AlStar Posted March 27, 2011
This morning I was wandering around the net and got a message on messenger. I clicked the link, a save prompt came up, but idiot that I am, I rushed and hit both save and run. And suddenly I realized it was a virus, because the link I received on messenger was: Foto li8...
I scanned it on VT and initially it was detected by about 7 AVs, but not by Kaspersky or Avast (which I use). About half an hour later, I look there, at the up-to-date report on VT, and this time it was detected by only 6 AVs. Now I scanned the file again and it's detected by only 5. How the hell? It's the same file.

Usr6 Posted March 27, 2011
Send it over.

LLegoLLaS Posted March 27, 2011
lol... did you check the MD5 of the exe when you scanned it the second and third time? I tend to think it's "no longer the same".

AlStar (Author) Posted March 27, 2011 (edited)
http://www.palz-live.com/palzlive/community/imagesne.php?=ujyhyuytdfdfdfdfgdg678678778777
Yes, it's the same file. Because VT was telling me there is a more up-to-date report for the file.
Later edit: I ran a scan with MBAM, and it found about 2 files with TrojanDownloader. And I think I got rid of it.
Later edit 2: So, from what I observe, I think the file is different on every download, and when scanned on VT, as I said, it becomes undetected, although initially it's detected.
Edited March 27, 2011 by AlStar

pr00f Posted March 27, 2011
The same server may have been crypted with several crypters, and the PHP hands out one of them at random for download. They may look the same to you, while their checksums are different.

Usr6 Posted March 27, 2011
Look for: "jusched.exe" (it has the hidden+system attributes set) in "C:\WINDOWS\"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse: "C:\WINDOWS\jusched.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse: "C:\WINDOWS\jusched.exe"

AlStar (Author) Posted March 27, 2011
MBAM found what you mention and deleted it. The only jusched.exe I still have is in Program Files, in the Java directory. Supposedly it's the updater.

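The check described in the last two posts (an autorun value pointing at a jusched.exe in C:\WINDOWS instead of the Java directory under Program Files), generalized to any known file name, as an added example that is not part of the original thread. The expected-directory table, the function names and the third sample entry are constructed assumptions.

```python
import ntpath

# Assumption: folders where the genuine binary is expected. The thread only says
# the real jusched.exe lives in the Java directory under Program Files.
EXPECTED_DIRS = {
    "jusched.exe": (r"c:\program files\java", r"c:\program files (x86)\java"),
}

RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TS_RUN = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
          r"\Install\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed sample: the two autorun values quoted in the thread, plus a
# made-up legitimate updater entry for contrast.
SAMPLE_AUTORUNS = [
    (RUN, "Java developer Script Browse", r'"C:\WINDOWS\jusched.exe"'),
    (TS_RUN, "Java developer Script Browse", r'"C:\WINDOWS\jusched.exe"'),
    (RUN, "SunJavaUpdateSched", r'"C:\Program Files\Java\jre6\bin\jusched.exe"'),
]

def image_path(command):
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: cut after the first ".exe" so paths containing spaces survive.
    idx = command.lower().find(".exe")
    return command[:idx + 4] if idx != -1 else command.split(" ", 1)[0]

def is_under(folder, prefix):
    return folder == prefix or folder.startswith(prefix + "\\")

def find_masquerades(autoruns, expected=EXPECTED_DIRS):
    """Return entries whose file name is a known program but whose folder is not."""
    hits = []
    for key, value, command in autoruns:
        path = ntpath.normpath(image_path(command))
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        allowed = expected.get(name)
        if allowed and not any(is_under(folder, p) for p in allowed):
            hits.append((key, value, path))
    return hits

if __name__ == "__main__":
    for key, value, path in find_masquerades(SAMPLE_AUTORUNS):
        print(f"suspicious autorun: {key}\\{value} -> {path}")
```

On a live Windows host the same (key, value, command) tuples can be read with the standard-library winreg module instead of the sample list.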