반응형
| rege.exe | File size: 66560 bytes MD5 : 7fe517a3889c587f6affbafb16c3fe83 |
| 파일②는 rege.exe 생성시 생성 . | 파일③은 바로 아래 ②twex.exe 가 실행시 변경 >생성되는 파일 |
| ② twex.exe | File size: 571904 bytes MD5 : bdefdfbf085050213d36a5406fa83fb3 |
| ③ twex.exe | File size: 782336 bytes MD5 : c1c439ac342d4b8651827cf319ba87b6 |
rege.exe 의 바이러스 토탈 검사 결과
| 검사 파일: rege.exe 전송 시각: 2009.02.04 17:12:07 (CET) | |||
| 안티바이러스 | 엔진 버전 | 정의 날짜 | 검사 결과 |
| a-squared | 4.0.0.93 | 2009.02.04 | Trojan-Spy.Win32.Zbot!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.02.04 | - |
| AntiVir | 7.9.0.71 | 2009.02.04 | TR/Spy.ZBot.kqb |
| Authentium | 5.1.0.4 | 2009.02.04 | - |
| Avast | 4.8.1281.0 | 2009.02.03 | Win32:Zbot-AYV |
| AVG | 8.0.0.229 | 2009.02.04 | Win32/Cryptor |
| BitDefender | 7.2 | 2009.02.04 | Backdoor.Bot.78656 |
| CAT-QuickHeal | 10.00 | 2009.02.04 | TrojanSpy.Zbot.kqb |
| ClamAV | 0.94.1 | 2009.02.04 | Trojan.Zbot-2961 |
| Comodo | 964 | 2009.02.04 | - |
| DrWeb | 4.44.0.09170 | 2009.02.04 | - |
| eSafe | 7.0.17.0 | 2009.02.01 | Win32.Kryptik.fh |
| eTrust-Vet | 31.6.6341 | 2009.02.04 | Win32/Kollah.VR |
| F-Prot | 4.4.4.56 | 2009.02.04 | - |
| F-Secure | 8.0.14470.0 | 2009.02.04 | Trojan-Spy.Win32.Zbot.kqb |
| Fortinet | 3.117.0.0 | 2009.02.04 | W32/PWS.Y!tr |
| GData | 19 | 2009.02.04 | Backdoor.Bot.78656 |
| Ikarus | T3.1.1.45.0 | 2009.02.04 | Trojan-Spy.Win32.Zbot |
| K7AntiVirus | 7.10.618 | 2009.02.04 | Trojan-Spy.Win32.Zbot.kqb |
| Kaspersky | 7.0.0.125 | 2009.02.04 | Trojan-Spy.Win32.Zbot.kqb |
| McAfee | 5515 | 2009.02.03 | Generic PWS.y |
| McAfee+Artemis | 5515 | 2009.02.03 | Generic PWS.y |
| Microsoft | 1.4306 | 2009.02.04 | PWS:Win32/Zbot.gen!R |
| NOD32 | 3825 | 2009.02.04 | Win32/Spy.Zbot.HI |
| Norman | 6.00.02 | 2009.02.04 | W32/Zbot.CBW |
| nProtect | 2009.1.8.0 | 2009.02.04 | Trojan-Spy/W32.ZBot.66560.J |
| Panda | 9.5.1.2 | 2009.02.03 | Trj/Sinowal.DW |
| PCTools | 4.4.2.0 | 2009.02.03 | - |
| Prevx1 | V2 | 2009.02.04 | - |
| Rising | 21.15.20.00 | 2009.02.04 | - |
| SecureWeb-Gateway | 6.7.6 | 2009.02.04 | Trojan.Spy.ZBot.kqb |
| Sophos | 4.38.0 | 2009.02.04 | Troj/ZbotPP-Fam |
| Sunbelt | 3.2.1835.2 | 2009.01.16 | - |
| Symantec | 10 | 2009.02.04 | Infostealer.Banker.C |
| TheHacker | 6.3.1.5.246 | 2009.02.04 | Trojan/Spy.Zbot.kqb |
| TrendMicro | 8.700.0.1004 | 2009.02.04 | - |
| VBA32 | 3.12.8.12 | 2009.02.04 | Trojan-Spy.Win32.Zbot.kqb |
| ViRobot | 2009.2.4.1589 | 2009.02.04 | Trojan.Win32.Zbot.66560.AK |
| VirusBuster | 4.5.11.0 | 2009.02.04 | - |
| 추가 정보 | |||
| File size: 66560 bytes | |||
| MD5...: 7fe517a3889c587f6affbafb16c3fe83 | |||
| SHA1..: 8ea04242b8ba89871c261fb29368823446ba6900 | |||
| SHA256: a5c1b94a13abc83bd065c2c44c6df934950a3ebd2ca0a5535bac638124b46b98 | |||
