國家圖書館臺灣記憶系統網站被植入惡意連結
2007 年 07 月 19 日 – 16:09:00國家圖書館臺灣記憶系統網站被植入惡意連結 (早上通知他們,到現在尚未處理),此惡意程式為 Infostealer.Gampass、PWS:Win32/Whoran.A 或 Trojan-Spy.Win32.Agent.qn 變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒 (此惡意程式應該會偷帳號與密碼)。(感謝網友通知)
惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的:
執行之後,有下面的行為:
[Added process]
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft.com
C:\Documents and Settings\Administrator\Local Settings\Temp\Cike.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\WINDOWS\system32\winlokc.dll
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\Cike.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft.com
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\svchost[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\z1[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ck[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\dns[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\zl[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ie[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\xl1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\xl[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\dns[1].ani
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\z2[1].jpg
C:\WINDOWS\system32\winlokc.dll
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Syetesn
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Microsoft.com
到目前為止 (2007/7/19 @ 09:27),下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考):
Microsoft.com:
[ Kaspersky ], 『PAK:PE_Patch, PAK:UPX』
[ HBEDV ], 『TR/Spy.Agent.QN.16″
Microsoft.vbs:
[ Symantec ], 『Trojan Horse』
[ Kaspersky ], 『Trojan.VBS.Runner.o』
[ HBEDV ], 『VBS/Runner.O.3″
[ Ewido ], 『Trojan.Runner.o』
svchost.exe:
[ Kaspersky ], 『PAK:PE_Patch, PAK:UPX』
[ HBEDV ], 『TR/Spy.Agent.QN.16″
winlokc.dll:
[ Symantec ], 『Infostealer.Gampass』
[ Microsoft ], 『PWS:Win32/Whoran.A』
[ Kaspersky ], 『Trojan-Spy.Win32.Agent.qn』
[ HBEDV ], 『TR/Spy.Agent.QN.16″
xl1[1].htm:
[ Microsoft ], 『Exploit:HTML/Expascii.gen』
[ McAfee ], 『ObfuscatedHtml』
[ Fortinet ], 『HTML/ASCII.gen!exploit』
[ Norman ], 『Trojan AsciiExploit.gen』
xl[1].htm:
[ Nod32 ], 『JS/TrojanDownloader.Agent.ID trojan』
[ HBEDV ], 『JS/Dldr.Agent.25076″
[ Rising ], 『Trojan.DL.JS.Agent.let』
[ Ewido ], 『Downloader.Agent.id』
zl[1].htm:
[ Microsoft ], 『Exploit:HTML/Expascii.gen』
[ McAfee ], 『ObfuscatedHtml』
[ Fortinet ], 『HTML/ASCII.gen!exploit』
[ Norman ], 『Trojan AsciiExploit.gen』
06014[1].htm:
[ Microsoft ], 『[->(SCRIPT0000)]:TrojanDownloader:JS/Agent.FT』
[ Kaspersky ], 『Trojan-Downloader.JS.Psyme.fk』
[ McAfee ], 『[000000bc.vbs]:Exploit-MS06-014.gen !!』
[ Fortinet ], 『VBS/Psyme.DN!tr.dldr』
[ Rising ], 『Trojan.DL.VBS.Agent.clx』
[ Ewido ], 『Downloader.Psyme.hl』
Cike.exe:
[ Kaspersky ], 『PAK:PE_Patch, PAK:UPX』
[ HBEDV ], 『TR/Spy.Agent.QN.16″
ck[1].htm:
[ Alpha_Gen ], 『Possible_EncScr』
[ McAfee ], 『[00000008.js]:Exploit-MS06-014″
[ HBEDV ], 『VBS/Dldr.Psyme.BH.2″
ie[1].htm:
[ Alpha_Gen ], 『Heur_Infrm-1″
[ Fortinet ], 『JS/Agent.HC!tr.dldr』
[ Rising ], 『Trojan.DL.JS.Agent.lgm』
