HONDA Taiwan car website injected with a malicious link
2007-08-03 17:08:00 The HONDA Taiwan car website has been injected with a malicious link. The malware is an Onlineage variant (the detection names below place it in the OnLineGames/Lineage password-stealer family). Anyone who has browsed the site recently should check their computer right away, and everyone should avoid visiting the site for the time being to avoid infection (this malware most likely steals account names and passwords).
After execution, it exhibits the following behaviour:
[Added process]
C:\WINDOWS\system32\drivers\scvhost.exe
[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\npptools.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\Packet.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\qjso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\rxso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\tlso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WanPacket.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\wdso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\wlso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ztso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\zxso0.dll
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll
C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys
C:\WINDOWS\system32\5E9F0D5.DLL
C:\WINDOWS\system32\drivers\scvhost.exe
C:\WINDOWS\system32\TIMHost.dll
C:\WINDOWS\system32\xyhpri.dll
C:\WINDOWS\winow.dll
[Added service]
NAME: 2FED61CD
DISPLAY: 2FED61CD
FILE: C:\WINDOWS\system32\AE9C6AE4.EXE -d
[Deleted service]
NAME: ERSvc
DISPLAY: Error Reporting Service
FILE: C:\WINDOWS\System32\svchost.exe-1 -k netsvcs
[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Local Settings\Temp\microsofts.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\microsofts.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\npf.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\npptools.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\Packet.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\qjso.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\qjso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\rxso.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\rxso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\sys11.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\sys14.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\sys18.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\sysphong.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\tlso.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\tlso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WanPacket.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\wdso.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wdso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\wgso.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wgso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\wlso.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wlso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ztso.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ztso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\zxso.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\zxso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\c104[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\sys614[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\vip[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\wm[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\sys07[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\vip[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\haha[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\sysdown[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\update[1].txt
C:\NTDETECT.EXE
C:\PegeFile.pif
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bak
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bkk
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll
C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Jmp
C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys
C:\WINDOWS\rising469.exe
C:\WINDOWS\system32\5E9F0D5.DLL
C:\WINDOWS\system32\AE9C6AE4.EXE
C:\WINDOWS\system32\ctfnom.exe
C:\WINDOWS\system32\drivers\scvhost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\TIMHost.dll
C:\WINDOWS\system32\xyfini.dll
C:\WINDOWS\system32\xyhpri.dll
C:\WINDOWS\TIMHost.exe
C:\WINDOWS\winow.dll
C:\WINDOWS\winow.exe
[Added COM/BHO]
{0EA66AD2-CF26-2E23-532B-B292E22F3266}=C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll
{40117B96-998D-4D80-8F89-5E9DBD9F3460}=C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys
{913AF41A-21B1-131B-1BFC-D2A90DF4A2B9}=C:\WINDOWS\system32\xyhpri.dll
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ztsa
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ztso.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=rxsa
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=wlsa
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wlso.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=wgsa
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgso.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=TIMHost
Data=C:\WINDOWS\TIMHost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=tlsa
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlso.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=wdsa
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdso.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=zxsa
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zxso.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=qjsa
Data=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qjso.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=KVP
Data=C:\WINDOWS\system32\drivers\svchost.exe
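Two details in the listing above make a naive string match against these indicators fail: the Run-key data is recorded in 8.3 short form (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\...) while the dropped-file list uses long names, and several binaries are look-alikes of legitimate ones (scvhost.exe for svchost.exe, ctfnom.exe for ctfmon.exe) or a legitimate name started from the wrong directory (system32\drivers\svchost.exe). The following triage script is an added example written for this post, not part of the original analysis or of any tool mentioned here. It goes slightly beyond the report by also flagging look-alike and misplaced system binaries rather than only exact indicator matches. The 8.3 segment table and the "legitimate directory" table are assumptions (on a real host resolve short names with GetLongPathName instead), and the autostart listing it runs over is constructed sample input, not a capture from an infected machine.

```python
"""IOC triage for the HONDA Taiwan compromise (added example, not from the original post)."""
import re

# Indicators copied from the report: Run-key targets, service binary, BHO DLLs.
IOC_PATHS = {
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\ztso.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\rxso.exe",
    r"C:\WINDOWS\TIMHost.exe",
    r"C:\WINDOWS\system32\drivers\svchost.exe",
    r"C:\WINDOWS\system32\drivers\scvhost.exe",
    r"C:\WINDOWS\system32\AE9C6AE4.EXE",
    r"C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll",
    r"C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys",
    r"C:\WINDOWS\system32\xyhpri.dll",
}
IOC_CLSIDS = {
    "{0EA66AD2-CF26-2E23-532B-B292E22F3266}",
    "{40117B96-998D-4D80-8F89-5E9DBD9F3460}",
    "{913AF41A-21B1-131B-1BFC-D2A90DF4A2B9}",
}
# Assumption: the usual Windows XP 8.3 short names for these directories.
SHORT_SEGMENTS = {
    "DOCUME~1": "Documents and Settings", "ADMINI~1": "Administrator",
    "LOCALS~1": "Local Settings", "PROGRA~1": "Program Files",
    "INTERN~1": "Internet Explorer",
}
# Assumption: the only directory these system binaries legitimately start from.
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32", "ctfmon.exe": r"c:\windows\system32"}


def normalize(path):
    """Lower-case, drop arguments (' -d', ' -k netsvcs'), expand known 8.3 segments."""
    path = re.split(r"\s+-", path.strip().strip('"'), maxsplit=1)[0]
    return "\\".join(SHORT_SEGMENTS.get(p.upper(), p) for p in path.split("\\")).lower()


NORMALIZED_IOCS = {normalize(p) for p in IOC_PATHS}


def osa_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(data):
    """Reasons an autostart target is suspicious ([] when nothing matches)."""
    reasons = []
    path = normalize(data)
    if path in NORMALIZED_IOCS:
        reasons.append("known indicator")
    directory, _, name = path.rpartition("\\")
    for legit, legit_dir in SYSTEM_BINARIES.items():
        if name == legit and directory != legit_dir:
            reasons.append(f"{legit} outside {legit_dir}")
        # scvhost/svchost and ctfnom/ctfmon are anagrams; also catch one-character typos.
        elif name != legit and (sorted(name) == sorted(legit) or osa_distance(name, legit) <= 1):
            reasons.append(f"look-alike of {legit}")
    return reasons


def triage(entries):
    """Map each suspicious target path to its list of reasons."""
    findings = {}
    for location, value, data in entries:
        reasons = classify(data)
        if location == "BHO" and value in IOC_CLSIDS:
            reasons.append("known BHO CLSID")
        if reasons:
            findings[data] = reasons
    return findings


# Constructed sample listing (location, value name, target), not a real host capture.
SAMPLE_AUTOSTARTS = [
    ("Run", "ztsa", r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ztso.exe"),
    ("Run", "KVP", r"C:\WINDOWS\system32\drivers\svchost.exe"),
    ("Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),            # legitimate
    ("Services", "2FED61CD", r"C:\WINDOWS\system32\AE9C6AE4.EXE -d"),
    ("Services", "Dhcp", r"C:\WINDOWS\System32\svchost.exe -k netsvcs"),  # legitimate
    ("Process", "", r"C:\WINDOWS\system32\drivers\scvhost.exe"),
    ("Process", "", r"C:\WINDOWS\system32\ctfnom.exe"),
    ("BHO", "{40117B96-998D-4D80-8F89-5E9DBD9F3460}", r"C:\PROGRA~1\INTERN~1\PLUGINS\SysWin64.Sys"),
]

if __name__ == "__main__":
    for target, why in triage(SAMPLE_AUTOSTARTS).items():
        print(f"{target}: {', '.join(why)}")
```

Note that ctfnom.exe is deliberately left out of IOC_PATHS: it is caught purely by the look-alike rule, which is what you want when the next variant changes its file names but keeps impersonating system binaries. Feed the script an autostart export from a suspect machine in the same (location, value, target) shape.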
As of now (2007/8/3 @ 16:44), the following antivirus products detect these malicious files (for reference only):
wgso0.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.abh"
[ Panda ], "Trj/Lineage.EPL"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NDV trojan"
[ Fortinet ], "W32/OnLineG.ABH!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.OnlineGames.del"
[ Ewido ], "Trojan.OnLineGames.abh"
wlso0.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.qo"
[ Panda ], "Trj/Lineage.EOU"
[ Nod32 ], "Win32/PSW.OnLineGames.NDB trojan"
[ Fortinet ], "W32/Gampass.A!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.OnlineGames.dfr"
[ Ewido ], "Trojan.OnLineGames.qo"
ztso0.dll:
[ Symantec ], "Infostealer"
[ Kaspersky ], "Trojan-PSW.Win32.Nilage.bjp"
[ McAfee ], "PWS-LegMir.dll"
[ Panda ], "Trj/Lineage.EOT"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ Fortinet ], "W32/OnLineG.BJP!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.OnlineGames.dfh"
[ Ewido ], "Trojan.Nilage.bjp"
zxso0.dll:
[ Symantec ], "Infostealer.Perfwo"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.qo"
[ Panda ], "Trj/Lineage.EOU"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NDV trojan"
[ Fortinet ], "W32/Gampass.A!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.WorldOnline.ja"
[ Ewido ], "Trojan.OnLineGames.qo"
zxso.exe:
[ Microsoft ], "PWS:Win32/Lmir.gen!J"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.qo"
[ Panda ], "Trj/Lineage.EOU"
[ Nod32 ], "probably a variant of Win32/PSW.Agent.NDP trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnLineGames.QO.28"
[ Norman ], "Trojan W32/OnLineGames.IGA"
[ Ewido ], "Trojan.Small.cf"
5E9F0D5.dll:
[ Microsoft ], "Backdoor:Win32/Popwin.gen!A"
[ Kaspersky ], "Backdoor.Win32.Agent.ahj"
[ McAfee ], "BackDoor-DKA"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ Fortinet ], "BDoor.DKA!tr.bdr"
[ HBEDV ], "BDS/Exaal.45056"
[ Rising ], "Trojan.IMMSG.Win32.TBMSG.jg"
autorun.inf:
[ McAfee ], "Generic!atr"
haha[1].js:
[ Alpha_Gen ], "Possible_EncScr"
[ Kaspersky ], "PAK:JSPack, PAK:JSPack, unknown format."
microsofts.vbs:
[ HBEDV ], "VBS/Nowed.1"
NTDETECT.EXE:
[ HBEDV ], "VBS/Nowed.1"
qjso0.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.bs"
[ Panda ], "Trj/Lineage.EOU"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NAZ trojan"
[ Fortinet ], "W32/OnLineG.BS!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.OnlineGames.del"
[ Ewido ], "Trojan.OnLineGames.bs"
qjso.exe:
[ Symantec ], "Infostealer"
[ Microsoft ], "PWS:Win32/Lmir.gen!J"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.bs"
[ Panda ], "Trj/Lineage.EOU"
[ Nod32 ], "probably a variant of Win32/PSW.Agent.NDP trojan"
[ Fortinet ], "W32/OnLineGames.BS!tr.pws"
[ HBEDV ], "TR/PSW.OnLineGames.BS.277"
[ Norman ], "Trojan W32/OnLineGames.IGC"
[ Ewido ], "Trojan.OnLineGames.bs"
rxso0.dll:
[ Symantec ], "Infostealer.JiangHu"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.abv"
[ Panda ], "Trj/Lineage.EOU"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NBD trojan"
[ Fortinet ], "W32/OnLineGames.ABV!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.OnlineGames.djd"
sys07[1].htm:
[ Alpha_Gen ], "Possible_EncScr"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Rising ], "Hack.Exploit.HTML.Vml.q"
sys11.exe:
[ Microsoft ], "[->(FSG-v2.0)]:TrojanDropper:Win32/Dowque.A"
[ Kaspersky ], "PAK:FSG, Trojan-PSW.Win32.Agent.mi"
[ McAfee ], "[0000b200.EXE]:PWS-QQGame"
[ Panda ], "Trj/QQpass.AIV"
[ Nod32 ], "probably a variant of Win32/PSW.QQPass.VD trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Steal.46695"
[ Norman ], "Security Risk Suspicious_F.gen"
[ Ewido ], "Dropper.Small"
sys614[1].js:
[ Alpha_Gen ], "Possible_EncScr"
sysphong.exe:
[ Kaspersky ], "Packed.Win32.NSAnti.r"
[ Panda ], "Bck/Hupigon.AZG"
[ Nod32 ], "Win32/Pacex.Gen virus"
[ Fortinet ], "W32/NSAnti.R"
[ HBEDV ], "TR/PCK.NSAnti.R.114"
[ Norman ], "Security Risk W32/NSAnti.WK"
SysWin64.Jmp:
[ Microsoft ], "[->(FSG-v2.0)]:TrojanDropper:Win32/Dowque.A"
[ Kaspersky ], "PAK:FSG, Trojan-PSW.Win32.Agent.mi"
[ McAfee ], "[0000b200.EXE]:PWS-QQGame"
[ Panda ], "Trj/QQpass.AIV"
[ Nod32 ], "probably a variant of Win32/PSW.QQPass.VD trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Steal.46695"
[ Norman ], "Security Risk Suspicious_F.gen"
[ Ewido ], "Dropper.Small"
SysWin64.Sys:
[ Microsoft ], "PWS:Win32/Qqhook.gen!A"
[ Kaspersky ], "Trojan-PSW.Win32.Agent.mi"
[ McAfee ], "PWS-QQGame"
[ HBEDV ], "TR/PSW.Steal.46695"
[ Rising ], "Trojan.PSW.Win32.QQPass.qop"
TIMHost.dll:
[ Symantec ], "Infostealer.Multigame"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.adm"
[ McAfee ], "PWS-Zhengtu.dll"
[ Panda ], "Trj/Lineage.ERY"
[ Fortinet ], "W32/OnLine.ADM!tr.pws"
[ HBEDV ], "TR/PSW.OnLineGames.adm.4"
[ Rising ], "Trojan.PSW.Win32.RocOnline.ay"
TIMHost.exe:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.adm"
[ McAfee ], "[00001a60.EXE]:PWS-Zhengtu.dll"
[ Panda ], "Trj/Lineage.ERY"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.YA trojan"
[ Fortinet ], "W32/OnLine.ADM!tr.pws"
[ HBEDV ], "TR/PSW.OnLineGame.YF"
[ Norman ], "Trojan W32/OnLineGames.JBD"
[ Rising ], "Trojan.PSW.Win32.RocOnline.ay"
[ Ewido ], "Trojan.Small"
tlso0.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.bs"
[ Panda ], "Trj/Lineage.EOU"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NDV trojan"
[ Fortinet ], "W32/OnLineG.BS!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.Agent.pn"
[ Ewido ], "Trojan.OnLineGames.bs"
wdso0.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.bs"
[ Panda ], "Trj/Lineage.EOU"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NDV trojan"
[ Fortinet ], "W32/OnLineG.BS!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.OnlineGames.dqn"
[ Ewido ], "Trojan.OnLineGames.bs"
wdso.exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Lmir.gen!J"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.bs"
[ Panda ], "Trj/Lineage.EOU"
[ Nod32 ], "probably a variant of Win32/PSW.Agent.NDP trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnLineGames.BS.276"
[ Norman ], "Trojan W32/OnLineGames.IGP"
[ Ewido ], "Trojan.Small.cf"

"HONDA Taiwan car website injected with a malicious link" currently has 3 responses
Could you provide a download location for the Alpha_Gen virus definitions?
By Anonymous on 2007-08-03 - 19:42:00
May I ask why none of the antivirus products you list include any data for SOPHOS?…
We use SOPHOS for antivirus, so I am worried that, since it is not listed here, it cannot block any of this.
By Little Tiger Site on 2007-08-07 - 17:44:00
It probably does not detect it.
By Roger on 2007-08-15 - 11:08:00