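Malicious Code Planted on the Website of the Bankers Association of the Republic of China!
December 29, 2006 – 19:53:00

Yesterday the website of the Bankers Association of the Republic of China was planted with malicious code. They cleaned it up quickly, but today the same malicious code has been planted again (this is bad: they only removed the malicious part of the page instead of finding out how the attacker got in and then patching the hole). It is still there right now, so please be careful, everyone (the holiday has started, so who knows how many people will get hit).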

The malicious code was placed in the file top.asp:

The code is:

When executed, it does the following:
[DLL Injection]
C:\WINDOWS\Help\A8644260.dll (injected into certain running processes, such as Windows Explorer)
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I69Q72L4\gmsex[1].exe
C:\WINDOWS\Help\A8644260.dll
C:\WINDOWS\Help\A8644260.exe
[Added BHO]
{DD8BC00C-4CB1-43C3-BC48-4FBBB53A2618}-C:\WINDOWS\help\A8644260.dll
Note: most antivirus software does not detect these files; the exceptions are the following:
A8644260.dll:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ Nod32 ], "probably a variant of Win32/PSW.Lineage.DN trojan"
[ HBEDV ], "HEUR/Malware"
A8644260.exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ HBEDV ], "HEUR/Malware"
gmsex[1].exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ HBEDV ], "HEUR/Malware"
update.exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ HBEDV ], "HEUR/Malware"
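
Because signature detection was sparse, a host can be checked for the artifacts listed above directly. The following triage script is an added example, not part of the original post: it looks for the dropped files, audits every registered Browser Helper Object for the post's CLSID or a DLL under the Windows Help directory, and looks for processes that have such a DLL loaded. It assumes PowerShell 3.0 or later and the Administrator profile path shown in the post; the variable names are illustrative.

```powershell
# Added example: triage for the artifacts listed in this post.
# File names and the CLSID are copied from the post; everything else is illustrative.
$bhoClsid = '{DD8BC00C-4CB1-43C3-BC48-4FBBB53A2618}'
$helpDir  = Join-Path $env:windir 'Help'
$dropped  = @(
    'C:\WINDOWS\Help\A8644260.dll',
    'C:\WINDOWS\Help\A8644260.exe',
    'C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe'
)   # gmsex[1].exe is omitted: its cache subdirectory name differs per machine
$findings = @()

# 1. Dropped files (-LiteralPath so no character is treated as a wildcard)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $p; Detail = 'present on disk' }
    }
}

# 2. BHO audit: resolve each registered CLSID to the DLL it loads into the browser
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid  = $key.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')   # default value = DLL path
        }
        # Flag the CLSID from the post, or any BHO whose DLL lives in the Help directory
        if ($clsid -eq $bhoClsid -or ($dll -and $dll -like "$helpDir\*")) {
            $findings += [pscustomobject]@{ Type = 'BHO'; Item = $clsid; Detail = $dll }
        }
    }
}

# 3. Processes with a module loaded from the Help directory (the post reports DLL injection)
foreach ($proc in Get-Process) {
    try { $mods = $proc.Modules } catch { continue }   # protected processes deny access
    foreach ($m in $mods) {
        if ($m.FileName -like "$helpDir\*") {
            $findings += [pscustomobject]@{ Type = 'Module'; Item = $proc.Name; Detail = $m.FileName }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No listed artifacts found.' }
```

Run it from an elevated prompt so module lists of other users' processes are readable; a 32-bit PowerShell session cannot enumerate modules of 64-bit processes.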
