Posted

VirusTotal

SHA256: 63541e3432fce953f266ae553e7a394978d6ee3db52388d885f668cf42c5e7e2

SHA1: a5b16a7d28d2ba79a9ccfc16ed480ad75a757166

MD5: 24acb7e5be595468e3b9aa488b9b4fcb

File size: 321.0 KB ( 328704 bytes )

File name: services.exe

File type: unknown

Detection ratio: 0 / 39

Analysis date: 2012-12-31 13:32:20 UTC ( 1 minute ago )


ssdeep

6144:ajUy3rjJE4qxzgv7/WMNS4j7fwLQTha06H0NhsZevKa/2LI+hBm:ajUyhE4q5gD7N56H0A4oI+h

TrID

Win64 Executable Generic (95.5%)

Generic Win/DOS Executable (2.2%)

DOS Executable Generic (2.2%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ExifTool

 

SubsystemVersion.........: 6.1

InitializedDataSize......: 77824

ImageVersion.............: 6.1

ProductName..............: Microsoft Windows Operating System

FileVersionNumber........: 6.1.7600.16385

UninitializedDataSize....: 0

LanguageCode.............: English (U.S.)

FileFlagsMask............: 0x003f

CharacterSet.............: Unicode

LinkerVersion............: 9.0

FileOS...................: Windows NT 32-bit

MIMEType.................: application/octet-stream

Subsystem................: Windows GUI

FileVersion..............: 6.1.7600.16385 (win7_rtm.090713-1255)

TimeStamp................: 2009:07:14 00:19:42+01:00

FileType.................: Win64 EXE

PEType...................: PE32+

InternalName.............: services.exe

ProductVersion...........: 6.1.7600.16385

FileDescription..........: Services and Controller app

OSVersion................: 6.1

OriginalFilename.........: services.exe

LegalCopyright...........: Microsoft Corporation. All rights reserved.

MachineType..............: AMD AMD64

CompanyName..............: Microsoft Corporation

CodeSize.................: 248832

FileSubtype..............: 0

ProductVersionNumber.....: 6.1.7600.16385

EntryPoint...............: 0x13310

ObjectFileType...........: Executable application

 

Sigcheck

 

publisher................: Microsoft Corporation

product..................: Microsoft® Windows® Operating System

internal name............: services.exe

copyright................: © Microsoft Corporation. All rights reserved.

original name............: services.exe

signing date.............: 4:17 AM 7/14/2009

signers..................: Microsoft Windows; Microsoft Windows Verification PCA; Microsoft Root Certificate Authority

file version.............: 6.1.7600.16385 (win7_rtm.090713-1255)

description..............: Services and Controller app

 

Portable Executable structural information

 

Compilation timedatestamp.....: 2009-07-13 23:19:42

Target machine................: 0x8664 (x64)

Entry point address...........: 0x00013310

 

PE Sections...................:

 

Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   4096             248509        248832    6.38     7fc9c9d160d7c505c3cf202d1fa7a655
.rdata  253952           39440         39936     4.89     05adbd77b1dc4198a8dc69e5b909dca7
.data   294912           5976          6144      1.09     ee199ecce9c7ffa983c0ec034c034627
.pdata  303104           11148         11264     5.60     923588ae2a9953cfbbcc199f09c005d4
.rsrc   315392           19112         19456     3.82     eea5eddea7de3b1ce12b792ea947e2bd
.reloc  335872           544           1024      3.41     dcec1f82237fe07b2e56bf71193670b9

 

PE Imports....................:

 

[[API-MS-Win-Security-LSALookup-L1-1-0.dll]]

LsaLookupOpenLocalPolicy, LsaLookupClose, LsaLookupGetDomainInfo, LsaLookupTranslateSids, LsaLookupFreeMemory, LsaLookupManageSidNameMapping, LsaLookupTranslateNames

 

[[API-MS-Win-Core-ProcessThreads-L1-1-0.dll]]

GetProcessId, OpenThreadToken, DeleteProcThreadAttributeList, GetCurrentProcess, TerminateProcess, ResumeThread, OpenProcessToken, CreateThread, SetThreadPriority, GetCurrentProcessId, CreateProcessW, UpdateProcThreadAttribute, InitializeProcThreadAttributeList, GetProcessTimes, SetProcessShutdownParameters, ExitThread, GetCurrentThreadId, CreateProcessAsUserW, GetCurrentThread

 

[[msvcrt.dll]]

_ultow_s, wcstoul, memset, wcschr, _wcslwr, _ultow, _fmode, _vsnwprintf, _cexit, ?terminate@@YAXXZ, __C_specific_handler, _ltow_s, _wtol, exit, _XcptFilter, _commode, __setusermatherr, wcsrchr, _amsg_exit, _wcsicmp, _exit, wcscspn, wcsncmp, __getmainargs, memcpy, _wcsnicmp, time, wcsstr, _initterm, _ltow, __set_app_type

