Paris Hilton Nude Video Hides a Trojan
20 August 2008 – 17:42:24
Recently a lot of e-mails about "Paris Hilton" have been turning up. They contain a malicious link; clicking it downloads a file named "video-paris-hilton.avi.exe", which antivirus software detects as Trojan-Downloader.Win32.Renos.AQ. Please be careful.
Google Search lookup result (nothing abnormal found), as shown in the figure below:
McAfee SiteAdvisor lookup result (nothing abnormal found), as shown in the figure below:
Trend Micro Web Reputation lookup result (abnormality found), as shown in the figure below:
Finjan web reputation lookup result (abnormality found), as shown in the figure below:
Dr.Web web reputation lookup result (nothing abnormal found), as shown in the figure below:
Exploit Prevention Labs web reputation lookup result (nothing abnormal found), as shown in the figure below:
Symantec Safe Web lookup result (nothing abnormal found), as shown in the figure below:
After execution, the following behaviour was observed:
[Added process]
C:\Documents and Settings\Administrator\Desktop\video-paris-hilton.avi.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
[DLL injection]
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
[Added file]
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA7.tmp.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\etherXXXXa00176
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Program Files\rhcg76j0eg03\database.dat
C:\Program Files\rhcg76j0eg03\license.txt
C:\Program Files\rhcg76j0eg03\MFC71.dll
C:\Program Files\rhcg76j0eg03\MFC71ENU.DLL
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe.local
C:\Program Files\rhcg76j0eg03\Uninstall.exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\WINDOWS\system32\Restore\MachineGuid.txt
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=DisplayName
Data=AntivirXP08
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=UninstallString
Data="C:\Program Files\rhcg76j0eg03\uninstall.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Below are the VirusTotal scan results (for reference only):
File video-paris-hilton.avi.exe received on 08.20.2008 07:59:43 (CET)
Result: 8/36 (22.22%)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.19.0 2008.08.20 -
AntiVir 7.8.1.23 2008.08.19 -
Authentium 5.1.0.4 2008.08.20 -
Avast 4.8.1195.0 2008.08.19 -
AVG 8.0.0.161 2008.08.20 -
BitDefender 7.2 2008.08.20 MemScan:Trojan.FakeAlert.AAF
CAT-QuickHeal 9.50 2008.08.19 (Suspicious) – DNAScan
ClamAV 0.93.1 2008.08.19 -
DrWeb 4.44.0.09170 2008.08.20 -
eSafe 7.0.17.0 2008.08.19 Suspicious File
eTrust-Vet 31.6.6036 2008.08.19 -
Ewido 4.0 2008.08.19 -
F-Prot 4.4.4.56 2008.08.19 -
F-Secure 7.60.13501.0 2008.08.20 -
Fortinet 3.14.0.0 2008.08.20 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.20 Trojan-Downloader.Win32.Renos.AQ
K7AntiVirus 7.10.421 2008.08.19 -
Kaspersky 7.0.0.125 2008.08.20 -
McAfee 5364 2008.08.19 -
Microsoft 1.3807 2008.08.20 TrojanDownloader:Win32/Renos.gen!AQ
NOD32v2 3369 2008.08.19 -
Norman 5.80.02 2008.08.19 AntiVirus2008.gen2
Panda 9.0.0.4 2008.08.19 -
PCTools 4.4.2.0 2008.08.19 -
Prevx1 V2 2008.08.20 Malicious Software
Rising 20.58.20.00 2008.08.20 -
Sophos 4.32.0 2008.08.20 Troj/FakeAle-FT
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.20 -
TheHacker 6.3.0.5.054 2008.08.19 -
TrendMicro 8.700.0.1004 2008.08.20 -
VBA32 3.12.8.3 2008.08.19 -
ViRobot 2008.8.19.1341 2008.08.20 -
VirusBuster 4.5.11.0 2008.08.19 -
Webwasher-Gateway 6.6.2 2008.08.19 -
Additional information
File size: 183296 bytes
MD5...: 2d77a6d4fa2df29b094e290512b087a0
SHA1..: 0a1dd7596d435cf4a6249348a038c7457f94a678
SHA256: 590afe46bfa375cf000ad323a2744bdb108e3c27faa4b90080df0f64a0d94ab7
SHA512: 5308b467bd8ae5474aea385c5577f00fd899f7640b24c88d8105aabd5addf19ef20493c3e4e55386eb1424b48286ee21b61034693a684b0076d540e0e4f72788
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x48ab195e (Tue Aug 19 19:05:02 2008)
machinetype.......: 0x14c (I386)
( 5 sections )
name     viradd   virsiz   rawdsiz  ntrpy  md5
CODE     0x1000   0xc6ab4  0x2600   6.41   a4d45d87b08f8d94277159e0fe8a9e15
DATA     0xc8000  0x296a4  0x29200  8.00   45367edbb00e3b6724877268637ddde8
.rsrc    0xf2000  0x1000   0xa00    2.38   8ec0154fb3c0c7811715af24c77b9e13
.idata   0xf3000  0x818    0x600    2.83   649de547ef6b5432da99091f5e2cb9b0
.pack32  0xf4000  0x1000   0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
( 3 imports )
> kernel32.dll: OpenSemaphoreA
> user32.dll: TranslateAcceleratorA, OemToCharW, AttachThreadInput, CreateCaret, MessageBoxExA, UserClientDllInitialize, GetLastInputInfo, PeekMessageA, DdeGetLastError, DdeQueryConvInfo, LoadLocalFonts, DdeConnect
> gdi32.dll: Rectangle, CreateCompatibleBitmap, GetDeviceCaps, GdiIsPlayMetafileDC, GdiGetLocalFont, GetFontData, GdiCleanCacheDC, GdiEntry16, CreateMetaFileA, SetPaletteEntries, AddFontMemResourceEx, AbortDoc
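The PEInfo block above already contains the packing tell-tales: the DATA section at entropy 8.00, CODE with a virtual size about 80 times its raw size, a .pack32 section with no data on disk (its MD5 is the MD5 of the empty string), and an import table in which kernel32.dll supplies a single function. The following Python, an added example and not VirusTotal's or the blog's code, reads the section table and import list copied from that block and applies those heuristics. The thresholds (7.0 bits of entropy, 4x expansion, fewer than 3 kernel32 imports) are my assumptions.

```python
"""Packing heuristics read off a PE section table and import list.

Added example, not code from the blog post or from VirusTotal. The section
table and import list are copied from the PEInfo output on the page; the
thresholds are assumptions chosen to illustrate the sample.
"""
import math
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    vaddr: int      # virtual address
    vsize: int      # virtual size (bytes mapped at runtime)
    rawsize: int    # size of the section's data on disk
    entropy: float  # Shannon entropy of the raw data, 0.0 .. 8.0
    md5: str


# Section table from the VirusTotal PEInfo output for video-paris-hilton.avi.exe.
SECTION_TABLE = """
CODE 0x1000 0xc6ab4 0x2600 6.41 a4d45d87b08f8d94277159e0fe8a9e15
DATA 0xc8000 0x296a4 0x29200 8.00 45367edbb00e3b6724877268637ddde8
.rsrc 0xf2000 0x1000 0xa00 2.38 8ec0154fb3c0c7811715af24c77b9e13
.idata 0xf3000 0x818 0x600 2.83 649de547ef6b5432da99091f5e2cb9b0
.pack32 0xf4000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
"""

# Import list from the same output: DLL -> imported function names.
IMPORTS = {
    "kernel32.dll": ["OpenSemaphoreA"],
    "user32.dll": ["TranslateAcceleratorA", "OemToCharW", "AttachThreadInput",
                   "CreateCaret", "MessageBoxExA", "UserClientDllInitialize",
                   "GetLastInputInfo", "PeekMessageA", "DdeGetLastError",
                   "DdeQueryConvInfo", "LoadLocalFonts", "DdeConnect"],
    "gdi32.dll": ["Rectangle", "CreateCompatibleBitmap", "GetDeviceCaps",
                  "GdiIsPlayMetafileDC", "GdiGetLocalFont", "GetFontData",
                  "GdiCleanCacheDC", "GdiEntry16", "CreateMetaFileA",
                  "SetPaletteEntries", "AddFontMemResourceEx", "AbortDoc"],
}


def parse_sections(table):
    """Parse 'name vaddr vsize rawsize entropy md5' rows; skip anything else."""
    out = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        name, va, vs, rs, ent, md5 = parts
        out.append(Section(name, int(va, 16), int(vs, 16), int(rs, 16), float(ent), md5))
    return out


def shannon_entropy(data):
    """Bits per byte. 8.0 means every byte value is equally frequent, which is
    what compressed or encrypted data looks like; plain code sits well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def packing_indicators(sections, high_entropy=7.0, expansion_ratio=4.0):
    """Return {section name: [reasons]} for sections that look packed.
    Thresholds are assumptions, not values from the page."""
    findings = {}
    for s in sections:
        reasons = []
        if s.entropy >= high_entropy:
            reasons.append(f"entropy {s.entropy:.2f} >= {high_entropy}: compressed or encrypted payload")
        if s.rawsize == 0 and s.vsize > 0:
            reasons.append("no data on disk but mapped at runtime: target area for the unpacker")
        elif s.rawsize and s.vsize / s.rawsize >= expansion_ratio:
            reasons.append(f"virtual size {s.vsize / s.rawsize:.0f}x raw size: section filled in at runtime")
        if reasons:
            findings[s.name] = reasons
    return findings


def import_anomalies(imports, min_kernel32=3):
    """Flag an import table too thin for a real GUI program. Packers keep a
    token import list and resolve the real APIs themselves after unpacking."""
    reasons = []
    k32 = imports.get("kernel32.dll", [])
    if len(k32) < min_kernel32:
        reasons.append(f"kernel32.dll imports only {len(k32)} function(s)")
    if not any(f.startswith(("LoadLibrary", "GetProcAddress")) for f in k32):
        reasons.append("no LoadLibrary/GetProcAddress either: the unpacked code must resolve APIs some other way")
    return reasons


if __name__ == "__main__":
    for name, why in packing_indicators(parse_sections(SECTION_TABLE)).items():
        print(name, "->", "; ".join(why))
    for why in import_anomalies(IMPORTS):
        print("imports ->", why)
```

The MD5 on the .pack32 row is d41d8cd98f00b204e9800998ecf8427e, the hash of zero bytes, which is consistent with its raw size of 0x0; the code flags that section from the sizes alone, so the hash is just a cross-check. The eight of 36 engines that did fire on this file mostly named a generic FakeAlert/Renos family or a heuristic verdict, which is what signature-free indicators like these are for.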
"Paris Hilton Nude Video Hides a Trojan" currently has 1 response
Phishing e-mails are flying everywhere... the awareness everyone should have:
http://armorize-cht.blogspot.com/2008/08/awareness-of-e-mail.html
A phishing site in the wild:
http://mysecure.blogspot.com/2008/08/blog-post_16.html
By Crane on 20 August 2008 - 22:21:01