VIP生活網 injected with a malicious link

26 September 2007 – 08:09:00

VIP生活網 has been injected with a malicious link. The malware involved is Trojan-PSW.Win32.OnLineGames.dky. Anyone who has visited this site recently should check their computer as soon as possible, and everyone should avoid browsing the site for the time being so as not to get infected.

The malicious link was placed on the front page (the other pages may need a careful check as well):

After execution, the following behaviour was observed:

[Added process]
C:\WINDOWS\system32\rarjbtl.exe
C:\WINDOWS\system32\kaqhdaz.exe
C:\WINDOWS\system32\avwlast.exe
C:\Program Files\Common Files\Microsoft Shared\addslta.exe
C:\WINDOWS\system32\kapjbaz.exe
C:\Program Files\Common Files\System\gaebwdw.exe
C:\WINDOWS\system32\WinFormA11.exe

[DLL injection]
C:\Program Files\Common Files\Microsoft Shared\addslta.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGwd2.dll
C:\Program Files\NetMeeting\ravmsmon.dat
C:\Program Files\NetMeeting\ravytmon.dat
C:\Program Files\NetMeeting\ravzxmon.dat
C:\WINDOWS\system32\avwlamn.dll
C:\WINDOWS\system32\DiskMan32.dll
C:\WINDOWS\system32\kapjbzy.dll
C:\WINDOWS\system32\kaqhdaz.exe
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\NVDispDrv.dll
C:\WINDOWS\system32\rarjbpi.dll
C:\WINDOWS\system32\WinFormA11.dll

[Added service]
NAME: WS2IFSL (normal)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\22[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\hx11aaa[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\svcos[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\webxl[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xpbd[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\16[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\20[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\Webxl[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\xp017[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\xp07[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\15[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\23[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\pps[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\qq98[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\xpkk[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\xpxl[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\17[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\21[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ah[1].c
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\by[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\xpby[1].htm
C:\microsofts.vbs
C:\NTDETECT.EXE
C:\Program Files\Common Files\Microsoft Shared\addslta.exe
C:\Program Files\Common Files\Microsoft Shared\lpttype.inf
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGwd2.dll
C:\Program Files\Common Files\System\gaebwdw.exe
C:\Program Files\Common Files\System\lpttype.inf
C:\Program Files\meex.exe
C:\Program Files\NetMeeting\ravmsmon.dat
C:\Program Files\NetMeeting\ravmsmon.exe
C:\Program Files\NetMeeting\ravytmon.dat
C:\Program Files\NetMeeting\ravytmon.exe
C:\Program Files\NetMeeting\ravzxmon.dat
C:\Program Files\NetMeeting\ravzxmon.exe
C:\WINDOWS\DiskMan32.exe
C:\WINDOWS\Fonts\chreaur.fon
C:\WINDOWS\Fonts\enhuafx.fon
C:\WINDOWS\Fonts\enpoafx.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\MsIMMs32.exe
C:\WINDOWS\NVDispDrv.exe
C:\WINDOWS\system32\avwlain.dll
C:\WINDOWS\system32\avwlamn.dll
C:\WINDOWS\system32\avwlast.exe
C:\WINDOWS\system32\DiskMan32.dll
C:\WINDOWS\system32\kapjacs.dll
C:\WINDOWS\system32\kapjbaz.exe
C:\WINDOWS\system32\kapjbzy.dll
C:\WINDOWS\system32\kaqhacs.dll
C:\WINDOWS\system32\kaqhdaz.exe
C:\WINDOWS\system32\kaqhdzy.dll
C:\WINDOWS\system32\mscomm.dll
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\NVDispDrv.dll
C:\WINDOWS\system32\rarjani.dll
C:\WINDOWS\system32\rarjbpi.dll
C:\WINDOWS\system32\rarjbtl.exe
C:\WINDOWS\system32\ravgjmon.dll
C:\WINDOWS\system32\WinFormA11.dll
C:\WINDOWS\system32\WinFormA11.exe
C:\WINDOWS\system32\WinFormA7.ini

[Added LSP]
ID: 1012
NAME: MSAPI Tcpip [UDP/IP]

ID: 1013
NAME: MSAPI Tcpip [TCP/IP]

[Added COM/BHO]
{1960356A-458E-DE24-BD50-268F589A56A1}-C:\WINDOWS\system32\avwlamn.dll
{2598FF45-DA60-F48A-BC43-10AC47853D52}-C:\WINDOWS\system32\rarjbpi.dll
{2A321487-4977-D98A-C8D5-6488257545A2}-C:\WINDOWS\system32\kapjbzy.dll
{47D81718-1314-5200-2597-587901018074}-C:\WINDOWS\system32\kaqhdzy.dll
{91B1E846-2BEF-4345-8848-7699C7C9935F}-C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll
{F12BC423-3713-224D-3F55-32B35C62B11F}-C:\WINDOWS\system32\WinFormA11.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lpttype
Data=C:\Program Files\Common Files\System\gaebwdw.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ravmsmon
Data=C:\Program Files\NetMeeting\ravmsmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ravytmon
Data=C:\Program Files\NetMeeting\ravytmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ravzxmon
Data=C:\Program Files\NetMeeting\ravzxmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsIMMs32
Data=C:\WINDOWS\MsIMMs32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lvpwmgh
Data=C:\Program Files\Common Files\Microsoft Shared\addslta.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=DiskMan32
Data=C:\WINDOWS\DiskMan32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=NVDispDrv
Data=C:\WINDOWS\NVDispDrv.exe
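The post asks recent visitors to check their machines. As an added example (not code from the original post), the following Python parses the `[Added ...]` sections of a report in the format above into a structured set of indicators (file paths, Run value names with their data, BHO CLSIDs) and matches them against a host inventory. The report excerpt embedded in the script reuses a subset of the paths listed above, and the host inventory (`SAMPLE_FILES`, `SAMPLE_RUN`, `SAMPLE_BHO`) is constructed for the example; on a real host the inventory would come from a directory listing, the `Run` key and the Browser Helper Objects registry branch. Comparisons are case-insensitive because Windows paths and registry value names are.

```python
"""Parse the [Added ...] sections of a behaviour report into indicators and
match them against a host inventory.  Added example, not from the original
post; REPORT_EXCERPT and the SAMPLE_* inventory below are constructed."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own format (a subset of the paths listed
# on the page); the complete report could be pasted here unchanged.
REPORT_EXCERPT = r"""
[Added process]
C:\WINDOWS\system32\rarjbtl.exe
C:\WINDOWS\system32\WinFormA11.exe

[Added file]
C:\microsofts.vbs
C:\Program Files\NetMeeting\ravmsmon.exe
C:\WINDOWS\DiskMan32.exe

[Added COM/BHO]
{1960356A-458E-DE24-BD50-268F589A56A1}-C:\WINDOWS\system32\avwlamn.dll
{F12BC423-3713-224D-3F55-32B35C62B11F}-C:\WINDOWS\system32\WinFormA11.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ravmsmon
Data=C:\Program Files\NetMeeting\ravmsmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=DiskMan32
Data=C:\WINDOWS\DiskMan32.exe
"""

FILE_SECTIONS = {"Added process", "DLL injection", "Added file"}
SECTION_RE = re.compile(r"^\[(.+?)\]$")
CLSID_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})-(.+)$")

@dataclass
class IocSet:
    files: set = field(default_factory=set)         # full paths, lower-cased
    clsids: set = field(default_factory=set)        # BHO CLSIDs, upper-cased
    run_values: dict = field(default_factory=dict)  # Run value name (lower) -> data

def parse_report(text):
    """Walk the report line by line, tracking the current [section] header."""
    iocs = IocSet()
    section = None
    pending_value = None  # 'Value=' seen, waiting for its 'Data=' line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section in FILE_SECTIONS:
            iocs.files.add(line.lower())
        elif section == "Added COM/BHO":
            m = CLSID_RE.match(line)
            if m:
                iocs.clsids.add(m.group(1).upper())
                iocs.files.add(m.group(2).lower())
        elif section == "Added registry":
            if line.startswith("Value="):
                pending_value = line[len("Value="):]
            elif line.startswith("Data=") and pending_value is not None:
                data = line[len("Data="):]
                iocs.run_values[pending_value.lower()] = data
                iocs.files.add(data.lower())
                pending_value = None
    return iocs

def match_inventory(iocs, present_files, run_entries, bho_clsids):
    """Return the inventory items matching an indicator, per category.
    Comparisons are case-insensitive, as Windows paths and value names are."""
    return {
        "files": sorted(p for p in present_files if p.lower() in iocs.files),
        "run": sorted(v for v in run_entries if v.lower() in iocs.run_values),
        "bho": sorted(c for c in bho_clsids if c.upper() in iocs.clsids),
    }

# Constructed host inventory: two artefacts from the report plus benign entries.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\winforma11.exe",    # listed above (case differs)
    r"C:\WINDOWS\system32\kernel32.dll",      # benign
    r"C:\Program Files\NetMeeting\conf.exe",  # benign NetMeeting binary
]
SAMPLE_RUN = {"DiskMan32": r"C:\WINDOWS\DiskMan32.exe",        # listed above
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}  # benign
SAMPLE_BHO = ["{F12BC423-3713-224D-3F55-32B35C62B11F}",   # listed above
              "{00000000-0000-0000-0000-000000000000}"]   # placeholder, benign

def scan_sample():
    iocs = parse_report(REPORT_EXCERPT)
    return match_inventory(iocs, SAMPLE_FILES, SAMPLE_RUN, SAMPLE_BHO)

if __name__ == "__main__":
    for category, items in scan_sample().items():
        print(f"{category}: {items or 'no matches'}")
```

The `[Added service]` and `[Added LSP]` sections are deliberately skipped: the service the report lists is marked normal, and the LSP entries carry no path, so neither yields a clean indicator; the parser ignores any section it does not recognise rather than guessing.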

As of 2007/9/24 @ 17:06, the following anti-virus products detect these malicious files (for reference only):

ravmsmon.exe:
[ Trend ], "TSPY_ONLINEG.HTG"
SysWFGQQ2.dll:
[ Trend ], "Possible_Infostl"
SysWFGwd2.dll:
[ Trend ], "Possible_Infostl"
addslta.exe:
[ Trend ], "Possible_MLWR-5"
DiskMan32.dll:
[ Trend ], "Possible_OLGM-4"
DiskMan32.exe:
[ Trend ], "TSPY_ONLINEG.HSY"
gaebwdw.exe:
[ Trend ], "Possible_MLWR-5"
kaqhdaz.exe:
[ Trend ], "TROJ_SYSTEMHI.JE"
meex.exe:
[ Trend ], "Possible_MLWR-5"
rarjbtl.exe:
[ Trend ], "TROJ_SYSTEMHI.JG"
ravmsmon.dat:
[ Trend ], "TSPY_ONLINEG.HOA"
ravytmon.dat:
[ Kaspersky ], "PAK:UPack"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnLineG.TF.1"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
ravytmon.exe:
[ Symantec ], "Infostealer"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!E"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.dky"
[ McAfee ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NEP trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnLineG.TF.1"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
ravzxmon.dat:
[ Symantec ], "Infostealer"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!E.dll"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.dkf"
[ McAfee ], "PWS-OnlineGames.d.dll"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NCU trojan"
[ Fortinet ], "W32/OnlineGames.PE!tr.dldr"
[ HBEDV ], "TR/PSW.OnLineG.TF.1"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
ravzxmon.exe:
[ Symantec ], "Infostealer"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!E"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.dkf"
[ McAfee ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NEP trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnLineG.TF.1"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
WinFormA11.dll:
[ Microsoft ], "Trojan:Win32/Delf.AT!dll"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.dgq"
[ McAfee ], "PWS-Gamania.dll"
[ Sophos ], "Mal/Behav-136"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NEN trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.TLOnline.be"
WinFormA11.exe:
[ Microsoft ], "[->(Upack)]:Trojan:Win32/Delf.AT!dll"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.dgq"
[ McAfee ], "New Malware.n !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ Fortinet ], "W32/OnLineGames.DGQ!tr.pws"
[ HBEDV ], "TR/PSW.OnLineGames.dgq"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
avwlamn.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "Trojan:Win32/Delf.AT!dll"
[ Kaspersky ], "Trojan-Spy.Win32.Delf.aji"
[ McAfee ], "PWS-OnlineGames.a.dll"
[ Sophos ], "Mal/Gampass-A"
[ Fortinet ], "W32/OnLineGames.GC!tr.pws"
[ HBEDV ], "TR/Spy.Delf.aji"
[ Norman ], "Trojan W32/Malware.ATVI"
[ Rising ], "Trojan.PSW.Win32.WorldOnline.kz"
avwlast.exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:Trojan:Win32/SystemHijack.gen"
[ Kaspersky ], "PAK:UPack, Trojan-Dropper.Win32.Agent.bxi"
[ McAfee ], "New Malware.n !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ Fortinet ], "W32/Agent.DRP!tr"
[ HBEDV ], "TR/Drop.Agent.bxi"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ewido ], "Trojan.OnLineGames.cew"
kapjbaz.exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:Trojan:Win32/SystemHijack.gen"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.dki"
[ McAfee ], "New Malware.n !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
kapjbzy.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "Trojan:Win32/Delf.AT!dll"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NEN trojan"
[ Fortinet ], "W32/OnLineGames.GC!tr.pws"
[ HBEDV ], "HEUR/Malware"
kaqhdzy.dll:
[ Microsoft ], "Trojan:Win32/Delf.AT!dll"
[ Kaspersky ], "Trojan-PSW.Win32.QQPass.afj"
[ Sophos ], "Mal/Behav-136"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NEN trojan"
[ HBEDV ], "HEUR/Malware"
lpttype.inf:
[ McAfee ], "Generic!atr"
microsofts.vbs:
[ Microsoft ], "[->(UTF-16LE)]:Virus:VBS/VBSWGbased.gen"
mscomm.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.din"
MsIMMs32.dll:
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.dkt"
[ Sophos ], "Mal/Gampass-A"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.Shanda.z"
MsIMMs32.exe:
[ Microsoft ], "[->(UPX)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX, Trojan-PSW.Win32.OnLineGames.dku"
[ Sophos ], "[FILE:0000]:Mal/Gampass-A, Mal/Dropper-P"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.YA trojan"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
NTDETECT.EXE:
[ Microsoft ], "[->(UTF-16LE)]:Virus:VBS/VBSWGbased.gen"
NVDispDrv.dll:
[ Symantec ], "Trojan.PWS.QQPass"
[ Microsoft ], "PWS:Win32/OnLineGames.COK"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.dgi"
[ Panda ], "Trj/Lineage.FMS"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.OnlineGames.yul"
NVDispDrv.exe:
[ Symantec ], "Trojan.PWS.QQPass"
[ Microsoft ], "[->(UPX)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX, Trojan-PSW.Win32.OnLineGames.dgi"
[ Sophos ], "Mal/Dropper-P"
[ Panda ], "Trj/Lineage.FMS"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.YA trojan"
[ Fortinet ], "W32/Dropper.DGI!tr.pws"
[ HBEDV ], "TR/Dropper.Gen"
rarjbpi.dll:
[ Microsoft ], "Trojan:Win32/Delf.AT!dll"
[ Panda ], "Suspicious file"
[ Fortinet ], "W32/OnLineGames.GC!tr.pws"
[ HBEDV ], "HEUR/Malware"
ravgjmon.dll:
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.dkz"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
xp07.htm:
[ Sophos ], "Mal/Iframe-A"
xpxl.htm:
[ Sophos ], "Mal/Iframe-A"
by.htm:
[ Sophos ], "Mal/Iframe-A"
pps.htm:
[ Sophos ], "Mal/Iframe-A"

2 responses to “VIP生活網 injected with a malicious link”

I'd like to ask 邱大哥: where did the information about these injected malicious links come from? Thanks.

P.S. Greetings, senior.

By 日落 on 28 September 2007 - 15:18:00

From several places:
1. StopBadware (http://www.stopbadware.org/)
2. Tips from readers
3. Security forums
4. Found by a program

By Roger on 28 September 2007 - 18:30:00
