Taichung County Qingshui Township Office website redirected and injected with a malicious link
2008-02-25 15:38:00. Note: it has been N days already, and the malicious link is still in place as of now (2008/2/25 @ 15:40). Speechless...
The Taichung County Qingshui Township Office website has been redirected and injected with a malicious link. The malware involved is TSPY_QQPASS.CH. Anyone who has browsed this page recently should check their computer as soon as possible, and please do not visit this site for the time being, to avoid infection. (Credit: anonymous reader)
The page's source code is shown below:
For the demonstration video, see here.
A Google Search query shows nothing unusual, as shown below:
After execution, the following behavior is observed:
[Added process]
C:\Program Files\Common Files\svchost.exe
[DLL injection]
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\OnlO0r.dll
C:\WINDOWS\system32\fhdoor0.dll
C:\WINDOWS\system32\mndoor0.dll
C:\WINDOWS\system32\qhdoor0.dll
C:\WINDOWS\system32\qzdoor0.dll
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\M1.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ss[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\addr[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\main[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\s[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\add_54738542[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ms[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\%46%41%51%2E%6A%73[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1542776[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\FAQ[1].htm
C:\Program Files\Common Files\fjOs0r.dll
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\OnlO0r.bak
C:\Program Files\Internet Explorer\OnlO0r.dll
C:\Program Files\Internet Explorer\OnlO0r.obk
C:\temp.exe
C:\WINDOWS\system32\fhdoor0.dll
C:\WINDOWS\system32\mndoor0.dll
C:\WINDOWS\system32\qhdoor0.dll
C:\WINDOWS\system32\qqdoor0.dll
C:\WINDOWS\system32\qsdoor0.dll
C:\WINDOWS\system32\qzdoor0.dll
C:\WINDOWS\~Temp358.tmp
[Added COM/BHO]
{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}-C:\WINDOWS\system32\qzdoor0.dll
{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}-C:\WINDOWS\system32\mndoor0.dll
{6C7596CB-31CC-BBA3-BE51-2EEA62F9C51D}-C:\Program Files\Common Files\fjOs0r.dll
{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}-C:\WINDOWS\system32\fhdoor0.dll
{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}-C:\WINDOWS\system32\qhdoor0.dll
{C2626E66-D21B-E628-C1DF-1DACCFA36ED2}-C:\Program Files\Common Files\fjOs0r.dll
{C26A8AB5-B935-400C-A152-0488714725B1}-C:\WINDOWS\system32\qsdoor0.dll
{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}-C:\Program Files\Internet Explorer\OnlO0r.dll
{D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF}-C:\WINDOWS\system32\qqdoor0.dll
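The lists above are usable as indicators: a `svchost.exe` outside `%SystemRoot%\system32`, a family of `??door0.dll` files registered as Browser Helper Objects, and IE cache entries whose names are percent-encoded (`%46%41%51%2E%6A%73` decodes to `FAQ.js`). The script below is an added example, not part of the original post, that matches a host's file and BHO inventory against those indicators. The indicator values are copied from the lists above; the input format (a list of file paths and a CLSID-to-DLL mapping as an inventory tool might export from `HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`), the sample host data, and the `[a-z]{2}door0.dll` name pattern generalized from the six names seen here are assumptions. It assumes the system root is `C:\WINDOWS`, as on the XP box in the writeup.

```python
"""Added example: match host observations against the indicators in this writeup.

Indicator values are taken from the "[Added file]" and "[Added COM/BHO]" lists;
the sample host data below is constructed and the input format is assumed.
"""
import ntpath
import re
from urllib.parse import unquote

# Full paths that are stable across machines (no per-user components).
IOC_FILES = {
    r"C:\Program Files\Common Files\svchost.exe",
    r"C:\Program Files\Common Files\fjOs0r.dll",
    r"C:\Program Files\Internet Explorer\OnlO0r.dll",
    r"C:\Program Files\Internet Explorer\OnlO0r.bak",
    r"C:\Program Files\Internet Explorer\OnlO0r.obk",
    r"C:\temp.exe",
    r"C:\WINDOWS\~Temp358.tmp",
    r"C:\WINDOWS\system32\fhdoor0.dll", r"C:\WINDOWS\system32\mndoor0.dll",
    r"C:\WINDOWS\system32\qhdoor0.dll", r"C:\WINDOWS\system32\qqdoor0.dll",
    r"C:\WINDOWS\system32\qsdoor0.dll", r"C:\WINDOWS\system32\qzdoor0.dll",
}
# Files under the user profile / IE cache: the user name and the Content.IE5
# subfolder vary per machine, so match on the decoded file name only.
IOC_FILENAMES = {"m1.exe", "ss.exe", "s.exe", "addr.js", "click.htm", "main.htm",
                 "ms.htm", "faq.htm", "faq.js", "1542776.js", "add_54738542.htm"}
IOC_BHO_CLSIDS = {
    "{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}", "{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}",
    "{6C7596CB-31CC-BBA3-BE51-2EEA62F9C51D}", "{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}",
    "{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}", "{C2626E66-D21B-E628-C1DF-1DACCFA36ED2}",
    "{C26A8AB5-B935-400C-A152-0488714725B1}", "{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}",
    "{D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF}",
}
# Generalized from fh/mn/qh/qq/qs/qz door0.dll (an assumption, not from the post).
DOOR_DLL_PATTERN = re.compile(r"[a-z]{2}door0\.dll")
IOC_FILES_NORM = {p.lower() for p in IOC_FILES}


def normalize(path):
    """Windows paths are case-insensitive; compare everything lowercased."""
    return path.strip().lower()


def cache_name(path):
    """File name of an IE cache entry with the '[n]' duplicate suffix removed and
    percent-encoding decoded, e.g. '%46%41%51%2E%6A%73[1]' -> 'FAQ.js'."""
    name = ntpath.basename(path)
    name = re.sub(r"\[\d+\](?=\.[^.]*$|$)", "", name)
    return unquote(name)


def is_masquerading_svchost(path, system_root=r"C:\WINDOWS"):
    """On XP the only legitimate svchost.exe lives in %SystemRoot%\\system32.
    (Later Windows also keeps copies under SysWOW64 and WinSxS; extend the
    allow-list before using this on those.)"""
    p = normalize(path)
    if ntpath.basename(p) != "svchost.exe":
        return False
    return ntpath.dirname(p) != ntpath.join(system_root.lower(), "system32")


def match_files(observed_paths):
    """Return (path, reason) for every observed file that matches an indicator."""
    hits = []
    for path in observed_paths:
        p = normalize(path)
        if p in IOC_FILES_NORM:
            hits.append((path, "path"))
        elif cache_name(p).lower() in IOC_FILENAMES:
            hits.append((path, "name"))
        elif is_masquerading_svchost(path):
            hits.append((path, "svchost outside system32"))
    return hits


def match_bhos(bho_entries):
    """bho_entries maps a BHO CLSID to the DLL from its InprocServer32 key."""
    hits = []
    for clsid, dll in bho_entries.items():
        key = clsid.strip().upper()
        key = key if key.startswith("{") else "{" + key + "}"
        if key in IOC_BHO_CLSIDS:
            hits.append((key, dll, "known CLSID"))
        elif normalize(dll) in IOC_FILES_NORM:
            hits.append((key, dll, "known DLL path"))
        elif DOOR_DLL_PATTERN.fullmatch(ntpath.basename(normalize(dll))):
            hits.append((key, dll, "name pattern"))
    return hits


def scan_host(observed_paths, bho_entries):
    return {"files": match_files(observed_paths), "bhos": match_bhos(bho_entries)}


# Constructed sample inventory: a different user and cache folder than the post,
# one legitimate svchost.exe, one extra suspicious copy, and one benign BHO.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Common Files\svchost.exe",
    r"C:\Documents and Settings\jane\Local Settings\Temporary Internet Files\Content.IE5\A1B2C3D4\%46%41%51%2E%6A%73[1]",
    r"C:\Documents and Settings\jane\Local Settings\Temp\M1.exe",
    r"C:\Program Files\svchost.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"c:\windows\SYSTEM32\QHDOOR0.DLL",
]
SAMPLE_BHOS = {  # CLSIDs other than the first are made up for the example
    "{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}": r"C:\WINDOWS\system32\qhdoor0.dll",
    "{11111111-2222-3333-4444-555555555555}": r"C:\WINDOWS\system32\abdoor0.dll",
    "{00000000-0000-0000-0000-000000000001}": r"C:\Program Files\Example\benign.dll",
}

if __name__ == "__main__":
    for section, hits in scan_host(SAMPLE_FILES, SAMPLE_BHOS).items():
        for hit in hits:
            print(section, *hit)
```

On the sample data this flags five files (the Common Files `svchost.exe`, the decoded `FAQ.js` and `M1.exe` cache entries, the second out-of-place `svchost.exe`, and the upper-cased `qhdoor0.dll`) and two BHOs (the known CLSID and the unknown CLSID whose DLL follows the `??door0.dll` naming). Name-only and pattern matches are weaker evidence than a full-path or CLSID match, so treat them as leads to confirm rather than verdicts.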
As of now (2008/2/19 @ 01:31), the following antivirus products detect these malicious files (for reference only):
qqdoor0.dll:
[ Trend ], "Possible_Strat-6"
qhdoor0.dll:
[ Trend ], "TSPY_QQPASS.CH"
mndoor0.dll:
[ Trend ], "Possible_Strat-6"
fhdoor0.dll:
[ Trend ], "TSPY_FRETHOG.WF"
svchost.exe:
[ Trend ], "TSPY_ONLINEG.BOM"
OnlO0r.bak:
[ Trend ], "TROJ_Generic.A"
s[1].exe:
[ Trend ], "TROJ_Generic.A"
~Temp358.tmp:
[ Trend ], "TROJ_Generic.A"
qzdoor0.dll:
[ Trend ], "TSPY_FRETHOG.WF"
qsdoor0.dll:
[ Trend ], "TSPY_FRETHOG.WF"
OnlO0r.obk:
[ Symantec ], "W32.Drom"
[ Microsoft ], "Worm:Win32/Rodvir.gen"
[ Kaspersky ], "Trojan-PSW.Win32.Delf.apc"
[ McAfee ], "PWS-QQPass"
[ McAfee_Beta ], "PWS-QQPass"
[ Sophos ], "Mal/PWS-K"
[ Alwil ], "Win32:AutoRun-U"
[ CAV ], "Win32/Rodvir.AJ"
[ Nod32 ], "Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/PSW.Delf.ifd.11"
[ Norman ], "Trojan W32/QQPass.HSC"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.lpg"
[ Grisoft ], "Trojan horse PSW.Generic5.AJLF"
[ quickheal ], "TrojanPSW.Delf.apc"
[ vba32 ], "Trojan-PSW.Win32.Delf.apc"
[ Authentium ], "W32/InfoStealer!Generic"
[ Sunbelt ], "Trojan-PWS.Delf.IFD"
[ WebWasher ], "Trojan.PSW.Delf.ifd.11"
[ bitdefender ], "Trojan.PWS.Delf.IFD"
temp.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Symantec ], "W32.Drom"
[ Microsoft ], "[->(UPX)]:Worm:Win32/Rodvir.gen"
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX"
[ McAfee ], "[0000d0f0.EXE]:PWS-QQPass"
[ McAfee_Beta ], "[GenUnp\0000d0f0.EXE]:PWS-QQPass"
[ Sophos ], "[FILE:0000]:Mal/PWS-K"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/Autorun.BK"
[ Ikarus ], "Trojan-PWS.Win32.Delf.aky"
[ Grisoft ], "Trojan horse PSW.OnlineGames.AEIB"
[ eAladdin ], "Suspicious File [101]"
[ WebWasher ], "Trojan.Autorun.BK"
[ bitdefender ], "Dropped:Trojan.PWS.Delf.IFD"
ss[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Symantec ], "W32.Drom"
[ Microsoft ], "[->(UPX)]:Worm:Win32/Rodvir.gen"
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX"
[ McAfee ], "[0000d0f0.EXE]:PWS-QQPass"
[ McAfee_Beta ], "[GenUnp\0000d0f0.EXE]:PWS-QQPass"
[ Sophos ], "[FILE:0000]:Mal/PWS-K"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/Autorun.BK"
[ Ikarus ], "Trojan-PWS.Win32.Delf.aky"
[ Grisoft ], "Trojan horse PSW.OnlineGames.AEIB"
[ eAladdin ], "Suspicious File [101]"
[ WebWasher ], "Trojan.Autorun.BK"
[ bitdefender ], "Dropped:Trojan.PWS.Delf.IFD"
OnlO0r.dll:
[ Symantec ], "W32.Drom"
[ Microsoft ], "Worm:Win32/Rodvir.gen"
[ Kaspersky ], "Trojan-PSW.Win32.Delf.apx"
[ McAfee ], "PWS-QQPass"
[ McAfee_Beta ], "PWS-QQPass"
[ Sophos ], "Mal/PWS-K"
[ Alwil ], "Win32:AutoRun-U"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/PSW.Delf.ifd.12"
[ Ikarus ], "Trojan-PWS.Delf.IFD"
[ Grisoft ], "Trojan horse PSW.Generic5.AKDY"
[ Authentium ], "W32/InfoStealer!Generic"
[ WebWasher ], "Trojan.PSW.Delf.ifd.12"
[ bitdefender ], "Trojan.PWS.Delf.IFD"
fjOs0r.dll:
[ Symantec ], "W32.Drom"
[ Microsoft ], "Worm:Win32/Rodvir.gen"
[ Kaspersky ], "Trojan-PSW.Win32.Delf.apx"
[ McAfee ], "PWS-QQPass"
[ McAfee_Beta ], "PWS-QQPass"
[ Sophos ], "Mal/PWS-K"
[ Alwil ], "Win32:AutoRun-U"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/PSW.Delf.ifd.12"
[ Ikarus ], "Trojan-PWS.Delf.IFD"
[ Grisoft ], "Trojan horse PSW.Generic5.AKDY"
[ Authentium ], "W32/InfoStealer!Generic"
[ WebWasher ], "Trojan.PSW.Delf.ifd.12"
[ bitdefender ], "Trojan.PWS.Delf.IFD"
ms[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
FAQ[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
click[1].htm:
[ Sophos ], "Mal/Iframe-A"
addr[1].js:
[ Kaspersky ], "PAK:JSPack, Trojan-Downloader.JS.Small.kq"
[ Ikarus ], "Trojan-Downloader.JS.Small.kq"
add_54738542[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
%46%41%51%2E%6A%73[1]:
[ Sophos ], "Mal/Iframe-C"
[ Grisoft ], "Virus found HTML/Framer"
main[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"