國家圖書館臺灣記憶系統網站被植入惡意連結
2007 年 07 月 19 日 – 16:09:00國家圖書館臺灣記憶系統網站被植入惡意連結 (早上通知他們,到現在尚未處理),此惡意程式為 Infostealer.Gampass、PWS:Win32/Whoran.A 或 Trojan-Spy.Win32.Agent.qn 變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒 (此惡意程式應該會偷帳號與密碼)。(感謝網友通知)
惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的:
執行之後,有下面的行為:
[Added process]
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft.com
C:\Documents and Settings\Administrator\Local Settings\Temp\Cike.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\WINDOWS\system32\winlokc.dll
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\Cike.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft.com
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\svchost[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\z1[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ck[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\dns[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\zl[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ie[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\xl1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\xl[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\dns[1].ani
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\z2[1].jpg
C:\WINDOWS\system32\winlokc.dll
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Syetesn
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Microsoft.com
到目前為止 (2007/7/19 @ 09:27),下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考):
Microsoft.com:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPX"
[ HBEDV ], "TR/Spy.Agent.QN.16″
Microsoft.vbs:
[ Symantec ], "Trojan Horse"
[ Kaspersky ], "Trojan.VBS.Runner.o"
[ HBEDV ], "VBS/Runner.O.3″
[ Ewido ], "Trojan.Runner.o"
svchost.exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPX"
[ HBEDV ], "TR/Spy.Agent.QN.16″
winlokc.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Whoran.A"
[ Kaspersky ], "Trojan-Spy.Win32.Agent.qn"
[ HBEDV ], "TR/Spy.Agent.QN.16″
xl1[1].htm:
[ Microsoft ], "Exploit:HTML/Expascii.gen"
[ McAfee ], "ObfuscatedHtml"
[ Fortinet ], "HTML/ASCII.gen!exploit"
[ Norman ], "Trojan AsciiExploit.gen"
xl[1].htm:
[ Nod32 ], "JS/TrojanDownloader.Agent.ID trojan"
[ HBEDV ], "JS/Dldr.Agent.25076″
[ Rising ], "Trojan.DL.JS.Agent.let"
[ Ewido ], "Downloader.Agent.id"
zl[1].htm:
[ Microsoft ], "Exploit:HTML/Expascii.gen"
[ McAfee ], "ObfuscatedHtml"
[ Fortinet ], "HTML/ASCII.gen!exploit"
[ Norman ], "Trojan AsciiExploit.gen"
06014[1].htm:
[ Microsoft ], "[->(SCRIPT0000)]:TrojanDownloader:JS/Agent.FT"
[ Kaspersky ], "Trojan-Downloader.JS.Psyme.fk"
[ McAfee ], "[000000bc.vbs]:Exploit-MS06-014.gen !!"
[ Fortinet ], "VBS/Psyme.DN!tr.dldr"
[ Rising ], "Trojan.DL.VBS.Agent.clx"
[ Ewido ], "Downloader.Psyme.hl"
Cike.exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPX"
[ HBEDV ], "TR/Spy.Agent.QN.16″
ck[1].htm:
[ Alpha_Gen ], "Possible_EncScr"
[ McAfee ], "[00000008.js]:Exploit-MS06-014″
[ HBEDV ], "VBS/Dldr.Psyme.BH.2″
ie[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1″
[ Fortinet ], "JS/Agent.HC!tr.dldr"
[ Rising ], "Trojan.DL.JS.Agent.lgm"
