
[Sample] MSN virus (hxxp://charlesjr.com/new.exe)

Quote:
2008-06-12 16:11:49        应用程序保护(远程调用COM对象)     操作:阻止
进程路径:C:\Windows\wkssvr.exe
{F81CD990-910B-4BBF-9CB3-6A77F3D697B3}

Kaspersky Internet Security version 7.0.1.325
miss


AntiVir Premium

AntiVir Premium 7 (AVE 7.8.0.55, VDF 7.0.4.183); sample already submitted to Avira
C:\Documents and Settings\C9\桌面\new.rar
  [0] Archive type: RAR
  --> new.exe
      [DETECTION] Contains suspicious code HEUR/Crypted

---

VirusTotal Results: 14/32 (43.75%)



[ 本帖最後由 mlcnxewlkia 於 2008-6-12 16:43 編輯 ]


Avira AntiVir Premium

AntiVir Premium 7 (AVE 7.8.0.55, VDF 7.0.4.185); sample already submitted to Avira

With heuristics set to high:
C:\Documents and Settings\C9\桌面\new.rar
  [0] Archive type: RAR
  --> new.exe
      [DETECTION] Contains suspicious code HEUR/Crypted

With heuristics set to medium:
C:\Documents and Settings\C9\桌面\new.rar
  [0] Archive type: RAR
  --> new.exe
      [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/Themida). Please verify the origin of the file


Avira reply

new.exe          MALWARE

The file 'new.exe' has been determined to be 'MALWARE'. Our analysts discovered that the file is a Worm. Detection will be added to our virus definition file (VDF) with one of the next updates. Please note that Avira's proactive heuristic detection module AHeAD detected this threat up front without the latest VDF update as: HEUR/Crypted.


Comodo AntiVirus did not catch it; already reported.


Avira AntiVir Premium

Avira AntiVir Premium 7 (AVE 7.8.0.55, VDF 7.0.4.186)
C:\Documents and Settings\C9\桌面\new.rar
  [0] Archive type: RAR
  --> new.exe
      [DETECTION] Contains detection pattern of the worm WORM/IrcBot.480256
      Since VDF 6.36.00.205 (This VDF file was published on Thu, 02 Nov 2006 15:58 (GMT+1))

---
VirusTotal
received on 06.12.2008 18:36:17 (CET), Result: 15/32 (46.88%)


Strange... ESET MISS
Which version of ESET does VT use?

Jotti's NOD32 also found nothing; the NOD32 on VirusTotal is probably running with advanced heuristics enabled (Windows version?).
What is odd is the AntiVir result I posted earlier: how did it end up with a virus name from VDF 6.36.00.205 (from Nov. 2006!)? Does this mean they went back and patched an old version of the virus database??