 

[[CRYPTBASE.dll]]

SystemFunction005, SystemFunction029

 

[[RPCRT4.dll]]

UuidFromStringW, RpcRevertToSelf, RpcServerSubscribeForNotification, RpcStringBindingParseW, RpcBindingToStringBindingW, RpcImpersonateClient, RpcServerRegisterAuthInfoW, RpcAsyncAbortCall, RpcEpRegisterW, I_RpcMapWin32Status, RpcBindingFree, RpcServerInqBindings, I_RpcSessionStrictContextHandle, UuidEqual, RpcStringFreeW, RpcServerUnsubscribeForNotification, NdrServerCall2, I_RpcBindingIsClientLocal, RpcServerInqBindingHandle, RpcServerUseProtseqEpW, UuidCreateNil, RpcServerInqDefaultPrincNameW, RpcServerUseProtseqW, RpcAsyncCompleteCall, RpcServerInqCallAttributesW, RpcServerRegisterIfEx, NdrAsyncServerCall, RpcServerInqCallAttributesA, I_RpcBindingInqLocalClientPID, UuidCreate, RpcBindingVectorFree

 

[[ntdll.dll]]

RtlConvertSharedToExclusive, DbgPrintEx, RtlUnicodeStringToInteger, RtlAppendUnicodeStringToString, NtUnloadDriver, RtlCreateSecurityDescriptor, NtQuerySymbolicLinkObject, RtlSetGroupSecurityDescriptor, NtOpenThreadToken, NtInitializeRegistry, RtlInitializeCriticalSection, RtlValidSecurityDescriptor, NtOpenSymbolicLinkObject, RtlLengthRequiredSid, RtlConvertExclusiveToShared, RtlQuerySecurityObject, RtlAllocateHeap, NtDeleteValueKey, NtSetInformationProcess, RtlNtStatusToDosError, NtWaitForSingleObject, NtLoadDriver, RtlFreeUnicodeString, EtwRegisterTraceGuidsW, RtlAppendUnicodeToString, RtlInitializeSid, NtDuplicateToken, RtlLengthSecurityDescriptor, RtlAcquireSRWLockExclusive, RtlSetControlSecurityDescriptor, RtlAreAllAccessesGranted, EtwTraceMessage, NtSetEvent, NtQueryDirectoryObject, RtlAcquireResourceExclusive, EtwGetTraceEnableFlags, NtQueryValueKey, RtlCreateServiceSid, RtlEqualUnicodeString, NtFlushKey, NtSetSystemEnvironmentValue, RtlUnicodeStringToAnsiString, RtlDeregisterWait, RtlVirtualUnwind, RtlCopySid, RtlInitializeSRWLock, NtQuerySystemInformation, NtSetValueKey, RtlRegisterWait, RtlCreateAcl, EtwEventRegister, RtlSubAuthorityCountSid, NtQueryInformationFile, RtlSetDaclSecurityDescriptor, NtOpenThread, NtEnumerateKey, NtFilterToken, RtlAddAce, RtlInitUnicodeString, RtlSubAuthoritySid, NtSetInformationFile, NtCreateKey, EtwGetTraceEnableLevel, RtlAcquireResourceShared, RtlSetEnvironmentVariable, RtlSetProcessIsCritical, NtQueryKey, NtQueueApcThread, RtlUnhandledExceptionFilter, NtDeleteFile, RtlAnsiStringToUnicodeString, NtPrivilegeCheck, RtlNtStatusToDosErrorNoTeb, RtlExpandEnvironmentStrings_U, RtlReleaseSRWLockExclusive, NtTraceControl, RtlQueueApcWow64Thread, RtlDosPathNameToNtPathName_U, RtlLengthSid, RtlGetNtProductType, RtlInitAnsiString, NtOpenProcessToken, WinSqmAddToStream, RtlCopyLuid, RtlDeleteSecurityObject, RtlNewSecurityObject, NtShutdownSystem, RtlInitializeResource, NtAccessCheck, RtlValidRelativeSecurityDescriptor, NtClose, NtQueryInformationToken, RtlCopyUnicodeString, NtSetInformationThread, NtPrivilegeObjectAuditAlarm, NtOpenDirectoryObject, NtAccessCheckAndAuditAlarm, RtlSetSecurityObject, RtlSetSaclSecurityDescriptor, EvtIntReportEventAndSourceAsync, NtDeleteObjectAuditAlarm, RtlQueueWorkItem, RtlAcquireSRWLockShared, NtCloseObjectAuditAlarm, RtlAdjustPrivilege, NtOpenFile, EtwGetTraceLoggerHandle, RtlMapGenericMask, NtQueryDirectoryFile, NtDeleteKey, RtlCaptureContext, RtlFreeHeap, RtlSetLastWin32Error, EtwEventWrite, RtlCompareUnicodeString, RtlReleaseSRWLockShared, NtOpenKey, RtlLookupFunctionEntry, RtlReleaseResource, NtAdjustPrivilegesToken, RtlSetOwnerSecurityDescriptor

