Website of the Graduate Institute of Educational Policy and Administration, National Taiwan Normal University, injected with a malicious link

2008-08-07 20:20:46

The website of the Graduate Institute of Educational Policy and Administration, National Taiwan Normal University, has been injected with a malicious link. The malware involved is Trojan-GameThief.Win32.OnLineGames.sncz. Anyone who has browsed this page recently should check their computer for infection as soon as possible.

The malicious link/code was placed in the URL above (the site's other pages should also be checked carefully):

Google Search query result (anomaly detected), as shown in the figure below:

McAfee SiteAdvisor query result (no anomaly detected), as shown in the figure below:

Trend Micro Web Reputation query result (anomaly detected), as shown in the figure below:

finjan web reputation query result (no anomaly detected), as shown in the figure below:

Dr.Web web reputation query result (no anomaly detected), as shown in the figure below:

Exploit Prevention Labs web reputation query result (no anomaly detected), as shown in the figure below:

After execution, the following behaviour was observed:

[Added process]
C:\0058E860\0058EC19
C:\WINDOWS\system32\sunesnk.exe

[DLL injection]
C:\WINDOWS\system32\360mon.dll
C:\WINDOWS\system32\ddserh.dll
C:\WINDOWS\system32\fsrgeb.dll
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\knx32.dll
C:\WINDOWS\system32\mttwfh.dll
C:\WINDOWS\system32\sgdewg.dll
C:\WINDOWS\system32\tdffdl.dll
C:\WINDOWS\system32\tdggrz.dll
C:\WINDOWS\system32\wklsdd.dll
C:\WINDOWS\system32\wrqszl.dll
C:\WINDOWS\system32\wzcfsw.dll
C:\WINDOWS\system32\zgtwfx.dll

[Added service]
NAME: msiffei
DISPLAY: msiffei
FILE: System32\Drivers\msiffei.sys

[Added file]
C:\0058E860\0058EC19
C:\0058EDBF\5828032
C:\Documents and Settings\Administrator\Local Settings\Temp\a.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1815555[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\c4[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\c4[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\bak[1].css
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ms06014[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\old[1].htm
C:\WINDOWS\system32\360mon.dll
C:\WINDOWS\system32\autoppt.dll
C:\WINDOWS\system32\baccops.dll
C:\WINDOWS\system32\ckicps.dll
C:\WINDOWS\system32\cmonos.dll
C:\WINDOWS\system32\ddserh.dll
C:\WINDOWS\system32\dllcache\cdaudio.sys
C:\WINDOWS\system32\fsrgeb.dll
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\jolinos.dll
C:\WINDOWS\system32\knx32.dll
C:\WINDOWS\system32\knx32.exe
C:\WINDOWS\system32\mttwfh.dll
C:\WINDOWS\system32\rmbsony.dll
C:\WINDOWS\system32\sgdewg.dll
C:\WINDOWS\system32\sunesn.dll
C:\WINDOWS\system32\sunesnk.exe
C:\WINDOWS\system32\tdffdl.dll
C:\WINDOWS\system32\tdfhex.dll
C:\WINDOWS\system32\tdggrz.dll
C:\WINDOWS\system32\wklsdd.dll
C:\WINDOWS\system32\woswelc.dll
C:\WINDOWS\system32\wrqszl.dll
C:\WINDOWS\system32\wzcfsw.dll
C:\WINDOWS\system32\xpsbos.dll
C:\WINDOWS\system32\zgtwfx.dll

[Added COM/BHO]
{006CA8A1-61BC-4774-A54C-F49034270BAD}-C:\WINDOWS\system32\zgtwfx.dll
{021F087F-4378-545F-74FA-37D345AD7A8C}-C:\WINDOWS\system32\mttwfh.dll
{0B846B26-BFE6-4E8E-A948-1DB17B77B483}-C:\WINDOWS\system32\tdfhex.dll
{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}-C:\WINDOWS\system32\hhrdxd.dll
{28766E1C-74B0-4417-8C75-F12AE309EF35}-C:\WINDOWS\system32\wzcfsw.dll
{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}-C:\WINDOWS\system32\tdggrz.dll
{8C41B7F7-3168-400D-A702-0E7EFE0BA304}-C:\WINDOWS\system32\sgdewg.dll
{A9895933-6636-4281-BC58-EE6DE2AF96E3}-C:\WINDOWS\system32\ddserh.dll
{AEB6717E-7E19-21d2-97EE-00C04FD91972}-C:\WINDOWS\system32\360mon.dll
{C0595A7E-2E2F-4B34-A83A-019270A0A464}-C:\WINDOWS\system32\tdffdl.dll
{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}-C:\WINDOWS\system32\wklsdd.dll
{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}-C:\WINDOWS\system32\fsrgeb.dll
{F99DEFDD-200B-4410-B572-E90883D527D2}-C:\WINDOWS\system32\wrqszl.dll