| SHA512: da82fb46e542b3222e0ea5e37b3334b6874568ddda7d6fa4b985b877429eaacf b8c5dca5239c68bf6199a5ebc8b41e23d460d7181363e94b4a70f67efa1c5a3e | |||
| ssdeep: 1536:WgzOvajIMk2mZllQFUHf4Uwld/Rj5vP65KdtL67UHrN7DT+o:UPlyH/zvS5 KdFV3 | |||
| PEiD..: - | |||
| TrID..: File type identification Win32 Executable Generic (38.4%) Win32 Dynamic Link Library (generic) (34.1%) Win16/32 Executable Delphi generic (9.3%) Generic Win/DOS Executable (9.0%) DOS Executable Generic (9.0%) | |||
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x40ca timedatestamp.....: 0x478fbe42 (Thu Jan 17 20:44:50 2008) machinetype.......: 0x14c (I386) ( 2 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0xfc1c 0xfe00 6.77 ac53c3bfadf3f6a20f1ce6766535621c .data 0x11000 0x4115 0x200 0.76 cde6ecbaf8635588ba78a93aa7578626 ( 4 imports ) > USER32.dll: GetForegroundWindow, FindWindowExA, SetThreadDesktop, GetKeyboardState, GetWindowThreadProcessId, ToUnicode, GetWindowLongA, EndDialog, MsgWaitForMultipleObjects, GetClassNameA, LoadCursorA, GetIconInfo, CloseDesktop, OpenDesktopA, SetProcessWindowStation, GetKeyState, DispatchMessageA > KERNEL32.dll: GlobalUnlock, SetFilePointer, lstrcmpiW, VirtualProtect, GetFileAttributesA, HeapAlloc, lstrlenA, GetModuleFileNameW, FindNextFileW, VirtualAlloc, ReleaseMutex, HeapFree, GetProcAddress, GetSystemTimeAsFileTime, lstrcatW, GetFileSize, GetLastError, lstrcpyA, HeapReAlloc, CreateMutexW, lstrcpyW, GetUserDefaultUILanguage, GetTimeZoneInformation > ADVAPI32.dll: RegCreateKeyExA, DuplicateTokenEx, RegEnumKeyExA, CryptAcquireContextW, CryptCreateHash, CryptGetHashParam, RegSetValueExA, RegDeleteValueA, CryptReleaseContext, GetUserNameW, RegQueryValueExA, RegCloseKey > SHLWAPI.dll: PathRemoveFileSpecW, PathFileExistsW, StrCmpNIA, wnsprintfW, PathCombineW, wvnsprintfW, PathMatchSpecW, wvnsprintfA, wnsprintfA, PathFindFileNameW, StrCmpNIW, SHDeleteKeyA ( 0 exports ) | |||
② twex.exe 의 바이러스 토탈 검사 결과
| 검사 파일: twex.exe 전송 시각: 2009.02.04 17:24:54 (CET) | |||
| 안티바이러스 | 엔진 버전 | 정의 날짜 | 검사 결과 |
| a-squared | 4.0.0.93 | 2009.02.04 | - |
| AhnLab-V3 | 5.0.0.2 | 2009.02.04 | - |
| AntiVir | 7.9.0.71 | 2009.02.04 | TR/Dropper.Gen |
| Authentium | 5.1.0.4 | 2009.02.04 | - |
| Avast | 4.8.1281.0 | 2009.02.03 | Win32:Zbot-AYV |
| AVG | 8.0.0.229 | 2009.02.04 | Win32/Cryptor |
| BitDefender | 7.2 | 2009.02.04 | Backdoor.Bot.78656 |
| CAT-QuickHeal | 10.00 | 2009.02.04 | TrojanSpy.Zbot.kqb |
| ClamAV | 0.94.1 | 2009.02.04 | Trojan.Zbot-2961 |
| Comodo | 964 | 2009.02.04 | - |
| DrWeb | 4.44.0.09170 | 2009.02.04 | - |
| eSafe | 7.0.17.0 | 2009.02.01 | - |
| eTrust-Vet | 31.6.6341 | 2009.02.04 | Win32/Kollah.VR |
| F-Prot | 4.4.4.56 | 2009.02.04 | - |
| F-Secure | 8.0.14470.0 | 2009.02.04 | - |
| Fortinet | 3.117.0.0 | 2009.02.04 | - |
