[Virus] Email attachments carrying a virus, Avira only caught one

pete001
2008-06-19, 01:48 AM
Sample 1
Subject: 考考你的智商 ("Test your IQ")
Attachment: 考考你的智商.zip

VirusTotal result:
AhnLab-V3 2008.6.19.0 2008.06.18 -
AntiVir 7.8.0.55 2008.06.18 -
Authentium 5.1.0.4 2008.06.18 W32/Onlinegames.gen
Avast 4.8.1195.0 2008.06.17 -
AVG 7.5.0.516 2008.06.18 PSW.OnlineGames.BR
BitDefender 7.2 2008.06.18 -
CAT-QuickHeal 9.50 2008.06.18 -
ClamAV 0.93.1 2008.06.18 -
DrWeb 4.44.0.09170 2008.06.18 modification of Win32.Besso
eSafe 7.0.15.0 2008.06.18 Win32.Warezov.gen
eTrust-Vet 31.6.5884 2008.06.18 -
Ewido 4.0 2008.06.18 -
F-Prot 4.4.4.56 2008.06.18 W32/OnlineGames.AE.gen!Eldorado
F-Secure 6.70.13260.0 2008.06.18 -
Fortinet 3.14.0.0 2008.06.18 W32/OnLineGames.fam!tr.pws
GData 2.0.7306.1023 2008.06.18 -
Ikarus T3.1.1.26.0 2008.06.18 Trojan.Win32.Helpud.A
Kaspersky 7.0.0.125 2008.06.18 -
McAfee 5320 2008.06.18 PWS-OnlineGames.bd
Microsoft 1.3604 2008.06.18 PWS:Win32/OnLineGames.DL!dll
NOD32v2 3198 2008.06.18 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.18 Suspicious file
Prevx1 V2 2008.06.18 -
Rising 20.49.22.00 2008.06.18 Packer.Win32.Mian007.a
Sophos 4.30.0 2008.06.18 Mal/EncPk-CE
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.18 -
TheHacker 6.2.92.354 2008.06.18 -
TrendMicro 8.700.0.1004 2008.06.18 Mal_Onlineg
VBA32 3.12.6.7 2008.06.18 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.18 -

Sample 2
Subject: 超高水準的表白方式 ("A very high-class way to confess your love")
Attachment: 答案.zip ("answer.zip")

VirusTotal result:
AhnLab-V3 2008.6.19.0 2008.06.18 -
AntiVir 7.8.0.55 2008.06.18 HEUR/Malware
Authentium 5.1.0.4 2008.06.18 W32/Onlinegames.gen
Avast 4.8.1195.0 2008.06.17 -
AVG 7.5.0.516 2008.06.18 PSW.OnlineGames.BR
BitDefender 7.2 2008.06.18 -
CAT-QuickHeal 9.50 2008.06.18 -
ClamAV 0.93.1 2008.06.18 -
DrWeb 4.44.0.09170 2008.06.18 -
eSafe 7.0.15.0 2008.06.18 Win32.Warezov.gen
eTrust-Vet 31.6.5884 2008.06.18 -
Ewido 4.0 2008.06.18 -
F-Prot 4.4.4.56 2008.06.18 W32/OnlineGames.AE.gen!Eldorado
Fortinet 3.14.0.0 2008.06.18 W32/OnLineGames.fam!tr.pws
GData 2.0.7306.1023 2008.06.18 -
Ikarus T3.1.1.26.0 2008.06.18 Trojan.Win32.Helpud.A
Kaspersky 7.0.0.125 2008.06.18 -
McAfee 5320 2008.06.18 PWS-OnlineGames.bd
Microsoft 1.3604 2008.06.18 PWS:Win32/OnLineGames.DL!dll
NOD32v2 3198 2008.06.18 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.18 Suspicious file
Prevx1 V2 2008.06.18 -
Rising 20.49.22.00 2008.06.18 Packer.Win32.Mian007.a
Sophos 4.30.0 2008.06.18 Mal/EncPk-CE
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.18 -
TheHacker 6.2.92.354 2008.06.18 -
TrendMicro 8.700.0.1004 2008.06.18 Mal_Onlineg
VBA32 3.12.6.7 2008.06.18 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.18 -

kk_pczone
2008-06-19, 07:50 AM
Already reported to Avira.

proll
2008-06-22, 07:38 PM
Panda 2009 caught both of them.

ㄚ一
2008-06-23, 04:28 PM
Signature matching is already outdated; take a look at what the HIPS automatic protection in KIS 8 can do!

5.EXE (events: 8)
2008/6/23 U 04:23:05 Placed in group High Restricted
2000/6/23 U 04:23:21 Process start c:\documents and settings\administrator\local settings\temp\rarsfx0\2.bat Allowed: KLPrivileges/KLPermissionAppAccess/KLPermissionProcManage/KLStartProc
2000/6/23 U 04:23:21 Create C:\WINDOWS\help\EB6C4499B05F.dll Denied: KLSystemData/KLSystemFiles/SystemDll
2000/6/23 U 04:23:21 Create C:\WINDOWS\help\EB6C4499B05F.exe Denied: KLSystemData/KLSystemFiles/SystemExe
2008/6/23 U 04:23:22 Process start c:\windows\1.bat Allowed: KLPrivileges/KLPermissionAppAccess/KLPermissionProcManage/KLStartProc
13.EXE (events: 7)
2008/6/23 U 04:26:50 Process start c:\documents and settings\administrator\local settings\temp\rarsfx0\5.exe Allowed: KLPrivileges/KLPermissionAppAccess/KLPermissionProcManage/KLStartProc
2000/6/23 U 04:27:05 Process start c:\windows\system32\conime.exe Allowed: KLPrivileges/KLPermissionAppAccess/KLPermissionProcManage/KLStartProc
2000/6/23 U 04:27:05 Create C:\WINDOWS\help\EB6C4499B05F.dll Denied: KLSystemData/KLSystemFiles/SystemDll
2000/6/23 U 04:27:05 Create C:\WINDOWS\help\EB6C4499B05F.dll Denied: KLSystemData/KLSystemFiles/SystemExe
2000/6/23 U 04:27:05 Create C:\WINDOWS\help\EB6C4499B05F.dll Denied: KLSystemData/KLSystemFiles/SystemExe
2000/6/23 U 04:27:05 Create C:\WINDOWS\help\EB6C4499B05F.dll Denied: KLSystemData/KLSystemFiles/SystemExe
2008/6/23 U 04:27:06 Process start KLAppRestrictedLow:2147483653 Allowed: KLPrivileges/KLPermissionAppAccess/KLPermissionProcManage/KLStartProc

vicacheung
2008-06-25, 09:00 AM
One virus in each archive.

xppara
2008-10-30, 01:05 PM
F-Secure detected them all,
it just can't handle the deletion automatically...