As of now (2008/8/7 @ 16:07), the following anti-virus products detect these malicious files (for reference only):

bak.css:
[     IntelliTrap  ], "PAK_Generic.001"
[     Alpha_Gen    ], "AP_Bits"
[     Symantec     ], "Downloader"
[     Kaspersky    ], "PAK:FSG, Trojan-Downloader.Win32.Small.zie"
[     McAfee       ], "Generic.dx"
[     McAfee_Beta  ], "Generic.dx"
[     Sophos       ], "Mal/Packer"
[     Nod32        ], "a variant of Win32/TrojanDownloader.Agent.OBQ trojan"
[     Fortinet     ], "W32/Small.ZIE!tr.dldr"
[     HBEDV        ], "TR/Dropper.Gen"
[     Norman       ], "Trojan Suspicious_F.gen"
[     Rising       ], "[>>fsg2.0]:Trojan.Win32.Undef.kff"
[     Ikarus       ], "Trojan-Downloader.Win32.Small.zie"
[     Grisoft      ], "Trojan horse SHeur.BZEP"
[     Fprot        ], "W32/Warezov.B.gen!Eldorado (generic, not disinfectable)"
[     eAladdin     ], "Suspicious File [100]"
[     quickheal    ], "TrojanDownloader.Small.zie"
[     Sunbelt      ], "Trojan-Downloader.JKIZ"
[     WebWasher    ], "Trojan.Crypt.XPACK.Gen"
[     bitdefender  ], "Trojan.Downloader.JKIZ"
[     drweb        ], "Trojan.MulDrop.18184"

jolinos.dll:
[     TrendChina   ], "TROJ_XAGENT.C-CN"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.sncz"
[     McAfee       ], "PWS-OnlineGames.bp"
[     McAfee_Beta  ], "PWS-OnlineGames.bp"
[     Alwil        ], "Win32:Agent-ZRP [Trj]"
[     CAV          ], "Win32/Treemz!generic"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NXI trojan"
[     Rising       ], "Trojan.PSW.Win32.GameOL.pcs"
[     Ikarus       ], "Trojan-GameThief.Win32.OnLineGames.sncz"
[     Grisoft      ], "Trojan horse PSW.Generic6.VJN"
[     quickheal    ], "TrojanGameThief.OnLineGames.s"
[     virusbuster  ], "Trojan.OnlineGames.Gen.99"
[     WebWasher    ], "Trojan.PSW.OnlineGames.ZKH.74"
[     bitdefender  ], "Trojan.PWS.OnlineGames.ZKH"
[     drweb        ], "Trojan.PWS.Wsgame.6827"

cmonos.dll:
[     TrendChina   ], "TROJ_XAGENT.C-CN"
[     Symantec     ], "Infostealer.Gampass"
[     McAfee       ], "PWS-OnlineGames.bj"
[     McAfee_Beta  ], "PWS-OnlineGames.bj"
[     Alwil        ], "Win32:Agent-ZRP [Trj]"
[     CAV          ], "Win32/Treemz!generic"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NXN trojan"
[     Ikarus       ], "Virus.Win32.Agent.ZRP"
[     virusbuster  ], "Trojan.OnlineGames.Gen.99"
[     WebWasher    ], "BlockReason.46 (suspicious)"
[     bitdefender  ], "Trojan.OnLineGames.SIJX"
[     drweb        ], "Trojan.PWS.Wsgame.origin"

ckicps.dll:
[     TrendChina   ], "TROJ_XAGENT.C-CN"
[     McAfee       ], "PWS-OnlineGames.bj"
[     McAfee_Beta  ], "PWS-OnlineGames.bj"
[     Alwil        ], "Win32:Agent-ZRP [Trj]"
[     CAV          ], "Win32/Treemz!generic"
[     Nod32        ], "probably a variant of Win32/PSW.OnLineGames.NXI trojan"
[     Ikarus       ], "Virus.Win32.Agent.ZRP"
[     virusbuster  ], "Trojan.OnlineGames.Gen.99"
[     WebWasher    ], "BlockReason.46 (suspicious)"
[     bitdefender  ], "Trojan.PWS.OnlineGames.ZKH"

fsrgeb.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.sokm"
[     McAfee       ], "PWS-OnlineGames.br"
[     McAfee_Beta  ], "PWS-OnlineGames.br"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun!generic"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NOA trojan"
[     HBEDV        ], "HEUR/Malware"
[     Norman       ], "Trojan OnLineGames.BHOR"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Trojan-PWS.Win32.OnLineGames.alrf"
[     Grisoft      ], "Trojan horse PSW.Generic6.WHW"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"

