東風電視台網站又被植入惡意連結

2007 年 04 月 25 日 – 12:30:00

東風電視台網站又被植入惡意連結,此惡意程式為 Lineage 的變種,另外,也利用了 ANI 的安全漏洞,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的:

惡意程式碼的一部份為:

執行之後,有下面的行為:

[Added process]
C:\WINDOWS\avp.exe

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\test[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\update[1].exe
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1014
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

ID: 1015
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/4/25 @ 03:02),下面的防毒軟體可以偵測到這些惡意檔案:

avp.exe:
[ Alpha_Gen ], "Possible_MLWR-5″
[ Beta_Gen ], "Possible_MLWR-1″
[ Microsoft ], "Virus:Win32/Detnat.F"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.kw"
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Norman ], "Trojan W32/OnLineGames.EAT"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
od2media.dll:
[ Alpha_Gen ], "Possible_MLWR-5″
[ Beta_Gen ], "Possible_MLWR-1″
[ Microsoft ], "Virus:Win32/Detnat.F"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.kw"
[ Sophos ], "Mal/EncPk-F"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ Fortinet ], "W32/OnLineGames.KW!tr.pws"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Norman ], "Trojan Suspicious_N.gen"
[ Ewido ], "Trojan.OnLineGames.kw"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
test[1].js:
[ HBEDV ], "JS/Dldr.Ani.A"
update[1].exe:
[ Alpha_Gen ], "Possible_MLWR-5″
[ Beta_Gen ], "TROJ_NSANTI.CE"
[ Microsoft ], "Virus:Win32/Detnat.F"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.kw"
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ Fortinet ], "W32/OnLineGames.KW!tr.pws"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Norman ], "Trojan Suspicious_N.gen"
[ Ewido ], "Trojan.OnLineGames.kw"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
update[1].htm:
[ Beta_Gen ], "HTML_AGENT.AACU"
[ Kaspersky ], "Exploit.HTML.Ascii.f"
[ McAfee ], "ObfuscatedHtml !!"
[ HBEDV ], "VBS/Dldr.Psyme.FZ"
[ Ikarus ], "Exploit.HTML.Ascii.f"

  1. “東風電視台網站又被植入惡意連結” 目前有 3 迴響

  2. 故宮藝術史討論區也是掛馬
    hxxp://arthf.npm.gov.tw/art/dc/s_type2.asp

    By on 2007 年 04 月 25 日 - 17:49:00

  3. http://www.pala88.com/node/1603

    這應該也是一個共享書籤可能會遇到的安全問題

    By Anonymous on 2007 年 04 月 28 日 - 21:54:00

  4. 是安全漏洞嗎?還是任何網站都會發生呢?

    By Roger on 2007 年 04 月 28 日 - 22:59:00

請在此留下您的意見

大砲開講 is proudly powered by WordPress Entries (RSS) and Comments (RSS).