Malware disguised as Trend Micro iClean (demo video)

July 25, 2008 – 13:08:50

Update: Trend Micro pattern file 5.429.00 detects this tool as "TROJ_FAKECLEAN.A".

This morning a friend sent me a file. It is malware, but it is disguised as "Trend Micro iClean". If you use this tool, please be very careful so that you don't get infected.

The main functions of the genuine Trend Micro iClean are as follows:

  • Remove common viruses and rootkits
  • Clean the IE cache folder
  • Clean the system Temp folder
  • Collect Trend Micro antivirus log files
  • Collect malware-related diagnostic information
  • Special protection features

Screenshot of the fake Trend Micro iClean:

Demo video of the fake program running:

After execution, the following behaviour was observed (some of the files are legitimate and are created by Trend Micro iClean itself):

[Added process]
C:\Temp\iClean20Vir\winswf~.exe

[DLL injection]
C:\WINDOWS\system32\c3dx.dll
C:\WINDOWS\system32\ras\rasapi.dll

[Added file]
C:\Documents and Settings\Administrator\Desktop\Upload.zip
C:\Documents and Settings\Administrator\Desktop\VCT_Backup.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\k2erun.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\RootkitBuster.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\setdirerr.log
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\setdirout.log
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\SIC.CONF
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\Sic3.3 Readme.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\SICBASE.DAT
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\SICWin.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\subinacl.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\tmcomm.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\TmEngDrv.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\tmufeng.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\VCT.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\VCTHJT_v2.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\WKIX32.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\ZAP.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\zip.exe
C:\Program Files\Adobe\tmp\200231.jpg
C:\Program Files\Adobe\tmp\Loader.exe
C:\Program Files\Adobe\tmp\Rundll32.exe
C:\Program Files\Adobe\tmp\svchos.exe
C:\Program Files\Adobe\tmp\Temp\Temp.rar
C:\Temp\iClean20Vir\iClean20Vir.exe
C:\Temp\iClean20Vir\null
C:\Temp\iClean20Vir\winswf~.exe
C:\WINDOWS\system32\c3dx.dll
C:\WINDOWS\system32\drivers\tmcomm.sys
C:\WINDOWS\system32\mwbackup.exe
C:\WINDOWS\system32\ras\rasapi.dll
C:\WINDOWS\VCT.LOG
C:\WINDOWS\WindowsBackUp.log
C:\WINDOWS\~f2008724.tmp
C:\_@A9.tmp
C:\_@AA.tmp
C:\_@AB.tmp

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WindowsBackUp
Data=C:\WINDOWS\system32\mwbackup.exe
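As an added example (not code from the original post or from Trend Micro), the following Python script triages a behaviour listing in the format shown above: it parses the bracketed sections, separates the dropped files into those the genuine iClean creates (encoded as patterns from the list of legitimate files given in the comments, with the user profile name and the randomised temp directory name wildcarded, which is an assumption on my part) and the remainder, and flags a Run-key autostart entry whose target is one of the remaining files. The sample listing embedded in the script is constructed from the post and abbreviated.

```python
"""Triage helper for a behaviour listing like the one in the post.

Splits the "[Added file]" entries into files the genuine Trend Micro iClean
creates (per the commenter's list) and the rest, and flags Run-key
persistence whose target is one of the remaining files.
"""
from fnmatch import fnmatchcase

# Constructed sample input, abbreviated from the listing in the post.
SAMPLE_REPORT = r"""[Added process]
C:\Temp\iClean20Vir\winswf~.exe

[DLL injection]
C:\WINDOWS\system32\c3dx.dll
C:\WINDOWS\system32\ras\rasapi.dll

[Added file]
C:\Documents and Settings\Administrator\Desktop\Upload.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\RootkitBuster.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\SICWin.exe
C:\Program Files\Adobe\tmp\Loader.exe
C:\Program Files\Adobe\tmp\svchos.exe
C:\Temp\iClean20Vir\winswf~.exe
C:\WINDOWS\system32\c3dx.dll
C:\WINDOWS\system32\mwbackup.exe
C:\WINDOWS\system32\ras\rasapi.dll
C:\WINDOWS\VCT.LOG
C:\_@A9.tmp

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WindowsBackUp
Data=C:\WINDOWS\system32\mwbackup.exe
"""

# Paths the genuine iClean creates, encoded from the commenter's list as
# fnmatch patterns. Wildcarding the profile name and the randomised
# k2e~NNNNNN working directory is an assumption, not something the post states.
KNOWN_GOOD_PATTERNS = [
    r"C:\Documents and Settings\*\Desktop\Upload.zip",
    r"C:\Documents and Settings\*\Desktop\VCT_Backup.zip",
    r"C:\Documents and Settings\*\Local Settings\Temp\k2e~*\*",
    r"C:\WINDOWS\VCT.LOG",
    r"C:\WINDOWS\WindowsBackUp.log",
    r"C:\WINDOWS\~f*.tmp",
    r"C:\_@*.tmp",
]


def parse_report(text):
    """Parse "[Section]" headers followed by one entry per line into a dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def is_known_good(path):
    """True when the path matches one of the genuine-iClean patterns (case-insensitive)."""
    p = path.lower()
    return any(fnmatchcase(p, pat.lower()) for pat in KNOWN_GOOD_PATTERNS)


def parse_registry(lines):
    """Group 'Key / Value=... / Data=...' lines into one dict per registry entry."""
    entries, cur = [], None
    for line in lines:
        if line.startswith("Value=") or line.startswith("Data="):
            if cur is None:
                continue  # malformed listing: value without a preceding key
            name, _, val = line.partition("=")
            cur[name.lower()] = val
        else:
            cur = {"key": line, "value": None, "data": None}
            entries.append(cur)
    return entries


def triage(report_text):
    """Return the listing split into benign/suspicious files plus flagged autostarts."""
    sections = parse_report(report_text)
    files = sections.get("Added file", [])
    benign = [f for f in files if is_known_good(f)]
    suspicious = [f for f in files if not is_known_good(f)]
    suspicious_lower = {f.lower() for f in suspicious}
    persistence = []
    for entry in parse_registry(sections.get("Added registry", [])):
        autostart = entry["key"].lower().endswith(r"\currentversion\run")
        if autostart and entry["data"] and entry["data"].lower() in suspicious_lower:
            persistence.append(entry)
    return {
        "suspicious_files": suspicious,
        "benign_files": benign,
        "processes": sections.get("Added process", []),
        "injected_dlls": sections.get("DLL injection", []),
        "persistence": persistence,
    }


if __name__ == "__main__":
    for name, items in triage(SAMPLE_REPORT).items():
        print(f"{name}:")
        for item in items:
            print(f"  {item}")
```

On the sample listing the script leaves the Adobe\tmp droppers, winswf~.exe, the two injected DLLs and mwbackup.exe in the suspicious set, and reports the WindowsBackUp Run entry as persistence because its Data path is one of those files; everything under the k2e~ working directory is classified as genuine iClean output, which matches what the commenters point out.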

So far (2008/7/25 @ ), the following antivirus products detect these malicious files (for reference only):

To be updated…

3 responses to “Malware disguised as Trend Micro iClean (demo video)”

  1. The SIC, KiXtart and related files should be part of iCleaner itself;
    they can't be counted as components of the malware.

    By GD on July 25, 2008 - 14:05:53

  2. I know!

    The following are legitimate files:
    C:\Documents and Settings\Administrator\Desktop\Upload.zip
    C:\Documents and Settings\Administrator\Desktop\VCT_Backup.zip
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\k2erun.dat
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\RootkitBuster.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\setdirerr.log
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\setdirout.log
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\SIC.CONF
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\Sic3.3 Readme.txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\SICBASE.DAT
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\SICWin.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\subinacl.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\tmcomm.sys
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\TmEngDrv.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\tmufeng.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\VCT.ini
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\VCTHJT_v2.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\WKIX32.EXE
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\ZAP.EXE
    C:\Documents and Settings\Administrator\Local Settings\Temp\k2e~218491\zip.exe
    C:\WINDOWS\VCT.LOG
    C:\WINDOWS\WindowsBackUp.log
    C:\WINDOWS\~f2008724.tmp
    C:\_@A9.tmp
    C:\_@AA.tmp
    C:\_@AB.tmp

    If I've got anything wrong, please let me know.

    By Roger on July 25, 2008 - 14:20:13

  3. Trend Micro has been in the news a lot lately,
    and has released a lot of products.

    The hackers can even make use of that… XD

    By Crane on July 25, 2008 - 14:49:18
