Trojan.Win32.Ecode.ee / Trojan-Dropper.Win32.Flystud.ko that turns folders into files
Original: endurer
1st edition
Recently a friend's computer became very slow and showed a strange symptom: every folder on the USB flash drive had turned into a file. He asked me to take a look.
I downloaded the pe_xscan scan log and analyzed it. The following suspicious items were found (process and module sections omitted):
Pe_xscan 09-04-28 by Purple endurer
Windows XP Service Pack 2 (5.1.2600)
MSIE: 7.0.5730.11
Administrator user group
Normal Mode
O4-HKLM/../run: [eb1b66] C:/Windows/system32/3d98fc/eb1b66.exe
O4-startup: eb1b66.lnk -> C:/Windows/system32/3d98fc/eb1b66.exe
Compared with earlier logs:
Yet another new .exe name? Previously it was ms-dos.com, fonts.exe, default.exe, helphost.com, etc.
Http://blog.csdn.net/Purpleendurer/archive/2009/02/23/3929716.aspx
Perhaps the USB flash drive immunization feature of Kaka Security Assistant was at work.
Download bat_do and fileinfo from http://purpleendurer.ys168.com.
Use fileinfo to extract the file information, then use bat_do to pack the file into a backup archive and delete it.
Use IceSword to terminate the eb1b66.exe process and forcibly delete the file.
Use Kaka Security Assistant to clear the virus startup items.
Use WinRAR to browse the USB flash drive: the original folders still exist, but they have been hidden. Use the attrib command to remove the hidden and system attributes from these folders.
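The cleanup above is done by hand with attrib. As an added example (not the author's bat_do/fileinfo tools), this script applies the same logic to a drive listing: it flags every hidden+system folder that has a same-named .exe decoy beside it and emits the del/attrib commands that undo the trick. The attribute constants are the documented Windows FILE_ATTRIBUTE_HIDDEN/SYSTEM values; the sample listing is constructed.

```python
import os
from dataclasses import dataclass

# Documented Windows attribute bits: FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM
HIDDEN = 0x2
SYSTEM = 0x4


@dataclass
class Entry:
    name: str
    is_dir: bool
    attrs: int  # Windows file attribute bits; 0 when unknown


def list_entries(root):
    """Read a real directory. st_file_attributes is only populated on Windows;
    elsewhere attrs stays 0 and nothing is flagged."""
    out = []
    for e in os.scandir(root):
        st = e.stat(follow_symlinks=False)
        out.append(Entry(e.name, e.is_dir(follow_symlinks=False),
                         getattr(st, "st_file_attributes", 0)))
    return out


def find_shadowed_folders(entries):
    """Return (exe_name, folder_name) for each hidden+system folder that has an
    .exe of the same base name next to it: the 'folder became a file' symptom."""
    dirs = {e.name.lower(): e for e in entries if e.is_dir}
    hits = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".exe"):
            continue
        folder = dirs.get(e.name[:-4].lower())
        if folder and folder.attrs & HIDDEN and folder.attrs & SYSTEM:
            hits.append((e.name, folder.name))
    return sorted(hits)


def cleanup_commands(drive, hits):
    """cmd.exe lines mirroring the manual steps: delete the decoy (back it up
    first), then strip hidden/system so the real folder reappears."""
    cmds = []
    for exe, folder in hits:
        cmds.append(f'del /f /a "{drive}\\{exe}"')
        cmds.append(f'attrib -s -h "{drive}\\{folder}"')
    return cmds


# Constructed sample listing of an infected USB stick (not data from the log above)
SAMPLE = [
    Entry("Photos", True, HIDDEN | SYSTEM), Entry("Photos.exe", False, 0),
    Entry("Work", True, HIDDEN | SYSTEM), Entry("Work.exe", False, 0),
    Entry("Notes", True, 0), Entry("setup.exe", False, 0),  # benign, no pair
]

if __name__ == "__main__":
    for cmd in cleanup_commands("E:", find_shadowed_folders(SAMPLE)):
        print(cmd)
```

Run it against a real stick with `list_entries("E:\\")` on Windows; review the printed commands before executing them.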
Attachment: virus file information:
File: C:/Windows/system32/3d98fc/eb1b66.exe
Attributes: -SHR
Digital signature: no
PE file: yes
An error occurred while obtaining the file version information!
Created: 10:35:16
Modified: 10:35:16
Size: 1403113 bytes (1.346 MB)
MD5: 0c7cc2b1b82cae03e9a25f14faf9e4ea
SHA1: 20171469d96de77ea526350ca9fe4d61ef2708e2a
CRC32: f33b77ec
File eb1b66.EXE received at 05:19:26 (CET)
Antivirus engine | Version | Last update | Scan result
a-squared | 4.0.0.101 | 2009.04.29 | Trojan.Peed!IK
AhnLab-V3 | 5.0.0.2 | 2009.04.28 | -
AntiVir | 7.9.0.156 | 2009.04.28 | TR/Dropper.Gen
Antiy-AVL | 2.0.3.1 | 2009.04.28 | -
Authentium | 5.1.2.4 | 2009.04.27 | W32/NUJ.A.Gen!Eldorado
Avast | 4.8.1335.0 | 2009.04.28 | -
AVG | 8.5.0.287 | 2009.04.28 | -
BitDefender | 7.2 | 2009.04.29 | Dropped:Trojan.Peed.Gen
CAT-QuickHeal | 10.00 | 2009.04.28 | Win32.Trojan-Dropper.Flystud.ko.5.pack
ClamAV | 0.94.1 | 2009.04.28 | -
Comodo | 1140 | 2009.04.28 | -
DrWeb | 4.44.0.09170 | 2009.04.29 | -
eSafe | 7.0.20. | 2009.04.27 | -
eTrust-Vet | 31.6.6480 | 2009.04.28 | -
F-Prot | 4.4.4.56 | 2009.04.27 | W32/NUJ.A.Gen!Eldorado
F-Secure | 8.0.14470.0 | 2009.04.29 | Trojan-Dropper.Win32.Flystud.ko
Fortinet | 3.117.0.0 | 2009.04.29 | -
GData | 19 | 2009.04.29 | Dropped:Trojan.Peed.Gen
Ikarus | T3.1.1.49.0 | 2009.04.29 | Trojan.Peed
K7AntiVirus | 7.10.717 | 2009.04.27 | Trojan-Dropper.Win32.Flystud.ko
Kaspersky | 7.0.0.125 | 2009.04.29 | Trojan-Dropper.Win32.Flystud.ko
McAfee | 5599 | 2009.04.28 | W32/Autorun.worm.ev
McAfee+Artemis | 5599 | 2009.04.28 | W32/Autorun.worm.ev
McAfee-GW-Edition | 6.7.6 | 2009.04.29 | Trojan.Dropper.Gen
Microsoft | 1.4602 | 2009.04.28 | Backdoor:Win32/FlyAgent.F
NOD32 | 4041 | 2009.04.28 | -
Norman | 6.00.06 | 2009.04.28 | -
nProtect | 2009.1.8.0 | 2009.04.28 | Trojan-Dropper/W32.FlyStudio.1403113
Panda | 10.0.0.14 | 2009.04.28 | -
PCTools | 4.4.2.0 | 2009.04.28 | -
Prevx1 | 3.0 | 2009.04.29 | -
Rising | 21.27.000000 | 2009.04.29 | Trojan.Win32.Ecode.ee
Sophos | 4.41.0 | 2009.04.29 | Mal/EncPk-GF
Sunbelt | 3.2.1858.2 | 2009.04.28 | -
Symantec | 1.4.4.12 | 2009.04.29 | -
TheHacker | 6.3.4.1.315 | 2009.04.28 | Trojan/Dropper.flystud.ko
TrendMicro | 8.700.0.1004 | 2009.04.28 | -
VBA32 | 3.12.10.3 | 2009.04.29 | Trojan-Dropper.Win32.Flystud.ko
ViRobot | 2009.4.29.1713 | 2009.04.29 | -
VirusBuster | 4.6.5.0 | 2009.04.28 | -
Additional information
File size: 1403113 bytes
MD5: 0c7cc2b1b82cae03e9a25f14faf9e4ea
SHA1: 20171469d96de77ea526350ca9fe4d61ef2708e2a
Sha256: sha256 |
Sha512: sha512 E3772b2a89fe58267eda1d73d46d229b83731d5ea861716f18561fc940472606 |
Ssdeep: 24576: lrylsjdvwrhuw9ly4s6dhqmjiwy0beaq6j1ku + tpdfpgph/6 cxmsabhaje Jpruys: bylszvwlldlam2wy0qajb + TQ/rxshaq + |
PEiD: -
TrID (file type identification):
  Win32 Executable MS Visual C++ (generic) (62.9%)
  Win32 Executable Generic (14.2%)
  Win32 Dynamic Link Library (generic) (0, 12.6%)
  Clipper DOS Executable (3.3%)
  Generic Win/DOS Executable (3.3%)
PEInfo: PE structure information
  (base data)
  Entry point address: 0x1196
  Time/date stamp: 0x59bffa3 (Mon Dec 25 05:33:23 1972)
  Machine type: 0x14c (i386)
  (5 sections)
  Name    VirtAddr  VirtSize  RawSize  Entropy  MD5
  .Text   0x1000    0x51ec    0x6000   7.00     670e499c5b780a8681954f88d5fd72b6
  .RDATA  0x7000    0xa4a     0x1000   3.58     running b7ce38d0c4c17f01e370dc697df5b (hash garbled in the source)
  .DATA   0x8000    0x1f58    0x2000   4.61     3c091462b8b46c0a497bde20c727eec4
  .Data   0xa000    0x22000   0x22000  7.82     61731cd337d924e0b4c229312caf0aae
  .Rsrc   0x2c000   0x45b0    0x5000   4.33     2848a5a5ec1e2ae2bba1498f6767692d
  (2 imports)
  > Metadata (DLL name garbled in the source): delimiter, loadlibrarya, closehandle, writefile, createdirectorya, gettemppatha, readfile, setfilepointer, createfilea, delimiter, heapalloc, heapfree, delimiter, delimiter, getcommandlinea, getversion, exitprocess, commit, heapcreate, virtualfree, virtualalloc, heaprealloc, terminateprocess, getcurrentprocess, partial, sethandlecount, getstdhandle, getfiletype, rtlunwind, getcpinfo, getacp, getoemcp, multibytetowidechar, getstringtypew
  > User32.dll: messageboxa, wsprintfa
  (0 exports)
Upload ID: -
RDS (NSRL reference data set): -
Packers (Kaspersky): PE-Crypt.CF