Yuanzhao Online Bookstore (元照網路書店) website injected with a malicious link
November 30, 2007 – 10:49:00
The Yuanzhao Online Bookstore website has been injected with a malicious link. The malware involved is TROJ_HARNIG.CW. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for the time being so as not to get infected. (Credit: Jimau)
The malicious link/code is placed in index.asp (other pages may need careful checking as well) as:
After decoding it reads:
Once executed, it exhibits the following behaviour:
[Added process]
C:\WINDOWS\system32\com\SMSS.EXE
C:\WINDOWS\system32\com\LSASS.EXE
C:\WINDOWS\system32\drivers\alg.exe
[DLL injection]
C:\WINDOWS\system32\Com\LSASS.EXE
C:\WINDOWS\system32\Com\netcfg.dll
C:\WINDOWS\system32\Com\SMSS.EXE
C:\WINDOWS\system32\dnsq.dll
[Added file]
C:\AUTORUN.INF
C:\Documents and Settings\Administrator\Local Settings\Temp\tzgl.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~s.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1378348[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\468[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\468[2].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\5[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\6[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\goto[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\HOOK[1].dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\100932[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1388306[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\4[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a6[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a9[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\dd[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\flash[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1492703[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a4[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a5[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\count[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\head[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\r[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\Stop[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\3[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a10[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a11[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a7[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\svchost[1].exe
C:\pagefile.pif
C:\WINDOWS\system32\000.cfg0
C:\WINDOWS\system32\Com\LSASS.EXE
C:\WINDOWS\system32\Com\netcfg.000
C:\WINDOWS\system32\Com\netcfg.dll
C:\WINDOWS\system32\Com\SMSS.EXE
C:\WINDOWS\system32\dnsq.dll
C:\WINDOWS\system32\dnsq.dll.log
C:\WINDOWS\system32\drivers\alg.exe
C:\WINDOWS\system32\drivers\alg.exe.log
C:\WINDOWS\system32\drivers\npf.sys.log
C:\WINDOWS\system32\ntfsus.exe
C:\WINDOWS\system32\ntfsus.exe.log
C:\WINDOWS\system32\packet.dll.log
C:\WINDOWS\system32\pthreadVC.dll.log
C:\WINDOWS\system32\wpcap.dll.log
[Added COM/BHO]
{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}-C:\WINDOWS\system32\com\netcfg.dll
{D9901239-34A2-448D-A000-3705544ECE9D}-C:\WINDOWS\system32\com\netcfg.dll
As of now (2007/11/29 @ 12:27), the following antivirus products detect these malicious files (for reference only):
a4[1].htm:
[ Trend ], "EXPL_EXECOD.A."
a1[1].htm:
[ Trend ], "VBS_PSYME.BCC"
SMSS.EXE:
[ Trend ], "TROJ_HARNIG.CW"
a10[1].htm:
[ Trend ], "HTML_SHELLCOD.AV"
a6[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
a5[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
a2[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
TINTSETP.EXE:
[ WebWasher ], "BlockReason.46 (suspicious)"
ImScInst.exe:
[ WebWasher ], "BlockReason.46 (suspicious)"
Stop[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Trojan Harnig.gen1"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
ntfsus.log:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Trojan Harnig.gen1"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
ntfsus.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Trojan Harnig.gen1"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
HOOK[1].dll:
[ WebWasher ], "BlockReason.46 (suspicious)"
dnsq.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
dnsq.dll:
[ WebWasher ], "BlockReason.46 (suspicious)"
wpcap.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
svchost[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk Suspicious_F.gen"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
alg.exe.log:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk Suspicious_F.gen"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
alg.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk Suspicious_F.gen"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
pthreadVC.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
packet.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
npf.sys.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
000.cfg0-pe:
[ Sophos ], "[FILE:0001]:Mal/Packer"
[ Ikarus ], "Trojan.Win32.Agent.czg"
[ WebWasher ], "BlockReason.46 (suspicious)"
netcfg.dll:
[ Ikarus ], "Trojan.Win32.Agent.czh"
[ WebWasher ], "BlockReason.46 (suspicious)"
netcfg.000:
[ Ikarus ], "Trojan.Win32.Agent.czh"
[ WebWasher ], "BlockReason.46 (suspicious)"
r[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
tzgl.exe:
[ Sophos ], "[FILE:0001]:Mal/Packer"
[ Ikarus ], "Trojan.Win32.Agent.czg"
[ WebWasher ], "BlockReason.46 (suspicious)"
pagefile.pif:
[ Sophos ], "[FILE:0001]:Mal/Packer"
[ Ikarus ], "Trojan.Win32.Agent.czg"
[ WebWasher ], "BlockReason.46 (suspicious)"
LSASS.exe:
[ Sophos ], "[FILE:0001]:Mal/Packer"
[ Ikarus ], "Trojan.Win32.Agent.czg"
[ WebWasher ], "BlockReason.46 (suspicious)"
a11[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
a9[1].htm:
[ Alpha_Gen ], "Possible_Hifrm-3"
[ Microsoft ], "[->(SCRIPT0001)->(EmbeddedCode)]:Exploit:Win32/Senglot.A"
[ McAfee ], "JS/Exploit-BO.gen"
[ McAfee_Beta ], "JS/Exploit-BO.gen"
[ Sophos ], "Mal/JSShell-A"
[ HBEDV ], "HTML/Shellcode.Gen"
[ Norman ], "Trojan HTML/IFrameBof.A"
[ Ikarus ], "Exploit.HTML.IframeBof"
[ WebWasher ], "Script.Shellcode.Gen"
a7[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"