Malicious link planted on the 美商元太國際基金管理 website
June 20, 2007 – 14:30:00

The 美商元太國際基金管理 website has been injected with a malicious link. The malware is a Frethog / OnlineGames variant. Anyone who has visited this page recently should check their computer as soon as possible, and please do not browse this site for now, to avoid infection. Once it is confirmed that they have fixed it, this post will be updated (this malware most likely steals accounts and passwords). Readers who are interested can test it in a virtual machine, then report back on the state of the repair, and help notify them. Thanks.
The malicious link is placed on the home page (the other pages may need a careful check as well):
After it runs, it does the following:
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\win[2].htm
C:\WINDOWS\~tmp2298.exe
C:\WINDOWS\~tmp2595.exe
C:\WINDOWS\~tmp3634.exe
C:\WINDOWS\~tmp3817.exe
C:\WINDOWS\~tmp4673.exe
C:\WINDOWS\~tmp5390.exe
C:\WINDOWS\~tmp54.exe
C:\WINDOWS\~tmp6941.exe
C:\WINDOWS\~tmp7532.exe
C:\WINDOWS\~tmp7544.exe
C:\WINDOWS\~tmp946.exe
As of now (2007/6/20 @ 11:07), the following antivirus products detect these malicious files:
~tmp2298.exe, ~tmp2595.exe, ~tmp3634.exe, ~tmp3817.exe, ~tmp4673.exe, ~tmp5390.exe, ~tmp6941.exe, ~tmp7532.exe, ~tmp7544.exe, ~tmp54.exe, ~tmp946.exe and update[1].exe (the results are identical for every one of these executables):
[ Alpha_Gen ], "Possible_ULPM"
[ Microsoft ], "PWS:Win32/Frethog.C"
[ Nod32 ], "probably a variant of Win32/Pacex.Gen virus"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Trojan W32/OnlineGames.gen21"
win[2].htm:
[ McAfee ], "ObfuscatedHtml"
[ Fortinet ], "HTML/ASCII.gen!exploit"
[ Norman ], "Trojan AsciiExploit.gen"


There is currently 1 response to “Malicious link planted on the 美商元太國際基金管理 website”
trace win.html
The content inside <body>…</body> looks like a pile of garbage.
But the charset is specified as US-ASCII, so the content is effectively 7-bit, with the highest bit set as a disguise.
So mask off the highest bit of every byte and you will see the content.
The syntax is roughly:
Create an object, fetch update.exe, copy it to tmpXXXX.exe, then run it via a shell command.
By 咪咪波波 on June 21, 2007 - 02:52:00
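The de-obfuscation the comment above describes, written out as an added example (it is not the commenter's code and nothing here is taken from the real win.html): the function checks that a page declares charset US-ASCII while the bytes inside its <body> are mostly 8-bit, then clears bit 7 of every body byte to recover the hidden text. The sample page is constructed inline with a harmless placeholder body; the 50% threshold is an assumption chosen for this example.

```python
import re

# Charset declaration in the <head>, and the raw <body> contents.
CHARSET_RE = re.compile(rb'charset\s*=\s*["\']?([\w-]+)', re.IGNORECASE)
BODY_RE = re.compile(rb"<body[^>]*>(.*?)</body>", re.IGNORECASE | re.DOTALL)


def mask_high_bit(data: bytes) -> bytes:
    """Clear bit 7 of every byte: undoes the disguise the comment describes."""
    return bytes(b & 0x7F for b in data)


def high_bit_ratio(data: bytes) -> float:
    """Fraction of bytes with bit 7 set; genuine US-ASCII text scores 0.0."""
    if not data:
        return 0.0
    return sum(1 for b in data if b & 0x80) / len(data)


def unmask_ascii_body(html: bytes, threshold: float = 0.5):
    """Return (declared charset, high-bit ratio, recovered body text), or None
    when the page does not match the pattern: charset declared as US-ASCII but
    a body that is mostly 8-bit bytes. The threshold is an assumed cut-off."""
    charset_match = CHARSET_RE.search(html)
    charset = (charset_match.group(1).decode("ascii", "replace").upper()
               if charset_match else None)
    body_match = BODY_RE.search(html)
    if body_match is None:
        return None
    body = body_match.group(1)
    ratio = high_bit_ratio(body)
    if charset != "US-ASCII" or ratio < threshold:
        return None
    return charset, ratio, mask_high_bit(body).decode("ascii")


def build_sample(plain_body: bytes) -> bytes:
    """Constructed page in the described shape: US-ASCII declared, body with bit 7 set."""
    disguised = bytes(b | 0x80 for b in plain_body)
    return (b'<html><head><meta http-equiv="Content-Type" '
            b'content="text/html; charset=US-ASCII"></head>'
            b"<body>" + disguised + b"</body></html>")


# Constructed placeholder text, not the real page's hidden content.
SAMPLE_PLAIN = b"<p>constructed hidden text, not the real payload</p>"
SAMPLE_PAGE = build_sample(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(unmask_ascii_body(SAMPLE_PAGE))
```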