MSN virus (Photos1-2008.zip) wishes you a Happy New Year

4 January 2008 – 15:31:00

A new wave of MSN virus is spreading everywhere again. Recently you may receive, over MSN, files named Photos1-2008.zip, PrivatePhoto2008.zip or Dc6.zip. The archive contains a file named photo151.JPEG_www.HappyNewYear.com or Image78145-2008.jpg_www.MsnMessenger.scr. Please do not run this file under any circumstances; otherwise, the consequences are on you!

After it is executed, the following behaviour is observed:

First behaviour pattern:
[Added process]
C:\WINDOWS\happy2008.exe
C:\WINDOWS\svchost.exe

[DLL injection]
C:\WINDOWS\svchost.exe

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\setup.exe
C:\WINDOWS\happy2008.exe
C:\WINDOWS\Photos1-2008.zip
C:\WINDOWS\PrivatePhoto2008.zip
C:\WINDOWS\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Windows svchost
Data=svchost.exe

Second behaviour pattern:
[Added process]
C:\WINDOWS\svchost.exe

[DLL injection]
C:\WINDOWS\svchost.exe

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\WINDOWS\PrivatePhoto2008.zip
C:\WINDOWS\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Windows svchost
Data=svchost.exe
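As an added defender's example (not part of the original post), the following Python script matches a host snapshot against the indicators listed in the two behaviour patterns above: a svchost.exe running from C:\WINDOWS instead of system32, the dropped files, the lure filenames that hide an executable extension (.scr, .com) behind a fake image name and "www." domain, and the "Windows svchost" value under the Run key. The host snapshot is constructed for demonstration and the severity labels are my own choice.

```python
import re
from pathlib import PureWindowsPath

# Indicators as observed in the two sandbox runs above (compared case-insensitively).
WORM_FILES = {
    r"c:\windows\happy2008.exe",
    r"c:\windows\svchost.exe",  # the legitimate svchost.exe lives in system32
    r"c:\setup.exe",
    r"c:\windows\photos1-2008.zip",
    r"c:\windows\privatephoto2008.zip",
}
LURE_ZIPS = {"photos1-2008.zip", "privatephoto2008.zip", "dc6.zip"}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("windows svchost", "svchost.exe")  # (value name, data)
# Lure names hide an executable extension (.scr/.exe/.com) behind an image name and a fake domain.
LURE_RE = re.compile(r"\.(jpe?g|png|gif)_www\.[^\\/]+\.(scr|exe|com)$", re.I)

def is_masquerading_svchost(path):
    """True if a file named svchost.exe sits outside the Windows system directories."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    return p.name.lower() == "svchost.exe" and parent not in (
        r"c:\windows\system32", r"c:\windows\syswow64")

def triage(processes, files, run_values):
    """Match process image paths, file paths and {value: data} pairs from the Run key."""
    findings = []  # list of (severity, reason)
    for path in processes:
        if is_masquerading_svchost(path):
            findings.append(("high", "svchost.exe running outside system32: " + path))
    for path in files:
        name = PureWindowsPath(path).name
        if path.lower() in WORM_FILES:
            findings.append(("high", "known dropped file: " + path))
        elif name.lower() in LURE_ZIPS or LURE_RE.search(name):
            findings.append(("medium", "lure filename: " + path))
    for value, data in run_values.items():
        if (value.lower(), data.lower()) == RUN_VALUE:
            findings.append(("high", "persistence: %s\\%s = %s" % (RUN_KEY, value, data)))
    return findings

# Constructed host snapshot for demonstration only (not taken from a real machine).
SAMPLE_HOST = {
    "processes": [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\svchost.exe"],
    "files": [r"C:\WINDOWS\happy2008.exe", r"C:\WINDOWS\system32\svchost.exe",
              r"C:\Documents and Settings\user\Desktop\Photos1-2008.zip",
              r"C:\temp\Image78145-2008.jpg_www.MsnMessenger.scr"],
    "run_values": {"Windows svchost": "svchost.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
}
```

Running `triage(**SAMPLE_HOST)` on the constructed snapshot yields three high and two medium findings; the svchost.exe and ctfmon.exe entries under system32 are left alone.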

As of now (2008/1/4 @ 15:03), the following antivirus products detect these malicious files (for reference only):

Dc6.zip/photo151.JPEG_www.HappyNewYear.com:
[ Trend ], "WORM_IRCBOT.EL"
happy2008.exe:
[ Trend ], "WORM_IRCBOT.EL"
Photos1-2008.zip/photo151.JPEG_www.HappyNewYear.com:
[ Trend ], "WORM_IRCBOT.EL"
PrivatePhoto2008.zip/Image78145-2008.jpg_www.MsnMessenger.scr:
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ WebWasher ], "BlockReason.46 (suspicious)"
setup.exe:
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ WebWasher ], "BlockReason.46 (suspicious)"
svchost.exe:
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ WebWasher ], "BlockReason.46 (suspicious)"
