Taipei Magazine Business Association (台北市雜誌商業同業公會) website injected with a malicious link
2008-07-18 21:39:21 The website of the Taipei Magazine Business Association (台北市雜誌商業同業公會) has been injected with a malicious link. The malware involved is Mal_Infostl. Anyone who has browsed this page recently should check their computer for infection as soon as possible (Credit: Google).
The malicious link/code was placed in the above URL (other pages of the site may need careful checking too):
Google Search result (abnormality found), as shown in the figure below:
McAfee SiteAdvisor result (no abnormality found), as shown in the figure below:
Trend Micro Web Reputation query result (no abnormality found), as shown in the figure below:
After execution, the following behaviour is observed:
[DLL injection]
C:\Program Files\Common Files\Microsoft Shared\MSInfo\atmQQ2.dll
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\server[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ms06014[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\new[1].swf
C:\Program Files\Common Files\Microsoft Shared\MSInfo\atmQQ2.dll
[Added COM/BHO]
{D544C22D-1F70-4B1E-873D-D8DABEB26695}-C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll
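The BHO entry above is the persistence artefact a responder can check for directly: the Browser Helper Objects key only stores the CLSID, and the DLL path is resolved through HKCR\CLSID\{CLSID}\InprocServer32. The following PowerShell is an added example for triage (not part of the original post); it lists every registered BHO and flags the CLSID and DLL name taken from this report. It assumes an elevated session on the affected machine and a 32- or 64-bit Windows layout with the standard registry hives.

```powershell
# Added example (not from the original post): enumerate registered Browser Helper
# Objects and flag the indicator from this report. Run in an elevated PowerShell session.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Indicators taken from the behaviour listing above.
$SuspectClsid = '{D544C22D-1F70-4B1E-873D-D8DABEB26695}'
$SuspectDll   = 'atmQQ2.dll'

function Get-RegisteredBho {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll   = $null
            # The BHO key holds only the CLSID; the DLL path is the (default) value of
            # HKCR\CLSID\{CLSID}\InprocServer32 (or the Wow6432Node copy on 64-bit Windows).
            foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID',
                              'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
                $srv = "$root\$clsid\InprocServer32"
                if (Test-Path -Path $srv) {
                    $dll = ((Get-ItemProperty -Path $srv).'(default)').Trim('"')
                    break
                }
            }
            $fileName = if ($dll) { [System.IO.Path]::GetFileName($dll) } else { '' }
            [pscustomobject]@{
                Clsid   = $clsid
                Dll     = $dll
                Hive    = $key
                # Flag on the CLSID or the DLL file name reported for this incident.
                Suspect = ($clsid -ieq $SuspectClsid) -or ($fileName -ieq $SuspectDll)
            }
        }
    }
}

# Suspect entries sort to the top; any BHO loading from an unexpected path deserves review.
Get-RegisteredBho | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize
```

A BHO whose DLL lives under a system directory it has no business in (as with the MSInfo path above) is worth examining even when its CLSID does not match the one reported here.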
As of now (2008/7/17 @ 21:40), the following antivirus products detect these malicious files (for reference only):
atmQQ2.dll:
[ Trend ], "Mal_Infostl"
ms06014[2].htm:
[ Kaspersky ], "Trojan-Downloader.JS.Agent.afg"
[ McAfee ], "[00000060.js]:Obfuscated Script.d !!"
[ McAfee_Beta ], "[00000060.js]:Obfuscated Script.d !!"
[ Sophos ], "Mal/ObfJS-L"
[ HBEDV ], "JS/Dldr.Agent.afg"
[ Rising ], "Trojan.DL.Script.JS.Agent.lrx"
[ Clamav ], "HTML.Downloader-7"
[ Ikarus ], "VirTool.JS.Obfuscator.B"
[ Grisoft ], "Virus found Downloader.Small"
[ Fprot ], "JS/IFrameBoF.H (exact)"
[ Authentium ], "JS/IFrameBoF.H"
[ WebWasher ], "Script.Dldr.Agent.afg"
server[1].exe:
[ TrendChina ], "TROJ_XAGENT.A-CN"
[ IntelliTrap ], "PAK_Generic.005"
[ Alpha_Gen ], "AP_Bits"
[ Beta_Gen ], "AP_Bits"
[ Symantec ], "Packed.Generic.93"
[ Kaspersky ], "PAK:NSPack, PAK:UPack, PAK:ASPack, PAK:PE_Patch.MaskPE, Trojan-PSW.Win32.QQPass.cmk"
[ McAfee ], "Generic.dx"
[ McAfee_Beta ], "Generic.dx"
[ Sophos ], "Mal/EncPk-BW"
[ Alwil ], "Win32:Trojan-gen {Other}"
[ Nod32 ], "probably a variant of Win32/PSW.QQPass.NDF trojan"
[ Fortinet ], "PossibleThreat"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Trojan W32/Suspicious_N.gen"
[ Rising ], "Trojan.DL.Win32.Agent.bds"
[ Ikarus ], "PWS.Win32.QQpass.CZ"
[ Grisoft ], "Trojan horse BackDoor.Bifrose.AOV"
[ Fprot ], "W32/Downloader.gen10"
[ eAladdin ], "Win32.Virut.b"
[ quickheal ], "TrojanPSW.QQPass.cmk"
[ Authentium ], "W32/Downloader.gen10"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Trojan.Packed.12261"
[ drweb ], "Win32.HLLW.Autoruner.1891"