高雄縣岡山地政事務所網站被植入惡意連結
2007 年 06 月 22 日 – 09:34:00高雄縣岡山地政事務所網站被植入惡意連結,此惡意程式為 HUPIGON 變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在虛擬機器上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。(Credit: Jimau)
惡意連結是放置在 NoticeHouse.asp (其他頁面可能要仔細檢查一下囉) 中的:
執行之後,有下面的行為:
[Added hidden process]
C:\Program Files\Internet Explorer\iexplore.exe (此程序會鎖住 C:\WINDOWS\68.exe)
[Added service]
NAME: svchost
DISPLAY: svchost
FILE: C:\WINDOWS\68.exe (hidden IE process locks this file)
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\gz2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\sex[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\gz1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\sexy[1].htm
C:\WINDOWS\68.exe
C:\WINDOWS\qq1.exe
到目前為止 (2007/6/21 @ 16:46),下面的防毒軟體可以偵測到這些惡意檔案 (僅供參考):
gz1[1].exe:
[ Trend ], "BKDR_HUPIGON.UH"
68.exe:
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
[ Rising ], "Backdoor.Gpigeon.GEN"
gz2[1].exe:
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
[ Rising ], "Backdoor.Gpigeon.GEN"
sex[1].htm:
[ Microsoft ], "[->(SCRIPT0000)]:TrojanDownloader:JS/Agent.FT"
[ McAfee ], "[000000b6.vbs]:Exploit-MS06-014″
[ Fortinet ], "VBS/Psyme.DN!tr.dldr"
[ Norman ], "Trojan VBS/Psyme.AK"
[ Rising ], "Trojan.VBS.Agent.z"
[ Ewido ], "Downloader.Psyme.hb"
sexy[1].htm:
[ Microsoft ], "[->(SCRIPT0000)]:TrojanDownloader:JS/Agent.FT"
[ McAfee ], "[000000b6.vbs]:Exploit-MS06-014″
[ Fortinet ], "VBS/Psyme.DN!tr.dldr"
[ Norman ], "Trojan VBS/Psyme.AK"
[ Rising ], "Trojan.VBS.Agent.z"
[ Ewido ], "Downloader.Psyme.hb"
svchost.vbs:
[ Symantec ], "Trojan Horse"
