NORTON AntiBot is a companion program from Symantec. It monitors program behaviour to decide whether something is malicious, and then blocks and removes it.
Operating system: Windows XP SP3
Software under test: NORTON AntiBot 1.1.851
Virus: one flash-drive (USB stick) virus
One USB virus
NORTON ANTIBOT main screen
After the virus was run, NORTON ANTIBOT reported that a new threat had been detected; after choosing Quarantine it asked whether I agreed to remove it.
Threat removal screen (this takes a few minutes, which is rather long)
A reboot is required after removal
This is the content of the flash-drive virus's autorun file
Analysis of the virus's behaviour by Norman
[ DetectionInfo ]
* Sandbox name: AutoRun.WF.dropper
* Signature name: W32/Packed_FSG.D
* Compressed: YES
* TLS hooks: YES
* Executable type: Application
* Executable file structure: OK
* Filetype: PE_I386
[ General information ]
* File might be compressed.
* Decompressing Unk3!FSG?.
* File length: 32489 bytes.
* MD5 hash: e5dc743c8dff551ae85d271aa4f609
[ Changes to filesystem ]
* Deletes file C:\Program Files\Common Files\System\yyjnldu.exe.
* Deletes file C:\Program Files\Common Files\Microsoft Shared\xnxlufi.exe.
* Deletes directory C:\Program Files\Common Files\System\yyjnldu.exe.
* Deletes directory C:\Program Files\Common Files\Microsoft Shared\xnxlufi.exe.
* Creates file C:\Program Files\Common Files\System\yyjnldu.exe.
* Creates file C:\Program Files\Common Files\Microsoft Shared\xnxlufi.exe.
[ Changes to registry ]
* Accesses Registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "mhlclyg" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "nhbivui" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Attempts to access service "wscsvc".
* Attempts to access service "helpsvc".
* Attempts to access service "wuauserv".
* Attempts to access service "SharedAccess".
[ Signature Scanning ]
* C:\Program Files\Common Files\System\yyjnldu.exe (32489 bytes) : AutoRun.WF.
* C:\Program Files\Common Files\Microsoft Shared\xnxlufi.exe (32489 bytes) : AutoRun.WF.
(C) 2004-2006 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
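The Norman report above lists the behaviours a responder cares about: files dropped under Common Files, Run-key persistence, a look at Image File Execution Options, and access to the XP Security Center, Help, Automatic Updates and Firewall services. The following added example (not from the original post or from Norman) parses that "[ Section ]" / "* item" layout and turns it into a triage summary; the REPORT text is a constructed re-typing of the lines shown above.

```python
import re

# Constructed re-typing of the Norman report quoted above (sample input, not a live capture).
REPORT = r"""[ Changes to filesystem ]
* Creates file C:\Program Files\Common Files\System\yyjnldu.exe.
* Creates file C:\Program Files\Common Files\Microsoft Shared\xnxlufi.exe.
[ Changes to registry ]
* Accesses Registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "mhlclyg" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "nhbivui" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Attempts to access service "wscsvc".
* Attempts to access service "helpsvc".
* Attempts to access service "wuauserv".
* Attempts to access service "SharedAccess".
"""

# XP services that worms disable to blind the user: Security Center, Help and Support
# (hosts the Security Center UI), Automatic Updates, Windows Firewall/ICS.
SECURITY_SERVICES = {"wscsvc", "helpsvc", "wuauserv", "SharedAccess"}

def parse_report(text):
    """Map each '[ Section ]' heading to its '* ' bullets, trailing period stripped."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.fullmatch(r"\[ (.+?) \]", line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith("* ") and current is not None:
            sections[current].append(line[2:].rstrip("."))
    return sections

def triage(text):
    """Extract what a responder acts on: dropped files, Run-key persistence,
    IFEO access (debugger-hijack potential) and security-service tampering."""
    s = parse_report(text)
    reg = "\n".join(s.get("Changes to registry", []))
    proc = "\n".join(s.get("Process/window information", []))
    findings = {
        "dropped_files": [b[len("Creates file "):] for b in s.get("Changes to filesystem", []) if b.startswith("Creates file ")],
        "run_values": re.findall(r'value "([^"]+)" in key "[^"]*\\CurrentVersion\\Run"', reg),
        "ifeo_access": "Image File Execution Options" in reg,
        "security_services": [v for v in re.findall(r'access service "([^"]+)"', proc) if v in SECURITY_SERVICES],
    }
    # One point per persistence/evasion behaviour seen; 3 or more means treat as active malware.
    findings["risk"] = sum(bool(findings[k]) for k in ("dropped_files", "run_values", "ifeo_access", "security_services"))
    return findings
```

The dropped paths and Run-key value names are what to check on other machines the same flash drive was plugged into.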