Moreover, it may not infect the system on every execution; sometimes it simply terminates itself without infecting anything!
Running the sample under KIS 8, KIS 8 appeared to block process creation or modification and to block the malicious behaviour as well, but in reality the virus had already infected every *.exe executable on the system.
After a while, the only thing left uninfected on the system was KIS 8 itself; every other executable had been infected by the virus!
KIS 8 Report:
2008/6/9 U 10:12:22 Placed in group Low Restricted
2008/6/9 U 10:13:52 C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\AVP.EXE Detected: Trojan.generic
2008/6/9 U 10:13:52 C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\AVP.EXE Detected: Trojan.generic
2008/6/9 U 10:13:52 C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\AVP.EXE Detected: Trojan.generic
2008/6/9 U 10:13:53 C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\AVP.EXE Not completed: Trojan.generic
2008/6/9 U 10:13:53 C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\AVP.EXE Cannot be quarantined: Trojan.generic
2008/6/9 U 10:13:53 C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\AVP.EXE Detected: Worm.P2P.generic
2008/6/9 U 10:13:53 C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\AVP.EXE Not completed: Worm.P2P.generic
2008/6/9 U 10:13:53 C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\AVP.EXE Cannot be quarantined: Worm.P2P.generic
2008/6/9 U 10:13:37 Create C:\WINDOWS\CCTV.exe Denied: KLSystemData/KLSystemFiles/SystemExe
2008/6/9 U 10:14:58 Create C:\WINDOWS\CCTV.exe Denied: KLSystemData/KLSystemFiles/SystemExe
2008/6/9 U 10:16:17 Create C:\WINDOWS\CCTV.exe Denied: KLSystemData/KLSystemFiles/SystemExe
2008/6/9 U 10:17:46 Create C:\WINDOWS\CCTV.exe Denied: KLSystemData/KLSystemFiles/SystemExe
Based on the test experience I have accumulated, I did not believe KIS 8 could fail to stop this sample, because on analysis its behaviour showed nothing particularly remarkable!
So I brought out KIS 7 to run the sample. The first few steps were no different from KIS 8, and some of the behaviour did indeed get past AD
KIS 7 Report:
2008/6/9 ¤U¤È 11:20:28 C:\WINDOWS\CCTV.exe Process seems to be a P2P worm.
2008/6/9 ¤U¤È 11:20:28 C:\WINDOWS\CCTV.exe Attempt to terminate process
2008/6/9 ¤U¤È 11:20:42 C:\WINDOWS\CCTV.exe Attempt to terminate process: successfully
2008/6/9 ¤U¤È 11:20:28 C:\WINDOWS\CCTV.exe Error placing C:\WINDOWS\CCTV.exe in quarantine (access denied or object not found)
2008/6/9 ¤U¤È 11:20:59 C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe Rollback
2008/6/9 ¤U¤È 11:20:59 C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe Rollback
2008/6/9 ¤U¤È 11:20:59 C:\Program Files\Common Files\InstallShield\Professional\RunTime701\Intel32\DotNetInstaller.exe Rollback
2008/6/9 ¤U¤È 11:20:59 C:\Documents and Settings\Administrator\®à±\·P®¦£².exe Rollback
2008/6/9 ¤U¤È 11:20:59 C:\Documents and Settings\Administrator\®à±\©¯ºÖ³á.exe Rollback
2008/6/9 ¤U¤È 11:20:59 C:\Documents and Settings\Administrator\®à±\avp.exe Rollback: error code 20000050
2008/6/9 ¤U¤È 11:20:59 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFCB95.tmp Rollback
2008/6/9 ¤U¤È 11:20:28 C:\WINDOWS\CCTV.exe Rollback completed
2008/6/9 ¤U¤È 11:21:08 C:\Documents and Settings\Administrator\®à±\avp.exe Process seems to be a P2P worm.
2008/6/9 ¤U¤È 11:21:08 C:\Documents and Settings\Administrator\®à±\avp.exe Attempt to terminate process
2008/6/9 ¤U¤È 11:21:12 C:\Documents and Settings\Administrator\®à±\avp.exe Attempt to terminate process: successfully
2008/6/9 ¤U¤È 11:21:08 C:\Documents and Settings\Administrator\®à±\avp.exe C:\Documents and Settings\Administrator\®à±\avp.exe quarantined.
2008/6/9 ¤U¤È 11:21:14 C:\Program Files\Common Files\InstallShield\Professional\RunTime701\Intel32\DotNetInstaller.exe Rollback
2008/6/9 ¤U¤È 11:21:14 C:\Documents and Settings\Administrator\®à±\·P®¦£².exe Rollback
2008/6/9 ¤U¤È 11:21:14 C:\Documents and Settings\Administrator\®à±\©¯ºÖ³á.exe Rollback
2008/6/9 ¤U¤È 11:21:14 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFEAE7.tmp Rollback
2008/6/9 ¤U¤È 11:21:08 C:\Documents and Settings\Administrator\®à±\avp.exe Rollback completed
and it infected "some" of the *.exe executables on the system, but the infection behaviour was still stopped afterwards, and once I cleared the SandBox every infected *.exe executable
was restored to its pre-infection state. Unfortunately, because of its policy choices, KIS 8 seems to have sacrificed something somewhere.
Even so, I still cannot tell whether this is a bug, because Kaspersky's people consider KIS 7's recovery method not to be a particularly good approach.
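Added here as an example that is not part of the original post and is not Kaspersky's code: a small Python script that hashes every *.exe before a sample run and again afterwards, so that claims such as "the files were infected" or "the files were rolled back" can be checked against the executables themselves instead of being read off the AV's report. The directory tree, the file contents and the modification it simulates are all constructed in a temporary directory; the file paths are borrowed from the two reports above.

```python
"""Baseline-and-compare integrity check for executables.

Added example, not part of the original post and not Kaspersky's code.
It shows how to check, independently of an antivirus report, whether the
executables on a system were modified during a sample run and whether a
later rollback actually restored them: hash every *.exe before the run,
hash again afterwards, and diff the two inventories. The directory tree
and file contents are constructed in a temp directory for the demonstration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path, pattern: str = "*.exe") -> dict[str, str]:
    """Map root-relative POSIX path -> SHA-256 for every file matching pattern."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in root.rglob(pattern)
        if p.is_file()
    }


def compare(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as modified, added, removed or unchanged."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "unchanged": sorted(k for k in before if k in after and before[k] == after[k]),
    }


# Constructed tree: a few executable paths taken from the post's reports,
# with made-up contents (these are not real PE files).
SAMPLE_FILES = {
    "Program Files/Common Files/Microsoft Shared/Speech/sapisvr.exe": b"MZ sapisvr",
    "Program Files/Common Files/Microsoft Shared/MSInfo/msinfo32.exe": b"MZ msinfo32",
    "Documents and Settings/Administrator/Desktop/avp.exe": b"MZ avp",
}


def demo() -> dict[str, dict[str, list[str]]]:
    """Run the check through the scenario described in the post:
    1. take a baseline of all *.exe files;
    2. simulate a run in which every executable except the AV's own binary is
       altered and a new file WINDOWS/CCTV.exe appears (the alteration is just
       appended bytes, standing in for whatever a file infector would change);
    3. simulate a rollback that puts the original bytes back and removes the
       dropped file, then diff again to confirm the restoration.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        before = inventory(root)

        # Step 2: modified executables plus a dropped file.
        for rel, data in SAMPLE_FILES.items():
            if not rel.endswith("avp.exe"):
                (root / rel).write_bytes(data + b" <appended marker>")
        dropped = root / "WINDOWS" / "CCTV.exe"
        dropped.parent.mkdir()
        dropped.write_bytes(b"MZ dropped")
        after_run = compare(before, inventory(root))

        # Step 3: rollback to the original contents.
        for rel, data in SAMPLE_FILES.items():
            (root / rel).write_bytes(data)
        dropped.unlink()
        after_rollback = compare(before, inventory(root))

    return {"after_run": after_run, "after_rollback": after_rollback}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase)
        for kind, paths in result.items():
            print(f"  {kind}: {paths}")
```

On a real test machine you would run `inventory()` against the system drive before executing the sample and again after the AV reports that it has blocked or rolled back the threat; the "modified" and "added" lists are what the AV report should be judged against, and an empty "modified" list after a rollback is the evidence that the restoration actually happened.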