創意先進有限公司 (HOT) website injected with a malicious link

4 October 2007 – 16:55:00

The 創意先進有限公司 (HOT) website has been injected with a malicious link. The malware is PWS-Lineage. Anyone who has browsed this site recently should check their computer as soon as possible, and please do not visit the site for the time being to avoid infection (this malware steals account names and passwords).

The malicious link is placed on the front page of certain pages (you may need to look carefully) as:

Once executed, it exhibits the following behaviour:

[DLL injection]
C:\WINDOWS\Web\printers\images\rinter.dll

[Added files]
C:\Documents and Settings\Administrator\Local Settings\Temp\gfdgj45.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\614001[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\717001[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\2003[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ah[1].c
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\laog[1].htm
C:\WINDOWS\Web\printers\images\rinter.dll
C:\WINDOWS\Web\printers\images\rinter.exe

[Added COM/BHO]
{7152C68A-D93C-49BF-AFEF-6B4576849A7E}-C:\WINDOWS\Web\printers\images\rinter.dll
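As an added triage check, not part of the original post: a PowerShell script that looks on a Windows host for the indicators listed above (the BHO CLSID, the dropped files, and rinter.dll loaded into a running process). It assumes it is run in an elevated session as the user who browsed the site, and that %SystemRoot%, %TEMP% and the IE cache under the user profile map to the paths shown in the post.

```powershell
# Added triage check for the indicators in this post (not code from the original post).
# Assumptions: run elevated, as the user who browsed the site, on a host whose
# %SystemRoot% / %TEMP% / IE cache correspond to the paths listed above.
$Clsid = '{7152C68A-D93C-49BF-AFEF-6B4576849A7E}'
$DroppedFiles = @(
    "$env:SystemRoot\Web\printers\images\rinter.dll",
    "$env:SystemRoot\Web\printers\images\rinter.exe",
    "$env:TEMP\gfdgj45.com"
)
$CacheNames = @('614001[1].htm', '717001[1].htm', '2003[1].exe', 'ah[1].c', 'laog[1].htm')
$findings = @()

# 1. Is the CLSID registered as an Internet Explorer Browser Helper Object?
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
if (Test-Path $bhoKey) { $findings += "BHO registration present: $bhoKey" }

# 2. Which DLL does the CLSID resolve to? (the post shows rinter.dll)
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
if (Test-Path $inproc) {
    $dll = (Get-ItemProperty -Path $inproc).'(default)'
    $findings += "CLSID InprocServer32 points to: $dll"
}

# 3. Dropped files at fixed locations
foreach ($f in $DroppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

# 4. Cached payloads under Content.IE5 (subfolder names are random, so search recursively;
#    the names contain [] so compare literally instead of using -Include wildcards)
$cache = "$env:USERPROFILE\Local Settings\Temporary Internet Files\Content.IE5"
if (Test-Path -LiteralPath $cache) {
    Get-ChildItem -LiteralPath $cache -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $CacheNames -contains $_.Name } |
        ForEach-Object { $findings += "Cached payload present: $($_.FullName)" }
}

# 5. Is rinter.dll loaded into any running process (the DLL injection behaviour above)?
Get-Process | ForEach-Object {
    $p = $_
    try {
        $p.Modules | Where-Object { $_.ModuleName -ieq 'rinter.dll' } |
            ForEach-Object { $findings += "rinter.dll loaded in $($p.ProcessName) (PID $($p.Id))" }
    } catch { }   # access denied on protected/system processes is expected
}

if ($findings.Count -eq 0) { 'No indicators from this post were found.' } else { $findings }
```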

As of now (2007/10/4 @ 14:24), the following anti-virus products detect these malicious files (for reference only):

614001[1].htm:
[ Trend ], "VBS_PSYME.AWI"
717001[1].htm:
[ Trend ], "JS_AGENT.AAJP"
ah[1].c:
[ Trend ], "EXPL_ANICMOO.GEN"
rinter.dll:
[ Trend ], "Possible_Infostl"
2003[1].exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ McAfee ], "PWS-Lineage"
[ Fortinet ], "Lineage!tr.pws"
[ HBEDV ], "TR/PSW.Lineage.UZH.65"
gfdgj45.com:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ McAfee ], "PWS-Lineage"
[ Fortinet ], "Lineage!tr.pws"
[ HBEDV ], "TR/PSW.Lineage.UZH.65"
laog[1].htm:
[ McAfee ], "ObfuscatedHtml"
rinter.exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ McAfee ], "PWS-Lineage"
[ Fortinet ], "Lineage!tr.pws"
[ HBEDV ], "TR/PSW.Lineage.UZH.65"
