Malicious link injected into the 僑光 (Overseas Chinese Institute of Technology) Department of Applied Chinese website

November 20, 2007 – 09:11:00

A malicious link has been injected into the 僑光 Department of Applied Chinese website. The malware it delivers is Trojan-PSW.Win32.OnLineGames.idg. Anyone who has browsed this page recently should check their computer as soon as possible, and please avoid visiting this site for the time being so you do not get infected.

The malicious link/code was placed in the home page (the other pages may need careful checking as well) as follows:

Once executed, it exhibits the following behaviour:

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\upxdnd.dll

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\drivers\pcidisk.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\e19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ee1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ee2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\sa[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xm22[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\3[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\4[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\eeecom[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\mianeeecom[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\psasnbf[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1364595[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\6[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ac[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\bb[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\cj[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\e2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\e[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\login[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1358616[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\5[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\7[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\bf[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\common[1].htm
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\system32\Com\comrepl32.exe
C:\WINDOWS\system32\CRYPSERV.EXE
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\drivers\pcibus.sys
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\~tmp9493.exe
C:\WINDOWS\~tmp9591.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=upxdnd
Data=C:\WINDOWS\upxdnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=DbgHlp32
Data=C:\WINDOWS\DbgHlp32.exe

As of now (2007/11/19 @ 13:50), the following antivirus products detect these malicious files (for reference only):

e[1].js:
[ Kaspersky ], "Trojan-Downloader.JS.Small.ie"
ee1[1].htm:
[ McAfee ], "VBS/Psyme"
[ McAfee_Beta ], "VBS/Psyme"
[ Sophos ], "Mal/Psyme-A"
[ HBEDV ], "HTML/ADODB.Exploit.Gen"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.XPL.ADODB.D6239DC6"
ee2[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
Microsoft.vbs:
[ Kaspersky ], "Trojan.VBS.Runner.o"
[ HBEDV ], "VBS/Runner.O.3"
[ Ewido ], "Trojan.Runner.o"
[ vba32 ], "Trojan.VBS.Runner.o"
[ Authentium ], "VBS/WSRunner.I"
[ WebWasher ], "Script.Runner.O.3"
pcibus.sys:
[ Symantec ], "W32.Fujacks.L"
[ Microsoft ], "Exploit:Win32/Siveras.E"
[ Kaspersky ], "Worm.Win32.Downloader.ay"
[ Sophos ], "[FILE:0000\FILE:0000]:Mal/Behav-160"
[ Nod32 ], "a variant of Win32/Jalous worm"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dldr.Agent.45056"
[ Rising ], "Trojan.Win32.Mnless.zjf"
[ Ikarus ], "Worm.Win32.Downloader.ay"
[ WebWasher ], "BlockReason.46 (suspicious)"
upxdnd.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.idg"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "TR/Spy.Gen"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.ibz"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Frethog!generic"
upxdnd.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, PAK:PE_Patch, Trojan-PSW.Win32.OnLineGames.idg"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Spy.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.D673289C"
[ CAV Beta ], "Win32/Frethog!generic"
xm22[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ WebWasher ], "BlockReason.46 (suspicious)"
5[1].htm:
[ Ewido ], "Trojan.Concon.b"
[ WebWasher ], "BlockReason.46 (suspicious)"
7[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
1358616[1].js:
[ HBEDV ], "JS/Iframe.B"
ac[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Beta_Gen ], "Possible_Hifrm"
[ WebWasher ], "BlockReason.46 (suspicious)"
bb[1].js:
[ HBEDV ], "JS/Iframe.894"
bf[1].htm:
[ Kaspersky ], "Trojan-Downloader.JS.Agent.aec"
[ WebWasher ], "BlockReason.46 (suspicious)"
click[1].htm:
[ Sophos ], "Mal/Iframe-A"
common[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Sophos ], "Mal/Iframe-A"
[ HBEDV ], "HEUR/Exploit.HTML"
comrepl32.exe:
[ Kaspersky ], "Worm.Win32.Downloader.ay"
[ Nod32 ], "a variant of Win32/Jalous worm"
[ Rising ], "Trojan.Win32.Mnless.zjg"
[ WebWasher ], "BlockReason.46 (suspicious)"
DbgHlp32.dll:
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnlineGames.SUM!tr.pws"
[ HBEDV ], "HEUR/Malware"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.9F7D5E5E"
[ CAV Beta ], "Win32/Frethog!generic"
DbgHlp32.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.7B745937"
[ CAV Beta ], "Win32/Frethog!generic"
e2[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, PAK:PE_Patch, Trojan-PSW.Win32.OnLineGames.idg"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Spy.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.D673289C"
[ CAV Beta ], "Win32/Frethog!generic"
e19[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.7B745937"
[ CAV Beta ], "Win32/Frethog!generic"
eeecom[1].exe:
[ Trend ], "WORM_DLOADER.QFD"
mianeeecom[1].exe:
[ Trend ], "WORM_DLOADER.QFD"
svchost.exe:
[ Trend ], "WORM_DLOADER.QFD"
~tmp9493.exe:
[ Trend ], "WORM_DLOADER.QFD"
~tmp9591.exe:
[ Trend ], "WORM_DLOADER.QFD"
1[1].htm:
[ Trend ], "HTML_DLOADER.RUD"
2[1].htm:
[ Trend ], "JS_PSYME.BBA"
4[1].htm:
[ Trend ], "HTML_DLOADER.QZC"
6[1].htm:
[ Trend ], "VBS_PSYME.BAZ"
cj[1].exe:
[ Trend ], "Possible_Mlwr-15"
CRYPSERV.EXE:
[ Trend ], "Possible_Mlwr-15"
