Trojan.Win32.ECode.ee / Trojan-Dropper.Win32.Flystud.ko that turns folders into files



 

Original work by endurer
1st

 

Recently a friend's computer became very slow and showed a strange symptom: every folder on the USB flash drive had turned into a file. I was asked to take a look.
 

I downloaded the pe_xscan scan log and analyzed it. The following suspicious items were found (process and module sections omitted):

pe_xscan 09-04-28 by Purple endurer

Windows XP Service Pack 2 (5.1.2600)
MSIE: 7.0.5730.11
Administrator user group
Normal mode

O4-HKLM\..\Run: [eb1b66] C:\Windows\system32\3d98fc\eb1b66.exe
O4-Startup: eb1b66.lnk -> C:\Windows\system32\3d98fc\eb1b66.exe

Log comparison:

A new .exe tail? It turned out to be ms-dos.com, fonts.exe, default.exe, helphost.com, etc.
http://blog.csdn.net/Purpleendurer/archive/2009/02/23/3929716.aspx
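The two O4 entries above are the whole persistence story: the same binary is started both from the HKLM Run key and from the Startup folder, and the file and its parent directory both carry six-digit hex names. The script below is an added triage example (Python); it is not part of the original post or of pe_xscan. It parses O4 lines in the notation used above (the exact pe_xscan line format is assumed from those two lines), and the sample log, including the two benign entries, is constructed. The hex-name test is a triage heuristic, not a signature: a clean machine can carry such names, and malware can use any name.

```python
"""Triage of O4 (autostart) lines from a pe_xscan / HijackThis-style log.
Added example, not part of the original post or of pe_xscan."""
import re
from collections import defaultdict

# Constructed sample: the two lines from the log above plus two benign entries.
# The exact pe_xscan line format is assumed from those two lines.
SAMPLE_LOG = """\
O4-HKLM\\..\\Run: [eb1b66] C:\\Windows\\system32\\3d98fc\\eb1b66.exe
O4-Startup: eb1b66.lnk -> C:\\Windows\\system32\\3d98fc\\eb1b66.exe
O4-HKLM\\..\\Run: [ctfmon] C:\\WINDOWS\\system32\\ctfmon.exe
O4-HKCU\\..\\Run: [Updater] "C:\\Program Files\\Vendor\\update.exe" /quiet
"""

O4_RE = re.compile(r"^O4-(?P<where>[^:]+):\s*(?:\[(?P<name>[^\]]*)\]|(?P<lnk>\S+?)\s*->)\s*(?P<cmd>.+?)\s*$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|com|scr|pif|bat|cmd))"?', re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.I)  # "random-looking" = six or more hex digits (heuristic)


def parse_o4(line):
    """Split an O4 line into location, entry name, command and lower-cased target path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.search(m["cmd"])
    return {"where": m["where"], "name": m["name"] or m["lnk"], "cmd": m["cmd"],
            "target": exe["path"].lower() if exe else None}


def suspicious_reasons(entry):
    """Heuristics on a single entry; an empty list means nothing stood out."""
    reasons = []
    if not entry["target"]:
        return reasons
    parts = entry["target"].split("\\")
    exe = parts[-1]
    if HEX_NAME.match(exe.rsplit(".", 1)[0]):
        reasons.append(f"binary name {exe!r} looks like random hex")
    if "system32" in parts:
        for d in parts[parts.index("system32") + 1:-1]:
            if HEX_NAME.match(d):
                reasons.append(f"runs from hex-named system32 subdirectory {d!r}")
    return reasons


def triage(log_text):
    """Return [(command, [reasons])] for the entries worth a look."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    locations = defaultdict(set)
    for e in entries:
        if e["target"]:
            locations[e["target"]].add(e["where"])
    report = []
    for e in entries:
        reasons = suspicious_reasons(e)
        n = len(locations.get(e["target"], ()))
        if n > 1:  # same binary registered in several autostart places (Run key + Startup folder here)
            reasons.append(f"same binary started from {n} autostart locations")
        if reasons:
            report.append((e["cmd"], reasons))
    return report


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_LOG):
        print(cmd)
        for r in reasons:
            print("   -", r)
```

Run it against a saved log with `triage(open("scan.log").read())`; only entries with at least one reason are reported, so the ctfmon and Updater lines in the sample stay silent.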

 

Perhaps the USB flash drive immunization feature of Kaka Security Assistant was doing its job.

 

Download bat_do and fileinfo from http://purpleendurer.ys168.com.

Use fileinfo to extract the file's information, then use bat_do to pack a backup of the file and delete it.

 
Use IceSword to terminate the eb1b66.exe process and force-delete the file.

 

Use Kaka Security Assistant to remove the virus's startup items.

 

Browsing the USB flash drive with WinRAR shows that the original folders still exist but are hidden. Use the attrib command to remove the hidden and system attributes from these folders.
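What the attrib step repairs, as an added example (Python, not the author's tools): from the symptom described above, the dropper is assumed to have set Hidden and System on each real folder and left a same-named executable beside it. The script pairs those up from a directory listing, prints the attrib commands that undo the hiding (or applies them on Windows with --apply), and lists the impostor files so they can be backed up with bat_do and deleted; it deletes nothing itself. The listing in constructed_listing() is made up for the demonstration; IMPOSTOR_EXTS and the requirement that a folder carry both Hidden and System are my assumptions.

```python
"""Undo a folder-hiding USB dropper: pair hidden+system folders with same-named
executables and emit/apply the attrib fix. Added example, not the author's tools."""
import ntpath
import os
import stat
import sys
from dataclasses import dataclass

# attrib -s -h clears exactly these two bits
HIDE_MASK = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
# assumed impostor extensions; the page only says folders "turned into files"
IMPOSTOR_EXTS = {".exe", ".com", ".scr", ".pif"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    attrs: int  # Win32 file attribute bits (stat.FILE_ATTRIBUTE_*)


def plan_recovery(entries):
    """Return (folders to unhide, impostor files) from one directory's listing.

    A folder counts only if it carries BOTH Hidden and System (my assumption, so
    that a user's ordinary hidden folder is left alone); names compare
    case-insensitively as on FAT/NTFS.
    """
    hidden = {e.name.lower(): e.name for e in entries
              if e.is_dir and (e.attrs & HIDE_MASK) == HIDE_MASK}
    impostors = []
    for e in entries:
        base, ext = os.path.splitext(e.name)
        if not e.is_dir and ext.lower() in IMPOSTOR_EXTS and base.lower() in hidden:
            impostors.append(e.name)
    return sorted(hidden.values()), sorted(impostors)


def scan(root):
    """Listing of a real directory; attribute bits are only populated on Windows."""
    with os.scandir(root) as it:
        return [Entry(d.name, d.is_dir(follow_symlinks=False),
                      getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0))
                for d in it]


def apply_recovery(root, folders, dry_run=True):
    """Clear Hidden+System on each folder (what 'attrib -s -h' does).

    A dry run (and any non-Windows host) returns the equivalent attrib commands;
    otherwise the bits are cleared through SetFileAttributesW and the fixed
    paths are returned. Impostor files are deliberately NOT touched here.
    """
    paths = [ntpath.join(root, name) for name in folders]
    if dry_run or not sys.platform.startswith("win"):
        return [f'attrib -s -h "{p}"' for p in paths]
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetFileAttributesW.restype = ctypes.c_uint32
    for p in paths:
        cur = k32.GetFileAttributesW(p)
        if cur == 0xFFFFFFFF or not k32.SetFileAttributesW(p, cur & ~HIDE_MASK):
            raise ctypes.WinError()
    return paths


def constructed_listing():
    """Made-up root listing of an infected drive (constructed sample data)."""
    D, H, S, A = (stat.FILE_ATTRIBUTE_DIRECTORY, stat.FILE_ATTRIBUTE_HIDDEN,
                  stat.FILE_ATTRIBUTE_SYSTEM, stat.FILE_ATTRIBUTE_ARCHIVE)
    return [
        Entry("Photos", True, D | H | S),        # real folder, hidden by the dropper
        Entry("Photos.exe", False, A),           # impostor wearing the folder's name
        Entry("Work", True, D | H | S),
        Entry("WORK.exe", False, A),             # case differs, still the same name
        Entry("Private", True, D | H),           # user-hidden, not System: leave alone
        Entry("Docs", True, D),                  # untouched folder
        Entry("setup.exe", False, A),            # ordinary file, no folder of that name
        Entry("autorun.inf", False, A | H | S),  # hidden system file, but not a folder impostor
    ]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 and not sys.argv[1].startswith("--") else None
    entries = scan(root) if root else constructed_listing()
    folders, impostors = plan_recovery(entries)
    print("folders to unhide:", folders)
    print("impostor files (back up, e.g. with bat_do, then delete):", impostors)
    for line in apply_recovery(root or "X:\\", folders, dry_run="--apply" not in sys.argv):
        print(line)
```

Run `python recover.py X:\` on the infected drive for the dry run and add `--apply` once the impostor list looks right; the same-named executables are only reported, because the page's own procedure backs them up first and then deletes them.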

 

 

Attachment: virus file information:

File: C:\Windows\system32\3d98fc\eb1b66.exe
Attributes: -SHR
Digital signature: no
PE file: yes
Error while reading the file version information!
Created: 10:35:16
Modified: 10:35:16
Size: 1403113 bytes (about 1.34 MB)
MD5: 0c7cc2b1b82cae03e9a25f14faf9e4ea
SHA1: 20171469d96de77ea526350ca9fe4d61ef2708e2a
CRC32: f33b77ec

File eb1b66.EXE received at 05:19:26 (CET)

Antivirus          Version          Last update   Result
a-squared          4.0.0.101        2009.04.29    Trojan.Peed!IK
AhnLab-V3          5.0.0.2          2009.04.28    -
AntiVir            7.9.0.156        2009.04.28    TR/Dropper.Gen
Antiy-AVL          2.0.3.1          2009.04.28    -
Authentium         5.1.2.4          2009.04.27    W32/NUJ.A.gen!Eldorado
Avast              4.8.1335.0       2009.04.28    -
AVG                8.5.0.287        2009.04.28    -
BitDefender        7.2              2009.04.29    Dropped:Trojan.Peed.Gen
CAT-QuickHeal      10.00            2009.04.28    Win32.Trojan-Dropper.Flystud.ko.5.pack
ClamAV             0.94.1           2009.04.28    -
Comodo             1140             2009.04.28    -
DrWeb              4.44.0.09170     2009.04.29    -
eSafe              7.0.20.          2009.04.27    -
eTrust-Vet         31.6.6480        2009.04.28    -
F-Prot             4.4.4.56         2009.04.27    W32/NUJ.A.gen!Eldorado
F-Secure           8.0.14470.0      2009.04.29    Trojan-Dropper.Win32.Flystud.ko
Fortinet           3.117.0.0        2009.04.29    -
GData              19               2009.04.29    Dropped:Trojan.Peed.Gen
Ikarus             T3.1.1.49.0      2009.04.29    Trojan.Peed
K7AntiVirus        7.10.717         2009.04.27    Trojan-Dropper.Win32.Flystud.ko
Kaspersky          7.0.0.125        2009.04.29    Trojan-Dropper.Win32.Flystud.ko
McAfee             5599             2009.04.28    W32/Autorun.worm.ev
McAfee+Artemis     5599             2009.04.28    W32/Autorun.worm.ev
McAfee-GW-Edition  6.7.6            2009.04.29    Trojan.Dropper.Gen
Microsoft          1.4602           2009.04.28    Backdoor:Win32/FlyAgent.F
NOD32              4041             2009.04.28    -
Norman             6.00.06          2009.04.28    -
nProtect           2009.1.8.0       2009.04.28    Trojan-Dropper/W32.FlyStudio.1403113
Panda              10.0.0.14        2009.04.28    -
PCTools            4.4.2.0          2009.04.28    -
Prevx1             3.0              2009.04.29    -
Rising             21.27.000000     2009.04.29    Trojan.Win32.ECode.ee
Sophos             4.41.0           2009.04.29    Mal/EncPk-GF
Sunbelt            3.2.1858.2       2009.04.28    -
Symantec           1.4.4.12         2009.04.29    -
TheHacker          6.3.4.1.315      2009.04.28    Trojan/Dropper.Flystud.ko
TrendMicro         8.700.0.1004     2009.04.28    -
VBA32              3.12.10.3        2009.04.29    Trojan-Dropper.Win32.Flystud.ko
ViRobot            2009.4.29.1713   2009.04.29    -
VirusBuster        4.6.5.0          2009.04.28    -
Additional information
File size: 1403113 bytes
MD5: 0c7cc2b1b82cae03e9a25f14faf9e4ea
SHA1: 20171469d96de77ea526350ca9fe4d61ef2708e2a
SHA256: e3772b2a89fe58267eda1d73d46d229b83731d5ea861716f18561fc940472606
ssdeep: 24576:lrylsjdvwrhuw9ly4s6dhqmjiwy0beaq6j1ku+tpdfpgph/6cxmsabhajejpruys:bylszvwlldlam2wy0qajb+TQ/rxshaq+
PEiD: -
TrID: file type identification
  Win32 Executable MS Visual C++ (generic) (62.9%)
  Win32 Executable Generic (14.2%)
  Win32 Dynamic Link Library (generic) (12.6%)
  Clipper DOS Executable (3.3%)
  Generic Win/DOS Executable (3.3%)
PEInfo: PE structure information

(base data)
EntryPointAddress: 0x1196
TimeDateStamp:     0x59bffa3 (Mon Dec 25 05:33:23 1972)
MachineType:       0x14c (i386)

(5 sections)
Name    VirtAddr  VirtSize  RawSize  Entropy  MD5
.text   0x1000    0x51ec    0x6000   7.00     670e499c5b780a8681954f88d5fd72b6
.RDATA  0x7000    0xa4a     0x1000   3.58     running b7ce38d0c4c17f01e370dc697df5b
.DATA   0x8000    0x1f58    0x2000   4.61     3c091462b8b46c0a497bde20c727eec4
.data   0xa000    0x22000   0x22000  7.82     61731cd337d924e0b4c229312caf0aae
.rsrc   0x2c000   0x45b0    0x5000   4.33     2848a5a5ec1e2ae2bba1498f6767692d

(2 imports)
> KERNEL32.dll: delimiter, LoadLibraryA, CloseHandle, WriteFile, CreateDirectoryA, GetTempPathA, ReadFile, SetFilePointer, CreateFileA, delimiter, HeapAlloc, HeapFree, delimiter, delimiter, GetCommandLineA, GetVersion, ExitProcess, commit, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, TerminateProcess, GetCurrentProcess, partial, SetHandleCount, GetStdHandle, GetFileType, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, MultiByteToWideChar, GetStringTypeW
> USER32.dll: MessageBoxA, wsprintfA

(0 exports)

Upload ID: -
RDS: NSRL reference data set
-
Packers (Kaspersky): PE-Crypt.CF
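Two things in the section table deserve a check. The .data section at 0xa000 (0x22000 bytes, entropy 7.82) and even .text (7.00) are well above what ordinary compiled code shows, which fits Kaspersky's PE-Crypt.CF packer verdict and explains why TrID still sees only an MSVC stub; and a TimeDateStamp of 1972 is not a plausible link time for a binary that imports Win32 APIs. (Note also that the SHA-1 as reproduced on this page is 41 hex digits long, so only the MD5 and SHA-256 can be used for lookups.) The script below is an added example, not from the original post or from the VirusTotal tooling: it parses the section headers of a PE32 file, computes the Shannon entropy of each section's raw bytes (the Entropy column above), flags sections at or above 7.0 bits per byte, and marks the section that holds the entry point. build_sample_pe() constructs a minimal image with one low-entropy and one random section so the script runs offline; the 7.0 threshold is a common heuristic, not a standard.

```python
"""Per-section entropy check for a PE32 file (added example, not from the original post)."""
import math
import random
import struct
import sys
from collections import Counter

PACKED_THRESHOLD = 7.0  # heuristic: compressed/encrypted data sits near 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes):
    """Parse the IMAGE_SECTION_HEADER table of a PE image into dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size                           # first section header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rptr": rptr, "rsize": rsize})
    return sections


def entry_point_rva(data: bytes) -> int:
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint


def analyze(data: bytes):
    """One row per section: entropy, a packed flag, and whether it holds the entry point."""
    ep = entry_point_rva(data)
    rows = []
    for s in pe_sections(data):
        raw = data[s["rptr"]:s["rptr"] + s["rsize"]]
        ent = shannon_entropy(raw)
        rows.append({"name": s["name"], "vaddr": s["vaddr"], "entropy": round(ent, 2),
                     "packed": ent >= PACKED_THRESHOLD,
                     "entry": s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rsize"])})
    return rows


def build_sample_pe(seed: int = 1) -> bytes:
    """Constructed minimal PE32: a low-entropy .text and a random (looks encrypted) .data."""
    rng = random.Random(seed)
    text = bytes([0x90, 0xC3] * 2048)                        # NOP/RET pattern: 1 bit/byte
    data = bytes(rng.getrandbits(8) for _ in range(4096))    # pseudo-random: about 7.95 bits/byte
    pe_off, opt_size = 0x80, 224                             # PE32 optional header size
    text_ptr, data_ptr = 0x400, 0x1400
    img = bytearray(data_ptr + len(data))
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    struct.pack_into("<HHIIIHH", img, pe_off + 4, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = pe_off + 24
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1010)            # AddressOfEntryPoint inside .text
    sec = opt + opt_size
    struct.pack_into("<8sIIII", img, sec, b".text", len(text), 0x1000, len(text), text_ptr)
    struct.pack_into("<8sIIII", img, sec + 40, b".data", len(data), 0x2000, len(data), data_ptr)
    img[text_ptr:text_ptr + len(text)] = text
    img[data_ptr:data_ptr + len(data)] = data
    return bytes(img)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(f"{'Name':8} {'VirtAddr':>9} {'Entropy':>7}  flags")
    for r in analyze(blob):
        flags = ("PACKED? " if r["packed"] else "") + ("ENTRY" if r["entry"] else "")
        print(f"{r['name']:8} {r['vaddr']:#9x} {r['entropy']:7.2f}  {flags}")
```

Run it with the sample's path as the argument to reproduce the Entropy column; with no argument it analyzes the constructed image. Section entropy uses the raw bytes on disk (PointerToRawData/SizeOfRawData), so a section whose raw size is zero reports 0.0, and the entry-point test uses the larger of virtual and raw size so a packer stub whose VirtualSize is understated is still attributed to its section.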
