Instant Messaging Malware 4

21 February 2007, 13:48:00

Yesterday on the 微風論壇 forum I saw a post by user 亞勾鏈 that looked like an instant-messaging malware lure, shown in the screenshot below:

[Image: messenger_virus_post_20070221.png]

Sure enough, the link leads to malware, so the usual advice still applies: do not run links from unknown sources.

The malicious link is:

[Image: messenger_virus_url_20070221.png]

After decoding, the real URL is:

[Image: messenger_virus_url_translated_200702211.png]

Part of the malicious code is:

[Image: messenger_virus_code_20070221.png]

Once executed, it exhibits the following behaviour:

[Added process]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.Exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.Exe (injects into the svchost.exe process)
C:\WINDOWS\Debug\UserMode\ACC27FC0.dll (injects into several processes, such as Windows Explorer)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.Exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\tpp[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\syn[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\top[1].exe
C:\WINDOWS\Debug\UserMode\ACC27FC0.dll
C:\WINDOWS\Debug\UserMode\ACC27FC0.exe
C:\WINDOWS\system32\a.exe

[Added COM/BHO]
{04E1F9F4-5B00-410B-882D-6E2EF34A7EF3}-C:\WINDOWS\debug\userMode\ACC27FC0.dll
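
As an added defender-side example (my own code, not part of the original post or the sample), the Python script below applies the behavioural indicators listed above to a constructed snapshot that mirrors the sandbox observations: a system-process name running from a Temp directory, executables dropped under WINDOWS\Debug or into the browser cache, a single-letter executable in system32, and a BHO whose DLL lives outside the usual program directories. The paths are copied from the post; the heuristics and thresholds are assumptions meant as a triage starting point, not a signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed snapshot modelled on the sandbox report above (not captured data).
PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.Exe",
]
NEW_FILES = [
    r"C:\WINDOWS\Debug\UserMode\ACC27FC0.dll",
    r"C:\WINDOWS\Debug\UserMode\ACC27FC0.exe",
    r"C:\WINDOWS\system32\a.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\tpp[1].exe",
]
BHOS = {"{04E1F9F4-5B00-410B-882D-6E2EF34A7EF3}": r"C:\WINDOWS\debug\userMode\ACC27FC0.dll"}

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}  # assumed watch-list

def check_process(path):
    """Flag a well-known system process name that runs outside the system directory."""
    p = PureWindowsPath(path)
    if p.name.lower() in SYSTEM_NAMES and str(p.parent).lower() not in SYSTEM_DIRS:
        return f"system-process name outside system32: {path}"
    return None

def check_file(path):
    """Flag drop locations that match the behaviour recorded in the post."""
    p = PureWindowsPath(path)
    lower = str(p).lower()
    if p.suffix.lower() in (".exe", ".dll") and "\\windows\\debug\\" in lower:
        return f"executable dropped under WINDOWS\\Debug: {path}"
    if p.suffix.lower() == ".exe" and "\\temporary internet files\\" in lower:
        return f"executable in browser cache (drive-by download): {path}"
    if str(p.parent).lower() in SYSTEM_DIRS and re.fullmatch(r"[a-z]\.exe", p.name.lower()):
        return f"single-letter executable in system32: {path}"
    return None

def check_bho(clsid, dll):
    """Flag a Browser Helper Object whose DLL is not under system32 or Program Files."""
    lower = dll.lower()
    trusted = tuple(d + "\\" for d in SYSTEM_DIRS) + ("c:\\program files\\",)
    if not lower.startswith(trusted):
        return f"BHO {clsid} loads DLL from unusual location: {dll}"
    return None

def triage(processes, files, bhos):
    """Return every finding from the three checks as a list of strings."""
    findings = [f for f in map(check_process, processes) if f]
    findings += [f for f in map(check_file, files) if f]
    findings += [f for f in (check_bho(c, d) for c, d in bhos.items()) if f]
    return findings

if __name__ == "__main__":
    for finding in triage(PROCESSES, NEW_FILES, BHOS):
        print(finding)
```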

So far, the following antivirus products detect these malicious files:

ACC27FC0.dll:
[ Kaspersky ], "PAK:NSPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "probably a variant of Win32/PSW.Lineage.DN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Ikarus ], "Backdoor.Win32.PcClient.GV"
ACC27FC0.exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
svchost.Exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
syn[1].htm:
[ Panda ], "Exploit/IESlice.A"
[ HBEDV ], "HTML/Dldr.Agen.AJ.8"
[ Ewido ], "Downloader.Agent.m"
[ Grisoft ], "Virus identified VBS/Psyme.N"
top[1].exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
tpp[1].exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
a.exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
index.html:
[ HBEDV ], "HTML/Dldr.Agen.AJ.8"
[ Ewido ], "Downloader.Agent.m"
[ Grisoft ], "Virus identified VBS/Psyme.N"