協合國際法律事務所 (law firm) website injected with a malicious link

15 February 2008 – 13:39:00

Note: the malicious link has since been removed (2008/2/15 @ 14:14)
The 協合國際法律事務所 website has been injected with a malicious link. The payload it delivers is detected as TROJ_DLOADER.DXI. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for now so as not to get infected.

The malicious link/code was placed in the homepage (the other pages may need careful checking as well):

Demonstration video: see here

The Google Search result for the site is shown below:
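The injection described above is the usual drive-by pattern: a hidden or zero-size iframe, or a script tag pointing at a third-party host, appended to an otherwise normal page. The following is an added example (not code from the original post) of a static check you could run over each fetched page of a site to find that kind of insertion; the sample page and the host names lawfirm.example and malicious.example are constructed. It walks the tags and flags iframes hidden by inline style, iframes with a zero or one-pixel width or height, and iframe or script sources on a host other than the page's own. It does not decode obfuscated inline script (the document.write/unescape wrappers that the JS/IFrameBof-style detections below refer to), so treat a clean result as a first pass, not a clearance.

```python
"""Static check for the kind of injection described above: hidden or
zero-size iframes and <script src> pulled from a host other than the
page's own.  Added example, not code from the original post.  The sample
page and the domains lawfirm.example / malicious.example are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a benign page with an injected 0x0 iframe, a remote
# script, and an iframe wrapped in a display:none <div>.
SAMPLE_HTML = """<html><head><title>Firm</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p>
<iframe src="http://malicious.example/tw.htm" width="0" height="0" frameborder="0"></iframe>
<script src="http://malicious.example/rl.js"></script>
<div style="display:none"><iframe src="http://malicious.example/vccd.htm"></iframe></div>
</body></html>"""

# Inline styles commonly used to keep an injected frame off the screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# Elements that never get a closing tag, so they must not sit on the open-element stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source"}


def _dim(value, default=100):
    """Parse a width/height attribute ("0", "1px", "100%"); missing -> default."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else default


class InjectionScanner(HTMLParser):
    """Walks the tags and records (kind, src) findings."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self.stack = []  # (tag, hidden) for every open element

    def _foreign(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.page_host

    def _check(self, tag, a, hidden):
        src = a.get("src", "")
        if tag == "iframe":
            if hidden or any(h for _, h in self.stack):
                self.findings.append(("hidden-iframe", src))
            if _dim(a.get("width")) <= 1 or _dim(a.get("height")) <= 1:
                self.findings.append(("tiny-iframe", src))
            if self._foreign(src):
                self.findings.append(("foreign-iframe", src))
        elif tag == "script" and self._foreign(src):
            self.findings.append(("foreign-script", src))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        self._check(tag, a, hidden)
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_startendtag(self, tag, attrs):  # <iframe .../> never nests anything
        a = {k: (v or "") for k, v in attrs}
        self._check(tag, a, bool(HIDDEN_STYLE.search(a.get("style", ""))))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan_html(html, page_host):
    """Return the list of (kind, src) findings for one fetched page."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_HTML, "lawfirm.example"):
        print(f"{kind:15} {src}")
```

Run it over every page of the site, not only the homepage, since the post itself notes the other pages have not been checked; a site that legitimately embeds third-party frames will need those hosts added to an allow-list.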

Once executed, it exhibits the following behaviour:

[Added process]
C:\WINDOWS\system32\lssass.exe
C:\WINDOWS\system32\12.exe
C:\WINDOWS\system32\4.exe

[DLL injection]
C:\WINDOWS\system32\HDDGuard.dll

[Added service]
NAME: ATI2HDDSRV
DISPLAY: ATI2HDDSRV
FILE: \??\C:\WINDOWS\system32\drivers\ati32srv.sys

NAME: DeepFree Update
DISPLAY: DeepFree Update
FILE: \??\C:\WINDOWS\system32\drivers\pcihdd2.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\MicroSofts.pif
C:\Documents and Settings\Administrator\Local Settings\Temp\MicroSofts.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\11[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\985195[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\jh[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\tw[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\down[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\rl[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\vccd[1].htm
C:\WINDOWS\system32\HDDGuard.dll
C:\WINDOWS\system32\lssass.exe
C:\WINDOWS\system32\WIN.INI
C:\WINDOWS\system32\drivers\pcihdd2.sys
C:\WINDOWS\system32\drivers\ati32srv.sys
C:\WINDOWS\system32\12.exe
C:\WINDOWS\system32\4.exe
C:\WINDOWS\system32\73120.dat
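The process, service and file lists above were recorded in a sandbox, so they carry the Administrator profile, a random Content.IE5 cache folder, IE's [n] duplicate suffix and the NT-native \??\ prefix of the service ImagePath. A literal string compare against another machine misses the same infection. The following is an added example (not code from the original post) that normalises those details on both sides before matching, and also flags file names one edit away from a common Windows system binary, since lssass.exe in the list above imitates the legitimate lsass.exe. The observed snapshot and the short list of system binary names are constructed for the example.

```python
"""Match the host indicators listed above (processes, services, files)
against a snapshot taken on another machine.  Added example, not code from
the original post.  The sandbox paths embed the Administrator profile, a
random Content.IE5 cache directory, IE's [n] duplicate suffix and the
NT-native \\??\\ prefix, so a literal compare misses the same infection
elsewhere; normalize() strips those before matching.  The observed
snapshot below is constructed, and the lookalike check against a short
list of Windows system binary names is an addition of this example."""
import re

_SYS32 = r"C:\WINDOWS\system32"
_TEMP = r"C:\Documents and Settings\Administrator\Local Settings\Temp"
_CACHE = r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5"

# Files from the [Added file] list; WIN.INI is omitted as it is not a distinctive name.
IOC_FILES = (
    [_SYS32 + "\\" + n for n in ("lssass.exe", "12.exe", "4.exe", "HDDGuard.dll", "73120.dat",
                                 "drivers\\pcihdd2.sys", "drivers\\ati32srv.sys")]
    + [_TEMP + "\\" + n for n in ("MicroSofts.pif", "MicroSofts.vbs")]
    + [_CACHE + "\\C13NVBMZ\\" + n for n in ("11[1].js", "985195[1].js", "go[1].htm", "jh[2].htm", "xx[1].htm")]
    + [_CACHE + "\\Q08VKCK4\\tw[1].htm"]
    + [_CACHE + "\\SEUIMLSE\\" + n for n in ("down[1].exe", "rl[1].js", "vccd[1].htm")]
)
IOC_SERVICES = {
    "ATI2HDDSRV": r"\??\C:\WINDOWS\system32\drivers\ati32srv.sys",
    "DeepFree Update": r"\??\C:\WINDOWS\system32\drivers\pcihdd2.sys",
}
# Legitimate names that a dropped binary may imitate (lssass.exe vs lsass.exe); short list, assumption of this example.
SYSTEM_NAMES = ("lsass.exe", "csrss.exe", "smss.exe", "svchost.exe", "winlogon.exe", "services.exe", "explorer.exe")

WINDIR_RE = re.compile(r"^[a-z]:\\(?:windows|winnt)\\")
PROFILE_RE = re.compile(r"^[a-z]:\\(?:documents and settings|users)\\[^\\]+\\")  # XP and Vista+ profile layouts
CACHE_RE = re.compile(r"(content\.ie5\\)[^\\]+\\")
IE_DUP_RE = re.compile(r"\[\d+\](?=\.[a-z0-9]+$)")
BIN_RE = re.compile(r'"?(.*?\.(?:exe|sys|dll))"?(?:\s|$)', re.I)


def normalize(path):
    """Canonical, case-insensitive form of a Windows path for IOC comparison."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):          # NT object-manager prefix used in service ImagePath
        p = p[4:]
    p = p.lower()
    p = WINDIR_RE.sub("<windir>\\\\", p)
    p = PROFILE_RE.sub("<profile>\\\\", p)
    p = CACHE_RE.sub(r"\1*\\", p)       # random cache folder -> *
    return IE_DUP_RE.sub("", p)         # rl[1].js -> rl.js


def _edits(a, b):
    """Levenshtein distance (inputs are short file names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_name(filename):
    """The system binary a name imitates (one edit away, not identical), else None."""
    f = filename.lower()
    for real in SYSTEM_NAMES:
        if f != real and _edits(f, real) == 1:
            return real
    return None


def match_snapshot(files, services):
    """files: full paths seen on the host; services: {name: ImagePath}.
    Returns a list of (kind, detail) hits."""
    file_iocs = {normalize(p) for p in IOC_FILES}
    svc_names = {n.lower() for n in IOC_SERVICES}
    svc_bins = {normalize(b) for b in IOC_SERVICES.values()}
    hits = [("file", f) for f in files if normalize(f) in file_iocs]
    hits += [("lookalike", f) for f in files
             if lookalike_system_name(f.rsplit("\\", 1)[-1])]
    for name, image in services.items():
        m = BIN_RE.match(image)
        binary = m.group(1) if m else image   # drop "-k netsvcs"-style arguments
        if name.lower() in svc_names or normalize(binary) in svc_bins:
            hits.append(("service", name))
    return hits


# Constructed snapshot: same infection under a different user, case and cache folder.
OBSERVED_FILES = [
    r"C:\WINDOWS\System32\LSSASS.EXE",
    r"C:\Documents and Settings\jchen\Local Settings\Temp\MicroSofts.vbs",
    r"C:\Documents and Settings\jchen\Local Settings\Temporary Internet Files\Content.IE5\A1B2C3D4\rl[3].js",
    r"C:\WINDOWS\system32\drivers\ati32srv.sys",
    r"C:\WINDOWS\system32\calc.exe",
]
OBSERVED_SERVICES = {
    "ATI2HDDSRV": r"C:\WINDOWS\system32\drivers\ati32srv.sys",
    "Themes": r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for kind, detail in match_snapshot(OBSERVED_FILES, OBSERVED_SERVICES):
        print(f"{kind:9} {detail}")
```

Matching on the service binary as well as the service name matters because the display name is trivial for the dropper to vary, while the driver file it loads is not; the lookalike check is deliberately limited to one edit so that unrelated short names such as 12.exe or 4.exe do not trip it.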

As of now (2008/2/12 @ 14:41), the following anti-virus engines detect these malicious files (for reference only):

11[1].js:
[ HBEDV ], "HEUR/Exploit.HTML"
12.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Tilcun!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NML trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ eAladdin ], "Suspicious File [104]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
73120.dat:
[ IntelliTrap ], "PAK_Generic.005"
[ Kaspersky ], "PAK:NSPack"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan W32/Hupigon.gen67"
[ Ikarus ], "Backdoor.Win32.Agent.ahj"
[ eAladdin ], "Suspicious File [101]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Win32.NewMalware.MH!49939"
[ bitdefender ], "Trojan.PWS.OnlineGames.OQN"
jh[2].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
ppp.js:
[ HBEDV ], "HTML/Shellcode.Gen"
[ Norman ], "Trojan HTML/IFrameBof.A"
[ Ewido ], "Not-A-Virus.Exploit.HTML.IframeBof.d"
[ Authentium ], "HTML/IFrameBoF"
[ WebWasher ], "Script.Shellcode.Gen"
rl[1].js:
[ Sophos ], "Troj/Rexplo-A"
[ HBEDV ], "JS/Agent.ES"
[ Ikarus ], "Trojan-Downloader.JS.Agent.ol"
[ Grisoft ], "Virus found Exploit"
[ WebWasher ], "Script.Agent.ES"
[ bitdefender ], "Dropped:Trojan.Downloader.JS.Agent.OL"
tw[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Norman ], "Trojan HTML/Exploit!IFrame.G"
[ WebWasher ], "BlockReason.46 (suspicious)"
vccd[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Kaspersky ], "Trojan-Downloader.HTML.IFrame.ee"
[ Sophos ], "Mal/Iframe-A"
[ HBEDV ], "JS/Dldr.Age.GGG.167"
[ Norman ], "Trojan HTML/Exploit!IFrame.G"
[ WebWasher ], "Script.Dldr.Age.GGG.167"
xx[1].htm:
[ HBEDV ], "HTML/Dldr.aaa.330″
[ WebWasher ], "Script.Dldr.aaa.330″
down[1].exe:
[ Trend ], "TROJ_DLOADER.DXI"
HDDGuard.dll:
[ Trend ], "TROJ_AGENT.GES"
lssass.exe:
[ Trend ], "BKDR_HUPIGON.OHB"
lz.js:
[ Trend ], "JS_IFRAMEBO.AL"
MicroSofts.pif:
[ Trend ], "TROJ_DLOADER.DXI"
4.exe:
[ Trend ], "TROJ_SMALL.CAL"