| GData | 19 | 2009.02.04 | Backdoor.Bot.78656 |
| Ikarus | T3.1.1.45.0 | 2009.02.04 | - |
| K7AntiVirus | 7.10.618 | 2009.02.04 | Trojan-Spy.Win32.Zbot.kqb |
| Kaspersky | 7.0.0.125 | 2009.02.04 | - |
| McAfee | 5515 | 2009.02.03 | - |
| McAfee+Artemis | 5515 | 2009.02.03 | - |
| Microsoft | 1.4306 | 2009.02.04 | PWS:Win32/Zbot.gen!R |
| NOD32 | 3826 | 2009.02.04 | Win32/Spy.Zbot.HI |
| Norman | 6.00.02 | 2009.02.04 | W32/Zbot.CBW |
| nProtect | 2009.1.8.0 | 2009.02.04 | Trojan-Spy/W32.ZBot.66560.J |
| Panda | 9.5.1.2 | 2009.02.03 | - |
| PCTools | 4.4.2.0 | 2009.02.03 | - |
| Prevx1 | V2 | 2009.02.04 | - |
| Rising | 21.15.20.00 | 2009.02.04 | - |
| SecureWeb-Gateway | 6.7.6 | 2009.02.04 | Trojan.Dropper.Gen |
| Sophos | 4.38.0 | 2009.02.04 | Troj/ZbotPP-Fam |
| Sunbelt | 3.2.1835.2 | 2009.01.16 | - |
| Symantec | 10 | 2009.02.04 | Infostealer.Banker.C |
| TheHacker | 6.3.1.5.246 | 2009.02.04 | Trojan/Spy.Zbot.kqb |
| TrendMicro | 8.700.0.1004 | 2009.02.04 | - |
| VBA32 | 3.12.8.12 | 2009.02.04 | Trojan-Spy.Win32.Zbot.kqb |
| ViRobot | 2009.2.4.1589 | 2009.02.04 | Trojan.Win32.Zbot.66560.AK |
| VirusBuster | 4.5.11.0 | 2009.02.04 | - |
| 추가 정보 | |||
| File size: 571904 bytes | |||
| MD5...: bdefdfbf085050213d36a5406fa83fb3 | |||
| SHA1..: 742466fd9c84c41e2e6cc227b2d9f620ff0bbd76 | |||
| SHA256: f5faa68d76e78416041b3cb92afe891ca2bf2a71ed124f31d9fab9d4b3193253 | |||
| SHA512: a786d3ff1116509fd0bcc91e4a59f3b6a1b74da489fe4deefba8f538a5627f5b b55174bd010705abfeacd731e66aa21961d01b632a0c9102a6ecd51676f4429e | |||
| ssdeep: 12288:Bqo3iYvJCKMV8hKRE91x+K57aGc4LMsnZYp09xm:B13i2JC/GKmVJzR4/ | |||
| PEiD..: - | |||
| TrID..: File type identification Win32 Executable Generic (38.4%) Win32 Dynamic Link Library (generic) (34.1%) Win16/32 Executable Delphi generic (9.3%) Generic Win/DOS Executable (9.0%) DOS Executable Generic (9.0%) | |||
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x40ca timedatestamp.....: 0x478fbe42 (Thu Jan 17 20:44:50 2008) machinetype.......: 0x14c (I386) ( 2 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0xfc1c 0xfe00 6.77 ac53c3bfadf3f6a20f1ce6766535621c .data 0x11000 0x4115 0x200 0.76 cde6ecbaf8635588ba78a93aa7578626 ( 4 imports ) > USER32.dll: GetForegroundWindow, FindWindowExA, SetThreadDesktop, GetKeyboardState, GetWindowThreadProcessId, ToUnicode, GetWindowLongA, EndDialog, MsgWaitForMultipleObjects, GetClassNameA, LoadCursorA, GetIconInfo, CloseDesktop, OpenDesktopA, SetProcessWindowStation, GetKeyState, DispatchMessageA > KERNEL32.dll: GlobalUnlock, SetFilePointer, lstrcmpiW, VirtualProtect, GetFileAttributesA, HeapAlloc, lstrlenA, GetModuleFileNameW, FindNextFileW, VirtualAlloc, ReleaseMutex, HeapFree, GetProcAddress, GetSystemTimeAsFileTime, lstrcatW, GetFileSize, GetLastError, lstrcpyA, HeapReAlloc, CreateMutexW, lstrcpyW, GetUserDefaultUILanguage, GetTimeZoneInformation > ADVAPI32.dll: RegCreateKeyExA, DuplicateTokenEx, RegEnumKeyExA, CryptAcquireContextW, CryptCreateHash, CryptGetHashParam, RegSetValueExA, RegDeleteValueA, CryptReleaseContext, GetUserNameW, RegQueryValueExA, RegCloseKey > SHLWAPI.dll: PathRemoveFileSpecW, PathFileExistsW, StrCmpNIA, wnsprintfW, PathCombineW, wvnsprintfW, PathMatchSpecW, wvnsprintfA, wnsprintfA, PathFindFileNameW, StrCmpNIW, SHDeleteKeyA ( 0 exports ) | |||
③ twex.exe 의 바이러스 토탈 검사 결과
| 검사 파일: twex.exe 전송 시각: 2009.02.04 17:34:14 (CET) | |||
| 안티바이러스 | 엔진 버전 | 정의 날짜 | 검사 결과 |
| a-squared | 4.0.0.93 | 2009.02.04 | - |
| AhnLab-V3 | 5.0.0.2 | 2009.02.04 | - |
| AntiVir | 7.9.0.71 | 2009.02.04 | TR/Dropper.Gen |
| Authentium | 5.1.0.4 | 2009.02.04 | - |
| Avast | 4.8.1281.0 | 2009.02.03 | Win32:Zbot-AYV |
| AVG | 8.0.0.229 | 2009.02.04 | Win32/Cryptor |
| BitDefender | 7.2 | 2009.02.04 | Backdoor.Bot.78656 |
| CAT-QuickHeal | 10.00 | 2009.02.04 | TrojanSpy.Zbot.kqb |
| ClamAV | 0.94.1 | 2009.02.04 | Trojan.Zbot-2961 |
| Comodo | 964 | 2009.02.04 | - |
| DrWeb | 4.44.0.09170 | 2009.02.04 | - |
| eSafe | 7.0.17.0 | 2009.02.01 | - |
| eTrust-Vet | 31.6.6341 | 2009.02.04 | Win32/Kollah.VR |
| F-Prot | 4.4.4.56 | 2009.02.04 | - |
| F-Secure | 8.0.14470.0 | 2009.02.04 | - |
| Fortinet | 3.117.0.0 | 2009.02.04 | - |
| GData | 19 | 2009.02.04 | Backdoor.Bot.78656 |
| Ikarus | T3.1.1.45.0 | 2009.02.04 | - |
| K7AntiVirus | 7.10.618 | 2009.02.04 | Trojan-Spy.Win32.Zbot.kqb |
| Kaspersky | 7.0.0.125 | 2009.02.04 | - |
| McAfee | 5515 | 2009.02.03 | - |
| McAfee+Artemis | 5515 | 2009.02.03 | - |
| Microsoft | 1.4306 | 2009.02.04 | PWS:Win32/Zbot.gen!R |
| NOD32 | 3826 | 2009.02.04 | Win32/Spy.Zbot.HI |
| Norman | 6.00.02 | 2009.02.04 | W32/Zbot.CBW |
| nProtect | 2009.1.8.0 | 2009.02.04 | Trojan-Spy/W32.ZBot.66560.J |
| Panda | 9.5.1.2 | 2009.02.03 | - |
| PCTools | 4.4.2.0 | 2009.02.03 | - |
| Prevx1 | V2 | 2009.02.04 | - |
| Rising | 21.15.20.00 | 2009.02.04 | - |
| SecureWeb-Gateway | 6.7.6 | 2009.02.04 | Trojan.Dropper.Gen |
| Sophos | 4.38.0 | 2009.02.04 | Troj/ZbotPP-Fam |
| Sunbelt | 3.2.1835.2 | 2009.01.16 | - |
| Symantec | 10 | 2009.02.04 | Infostealer.Banker.C |
| TheHacker | 6.3.1.5.246 | 2009.02.04 | Trojan/Spy.Zbot.kqb |
| TrendMicro | 8.700.0.1004 | 2009.02.04 | - |
| VBA32 | 3.12.8.12 | 2009.02.04 | Trojan-Spy.Win32.Zbot.kqb |
| ViRobot | 2009.2.4.1589 | 2009.02.04 | Trojan.Win32.Zbot.66560.AK |
| VirusBuster | 4.5.11.0 | 2009.02.04 | - |
| 추가 정보 | |||
| File size: 782336 bytes | |||
| MD5...: c1c439ac342d4b8651827cf319ba87b6 | |||
| SHA1..: 3bc0ff6f1c8c1a800739fad93e142192ad077654 | |||
| SHA256: fe8c085b9c68e6ee364b9607ef0c14d26945a86cbb4c3ca40be1549d074dc9b7 | |||
