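Sampo (聲寶) Company Website Hacked and Implanted with Malware
January 25, 2008 – 18:23:00
Note: this website has not been fixed yet (2008/1/25 @ 18:28)
The Sampo company website has been hacked and implanted with malware, detected as BKDR_JAVAKBD.A/TSPY_MPASS.A. Anyone who has recently browsed this site should check their computer as soon as possible. Please do not browse this site for now, to avoid infection.
For a demonstration video, see here.
After execution, the malware exhibits the following behavior: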
[Added process]
C:\WINDOWS\Taskmanager.exe
C:\WINDOWS\Wintask.exe
[DLL injection]
C:\WINDOWS\system32\JDukeNative.dll
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\index[10
C:\Documents and Settings\Administrator\Local Settings\Temp\JVM83.tmp
C:\WINDOWS\Function.zip
C:\WINDOWS\system32\JDukeNative.dll
C:\WINDOWS\system32\User_Info.exe
C:\WINDOWS\TaskManager.exe
C:\WINDOWS\Wintask.exe
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Taskmanager
Data=C:\WINDOWS\TaskManager.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Wintask
Data=C:\WINDOWS\WinTask.exe
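
One way to check a host for the artifacts listed above, as an added example that is not part of the original post. The function name `Find-PostIndicators` is hypothetical; the script assumes the Windows directory is `$env:SystemRoot` (the post shows `C:\WINDOWS`) and looks for `JVM83.tmp` in the current user's temp directory.

```powershell
# Added example: checks one Windows host for the artifacts listed in this post.
# Assumptions: the Windows directory is $env:SystemRoot and the temp file
# would sit in the current user's %TEMP%.
function Find-PostIndicators {
    $hits = @()

    # Files from the [Added file] list. "index[10" is truncated in the post, so it is skipped.
    $files = @('Function.zip', 'TaskManager.exe', 'Wintask.exe',
               'system32\JDukeNative.dll', 'system32\User_Info.exe') |
             ForEach-Object { Join-Path $env:SystemRoot $_ }
    $files += Join-Path $env:TEMP 'JVM83.tmp'
    foreach ($path in $files) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hits += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = 'exists' }
        }
    }

    # Run values from the [Added registry] list (value name -> file name in its data).
    $expected = @{ Taskmanager = 'TaskManager.exe'; Wintask = 'WinTask.exe' }
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $prop = if ($run) { $run.PSObject.Properties[$name] }
        if ($prop) {
            # -like is case-insensitive, matching how Windows treats paths.
            $match = $prop.Value -like ('*\' + $expected[$name])
            $detail = if ($match) { 'data matches post' } else { 'same name, different data' }
            $hits += [pscustomobject]@{ Type = 'RunValue'; Item = $name; Detail = "$($prop.Value) ($detail)" }
        }
    }

    # Processes from the [Added process] list, kept only when the image is in the Windows directory.
    $procs = Get-Process -Name 'Taskmanager', 'Wintask' -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        if ($p.Path -and ((Split-Path $p.Path -Parent) -eq $env:SystemRoot)) {
            $hits += [pscustomobject]@{ Type = 'Process'; Item = $p.Path; Detail = "PID $($p.Id)" }
        }
    }
    return $hits
}

Find-PostIndicators | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that process image paths are readable.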
As of now (2008/1/23 @ 23:41), the following antivirus products can detect these malicious files (for reference only):
[ Trend ], "BKDR_JAVAKBD.A"
Wintask.exe:
[ Trend ], "BKDR_JAVAKBD.A"
index[10:
[ Alpha_Gen ], "Heur_Infrm-1"
[ HBEDV ], "HTML/Infected.WebPage.Gen"
[ WebWasher ], "Script.Infected.WebPage.Gen"
User_Info.exe:
[ TMAS ], "CrackingApps_MPass"
[ Symantec ], "Hacktool.PassReminder"
[ Kaspersky ], "PAK:UPX"
[ McAfee ], "PWCrack-MPass"
[ McAfee_Beta ], "PWCrack-MPass"
[ Panda ], "HackTool/MSNpass.G"
[ Panda_Beta ], "HackTool/MSNpass.G"
[ Fortinet ], "HackerTool/MessenPass"
[ HBEDV ], "SPR/PSW.Messen.103.4"
[ Ewido ], "Not-A-Virus.PSWTool.Win32.Messen.102"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "Trojan.Horst.pp"
[ WebWasher ], "Riskware.PSW.Messen.103.4"
[ bitdefender ], "Application.Messenpass.B"
Function.zip/xynx.hex:
[ Ikarus ], "PSWTool.Win32.Messen.102"
[ Ewido ], "Not-A-Virus.PSWTool.Win32.Messen.102"
Function.zip/TaskManager.exe:
[ Alwil ], "JS:BackDoor-KBD-12"
[ Ikarus ], "Virus.JS.Backdoor.KBD.12"
Function.zip/Wintask.exe:
[ Alwil ], "JS:BackDoor-KBD-11"
[ Ikarus ], "Backdoor.Java.KBD"

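1 response to "Sampo (聲寶) Company Website Hacked and Implanted with Malware"
The home page has been fixed
I just tried it with an IDS
There are no malicious links
Users can connect safely now
By Wayne on January 27, 2008 - 11:25:00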