뀜 . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe," |
twex.exe의 파일정보
| twex.exe | File size: 494080 bytes MD5...: 0139ceb97b7198135df5d4d6e81ba959 |
| 관련 글 보기 ① 손쉽게 파일 정보 확인 하기 2009/02/05 - [유용한 팁들] - 바이러스 검사 - Virus Total / VirScan ② 삭제되지 않는 파일 삭제하기 2009/02/04 - [유용한 팁들] - movefile 활용 |
반응형
'Malwares 분석' 카테고리의 다른 글
| load.exe (0) | 2009.02.15 |
|---|---|
| sunrise.exe (0) | 2009.02.15 |
| update.exe (0) | 2009.02.15 |
| load.exe (0) | 2009.02.15 |
| twixz.exe (0) | 2009.02.13 |
| keygen.LimeWire.5.0.6.PRo.exe (0) | 2009.02.06 |
| loader.exe (0) | 2009.02.05 |
| rege.exe (0) | 2009.02.05 |
댓글