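Malicious link injected into the 主題酷 website
September 26, 2007 – 07:44:00
A malicious link has been injected into the 主題酷 website. The malware is Possible_Infostl. Anyone who has visited this page recently should check their computer as soon as possible. Please do not browse this site for the time being, to avoid infection. (Credit: Wayne)
The malicious link is placed in the home page (other pages may need a careful check as well):
After execution, the following behavior is observed: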
[DLL injection]
C:\WINDOWS\Help\E4D4CA973D22.dll
[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Desktop\2.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\m[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\gmsex[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\h[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\main[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\stat[1].htm
C:\Shell.exe
C:\WINDOWS\Help\E4D4CA973D22.dll
C:\WINDOWS\Help\E4D4CA973D22.exe
[ Added COM/BHO ]
{0EDE18B7-247D-40D2-906C-D918323BEB40}-C:\WINDOWS\Help\E4D4CA973D22.dll
As of now (2007/9/24 @ 17:03), the following antivirus products can detect these malicious files (for reference only):
E4D4CA973D22.dll:
[ Trend ], "Possible_Infostl"
E4D4CA973D22.exe:
[ Trend ], "Possible_Infostl"
gmsex[1].exe:
[ Trend ], "Possible_Infostl"
Shell.exe:
[ Trend ], "Possible_Infostl"
h[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Sophos ], "Mal/Iframe-A"
m[1].htm:
[ HBEDV ], "HEUR/Exploit.HTML"
[ Rising ], "Trojan.DL.VBS.Small.eh"

