大砲開講

惡意連結是放置在 home.asp (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\avp.exe

[DLL injection]
C:\WINDOWS\system32\od3mdi.dll

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\4[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ani[1].css
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od3mdi.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (C:\WINDOWS\system32\od3mdi.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (C:\WINDOWS\system32\od3mdi.dll)

到目前為止 (2007/7/20 @ 13:18)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

1[1].htm:
[ Symantec ], "Downloader"
[ Microsoft ], "[->(SCRIPT0000)]:TrojanDownloader:VBS/Agent.EF"
[ Kaspersky ], "Trojan-Downloader.VBS.Small.eh"
[ McAfee ], "[0000001d.vbs]:Exploit-MS06-014 !!"
[ Nod32 ], "VBS/TrojanDownloader.Small.BO trojan"
[ Fortinet ], "VBS/Psyme.DP!tr.dldr"
[ HBEDV ], "VBS/Dldr.Psyme.FY"
[ Rising ], "Trojan.DL.VBS.Agent.cii"
[ Ewido ], "Downloader.Small.cu"
avp.exe:
[ Kaspersky ], "Trojan-PSW.Win32.Maran.jg"
[ McAfee ], "PWS-Maran"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ HBEDV ], "TR/PSW.Maran.JG.3″