[Virus] A mass false positive, or one vendor's false positive?

proll
2006-10-11, 01:46 PM
Most AVs report this sample as Viking.Y or a similar worm.
Panda previously reported it as a dialer... :|||: After I submitted it, the analysis result was as follows:
Dear customer:
After checking in our laboratory the message you submitted, we inform you it contains no virus. The detection was caused by a string coincidence.
The incidence is already solved in a Beta version of our Signature File (PAV.SIG), which you can download from the following URL:
http://www.pandasoftware.com/virus_info/disclaimer.htm

Best regards,
PandaLabs

proll
2006-10-11, 01:51 PM
Already submitted to kavlab for analysis :jump:

t105
2006-10-11, 01:59 PM
Antivirus software used: Norton AntiVirus 2005, NOD32 2.51.26, Avast! Professional 4.7.892.

Detailed scan results!

Norton AntiVirus 2005 result! Definitions 2006.10.10

File g0ld.com in C:\WINDOWS\Desktop\檔案下載掃毒區\g0ld.rar is infected with the W32.Looked.O virus.

NOD32 2.51.26 result! Definitions 2006.10.10

This object contains some harmful code.

Avast! Professional 4.7.892 result! Definitions 2006.10.10

C:\WINDOWS\Desktop\檔案下載掃毒區\g0ld.rar\g0ld.com\[Upack] virus/worm

This file is confirmed to contain a virus!

proll
2006-10-11, 02:18 PM
I have submitted the file to Panda lab once more; let's see what the result is this time :|||:

DarkSkyline
2006-10-11, 03:47 PM
AntiVir PersonalEdition Premium V7.02.00.45 found the "WORM/Viking.Y" virus~ :D

inutoneko
2006-10-11, 05:15 PM
Scanned by NORMAN Sandbox

[ DetectionInfo ]
* Sandbox name: W32/Suspicious_U.gen.dropper

[ General information ]
* Decompressing Upack?.
* **Locates window "RavMon.exe [class RavMonClass]" on desktop.
* File length: 32174 bytes.
* MD5 hash: a037c5946ef70ce826096d295e494f78.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\rundl132.exe.
* Deletes file c:\sample.exe.exe.
* Creates file C:\sample.exe.exe.
* Creates file C:\WINDOWS\Logo1_.exe.
* Deletes file C:\WINDOWS\TEMP\$$ab0091.bat.
* Creates file C:\WINDOWS\TEMP\$$ab0091.bat.

[ Process/window information ]
* Enumerates running processes.
* Enumerates running processes several parses....

[ Signature Scanning ]
* C:\WINDOWS\rundl132.exe (32174 bytes) : W32/Suspicious_U.gen.
* C:\WINDOWS\Logo1_.exe (1024 bytes) : no signature detection.
* C:\WINDOWS\TEMP\$$ab0091.bat (202 bytes) : no signature detection.

There is definitely something wrong with it :|||:
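The Norman Sandbox output quoted in the post above is plain text with bracketed section headers and `*` items, which makes it easy to turn into structured indicators for comparing against the other vendors' verdicts in this thread. The following is an added example written for this page, not code from the forum, from Norman or from any vendor. The report text is a copy of the one posted above; the section layout the parser expects and the three triage heuristics in `suspicious_reasons` are my own assumptions based on that single sample.

```python
"""Parse a Norman Sandbox text report into structured indicators (added example)."""
import re
from dataclasses import dataclass, field

# Copy of the report posted in the thread (hash and file names as shown there).
REPORT = r"""
[ DetectionInfo ]
* Sandbox name: W32/Suspicious_U.gen.dropper

[ General information ]
* Decompressing Upack?.
* **Locates window "RavMon.exe [class RavMonClass]" on desktop.
* File length: 32174 bytes.
* MD5 hash: a037c5946ef70ce826096d295e494f78.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\rundl132.exe.
* Deletes file c:\sample.exe.exe.
* Creates file C:\sample.exe.exe.
* Creates file C:\WINDOWS\Logo1_.exe.
* Deletes file C:\WINDOWS\TEMP\$$ab0091.bat.
* Creates file C:\WINDOWS\TEMP\$$ab0091.bat.

[ Process/window information ]
* Enumerates running processes.
* Enumerates running processes several parses....

[ Signature Scanning ]
* C:\WINDOWS\rundl132.exe (32174 bytes) : W32/Suspicious_U.gen.
* C:\WINDOWS\Logo1_.exe (1024 bytes) : no signature detection.
* C:\WINDOWS\TEMP\$$ab0091.bat (202 bytes) : no signature detection.
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")            # "[ Section name ]"
FS_RE = re.compile(r"^(Creates|Deletes) file (.+)$")      # filesystem events
SIG_RE = re.compile(r"^(.+?) \((\d+) bytes\) : (.+)$")    # "path (N bytes) : verdict"
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class SandboxReport:
    sandbox_name: str = ""
    md5: str = ""
    file_length: int = 0
    fs_events: list = field(default_factory=list)       # (action, path), report order
    signature_hits: dict = field(default_factory=dict)  # path -> detection name
    scanned_files: list = field(default_factory=list)   # every path Norman rescanned


def parse_norman_report(text: str) -> SandboxReport:
    """Walk the report line by line, tracking the current section (assumed layout)."""
    report = SandboxReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line.startswith("*"):
            continue
        item = line.lstrip("*").strip()
        if item.endswith("."):             # every Norman item ends with one period
            item = item[:-1]
        if section == "DetectionInfo" and item.startswith("Sandbox name:"):
            report.sandbox_name = item.split(":", 1)[1].strip()
        elif section == "General information":
            if item.startswith("MD5 hash:"):
                digest = item.split(":", 1)[1].strip().lower()
                if MD5_RE.match(digest):   # reject truncated or garbled hashes
                    report.md5 = digest
            elif item.startswith("File length:"):
                report.file_length = int(item.split(":", 1)[1].split()[0])
        elif section == "Changes to filesystem":
            m = FS_RE.match(item)
            if m:
                report.fs_events.append((m.group(1), m.group(2)))
        elif section == "Signature Scanning":
            m = SIG_RE.match(item)
            if m:
                path, name = m.group(1), m.group(3)
                report.scanned_files.append(path)
                if name != "no signature detection":
                    report.signature_hits[path] = name
    return report


def dropped_files(report: SandboxReport) -> list:
    """Paths whose last event was a create, i.e. files left behind when the run ended.
    Compared case-insensitively, as Windows paths are (c:\\sample.exe.exe above)."""
    final = {}
    for action, path in report.fs_events:
        final[path.lower()] = (action, path)
    return [path for action, path in final.values() if action == "Creates"]


def suspicious_reasons(report: SandboxReport) -> list:
    """Cheap triage heuristics to weigh before trusting any single vendor's verdict."""
    reasons = []
    if "dropper" in report.sandbox_name.lower():
        reasons.append("sandbox classified the sample as a dropper")
    win_drops = [p for p in dropped_files(report)
                 if p.lower().startswith("c:\\windows\\") and p.lower().endswith(".exe")]
    if win_drops:
        reasons.append("writes executables into the Windows directory: " + ", ".join(win_drops))
    if report.signature_hits:
        names = sorted(set(report.signature_hits.values()))
        reasons.append("signature hit on a dropped file: " + ", ".join(names))
    return reasons


if __name__ == "__main__":
    r = parse_norman_report(REPORT)
    print(r.md5, r.sandbox_name, len(dropped_files(r)), "files dropped")
    for reason in suspicious_reasons(r):
        print("-", reason)
```

Run as a script it prints the MD5, the sandbox classification and the reasons list; the `dropped_files` result is what you would feed to the other scanners' verdicts (Norton, NOD32, Avast, AntiVir above) to decide whether a lone "no virus" reply is the outlier.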

proll
2006-10-11, 08:07 PM
Dear customer:
We are enclosing a link to the updated signature file.
http://www.pandasoftware.com/virus_info/disclaimer.htm
This file has been created in order to detect and disinfect your malware. We will shortly make available to all our customers the new certified signature file, which will be accessible through the automatic updates.
Once the virus signature file is downloaded, please follow the procedure below:
1.- Decompress the PAV.ZIP file in the directory in which your antivirus is installed. If the signature file cannot be replaced, use the tool with such object, that can be downloaded from the following URL: http://www.pandasoftware.com/virus_info/disclaimer_update.htm
2.- Restart your computer and use your antivirus normally.
Should you have any question about this process, you may contact our technical support department ([email protected]), where you will be given the appropriate indications.
The files mm2.exe and g0ld.com belong to the worm W32/Viking.AC.worm; due to the nature of the files, they can only be deleted.
The following advice will help you to eliminate the W32/Viking.AC.worm and protect yourself against it in future.
Visit our web page with information about the malware:
http://www.pandasoftware.com/virus_info/enc/overview.aspx?idvirus=128527
Follow the instructions on how to eliminate the malware:
http://www.pandasoftware.com/virus_info/enc/solution.aspx?idvirus=128527

:|||: I sent the sample twice: the first time they treated it as a false positive, and only the second time was the analysis right---

iorittn
2006-10-11, 11:24 PM
Last time there was also a file
that Panda analysed and said was fine.
Later I submitted it again
and also wrote down what the other AVs had detected,
and only the second time did they conclude it was a problem.

Antivirus companies get it wrong too.....

proll
2006-10-12, 12:05 AM
Hmm, maybe the sample volume has been too large recently. I've kept submitting viruses to Panda for over three months now; when I first started, the signature count was a little over 110,000, now it is 157502, with basically 600-1000 added every day.