 

[[API-MS-Win-Core-IO-L1-1-0.dll]]

DeviceIoControl

 

[[API-MS-Win-Core-Handle-L1-1-0.dll]]

DuplicateHandle, CloseHandle

 

[[API-MS-Win-Security-Base-L1-1-0.dll]]

SetSecurityDescriptorOwner, GetTokenInformation, RevertToSelf, SetTokenInformation, GetKernelObjectSecurity, FreeSid, CopySid, SetSecurityDescriptorDacl, GetSecurityDescriptorDacl, AddAccessAllowedAce, AllocateAndInitializeSid, InitializeSecurityDescriptor, AdjustTokenPrivileges, InitializeAcl, EqualSid, GetLengthSid, ImpersonateLoggedOnUser, CheckTokenMembership, AddAce, AllocateLocallyUniqueId, SetKernelObjectSecurity

 

[[API-MS-Win-Core-LocalRegistry-L1-1-0.dll]]

RegGetKeySecurity, RegLoadMUIStringW, RegCloseKey, RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW, RegSetKeySecurity, RegNotifyChangeKeyValue, RegQueryValueExW

 

[[sspiCli.dll]]

LogonUserExExW

 

[[API-MS-Win-Core-SysInfo-L1-1-0.dll]]

GetSystemTime, GetSystemTimeAsFileTime, GetSystemDirectoryW, GetVersionExW, GetTickCount, GetComputerNameExW

 

[[API-MS-Win-Security-SDDL-L1-1-0.dll]]

ConvertSecurityDescriptorToStringSecurityDescriptorW, ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW

 

[[API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll]]

ExpandEnvironmentStringsW, GetEnvironmentVariableW

 

[[API-MS-Win-Core-Synch-L1-1-0.dll]]

WaitForMultipleObjectsEx, EnterCriticalSection, CreateEventW, InitializeCriticalSection, OpenProcess, OpenEventW, WaitForSingleObject, SetEvent, ResetEvent, LeaveCriticalSection

 

[[API-MS-Win-Core-Misc-L1-1-0.dll]]

IsWow64Process, LocalAlloc, Sleep, LocalFree, lstrlenW

 

[[profapi.dll]]

Ord(101), Ord(106), Ord(105), Ord(102)

 

[[API-MS-Win-Core-Heap-L1-1-0.dll]]

HeapFree, HeapSetInformation, HeapAlloc, HeapCreate

 

[[API-MS-Win-Core-ErrorHandling-L1-1-0.dll]]

SetUnhandledExceptionFilter, GetLastError, SetErrorMode, UnhandledExceptionFilter, SetLastError

 

[[API-MS-Win-Core-String-L1-1-0.dll]]

CompareStringW

 

[[API-MS-Win-Core-File-L1-1-0.dll]]

FindNextFileW, FindFirstFileW, FindClose, CreateFileW, CreateDirectoryW, SetFileInformationByHandle

 

[[API-MS-Win-Core-Profile-L1-1-0.dll]]

QueryPerformanceCounter

 

[[API-MS-Win-Core-LibraryLoader-L1-1-0.dll]]

FreeLibrary, LoadStringW, GetProcAddress, LoadLibraryExW, GetModuleHandleW

 

PE Resources..................:

 

Resource type   Number of resources
RT_MANIFEST     1
WEVT_TEMPLATE   1
MUI             1
RT_VERSION      1

Resource language   Number of resources
ENGLISH US          4

 

Symantec Reputation

Suspicious.Insight

First seen by VirusTotal

2009-08-25 18:58:09 UTC ( 3 years, 4 months ago )

Last seen by VirusTotal

2012-12-31 13:32:20 UTC ( 2 minutes ago )

File names (max. 25)

 

services.exe

services.exe

services.exe

smona_63541e3432fce953f266ae553e7a394978d6ee3db52388d885f668cf42c5e7e2.bin

services.exe.536EACEA0DCDC4BD

services.ppp

services.exe

services.exe

services.exe

services.exe

services.exe

smona131867892300592302304

services.exe

services.exe

services.exe

vol3-D..Windows.System32.services.exe

services.exe

vol3-D..Windows.winsxs.amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1.services.exe

services.exe

services.exe.C476CFB12C99B0B3

services.exe

services.exe.69392835565CCA1A

services.exe

services.exe

services.exe
