The 正宗萬巒林家豬腳 website has been injected with malicious links again
2007-06-05 13:26:00

The 正宗萬巒林家豬腳 website has been injected with malicious links again. The malware is a Lineage variant. Anyone who has browsed this page recently should check their computer as soon as possible, and please do not visit this site for the time being, to avoid infection; once we have confirmed that they have fixed it, this post will be updated. (This malware most likely steals accounts and passwords.) Readers who are interested can test it in a virtual machine, report back on the status of the fix, and help notify the site owners. Thanks.
The malicious link is placed in the home page (the other pages may need a careful check as well), at:

After execution, the following behaviour is observed:
[Added process]
C:\Program Files\Common Files\System\commond.pif
[DLL injection]
C:\WINDOWS\system32\dlyy.dll
C:\WINDOWS\system32\ShellDown.dll
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\01[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ccs[1].js
C:\Program Files\Common Files\System\commond.pif
C:\Program Files\Internet Explorer\ie2.exe
C:\WINDOWS\rundl132.exe
C:\WINDOWS\system32\dlyy.dll
C:\WINDOWS\system32\ShellDown.dll
C:\WINDOWS\system32\ShellDown.exe
[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=ShellDown.exe
Data=C:\WINDOWS\system32\ShellDown.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ryy
Data=C:\WINDOWS\rundl132.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=ShellDown.exe
Data=C:\WINDOWS\system32\ShellDown.exe
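To make the indicators above usable for a quick check of other machines, here is a small triage script. It is an added example, not a tool from the post's author: it takes the file paths and Run-key entries listed above as its indicator set, parses the text format that `reg query` prints (key on its own line, each value indented beneath it as name, type, data), and matches a file listing case-insensitively. The browser-cache files are matched on name only, since the Content.IE5 subfolder name differs per machine. The `reg query` output and file listing in the block are constructed samples, not captures from a real host.

```python
# Added example (not the post author's tool): triage helper that checks a
# machine's Run keys and file listing against the indicators the post reports.
import ntpath
import re

# Dropped files reported in the post, copied verbatim.
IOC_FILES = {
    r"C:\Program Files\Common Files\System\commond.pif",
    r"C:\Program Files\Internet Explorer\ie2.exe",
    r"C:\WINDOWS\rundl132.exe",
    r"C:\WINDOWS\system32\dlyy.dll",
    r"C:\WINDOWS\system32\ShellDown.dll",
    r"C:\WINDOWS\system32\ShellDown.exe",
}

# Browser-cache droppings: the Content.IE5 subfolder name is random per machine,
# so these are matched on file name only, and only under Content.IE5.
IOC_CACHE_NAMES = {"update[1].exe", "01[1].exe", "ccs[1].js"}

# Run-key persistence reported in the post: (value name, data), lower-cased
# because both are compared case-insensitively.
IOC_RUN_ENTRIES = {
    ("shelldown.exe", r"c:\windows\system32\shelldown.exe"),
    ("ryy", r"c:\windows\rundl132.exe"),
}

# `reg query` prints the key on its own line and each value indented beneath it
# as "<name>    <REG_type>    <data>".
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(output):
    """Parse `reg query` text into a list of (key, value_name, data) tuples."""
    entries, key = [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a key path
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), m.group("data").strip()))
    return entries


def run_key_hits(entries):
    """Return Run-key values that point at a reported file or reuse a reported name/data pair."""
    known = {p.lower() for p in IOC_FILES}
    hits = []
    for key, name, data in entries:
        if not RUN_KEY_RE.search(key):
            continue
        if (name.lower(), data.lower()) in IOC_RUN_ENTRIES or data.lower() in known:
            hits.append((key, name, data))
    return hits


def file_hits(paths):
    """Return the given paths that match a reported file, case-insensitively."""
    known = {p.lower() for p in IOC_FILES}
    cache = {n.lower() for n in IOC_CACHE_NAMES}
    hits = []
    for p in paths:
        low = p.lower()
        if low in known or ("\\content.ie5\\" in low and ntpath.basename(low) in cache):
            hits.append(p)
    return hits


# Constructed sample of `reg query` output (not captured from a real machine);
# ctfmon.exe stands in for a benign entry.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    ryy    REG_SZ    C:\WINDOWS\rundl132.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ShellDown.exe    REG_SZ    C:\WINDOWS\system32\ShellDown.exe
"""

# Constructed sample file listing, as `dir /s /b` would print it.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"c:\windows\RUNDL132.EXE",
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\ccs[1].js",
]

if __name__ == "__main__":
    for hit in run_key_hits(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("Run key:", *hit)
    for hit in file_hits(SAMPLE_PATHS):
        print("File:", hit)
```

On a real machine, feed `parse_reg_query` the output of `reg query` for the HKLM and HKCU Run keys and `file_hits` a `dir /s /b` listing of the drive; a hit on either is a reason to treat the machine as infected rather than as proof that it is clean, since the file names are trivially changed between variants.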
As of now (2007/6/5 @ 12:06), the following antivirus products detect these malicious files:
ShellDown.dll:
[ Trend ], "TSPY_LINEAGE.FRT"
ShellDown.exe:
[ Trend ], "TROJ_ULPM.CI"
update[1].exe:
[ Trend ], "TROJ_ULPM.CI"
ccs[1].js:
[ Rising ], "Trojan.DL.JS.Small.jf"
commond.pif:
[ Beta_Gen ], "Possible_MLWR-5"
[ Symantec ], "Trojan.Packed.NsAnti"
[ Kaspersky ], "Packed.Win32.NSAnti.p"
[ McAfee ], "New Malware.cn !!"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Virus W32/Viking.gen5"
[ Ewido ], "Trojan.NSAnti.p"
dlyy.dll:
[ Beta_Gen ], "Possible_MLWR-5"
[ Symantec ], "Trojan.Packed.NsAnti"
[ Microsoft ], "PWS:Win32/Lineage.gen!dll"
[ McAfee ], "PWS-Lineage.dll"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "Lineage!tr.pws"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Virus W32/Viking.gen5"
ie2.exe:
[ Beta_Gen ], "Possible_MLWR-5"
[ Microsoft ], "Trojan:Win32/Meredrop"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.fq"
[ McAfee ], "PWS-Mmorpg.gen"
[ Sophos ], "[FILE:0000]:Mal/EncPk-F"
[ Fortinet ], "PossibleThreat"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Trojan W32/OnLineGames.GIR"
[ Rising ], "Backdoor.Bifrose.hkp"
[ Ewido ], "Trojan.OnLineGames.es"
rundl132.exe:
[ Beta_Gen ], "Possible_MLWR-5"
[ Symantec ], "Trojan.Packed.NsAnti"
[ Kaspersky ], "Packed.Win32.NSAnti.p"
[ McAfee ], "New Malware.cn !!"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Virus W32/Viking.gen5"
[ Ewido ], "Trojan.NSAnti.p"