Taiwan Cockatiel Club (台灣小冠鸚鵡俱樂部) website injected with a malicious link

26 November 2007 – 12:46:00

The Taiwan Cockatiel Club website has been injected with a malicious link. The malware it delivers is TSPY_LINEAGE.GLP. Anyone who has visited this site recently should check their computer as soon as possible, and please do not browse the site for the time being, so as not to get infected.

The malicious link/code is placed on the home page (the other pages should probably be checked carefully as well), in the following:

Once executed, it exhibits the following behaviour:

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\WINDOWS\Web\printers\images\ndmai.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\614001[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\g[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\2004[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\717001[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ah[1].c
C:\WINDOWS\Web\printers\images\ndmai.dll
C:\WINDOWS\Web\printers\images\ndmai.exe

[Added COM/BHO]
{7152C68A-D93C-49BF-AFEF-6B4576849A7E}-C:\WINDOWS\Web\printers\images\ndmai.dll
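The post tells readers to check their computers; the following is an added example (not code from the original post) of how a defender can turn the file paths and the BHO CLSID listed above into host checks. The script is Python and the function names (`ioc_pattern`, `find_ioc_hits`) are my own. The key assumption it encodes: the user-profile component (`Administrator`) and the `Content.IE5` cache subfolder names (`C13NVBMZ`, `OXI7BCE5`, ...) are specific to the analyst's sandbox, so on any other machine they must be treated as wildcards rather than matched literally. The file listing and CLSID list it runs against are constructed sample data standing in for a real directory walk and a registry export.

```python
import re

# Indicator paths copied from the post. The "Administrator" profile name and
# the Content.IE5 subfolder names are sandbox-specific; ioc_pattern() turns
# those path components into wildcards so the indicators match other hosts.
ADDED_FILES = [
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\614001[1].htm",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\g[1].htm",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\2004[1].exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\717001[1].htm",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ah[1].c",
    r"C:\WINDOWS\Web\printers\images\ndmai.dll",
    r"C:\WINDOWS\Web\printers\images\ndmai.exe",
]
# BHO CLSID from the post (registered under HKLM\SOFTWARE\Microsoft\Windows\
# CurrentVersion\Explorer\Browser Helper Objects on Windows XP).
BHO_CLSID = "{7152C68A-D93C-49BF-AFEF-6B4576849A7E}"

# A path component whose parent is one of these is per-machine (the user's
# profile directory, or a random IE cache folder) and is matched as [^\\]+.
WILDCARD_PARENTS = {"documents and settings", "content.ie5"}


def ioc_pattern(path):
    """Compile one indicator path into a case-insensitive regex."""
    parts = path.split("\\")
    pieces = []
    for i, part in enumerate(parts):
        parent = parts[i - 1].lower() if i else ""
        if parent in WILDCARD_PARENTS:
            pieces.append(r"[^\\]+")          # wildcard: profile or cache folder
        else:
            pieces.append(re.escape(part))    # literal component, e.g. "g[1].htm"
    return re.compile("^" + r"\\".join(pieces) + "$", re.IGNORECASE)


IOC_PATTERNS = [(ioc, ioc_pattern(ioc)) for ioc in ADDED_FILES]


def find_ioc_hits(file_listing, bho_clsids):
    """Match observed file paths and registered BHO CLSIDs against the IoCs.

    Returns {"files": [(indicator, observed_path), ...], "bho": [clsid, ...]}.
    """
    hits = {"files": [], "bho": []}
    for observed in file_listing:
        for ioc, pat in IOC_PATTERNS:
            if pat.match(observed):
                hits["files"].append((ioc, observed))
                break
    for clsid in bho_clsids:
        if clsid.strip().upper() == BHO_CLSID:
            hits["bho"].append(clsid.strip())
    return hits


# Constructed sample input: a different user ("alice"), different cache folder
# names, plus benign entries that must not trigger (the real svchost.exe lives
# in System32, not in the user's Temp directory).
SAMPLE_FILE_LISTING = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\ZZ9PLURA\717001[1].htm",
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\ZZ9PLURA\index.dat",
    r"C:\WINDOWS\Web\printers\images\ndmai.dll",
]
# Constructed sample registry export of BHO CLSIDs; the all-zero GUID is a
# placeholder for an unrelated, benign add-on.
SAMPLE_BHO_CLSIDS = [
    "{7152c68a-d93c-49bf-afef-6b4576849a7e}",
    "{00000000-0000-0000-0000-000000000000}",
]

if __name__ == "__main__":
    result = find_ioc_hits(SAMPLE_FILE_LISTING, SAMPLE_BHO_CLSIDS)
    for ioc, observed in result["files"]:
        print(f"FILE HIT  {observed}\n   matches {ioc}")
    for clsid in result["bho"]:
        print(f"BHO HIT   {clsid}")
```

On a real machine the `SAMPLE_FILE_LISTING` would come from walking `Documents and Settings` and `WINDOWS\Web\printers\images`, and the CLSID list from the Browser Helper Objects key. The wildcarding matters in both directions: without it the indicators only ever match the original sandbox, while matching on the bare filename alone would flag the legitimate `svchost.exe` in System32.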

As of now (2007/11/23 @ 17:30), the following antivirus products detect these malicious files (for reference only):

717001[1].htm:
[ Trend ]: "JS_AGENT.AAJP"

ah[1].c:
[ Trend ]: "EXPL_ANICMOO.GEN"

ndmai.dll:
[ Trend ]: "Possible_Infostl"

ndmai.exe:
[ Trend ]: "TSPY_LINEAGE.GLP"

svchost.exe:
[ Trend ]: "TSPY_LINEAGE.GLP"

2004[1].exe:
[ Trend ]: "SPY_LINEAGE.GLP"

614001[1].htm:
[ Kaspersky ]: "Trojan-Downloader.JS.Psyme.ub"
[ McAfee ]: "VBS/Psyme"
[ McAfee_Beta ]: "VBS/Psyme"
[ Sophos ]: "Mal/Psyme-A"
[ HBEDV ]: "HTML/ADODB.Exploit.Gen"
[ Rising ]: "Trojan.DL.Script.VBS.Agent.xiz"
[ WebWasher ]: "Script.ADODB.Exploit.Gen"
[ bitdefender ]: "Generic.XPL.ADODB.8324063C"

g[1].htm:
[ Alpha_Gen ]: "Heur_Infrm-2"
[ WebWasher ]: "BlockReason.46 (suspicious)"

g[1].htm:
[ McAfee ]: "ObfuscatedHtml"
[ McAfee_Beta ]: "ObfuscatedHtml"
[ WebWasher ]: "BlockReason.46 (suspicious)"

11181239.rar:
[ Alpha_Gen ]: "Possible_Hifrm"
[ Beta_Gen ]: "Possible_Hifrm"
[ Sophos ]: "Mal/Iframe-C"
