Hsinchu City Cultural Affairs Bureau (新竹市文化局) website implanted with a malicious link
November 30, 2007 – 11:06:00
The website of the Hsinchu City Cultural Affairs Bureau has been implanted with a malicious link. The malware involved is Backdoor:Win32/PcClient. Anyone who has recently browsed this site should check their computer as soon as possible, and everyone should refrain from visiting the site for the time being to avoid infection. (Credit: anonymous netizen)
The malicious link/code is placed on the homepage (other pages may need a careful check too), in:
Once executed, it performs the following actions:
[DLL injection]
C:\WINDOWS\system32\ncepjn.dll
[Added service]
NAME: ymutexfy
DISPLAY: ymutexfy
FILE: \??\C:\WINDOWS\system32\drivers\ncepjn.sys
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\g913995[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\mainpic02[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\cpro8[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ma[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\tengrui8[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1449166[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\14[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\8[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\hcccb.gov[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\huohu[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1026[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cpro1[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\g913995[1].htm
C:\WINDOWS\system32\000462c8.inf
C:\WINDOWS\system32\drivers\ncepjn.sys
C:\WINDOWS\system32\ncepjn.dll
C:\wwwcuteqqcn.pif
As of now (2007/11/29 @ 16:01), the following antivirus products can detect these malicious files (for reference only):
14[1].htm:
[ McAfee ], "[00000060.js]:Obfuscated Script.d !!"
[ McAfee_Beta ], "[00000060.js]:Obfuscated Script.d !!"
[ HBEDV ], "JS/Dldr.Agent.afg"
[ Rising ], "Trojan.DL.Script.JS.Agent.lrx"
[ Grisoft ], "Virus found Downloader.Small"
[ Authentium ], "JS/IFrameBoF.H"
[ WebWasher ], "Script.Dldr.Agent.afg"
ncepjn.sys:
[ HBEDV ], "HEUR/Damaged"
[ Grisoft ], "Virus identified Obfustat.VXS"
[ WebWasher ], "BlockReason.46 (suspicious)"
ncepjn.dll:
[ Microsoft ], "Backdoor:Win32/PcClient"
[ Alwil ], "Win32:Agent-MDR [Trj]"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Ikarus ], "Backdoor.Win32.PcClient.LH"
[ WebWasher ], "BlockReason.46 (suspicious)"
wwwcuteqqcn.pif:
[ Alwil ], "Win32:Agent-EPC [Trj]"
[ Ikarus ], "Backdoor.Win32.PcClient.yw"
[ Grisoft ], "Virus found BackDoor.PcClient"
[ WebWasher ], "BlockReason.46 (suspicious)"
g913995[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
8[1].htm:
[ eAladdin ], "JS.Small.au (Non-Removable)"
[ WebWasher ], "BlockReason.46 (suspicious)"
1026[1].exe:
[ Alwil ], "Win32:Agent-EPC [Trj]"
[ Ikarus ], "Backdoor.Win32.PcClient.yw"
[ Grisoft ], "Virus found BackDoor.PcClient"
[ WebWasher ], "BlockReason.46 (suspicious)"
tengrui8[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Norman ], "Security Risk HTML/Exploit!IFrame.A"
[ WebWasher ], "BlockReason.46 (suspicious)"
ma[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Norman ], "Security Risk HTML/Exploit!IFrame.A"
[ WebWasher ], "BlockReason.46 (suspicious)"


“Hsinchu City Cultural Affairs Bureau website implanted with a malicious link” currently has 1 response
Just checked and the malicious link can no longer be found.
By elllery on December 14, 2007 - 22:12:00