Taiwan Optoelectronics and Semiconductor Equipment Industry Association (台灣光電與半導體設備產業協會) discussion forum website injected with a malicious link
2008-07-17 17:31:58
The discussion forum website of the Taiwan Optoelectronics and Semiconductor Equipment Industry Association (台灣光電與半導體設備產業協會) has been injected with a malicious link. The malware is TROJ_AGENT.AEUM. Anyone who has browsed this page recently should check their computer for infection as soon as possible (Credit: Google).
The malicious link/code is placed in the above URL (other pages may need careful checking as well) at:
Google Search lookup result (anomaly found), as shown in the figure below:
McAfee SiteAdvisor lookup result (no anomaly found), as shown in the figure below:
Trend Micro Web Reputation rating lookup result (no anomaly found), as shown in the figure below:
After execution, the following behaviour was observed:
[Added file]
C:\Documents and Settings\Administrator\delself.bat
C:\Documents and Settings\Administrator\Desktop\delself.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\in[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\in[2].htm
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cgtj.exe
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\univrs32.dat
[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=braviax
Data=C:\WINDOWS\system32\braviax.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=braviax
Data=braviax.exe|瘰|?
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=braviax
Data=C:\WINDOWS\system32\braviax.exe
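The [Added file] and [Added registry] entries above are the indicators a responder would sweep a machine for. The following PowerShell script is an added example, not code from the original post: it checks every Run key for the braviax value and tests the listed file paths, hashing any file it finds. It assumes PowerShell 4 or later (for Get-FileHash) run with administrative rights, and expands the profile paths from environment variables instead of the Administrator profile shown above.

```powershell
# Added example (not code from the original post): sweep a host for the
# TROJ_AGENT.AEUM artifacts listed above. Assumes PowerShell 4+ (Get-FileHash)
# run with administrative rights.
$ErrorActionPreference = 'SilentlyContinue'

# File artifacts from the [Added file] list. The profile paths are expanded from
# environment variables instead of the Administrator profile shown above.
$files = @(
    "$env:WINDIR\braviax.exe",
    "$env:WINDIR\cru629.dat",
    "$env:WINDIR\system32\braviax.exe",
    "$env:WINDIR\system32\cru629.dat",
    "$env:WINDIR\system32\univrs32.dat",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup\cgtj.exe",
    "$env:USERPROFILE\delself.bat",
    "$env:USERPROFILE\Desktop\delself.bat"
)

# Run keys from the [Added registry] list: HKCU and HKLM, plus the Run key of
# every loaded user hive under HKU (the post shows one SID; any profile may hit).
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$sids = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
foreach ($s in $sids) {
    $runKeys += "HKU:\$($s.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
}

$hits = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $sha = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $hits += "FILE $f (SHA256 $sha)"
    }
}
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k
    # The persistence value is named "braviax" in every Run key the post lists.
    if ($props -and $props.PSObject.Properties['braviax']) {
        $hits += "REG  $k\braviax = $($props.braviax)"
    }
}

if ($hits.Count -eq 0) {
    'No TROJ_AGENT.AEUM artifacts found.'
} else {
    'Indicators found (isolate the host and preserve the files before cleanup):'
    $hits | ForEach-Object { "  $_" }
}
```

A hit on the Run value alone is enough to treat the host as compromised, since the HKLM data in the post is already partly garbled and the file may have been renamed or removed by delself.bat.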
As of now (2008/7/17 @ 15:36), the following antivirus products detect these malicious files (for reference only):
cru629.dat:
[ Trend ], "TROJ_AGENT.AEUM"
in[1].php:
[ Alpha_Gen ], "[NONAMEFL]:Possible_EncScr"
[ Beta_Gen ], "[NONAMEFL]:Possible_EncScr"
[ Kaspersky ], "ARC:GZIP"
[ WebWasher ], "BlockReason.46 (suspicious)"
in[2].htm:
[ Alpha_Gen ], "Possible_EncScr"
[ Beta_Gen ], "Possible_EncScr"
[ WebWasher ], "BlockReason.46 (suspicious)"
univrs32.dat:
[ IntelliTrap ], "PAK_Generic.005"
[ Symantec ], "Trojan.Adclicker"
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX"
[ McAfee ], "FakeAlert-AP"
[ McAfee_Beta ], "[GenUnp]:FakeAlert-AP"
[ Sophos ], "Troj/Agent-GPD"
[ Panda ], "Adware/PurityScan"
[ Panda_Beta ], "Adware/PurityScan"
[ Alwil ], "Win32:Trojan-gen {Other}"
[ CAV ], "Win32/Eldycow.Q"
[ Nod32 ], "Win32/TrojanDownloader.Small.NZN trojan"
[ Fortinet ], "W32/Agent.ZAK!tr.dldr"
[ HBEDV ], "ADSPY/Sert.A"
[ Norman ], "Aggressive commersial W32/Agent.DYJS"
[ Rising ], "Trojan.Win32.Undef.gsr"
[ Ikarus ], "AdWare.Win32.Agent.zo"
[ Ewido ], "Not-A-Virus.Adware.Agent"
[ Grisoft ], "Adware Generic3.ABS"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "AdWare.Agent.zo"
[ virusbuster ], "Trojan.Zlob.ITV"
[ Sunbelt ], "Trojan-Downloader.Agent.ZAK"
[ WebWasher ], "Ad-Spyware.Sert.A"
[ bitdefender ], "Trojan.Downloader.Agent.ZAK"
[ drweb ], "Trojan.Click.5043"
braviax.exe:
[ Symantec ], "XPSecurityCenter"
[ Kaspersky ], "Trojan-Downloader.Win32.FraudLoad.vahc"
[ Panda ], "Adware/Xpantivirus2008"
[ Panda_Beta ], "Adware/Xpantivirus2008"
[ Alwil ], "Win32:Zbot-ABC [Trj]"
[ Fortinet ], "PossibleThreat"
[ Norman ], "Trojan Tibs.CICV"
[ Clamav ], "Trojan.Crypted-23"
[ Ikarus ], "Virus.Win32.Zbot.ABC"
[ Grisoft ], "Trojan horse Downloader.Small.CXX"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanDownloader.FraudLoad.va"
[ virusbuster ], "Trojan.Renos.Gen!Pac.10"
[ WebWasher ], "Trojan.Crypt.XPACK.Gen"
[ bitdefender ], "Trojan.Crypt.EQ"
"Taiwan Optoelectronics and Semiconductor Equipment Industry Association discussion forum website injected with a malicious link" currently has 1 response
I feel like McAfee SiteAdvisor is pretty useless. It always reports no anomaly found..
So isn't installing their software also useless???
By 爾 on 2008-07-17 - 20:24:25