Taiwan Adventist Hospital (台安醫院) website injected with malicious links again
December 12, 2007 – 16:23:00
Note: this website has had malicious links injected for a long time now, and there is no sign of them fixing it. If you still visit this site, you do so at your own risk.
The Taiwan Adventist Hospital website has been injected with malicious links again. The malware is Trojan W32/Lineage.AYTD. Anyone who has browsed this site recently should check their computer as soon as possible, and please avoid browsing this site for the time being so you do not get infected.
The malicious link/code is placed in the home page (other pages may need a careful check as well), in:
After it executes, it behaves as follows:
[DLL injection]
C:\WINDOWS\Web\printers\images\ndmai.dll
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\717[1].c
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\h[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\614003[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\614woai[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\717003[1].htm
C:\microsofts.vbs
C:\NTDETECT.EXE
C:\WINDOWS\Web\printers\images\ndmai.dll
C:\WINDOWS\Web\printers\images\ndmai.exe
[Added COM/BHO]
{7152C68A-D93C-49BF-AFEF-6B4576849A7E}-C:\WINDOWS\Web\printers\images\ndmai.dll
As of now (2007/12/12 @ 12:38), the following antivirus products detect these malicious files (for reference only):
717[1].c:
[ Trend ], "EXPL_ANICMOO.GEN"
ndmai.dll:
[ Trend ], "Possible_Infostl"
614woai[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Mlwr-13"
[ Symantec ], "Infostealer.Lineage"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE"
[ Sophos ], "[FILE:0000]:Mal/LineDLL-B, Mal/EncPk-AP"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ HBEDV ], "TR/PSW.Lineage.UZH"
[ Norman ], "Trojan W32/Lineage.AYTD"
[ Grisoft ], "Trojan horse PSW.Lineage.AFS"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.Lineage.UZH"
614003[1].htm:
[ McAfee ], "Exploit-ObscuredHtml"
[ McAfee_Beta ], "Exploit-ObscuredHtml"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Grisoft ], "Virus found JS/Downloader.Agent"
h[1].htm:
[ McAfee ], "ObfuscatedHtml"
[ McAfee_Beta ], "ObfuscatedHtml"
[ WebWasher ], "BlockReason.46 (suspicious)"
microsofts.vbs:
[ Microsoft ], "[->(UTF-16LE)]:Virus:VBS/VBSWGbased.gen"
ndmai.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Mlwr-13"
[ Symantec ], "Infostealer.Lineage"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE"
[ Sophos ], "[FILE:0000]:Mal/LineDLL-B, Mal/EncPk-AP"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ HBEDV ], "TR/PSW.Lineage.UZH"
[ Norman ], "Trojan W32/Lineage.AYTD"
[ Grisoft ], "Trojan horse PSW.Lineage.AFS"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.Lineage.UZH"
NTDETECT.EXE:
[ Microsoft ], "[->(UTF-16LE)]:Virus:VBS/VBSWGbased.gen"
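The vendor listing above is easiest to reason about as structured data, since the question a responder actually has is which files their own product misses. The following added example (not from the original post) parses a slice of that listing, embedded inline as constructed input copied from the post, and reports per-file detection counts and the files a given vendor does not flag; parse_listing, coverage and files_missed_by are hypothetical helper names.

```python
import re
from collections import OrderedDict

# Slice of the vendor listing from the post, in the post's own format
# (`file:` header followed by `[ Vendor ], "Signature"` lines).
DETECTION_LISTING = """\
717[1].c:
[ Trend ], "EXPL_ANICMOO.GEN"
614003[1].htm:
[ McAfee ], "Exploit-ObscuredHtml"
[ McAfee_Beta ], "Exploit-ObscuredHtml"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Grisoft ], "Virus found JS/Downloader.Agent"
h[1].htm:
[ McAfee ], "ObfuscatedHtml"
[ McAfee_Beta ], "ObfuscatedHtml"
[ WebWasher ], "BlockReason.46 (suspicious)"
"""

FILE_HEADER_RE = re.compile(r"^(\S.*):$")
VENDOR_LINE_RE = re.compile(r'^\[\s*(?P<vendor>[^\]]+?)\s*\],\s*"(?P<sig>.*)"\s*$')


def parse_listing(text):
    """Group vendor lines under the preceding `file:` header.
    Returns an ordered mapping file -> {vendor: signature}; a file header
    that repeats (the post lists ndmai.dll twice) merges into one entry."""
    result = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = FILE_HEADER_RE.match(line)
        if header and not line.startswith("["):
            current = header.group(1)
            result.setdefault(current, OrderedDict())
            continue
        entry = VENDOR_LINE_RE.match(line)
        if entry and current is not None:
            result[current][entry.group("vendor")] = entry.group("sig")
    return result


def coverage(parsed):
    """(file, number of vendors flagging it), least-detected first."""
    return sorted(((name, len(v)) for name, v in parsed.items()), key=lambda t: (t[1], t[0]))


def files_missed_by(parsed, vendor):
    """Files in the listing that the given vendor has no signature for."""
    return [name for name, vendors in parsed.items() if vendor not in vendors]


if __name__ == "__main__":
    parsed = parse_listing(DETECTION_LISTING)
    for name, count in coverage(parsed):
        print(f"{count:2d} vendor(s): {name}")
    print("missed by McAfee:", files_missed_by(parsed, "McAfee"))
```

On this slice the exploit file 717[1].c is flagged by a single vendor while the obfuscated HTML loaders have three or four; the point of the check is that a product which names the dropped executable can still let the page that delivers it through.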


"Taiwan Adventist Hospital (台安醫院) website injected with malicious links again" currently has 1 response
It uses RealPlayer.
RealPlayer 11 download:
http://tw.real.com/ldfreeplayer.html
Real Security Updates:
http://service.real.com/realplayer/security/191007_player/en/
By Anonymous on December 13, 2007 - 02:38:00