Junior High School Basic Competence Test information site (國民中學基本學力測驗資訊網) injected with a malicious link

2008 年 08 月 12 日 – 21:56:08

The Junior High School Basic Competence Test information site (國民中學基本學力測驗資訊網) has been injected with a malicious link. The malware it delivers is TSPY_ONLINEG.XFO. Anyone who has browsed this site recently should check their computer for infection as soon as possible.

The malicious link/code was placed in the following part of the URL above (the site's other pages should also be checked carefully):

Google Search lookup (anomaly found), as shown in the figure below:

McAfee SiteAdvisor lookup (no anomaly found), as shown in the figure below:

Trend Micro (趨勢科技) Web Reputation lookup (anomaly found), as shown in the figure below:

Finjan web reputation lookup (no anomaly found), as shown in the figure below:

Dr.Web web reputation lookup (no anomaly found), as shown in the figure below:

Exploit Prevention Labs web reputation lookup (anomaly found), as shown in the figure below:

Symantec (賽門鐵克) Safe Web lookup (no anomaly found), as shown in the figure below:

After the malicious code is executed, the following behaviour is observed:

[Added process]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Gameeeeeee.pif
C:\WINDOWS\system32\escepsk.exe

[DLL injection]
C:\WINDOWS\Fonts\mnmhisrv.dll
C:\WINDOWS\system32\cliconfgzx.dll
C:\WINDOWS\system32\ddserh.dll
C:\WINDOWS\system32\dispexcb.dll
C:\WINDOWS\system32\dntggf.dll
C:\WINDOWS\system32\glpvlrux.dll
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\jfdses.dll
C:\WINDOWS\system32\jfrwdh.dll
C:\WINDOWS\system32\jhfrxz.dll
C:\WINDOWS\system32\mttwfh.dll
C:\WINDOWS\system32\sgdewg.dll
C:\WINDOWS\system32\tdffdl.dll
C:\WINDOWS\system32\tdfhex.dll
C:\WINDOWS\system32\wklsdd.dll
C:\WINDOWS\system32\wrqszl.dll
C:\WINDOWS\system32\wyhesm.dll
C:\WINDOWS\system32\zycdex.dll

[Added file]
C:\0060B4A7\6338376
C:\Documents and Settings\Administrator\Local Settings\Temp\DB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\DB.tmp.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\E6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\E6.tmp.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\F0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\F0.tmp.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\Gameeeeeee.pif
C:\Documents and Settings\Administrator\Local Settings\Temp\Gameeeeeee.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\b3[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\Real[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1936348[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\fx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ms06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\fxx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ilink[1].htm
C:\WINDOWS\Fonts\mnmhisrv.dll
C:\WINDOWS\system32\cliconfgzx.dll
C:\WINDOWS\system32\cliconfgzx.nls
C:\WINDOWS\system32\ddserh.dll
C:\WINDOWS\system32\dispexcb.dll
C:\WINDOWS\system32\dispexcb.nls
C:\WINDOWS\system32\dntggf.dll
C:\WINDOWS\system32\esceps.dll
C:\WINDOWS\system32\escepsk.exe
C:\WINDOWS\system32\glpvlrux.dll
C:\WINDOWS\system32\glpvlrux.nls
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\jfdses.dll
C:\WINDOWS\system32\jfrwdh.dll
C:\WINDOWS\system32\jhfrxz.dll
C:\WINDOWS\system32\keyiftp.dll
C:\WINDOWS\system32\mttwfh.dll
C:\WINDOWS\system32\sgdewg.dll
C:\WINDOWS\system32\tdffdl.dll
C:\WINDOWS\system32\tdfhex.dll
C:\WINDOWS\system32\wklsdd.dll
C:\WINDOWS\system32\woswelc.dll
C:\WINDOWS\system32\wrqszl.dll
C:\WINDOWS\system32\wyhesm.dll
C:\WINDOWS\system32\xpsbos.dll
C:\WINDOWS\system32\zycdex.dll

[Added COM/BHO]
{021F087F-4378-545F-74FA-37D345AD7A8C}-C:\WINDOWS\system32\mttwfh.dll
{0B846B26-BFE6-4E8E-A948-1DB17B77B483}-C:\WINDOWS\system32\tdfhex.dll
{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}-C:\WINDOWS\system32\hhrdxd.dll
{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}-C:\WINDOWS\system32\glpvlrux.dll
{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}-C:\WINDOWS\system32\dntggf.dll
{45AADFAA-DD36-42AB-83AD-0521BBF58C24}-C:\WINDOWS\system32\zycdex.dll
{76D44356-B494-443a-BEDC-AA68DE4255E6}-C:\WINDOWS\system32\dispexcb.dll
{7914E0AA-ECCB-4311-B584-C49538227824}-C:\WINDOWS\system32\jhfrxz.dll
{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}-C:\WINDOWS\system32\cliconfgzx.dll
{81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B}-C:\WINDOWS\system32\jfdses.dll
{841529CB-7F77-4B99-A895-B5441E0D302F}-C:\WINDOWS\system32\jfrwdh.dll
{8C41B7F7-3168-400D-A702-0E7EFE0BA304}-C:\WINDOWS\system32\sgdewg.dll
{9C8D1401-A58D-A81C-CD24-A5915C4517C9}-C:\WINDOWS\Fonts\mnmhisrv.dll
{A9895933-6636-4281-BC58-EE6DE2AF96E3}-C:\WINDOWS\system32\ddserh.dll
{C0595A7E-2E2F-4B34-A83A-019270A0A464}-C:\WINDOWS\system32\tdffdl.dll
{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}-C:\WINDOWS\system32\wklsdd.dll
{EB71E0B3-E97D-4D30-8733-E28266467617}-C:\WINDOWS\system32\wyhesm.dll
{F99DEFDD-200B-4410-B572-E90883D527D2}-C:\WINDOWS\system32\wrqszl.dll
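The file, DLL and CLSID lists above are the artifacts an incident responder would sweep other machines for. The script below is an added example, not code from the original post: it parses the bracketed-section report format used above into file paths and the two registry locations where each BHO CLSID is registered (the Browser Helper Objects key that Internet Explorer enumerates, and the CLSID InprocServer32 key that resolves the DLL), then matches them against a host snapshot. The report excerpt embedded in it is copied from the lists above; the snapshot sets are constructed stand-ins for a real host, and the live-host function only does anything on Windows.

```python
"""Turn the [Added file] / [Added COM/BHO] lists of a sandbox report into
host-check items and evaluate them against a host snapshot.

Added example, not part of the original post. SAMPLE_REPORT is an excerpt
copied from the lists above; the snapshot sets in __main__ are constructed
stand-ins for a real host so the script runs offline.
"""
import os
import re

# Excerpt of the report format used above (constructed from the page's lists).
SAMPLE_REPORT = """\
[Added process]
C:\\WINDOWS\\system32\\escepsk.exe

[Added file]
C:\\WINDOWS\\Fonts\\mnmhisrv.dll
C:\\WINDOWS\\system32\\cliconfgzx.dll
C:\\WINDOWS\\system32\\escepsk.exe

[Added COM/BHO]
{021F087F-4378-545F-74FA-37D345AD7A8C}-C:\\WINDOWS\\system32\\mttwfh.dll
{9C8D1401-A58D-A81C-CD24-A5915C4517C9}-C:\\WINDOWS\\Fonts\\mnmhisrv.dll
"""

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
BHO_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})-(.+)$")

# Where a BHO shows up in the registry: IE loads every CLSID listed under the
# Browser Helper Objects key and resolves the DLL via HKCR\CLSID\...\InprocServer32.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKCR\CLSID"


def parse_report(text):
    """Return {section name: [entries]} for the bracketed-section report format."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def iocs_from_report(text):
    """Derive concrete file paths and registry keys to look for on a host."""
    sections = parse_report(text)
    files = set(sections.get("Added file", []))
    reg_keys = set()
    for entry in sections.get("Added COM/BHO", []):
        m = BHO_RE.match(entry)
        if not m:
            continue
        clsid, path = m.group(1).upper(), m.group(2)
        files.add(path)
        reg_keys.add(f"{BHO_KEY}\\{clsid}")
        reg_keys.add(f"{CLSID_KEY}\\{clsid}\\InprocServer32")
    return {"files": files, "reg_keys": reg_keys}


def match_snapshot(iocs, present_files, present_keys):
    """Match IOCs against a host snapshot. NTFS paths and registry keys are
    case-insensitive, so compare lower-cased."""
    lf = {p.lower() for p in present_files}
    lk = {k.lower() for k in present_keys}
    return {
        "files": sorted(p for p in iocs["files"] if p.lower() in lf),
        "reg_keys": sorted(k for k in iocs["reg_keys"] if k.lower() in lk),
    }


def scan_live_windows_host(iocs):
    """Check the IOCs directly on the running Windows host; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCR": winreg.HKEY_CLASSES_ROOT}
    hits = {"files": [p for p in iocs["files"] if os.path.exists(p)], "reg_keys": []}
    for key in iocs["reg_keys"]:
        root, _, subkey = key.partition("\\")
        try:
            winreg.CloseKey(winreg.OpenKey(roots[root], subkey))
            hits["reg_keys"].append(key)
        except OSError:
            pass
    return hits


if __name__ == "__main__":
    iocs = iocs_from_report(SAMPLE_REPORT)
    # Constructed snapshot of an infected host: one BHO DLL and its CLSID entry present.
    snapshot_files = {r"c:\windows\fonts\MNMHISRV.DLL", r"c:\windows\system32\calc.exe"}
    snapshot_keys = {CLSID_KEY + r"\{9C8D1401-A58D-A81C-CD24-A5915C4517C9}\InprocServer32"}
    print(match_snapshot(iocs, snapshot_files, snapshot_keys))
    print(scan_live_windows_host(iocs))
```

Feeding it the full lists above gives a sweep list of 36 registry keys and the dropped files; the case-insensitive comparison matters because the paths in such reports are usually normalised differently from what a live file listing returns.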

As of now (2008/8/11 @ 17:52), the following antivirus engines detect these malicious files (for reference only):

mnmhisrv.dll:
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.sora"
[     Sophos       ], "Mal/Behav-010"
[     Alwil        ], "Win32:Trojan-gen {Other}"
[     HBEDV        ], "TR/Downloader.Gen"
[     Ikarus       ], "Virus.Win32.OnLineGames.EAT"
[     Grisoft      ], "Trojan horse Generic11.HPC"
[     WebWasher    ], "Trojan.Dldr.Delphi.Gen"
[     drweb        ], "Trojan.PWS.Wsgame.6334"
cliconfgzx.dll:
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.spfw"
[     McAfee       ], "PWS-OnlineGames.bx"
[     Alwil        ], "Win32:Agent-AAZD [Trj]"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NQM trojan"
[     Rising       ], "Trojan.PSW.Win32.Mapdimp.o"
[     Ikarus       ], "Trojan-Spy"
[     Grisoft      ], "Trojan horse PSW.Generic6.WVG"
[     virusbuster  ], "Trojan.DL.OnlineGames.Gen.90"
[     WebWasher    ], "Trojan.Onlinegames.ANOD"
[     drweb        ], "Trojan.PWS.Wsgame.7007"
xpsbos.dll:
[     TrendChina   ], "TROJ_XAGENT.D-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-Spy.Win32.Agent.dpa"
[     McAfee       ], "PWS-OnlineGames.bp"
[     Panda        ], "Trj/Lineage.JGR"
[     Panda_Beta   ], "Trj/Lineage.JGR"
[     Alwil        ], "Win32:Agent-ZRP [Trj]"
[     CAV          ], "Win32/Treemz!generic"
[     Nod32        ], "probably a variant of Win32/PSW.OnLineGames.NXI trojan"
[     Fortinet     ], "Spy/Agent"
[     Rising       ], "Trojan.PSW.Win32.ZhengTu.yob"
[     Ikarus       ], "Trojan-Spy.Win32.Agent.dpa"
[     Grisoft      ], "Trojan horse PSW.Generic6.VCB"
[     quickheal    ], "TrojanSpy.Agent.dpa"
[     virusbuster  ], "Trojan.OnlineGames.Gen.99"
[     WebWasher    ], "BlockReason.46 (suspicious)"
[     bitdefender  ], "Trojan.PWS.OnlineGames.ZKH"
[     drweb        ], "Trojan.PWS.Wsgame.6864"
keyiftp.dll:
[     TrendChina   ], "TROJ_XAGENT.C-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.soqc"
[     McAfee       ], "PWS-OnlineGames.bp"
[     Sophos       ], "Mal/Generic-A"
[     Panda        ], "Trj/Lineage.JIW"
[     Panda_Beta   ], "Trj/Lineage.JIW"
[     Alwil        ], "Win32:Agent-ZRP [Trj]"
[     CAV          ], "Win32/Treemz!generic"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NXN trojan"
[     Fortinet     ], "Spy/OnLineGames"
[     Norman       ], "Trojan W32/OnLineGames.BOLU"
[     Ikarus       ], "Trojan-GameThief.Win32.OnLineGames.soqc"
[     Grisoft      ], "Trojan horse PSW.Generic6.WIK"
[     quickheal    ], "TrojanGameThief.OnLineGames.s"
[     virusbuster  ], "Trojan.OnlineGames.Gen.99"
[     WebWasher    ], "Trojan.Onlinegames.SIJX.32"
[     bitdefender  ], "Trojan.OnLineGames.SIJX"
[     drweb        ], "Trojan.PWS.Wsgame.6860"
sgdewg.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.sljc"
[     McAfee       ], "PWS-OnlineGames.br"
[     Sophos       ], "Mal/Generic-A"
[     Panda        ], "Trj/Lineage.JGK"
[     Panda_Beta   ], "Trj/Lineage.JGK"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun.MY"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NOA trojan"
[     Fortinet     ], "Spy/OnLineGames"
[     HBEDV        ], "HEUR/Malware"
[     Norman       ], "Trojan OnLineGames.BHOR"
[     Rising       ], "Trojan.PSW.Win32.GameOL.pco"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Trojan-PWS.Win32.OnLineGames.alrf"
[     Ewido        ], "Trojan.OnLineGames.sjfz"
[     Grisoft      ], "Trojan horse PSW.Generic6.UYC"
[     quickheal    ], "TrojanGameThief.OnLineGames.s"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     Sunbelt      ], "Trojan-GameThief.Win32.OnLineGames.sljc"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"
esceps.dll:
[     TrendChina   ], "TROJ_XAGENT.D-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-Spy.Win32.Agent.dhi"
[     McAfee       ], "PWS-OnlineGames.bj"
[     Panda        ], "Trj/Lineage.JGP"
[     Panda_Beta   ], "Trj/Lineage.JGP"
[     Alwil        ], "Win32:Agent-ZRP [Trj]"
[     CAV          ], "Win32/Treemz.AX"
[     Nod32        ], "probably a variant of Win32/PSW.OnLineGames.NXN trojan"
[     Fortinet     ], "W32/OnLineGames.BJ!tr.pws"
[     Norman       ], "Trojan W32/Agent.GSHE"
[     Rising       ], "Trojan.PSW.Win32.GameOL.ovi"
[     Clamav       ], "Trojan.Spy-49288"
[     Ikarus       ], "Trojan-Spy.Win32.Agent.dhi"
[     Grisoft      ], "Trojan horse PSW.Generic6.TNT"
[     quickheal    ], "TrojanSpy.Agent.dhi"
[     virusbuster  ], "Trojan.OnlineGames.Gen.99"
[     WebWasher    ], "Trojan.Spy.Agent.dhi.20"
[     bitdefender  ], "Trojan.PWS.OnlineGames.ZKH"
[     drweb        ], "Trojan.PWS.Legmir.2095"
dntggf.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.soaj"
[     McAfee       ], "PWS-OnlineGames.br"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun!generic"
[     Nod32        ], "Win32/PSW.OnLineGames.NOA trojan"
[     Fortinet     ], "PossibleThreat"
[     HBEDV        ], "HEUR/Malware"
[     Norman       ], "Trojan OnLineGames.BHOR"
[     Rising       ], "Trojan.PSW.Win32.GameOL.pco"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Trojan-PWS.Win32.OnLineGames.alrf"
[     Grisoft      ], "Trojan horse PSW.Generic6.WDP"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"
jfdses.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.soxb"
[     McAfee       ], "PWS-OnlineGames.br"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun!generic"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NOA trojan"
[     Fortinet     ], "W32/OnLineGames.BR!tr.pws"
[     HBEDV        ], "HEUR/Malware"
[     Norman       ], "Trojan OnLineGames.BHOR"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Trojan-PWS.Win32.OnLineGames.alrf"
[     Grisoft      ], "Trojan horse PSW.Generic6.WNS"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"
glpvlrux.dll:
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.bkli"
[     McAfee       ], "PWS-OnlineGames.bx"
[     Sophos       ], "Mal/Behav-010"
[     Alwil        ], "Win32:Agent-AAZD [Trj]"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NQM trojan"
[     Rising       ], "Trojan.PSW.Win32.Mapdimp.o"
[     Ikarus       ], "Trojan-Spy"
[     Grisoft      ], "Trojan horse PSW.OnlineGames.AYNG"
[     Fprot        ], "W32/OnlineGames.B.gen!GSA (generic, not disinfectable)"
[     virusbuster  ], "Trojan.DL.OnlineGames.Gen.90"
[     WebWasher    ], "Trojan.Onlinegames.ANOE"
[     drweb        ], "Trojan.PWS.Wsgame.7006"
wrqszl.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "ARC:EmbeddedEXE, [data0000]:Trojan-GameThief.Win32.OnLineGames.sosh, [data0001]:Trojan-GameThief.Win32.OnLineGames.sosh, [data0002]:Trojan-GameThief.Win32.OnLineGames.sosh, [data0003]:Trojan-GameThief.Win32.OnLineGames.sosh, [data0004]:Trojan-GameThief.Win32.OnLineGames.sosh, [data0005]:Trojan-GameThief.Win32.OnLineGames.sosh"
[     McAfee       ], "PWS-OnlineGames.br"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun!generic"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NOA trojan"
[     Fortinet     ], "W32/OnLineGames.BR!tr.pws"
[     HBEDV        ], "HEUR/Malware"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Trojan-PWS.Win32.OnLineGames.alfp"
[     Grisoft      ], "Trojan horse PSW.Generic6.WWY"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"
dispexcb.dll:
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.bklj"
[     McAfee       ], "PWS-OnlineGames.bx"
[     Alwil        ], "Win32:Agent-AAZD [Trj]"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NQM trojan"
[     Rising       ], "Trojan.PSW.Win32.Mapdimp.o"
[     Ikarus       ], "Trojan-Spy"
[     Grisoft      ], "Trojan horse PSW.OnlineGames.AYNV"
[     virusbuster  ], "Trojan.DL.OnlineGames.Gen.90"
[     WebWasher    ], "Trojan.Onlinegames.ANOD"
[     drweb        ], "Trojan.PWS.Wsgame.7005"
wyhesm.dll:
[     TrendChina   ], "TROJ_KAGENT.A-CN"
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "ARC:EmbeddedEXE, [data0000]:Trojan-GameThief.Win32.OnLineGames.bkky, [data0001]:Trojan-GameThief.Win32.OnLineGames.bkky, [data0002]:Trojan-GameThief.Win32.OnLineGames.bkky, [data0003]:Trojan-GameThief.Win32.OnLineGames.bkky, [data0004]:Trojan-GameThief.Win32.OnLineGames.bkky, [data0005]:Trojan-GameThief.Win32.OnLineGames.bkky"
[     McAfee       ], "PWS-OnlineGames.br"
[     Alwil        ], "Win32:OnLineGames-DQP [Trj]"
[     CAV          ], "Win32/Tilcun.NZ"
[     Nod32        ], "a variant of Win32/PSW.OnLineGames.NOA trojan"
[     Fortinet     ], "PossibleThreat"
[     HBEDV        ], "HEUR/Malware"
[     Clamav       ], "Trojan.Crypt-60"
[     Ikarus       ], "Trojan-PWS.Win32.OnLineGames.alfp"
[     Grisoft      ], "Trojan horse PSW.Generic6.WVH"
[     virusbuster  ], "Trojan.OnlineGames.Gen.88"
[     WebWasher    ], "Trojan.Spy.Gen"
[     bitdefender  ], "Trojan.Crypt.Delf.F"
[     drweb        ], "Trojan.PWS.Gamania.12822"
Real[1].htm:
[     Kaspersky    ], "Exploit.JS.Agent.tg"
[     McAfee       ], "[00000042.js]:JS/Exploit-BO"
[     HBEDV        ], "HTML/Dldr.Agent.EX"
[     Ikarus       ], "Virus.Exploit.JS.Agent.tg"
[     Ewido        ], "Not-A-Virus.Exploit.JS.Agent.pd"
[     Grisoft      ], "Virus identified JS/Downloader.Agent"
[     Fprot        ], "JS/Agent.HG (exact)"
[     Authentium   ], "JS/Agent.HG"
[     WebWasher    ], "Script.Dldr.Agent.EX"
[     bitdefender  ], "Trojan.Exploit.JS.G"
fxx[1].htm:
[     Alwil        ], "VBS:Obfuscated-gen [Trj]"
[     HBEDV        ], "HEUR/HTML.Malware"
[     Grisoft      ], "Virus found Exploit"
[     WebWasher    ], "Script.Downloader.Gen"
Thunder.html:
[     Symantec     ], "JS.Downloader.Trojan"
[     McAfee       ], "[00000042.js]:JS/Exploit-BO"
[     HBEDV        ], "HTML/Shellcode.Gen"
[     Ewido        ], "Not-A-Virus.Exploit.JS.Agent.pe"
[     Grisoft      ], "Virus identified JS/Downloader.Agent"
[     Fprot        ], "JS/Xunlei.D (exact)"
[     Authentium   ], "JS/Xunlei.D"
[     WebWasher    ], "Script.Shellcode.Gen"
[     bitdefender  ], "Trojan.Exploit.JS.G"
flink.html:
[     WebWasher    ], "BlockReason.46 (suspicious)"
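The per-vendor tables above are what a multi-scanner service returns for each dropped component; read side by side, they show which engines caught every file and which only caught some, and whether a vendor used one generic name across many files or a distinct signature for each. The script below is an added example, not code from the original post: it parses the `sample:` / `[ Vendor ], "signature"` listing format used above and summarises coverage per vendor. The embedded listing is a constructed three-sample excerpt copied from the tables above; lower-casing vendor names and accepting a typographic closing quote are assumptions of this script, not something the post describes.

```python
"""Parse per-sample antivirus detection listings in the format

    sample.dll:
    [     Vendor     ], "signature"

and summarise which vendors cover which samples.

Added example, not part of the original post. SAMPLE_LISTING is a constructed
excerpt (three samples) copied from the tables above.
"""
import re
from collections import defaultdict

SAMPLE_LISTING = '''\
mnmhisrv.dll:
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.sora"
[     Sophos       ], "Mal/Behav-010"
[     drweb        ], "Trojan.PWS.Wsgame.6334"
cliconfgzx.dll:
[     Kaspersky    ], "Trojan-GameThief.Win32.OnLineGames.spfw"
[     McAfee       ], "PWS-OnlineGames.bx"
[     drweb        ], "Trojan.PWS.Wsgame.7007"
wrqszl.dll:
[     Symantec     ], "Infostealer.Gampass"
[     Kaspersky    ], "ARC:EmbeddedEXE, [data0000]:Trojan-GameThief.Win32.OnLineGames.sosh, [data0001]:Trojan-GameThief.Win32.OnLineGames.sosh"
[     McAfee       ], "PWS-OnlineGames.br"
[     drweb        ], "Trojan.PWS.Gamania.12822"
'''

SAMPLE_RE = re.compile(r"^(\S+):$")
# Vendor in brackets, then the signature in quotes. The signature may itself
# contain commas and brackets (Kaspersky's archive verdicts), so capture up to
# the final quote; a typographic closing quote (U+2033) is tolerated because
# hand-edited listings sometimes carry one.
DETECT_RE = re.compile(r'^\[\s*([^\]\s]+)\s*\],\s*"(.*)["\u2033]\s*$')


def parse_detections(text):
    """Return {sample: {vendor: signature}}; vendor names are lower-cased so
    capitalisation differences between listings collapse to one key."""
    result, sample = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SAMPLE_RE.match(line)
        if m:
            sample = m.group(1)
            result.setdefault(sample, {})
            continue
        m = DETECT_RE.match(line)
        if m and sample is not None:
            result[sample][m.group(1).lower()] = m.group(2)
    return result


def coverage(detections):
    """Per vendor: which samples it detected and which it missed."""
    samples = set(detections)
    per_vendor = defaultdict(set)
    for sample, vendors in detections.items():
        for vendor in vendors:
            per_vendor[vendor].add(sample)
    return {v: {"hits": sorted(s), "misses": sorted(samples - s)}
            for v, s in per_vendor.items()}


def vendors_covering_all(detections):
    """Vendors with a verdict for every sample in the listing."""
    return sorted(v for v, c in coverage(detections).items() if not c["misses"])


def signature_families(detections, vendor):
    """Distinct names one vendor used across the samples; a single name for
    many files points to a generic or heuristic signature."""
    return sorted({sigs[vendor] for sigs in detections.values() if vendor in sigs})


if __name__ == "__main__":
    d = parse_detections(SAMPLE_LISTING)
    for vendor, c in sorted(coverage(d).items()):
        print(f"{vendor:12s} hits={len(c['hits'])} misses={c['misses']}")
    print("cover all:", vendors_covering_all(d))
    print("symantec names:", signature_families(d, "symantec"))
```

Run over the full tables above, the same functions show which engines had a verdict for every dropped DLL at the time of the check and which relied on one generic name such as "Infostealer.Gampass" for most of them.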