| SHA512: d22c5aa72bbedc1bee7747eb90f9fca5d3e73a0379797dbe4812ebee6a26494d e9f505199de066e8100d0b9e101d2c3df999bb31bf186ef398314ae9380bbf36 | |||
| ssdeep: 12288:Bqo3iYvJCKMV8hKRE91x+K57aGc4LMsnZYp09xb7iF35j/OJ5FzxRqbKun :B13i2JC/GKmVJzR4K7ixy5tCbKun | |||
| PEiD..: - | |||
| TrID..: File type identification Win32 Executable Generic (38.4%) Win32 Dynamic Link Library (generic) (34.1%) Win16/32 Executable Delphi generic (9.3%) Generic Win/DOS Executable (9.0%) DOS Executable Generic (9.0%) | |||
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x40ca timedatestamp.....: 0x478fbe42 (Thu Jan 17 20:44:50 2008) machinetype.......: 0x14c (I386) ( 2 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0xfc1c 0xfe00 6.77 ac53c3bfadf3f6a20f1ce6766535621c .data 0x11000 0x4115 0x200 0.76 cde6ecbaf8635588ba78a93aa7578626 ( 4 imports ) > USER32.dll: GetForegroundWindow, FindWindowExA, SetThreadDesktop, GetKeyboardState, GetWindowThreadProcessId, ToUnicode, GetWindowLongA, EndDialog, MsgWaitForMultipleObjects, GetClassNameA, LoadCursorA, GetIconInfo, CloseDesktop, OpenDesktopA, SetProcessWindowStation, GetKeyState, DispatchMessageA > KERNEL32.dll: GlobalUnlock, SetFilePointer, lstrcmpiW, VirtualProtect, GetFileAttributesA, HeapAlloc, lstrlenA, GetModuleFileNameW, FindNextFileW, VirtualAlloc, ReleaseMutex, HeapFree, GetProcAddress, GetSystemTimeAsFileTime, lstrcatW, GetFileSize, GetLastError, lstrcpyA, HeapReAlloc, CreateMutexW, lstrcpyW, GetUserDefaultUILanguage, GetTimeZoneInformation > ADVAPI32.dll: RegCreateKeyExA, DuplicateTokenEx, RegEnumKeyExA, CryptAcquireContextW, CryptCreateHash, CryptGetHashParam, RegSetValueExA, RegDeleteValueA, CryptReleaseContext, GetUserNameW, RegQueryValueExA, RegCloseKey > SHLWAPI.dll: PathRemoveFileSpecW, PathFileExistsW, StrCmpNIA, wnsprintfW, PathCombineW, wvnsprintfW, PathMatchSpecW, wvnsprintfA, wnsprintfA, PathFindFileNameW, StrCmpNIW, SHDeleteKeyA ( 0 exports ) | |||
| rege.exe 실행시 시스템 변경 사항 . |
| 파일 변경 사항 C:\WINDOWS\system32\twex.exe (571904 bytes) 생성 (②번) 레지스트리 변경 사항 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt \currentversion\winlogon] "userinit"="C:\WINDOWS\system32\userinit.exe," 위 정상 값을 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt \currentversion\winlogon] "userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe," 으로 변경 . |
| ② twex.exe 실행시 시스템 변경 사항 . |
| 파일 변경 사항 C\WINDOWS\system32\twex.exe (782336 bytes) 생성 (③번) |
|
알려진 레지스트리와 파일로써 악성툴을 삭제 하려면 ? |
반응형
'Malwares 분석' 카테고리의 다른 글
| update.exe (0) | 2009.02.15 |
|---|---|
| load.exe (0) | 2009.02.15 |
| r.exe (2) | 2009.02.14 |
| twixz.exe (0) | 2009.02.13 |
| keygen.LimeWire.5.0.6.PRo.exe (0) | 2009.02.06 |
| loader.exe (0) | 2009.02.05 |
| ldr.exe (0) | 2009.02.03 |
| svchost.exe (0) | 2009.01.31 |
댓글