Taiwan Literature Yearbook Database (臺灣文學年鑑資料庫) website injected with a malicious link

25 September 2007 – 16:51:00

The Taiwan Literature Yearbook Database (臺灣文學年鑑資料庫) website has been injected with a malicious link. The malware is TROJ_DELF.HYF, also known as Trojan-PSW.Win32.Maran.kf. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for the time being to avoid infection.

The malicious link was placed in the home page (the other pages may need a careful check as well):

After decoding:

After execution, it exhibits the following behaviour:

[DLL injection]
C:\WINDOWS\system32\od3mdi.dll

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (normal)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\css[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\real[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\764994885[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\down1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\main[1].js
C:\WINDOWS\rising283.exe
C:\WINDOWS\system32\drivers\KrnDigger.SYS
C:\WINDOWS\system32\lo.dll
C:\WINDOWS\system32\od3mdi.dll
C:\WINDOWS\system32\ss.exe

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP]

ID: 1013
NAME: MSAFD Tcpip [TCP/IP]
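As an added example (not from the original post), the following Python script turns the host indicators listed above into a check a defender can run on a suspect machine. The paths and service details are copied from the behaviour list; `match_indicators` takes a host inventory as plain data so the logic can also be exercised offline with a constructed inventory.

```python
import ntpath
import os
from typing import Iterable, List, Mapping

# Host indicators copied from the behaviour list above; the paths assume the
# default Windows XP layout (C:\WINDOWS) that the sandbox run used.
DROPPED_FILES = [
    r"C:\WINDOWS\avp.exe",
    r"C:\WINDOWS\rising283.exe",
    r"C:\WINDOWS\system32\drivers\KrnDigger.SYS",
    r"C:\WINDOWS\system32\lo.dll",
    r"C:\WINDOWS\system32\od3mdi.dll",
    r"C:\WINDOWS\system32\ss.exe",
]
# Content.IE5 subfolder names are random per host, so browser-cache hits are
# matched on file name only, and only inside the IE cache tree.
CACHED_NAMES = {"css[1].js", "real[1].exe", "764994885[1].htm", "down1[1].exe", "main[1].js"}
SERVICE_IOC = {"name": "VGADown", "display": "Audio Adapter", "file": r"C:\WINDOWS\avp.exe"}
# The two "Added LSP" names are the strings Windows uses for its own mswsock.dll
# providers, so they are not matched by name; an LSP check would need the
# provider DLL path, which the post does not list.

def match_indicators(existing_files: Iterable[str],
                     services: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Compare a host inventory (file paths, service name -> details) with the IoCs."""
    files = {p.lower(): p for p in existing_files}
    findings = []
    for path in DROPPED_FILES:
        if path.lower() in files:
            findings.append(f"dropped file: {path}")
    cached = {n.lower() for n in CACHED_NAMES}
    for key in sorted(files):
        if "content.ie5" in key and ntpath.basename(key) in cached:
            findings.append(f"cached download: {files[key]}")
    for name, svc in services.items():
        if name.lower() == SERVICE_IOC["name"].lower():
            findings.append(f"service {name} ({svc.get('display')}) -> {svc.get('file')}")
    return findings

def scan_local_files() -> List[str]:
    """List the dropped-file paths and IE cache entries present on this machine (Windows only)."""
    present = [p for p in DROPPED_FILES if os.path.exists(p)]
    cache_root = os.path.join(os.environ.get("USERPROFILE", ""), "Local Settings",
                              "Temporary Internet Files", "Content.IE5")
    for root, _dirs, names in os.walk(cache_root):
        present.extend(os.path.join(root, n) for n in names)
    return present
```

On the suspect machine, call `match_indicators(scan_local_files(), services={})`; the service entry can be filled in by hand from the output of `sc qc VGADown`.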

As of now (2007/9/24 @ 14:37), the following antivirus products detect these malicious files (for reference only):

down1[1].exe:
[ Trend ], "TSPY_MARAN.AFU"
real[1].exe:
[ Trend ], "TROJ_DELF.HYF"
rising283.exe:
[ Trend ], "TROJ_DELF.HYF"
yahoo.js:
[ Trend ], "JS_DLOADER.PYD"
css[1].js:
[ Alpha_Gen ], "Possible_EncScr"
[ Kaspersky ], "Trojan-Downloader.JS.Psyme.mr"
[ HBEDV ], "JS/Dldr.MarcoMedia"
KrnDigger.SYS:
[ Panda ], "Trj/Agent.GII"
[ Nod32 ], "Win32/RiskWare.PsUtils.18 application"
[ Fortinet ], "HackerTool/PsUtils"
[ HBEDV ], "SPR/Tool.PsUtils.18"
[ Rising ], "RootKit.Win32.Agent.ngr"
od3mdi.dll:
[ Alpha_Gen ], "Possible_Lineage"
[ Symantec ], "Infostealer.Phax"
[ Microsoft ], "TrojanSpy:Win32/Maran.AT"
[ Kaspersky ], "Trojan-PSW.Win32.Maran.kf"
[ McAfee ], "PWS-Maran.dll"
[ Panda ], "Trj/Maran.CG"
[ Nod32 ], "Win32/PSW.Maran.KF trojan"
[ Fortinet ], "W32/Maran.A!tr.pws"
[ HBEDV ], "TR/Drop.Ag.115200.D"
[ Rising ], "Trojan.PSW.Win32.OnlineGames.xyq"
ss.exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "Win32/RiskWare.PsUtils.18 application"
[ Fortinet ], "HackerTool/PsUtils"
[ HBEDV ], "SPR/HideProcess.B.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"

“Taiwan Literature Yearbook Database website injected with a malicious link” currently has 1 response

What a rare find, such a good website
Who would have thought that two days after I found it, it would be…
Damned hackers
If I ever find you, I'll kill you!!!
Feel free to visit my blog
http://www.wretch.cc/blog/euo650

By Anonymous on 25 September 2007 - 19:01:00