zgtwfx.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.soha"
[     McAfee       ], "PWS-OnlineGames.br"
[     McAfee_Beta  ], "PWS-OnlineGames.br"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun.NA"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NOA trojan"
[     HBEDV        ], "HEUR/Malware"
[     Norman       ], "Trojan W32/OnLineGames.BOIP"
[     Rising       ], "Trojan.PSW.Win32.GameOL.pco"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Trojan-PWS.Win32.OnLineGames.alfp"
[     Grisoft      ], "Trojan horse PSW.Generic6.WDW"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"

hhrdxd.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.soba"
[     McAfee       ], "PWS-OnlineGames.br"
[     McAfee_Beta  ], "PWS-OnlineGames.br"
[     Sophos       ], "Mal/Generic-A"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun!generic"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NOA trojan"
[     HBEDV        ], "TR/Spy.Gen"
[     Norman       ], "Trojan OnLineGames.BHOR"
[     Rising       ], "Trojan.PSW.Win32.GameOL.pco"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Backdoor.Win32.NetCrack.13.b"
[     Grisoft      ], "Trojan horse PSW.Generic6.WEP"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.origin"

wrqszl.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "ARC:EmbeddedEXE, [data0000]:Trojan-GameThief.Win32.OnLineGames.soiu, [data0001]:Trojan-GameThief.Win32.OnLineGames.soiu, [data0002]:Trojan-GameThief.Win32.OnLineGames.soiu, [data0003]:Trojan-GameThief.Win32.OnLineGames.soiu, [data0004]:Trojan-GameThief.Win32.OnLineGames.soiu, [data0005]:Trojan-GameThief.Win32.OnLineGames.soiu"
[     McAfee       ], "PWS-OnlineGames.br"
[     McAfee_Beta  ], "PWS-OnlineGames.br"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun!generic"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NOA trojan"
[     HBEDV        ], "HEUR/Malware"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Trojan-PWS.Win32.OnLineGames.alfp"
[     Grisoft      ], "Trojan horse PSW.Generic6.WHF"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"

baccops.dll:
[     TrendChina   ], "TROJ_XAGENT.C-CN"
[     Kaspersky    ], "Trojan.Win32.Agent.xui"
[     McAfee       ], "PWS-OnlineGames.bp"
[     McAfee_Beta  ], "PWS-OnlineGames.bp"
[     Alwil        ], "Win32:Agent-ZRP [Trj]"
[     CAV          ], "Win32/Treemz!generic"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NXN trojan"
[     Grisoft      ], "Trojan horse PSW.Generic6.WGZ"
[     virusbuster  ], "Trojan.OnlineGames.Gen.99"
[     WebWasher    ], "Trojan.Onlinegames.SIJX.25"
[     bitdefender  ], "Trojan.OnLineGames.SIJX"
[     drweb        ], "Trojan.PWS.Wsgame.origin"

ddserh.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.smma"
[     McAfee       ], "PWS-OnlineGames.br"
[     McAfee_Beta  ], "PWS-OnlineGames.br"
[     Panda        ], "Trj/Lineage.ISL"
[     Panda_Beta   ], "Trj/Lineage.ISL"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun.NV"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NOA trojan"
[     Fortinet     ], "PossibleThreat"
[     HBEDV        ], "HEUR/Malware"
[     Norman       ], "Trojan W32/OnLineGames.BNVA"
[     Rising       ], "Trojan.PSW.Win32.GameOL.pco"
[     Clamav       ], "Trojan.Crypt-60″
[     Ikarus       ], "Backdoor.Win32.NetCrack.13.b"
[     Grisoft      ], "Trojan horse PSW.Generic6.VEU"
[     quickheal    ], "TrojanGameThief.OnLineGames.s"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     Sunbelt      ], "Trojan-GameThief.Win32.OnLineGames.smma"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"

wzcfsw.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "ARC:EmbeddedEXE, [data0000]:Trojan-GameThief.Win32.OnLineGames.sosy, [data0001]:Trojan-GameThief.Win32.OnLineGames.sosy, [data0002]:Trojan-GameThief.Win32.OnLineGames.sosy, [data0003]:Trojan-GameThief.Win32.OnLineGames.sosy, [data0004]:Trojan-GameThief.Win32.OnLineGames.sosy, [data0005]:Trojan-GameThief.Win32.OnLineGames.sosy"
[     McAfee       ], "PWS-OnlineGames.br"
[     McAfee_Beta  ], "PWS-OnlineGames.br"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun!generic"
[     Nod32        ], "probably a variant of Win32/PSW.OnLineGames.NOA trojan"
[     HBEDV        ], "HEUR/Malware"
[     Rising       ], "Trojan.PSW.Win32.GameOL.pcn"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Trojan.Win32.Tilcun.B"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"
