[2006-04-15]明修栈道、暗渡陈仓的灰鸽子BackDoor.Gpigeon.5.dq(第3版)

endurer　原创

2006-04-15　第3版　补充瑞星的回复：manage为Backdoor.Gpigeon.ynj，G_Server.exe为Backdoor.Gpigeon.ykh
2006-04-12　第2版　补充Kaspersky的回复：manage 、G_Server.exe均为Backdoor.Win32.GrayBird.id
2006-04-12　第1版

昨晚帮同事弄使用Win XP SP1的电脑，瑞星开机自动扫描报告：

IEXPLORE.EXE>>c:/Program Files/Internet Explorer/IEXPLORE.EXE感染BackDoor.Gpigeon.5.dq，清除成功。

用HijackThis扫描log，发现可疑服务启动项：

---

O23 - Service: Media Server - Unknown owner - C:/Program.exe (file missing)

---

重启到安全模式，设置系统显示所有文件和文件夹，不隐藏已知类型文件扩展名

没有发现文件C:/Program.exe。

到控制面板--》系统工具--》服务中，检查服务Media Server，发现该服务实际对应的文件是：C:/Program Files/Common Files/manage

文件manage的创建时间是：2006-04-11 18:07，文件大小是242 KB (247,808 字节)。

发现文件C:/Program Files/Common Files/1.22.exe，创建时间是：2006-04-11 18:08，经比较，此文件与manage完全相同。

发现文件c:/windows/G_Server.exe，创建时间为：2006-03-22 14:54，文件大小是594 KB (608,335 字节)，使用JPG格式的图标，相当有迷惑性。

Server response

---

Results of a file scan

This is a report processed by VirusTotal on 04/11/2006 at 17:10:19 (CET) after scanning the file "unknown---G_Server.exe.rar" file.

Antivirus	Version	Update	Result
AntiVir	6.34.0.24	04.11.2006	Heuristic/Crypted.Layered
Avast	4.6.695.0	04.03.2006	no virus found
AVG	386	04.11.2006	no virus found
Avira	6.34.0.56	04.11.2006	no virus found
BitDefender	7.2	04.11.2006	no virus found
CAT-QuickHeal	8.00	04.11.2006	no virus found
ClamAV	devel-20060202	04.11.2006	no virus found
DrWeb	4.33	04.11.2006	no virus found
eTrust-InoculateIT	23.71.126	04.11.2006	no virus found
eTrust-Vet	12.4.2158	04.11.2006	no virus found
Ewido	3.5	04.11.2006	no virus found
Fortinet	2.71.0.0	04.11.2006	no virus found
F-Prot	3.16c	04.11.2006	no virus found
Ikarus	0.2.59.0	04.11.2006	no virus found
Kaspersky	4.0.2.24	04.11.2006	no virus found
McAfee	4737	04.10.2006	no virus found
NOD32v2	1.1482	04.11.2006	no virus found
Norman	5.90.15	04.11.2006	no virus found
Panda	9.0.0.4	04.11.2006	Suspicious file
Sophos	4.04.0	04.11.2006	no virus found
Symantec	8.0	04.11.2006	no virus found
TheHacker	5.9.7.128	04.11.2006	no virus found
UNA	1.83	04.07.2006	no virus found
VBA32	3.10.5	04.11.2006	no virus found

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Do not reply to this message. It has been generated by an automatic address that will not handle any reply. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.