Malicious link injected into GSN (政府網際服務網, Government Service Network)

16 January 2008 – 10:40:00

Update: this has now been fixed.

A malicious link has been injected into the GSN (Government Service Network) website; the malware involved is Backdoor.Win32.Agent.ana. Anyone who has visited this page recently should check their computer as soon as possible, and please avoid visiting the site for the time being so you do not get infected.

The malicious link/code is placed in 04-03.html but points to 202(dot)39(dot)47(dot)197; this host has most likely been fully taken over by the attacker (the other pages should probably be checked carefully as well). The injected content was:

After execution, the following behaviour was observed:

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\drum[1].ani
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\update[1].exe
C:\Documents and Settings\All Users\Application Data\Microsoft\back1.reg
C:\Documents and Settings\All Users\Application Data\Microsoft\back2.reg
C:\Documents and Settings\All Users\Application Data\Microsoft\Comon\ctfmon.exe
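For anyone checking a machine against the dropped files listed above, here is a small triage helper. It is an added example and not part of the original post: it matches a host file listing against the five indicators, wildcarding the parts of the paths that differ between machines (the user profile name, the random Content.IE5 cache subfolder and IE's "[1]" duplicate-download suffix), and separately flags any ctfmon.exe that is not the genuine System32 copy (that the real one lives under %SystemRoot%\system32 is an assumption of this example, not something the post states). The sample file listing is constructed.

```python
import re
from typing import Dict, List

# Dropped-file indicators from the post. The user profile name and the
# Content.IE5 cache subfolder differ per machine, so those components are
# wildcarded; "[1]" is IE's duplicate-download suffix and may be any digit.
PROFILE = r"c:\\documents and settings\\[^\\]+"
IE_CACHE = PROFILE + r"\\local settings\\temporary internet files\\content\.ie5\\[^\\]+"
ALL_USERS_MS = r"c:\\documents and settings\\all users\\application data\\microsoft"

INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "drum[1].ani (ANI exploit)": re.compile(IE_CACHE + r"\\drum\[\d+\]\.ani$"),
    "update[1].exe (dropper)": re.compile(IE_CACHE + r"\\update\[\d+\]\.exe$"),
    "back1.reg": re.compile(ALL_USERS_MS + r"\\back1\.reg$"),
    "back2.reg": re.compile(ALL_USERS_MS + r"\\back2\.reg$"),
    "Comon ctfmon.exe (backdoor)": re.compile(ALL_USERS_MS + r"\\comon\\ctfmon\.exe$"),
}

# Indicators that mean the payload actually ran, not just that the exploit
# file was cached by the browser.
PERSISTENCE = {
    "update[1].exe (dropper)",
    "back1.reg",
    "back2.reg",
    "Comon ctfmon.exe (backdoor)",
}

# Assumption (not from the post): the genuine ctfmon.exe is the Text Services
# component under %SystemRoot%\system32; a copy anywhere else is suspicious.
LEGIT_CTFMON = re.compile(r"^[a-z]:\\windows\\system32\\ctfmon\.exe$")


def normalise(path: str) -> str:
    """Lower-case the path and unify separators so matching is case-insensitive
    and tolerant of listings produced with mixed slashes."""
    return path.strip().replace("/", "\\").lower()


def match_indicators(paths: List[str]) -> Dict[str, List[str]]:
    """Return {indicator name: [matching original paths]} for every indicator hit."""
    hits: Dict[str, List[str]] = {}
    for raw in paths:
        p = normalise(raw)
        for name, pattern in INDICATORS.items():
            if pattern.match(p):
                hits.setdefault(name, []).append(raw)
    return hits


def rogue_ctfmon(paths: List[str]) -> List[str]:
    """List every ctfmon.exe in the listing that is not the System32 copy."""
    return [
        raw for raw in paths
        if normalise(raw).endswith("\\ctfmon.exe") and not LEGIT_CTFMON.match(normalise(raw))
    ]


def verdict(paths: List[str]) -> str:
    """'compromised' if the dropper, backdoor or its .reg files are present,
    'exposed' if only the cached exploit file is present, otherwise 'clean'."""
    hits = match_indicators(paths)
    if PERSISTENCE & set(hits) or rogue_ctfmon(paths):
        return "compromised"
    if hits:
        return "exposed"
    return "clean"


# Constructed sample listing: a different profile name and cache folder than
# the post, one benign cache file, plus the rogue ctfmon.exe and back1.reg.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\8X2KQ1AB\drum[1].ani",
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\8X2KQ1AB\logo[1].gif",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Comon\ctfmon.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\back1.reg",
    r"C:\Program Files\Common Files\readme.txt",
]

if __name__ == "__main__":
    for name, matched in match_indicators(SAMPLE_LISTING).items():
        for path in matched:
            print(f"[{name}] {path}")
    for path in rogue_ctfmon(SAMPLE_LISTING):
        print(f"[ctfmon.exe outside System32] {path}")
    print("verdict:", verdict(SAMPLE_LISTING))
```

Feed it a listing exported from the suspect machine (for example the output of `dir /s /b` over the drive) rather than running it on the infected host itself; a cached drum[1].ani alone only shows the exploit page was loaded, while any of the persistence indicators means the dropper ran and the host should be treated as compromised.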

As of now (2008/1/15 @ 15:19), the following antivirus products detect these malicious files (for reference only):

04-03[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
ctfmon.exe:
[ Alpha_Gen ], "Possible_HUPIGON"
[ Kaspersky ], "Backdoor.Win32.Agent.ana"
[ Sophos ], "Mal/Dropper-G"
[ CAV ], "Win32/Lidoor.B"
[ Nod32 ], "Win32/Agent.ANA trojan"
[ HBEDV ], "BDS/Agent.bze"
[ Grisoft ], "Trojan horse BackDoor.Agent.GIX"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ Authentium ], "W32/Backdoor.ARVK"
[ WebWasher ], "Trojan.Backdoor.Agent.bze"
[ bitdefender ], "BehavesLike:Win32.ExplorerHijack"
drum[1].ani:
[ Symantec ], "Downloader"
[ Microsoft ], "Exploit:Win32/Anicmoo.A"
[ Kaspersky ], "Exploit.Win32.IMG-ANI.gen"
[ McAfee ], "Exploit-ANIfile.c"
[ McAfee_Beta ], "Exploit-ANIfile.c"
[ Alwil ], "CVE-2007-0038"
[ Nod32 ], "a variant of Win32/TrojanDownloader.Ani.Gen trojan"
[ Fortinet ], "W32/MalFormed_ANI.C"
[ HBEDV ], "EXP/Ani.Gen"
[ Rising ], "Hack.SuspiciousAni"
[ Grisoft ], "Virus found Exploit"
[ WebWasher ], "Exploit.Ani.Gen"
[ bitdefender ], "Exploit.Win32.MS05-002.Gen"
server_time[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
update[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_HUPIGON"
[ Symantec ], "Backdoor.Trojan"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ Sophos ], "[FILE:0000]:Mal/Dropper-G, Mal/Dropper-G"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ Nod32 ], "a variant of Win32/Agent.BZE trojan"
[ HBEDV ], "BDS/Agent.bze"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Backdoor.Agent.bze"
[ bitdefender ], "BehavesLike:Win32.ExplorerHijack"

"Malicious link injected into GSN (Government Service Network)" currently has 2 responses

  1. The situation described above no longer exists; could you please help by adding a note saying so?

    By Stuart on 17 January 2008 - 09:39:00

  2. Trendmicro can now detect this virus.

    By Anonymous on 31 January 2008 - 21:24:00
