"Weekly top news" spam hides a trojan
2008-08-22 11:08:56

Recently I have been receiving a lot of spam with the subject "Weekly top news". Each message contains one or more malicious links that try to lure the recipient into clicking them (a social-engineering technique). The malware is detected as "TR/Crypt.XPACK.Gen". In addition, the malicious link has been found to be combined with another piece of malware, "TROJ_NUWAR.GXZ".
Google Search lookup result (nothing suspicious found), as shown in the figure below:
McAfee SiteAdvisor lookup result (nothing suspicious found), as shown in the figure below:
Trend Micro Web Reputation lookup result (nothing suspicious found), as shown in the figure below:
Finjan web reputation lookup result (flagged as suspicious), as shown in the figure below:
Dr.Web web reputation lookup result (nothing suspicious found), as shown in the figure below:
Exploit Prevention Labs web reputation lookup result (flagged as suspicious), as shown in the figure below:
Symantec Safe Web lookup result (nothing suspicious found), as shown in the figure below:
After the sample is executed, the following behaviour is observed:
[Added process]
C:\Documents and Settings\LocalService\Application Data\633509642.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe
[DLL injection]
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\rhcg76j0eg03\msvcp71.dll
[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs
[Added file]
C:\Documents and Settings\Administrator\Desktop\installer.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\fileslis[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\metai[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\index2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\progress[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\antivir[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\counter[1].js
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\LocalService\Application Data\658087141.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MMFL79XH\ftpgd[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WDWHWPH6\20scan1[1].exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\rhcg76j0eg03\database.dat
C:\Program Files\rhcg76j0eg03\license.txt
C:\Program Files\rhcg76j0eg03\MFC71.dll
C:\Program Files\rhcg76j0eg03\MFC71ENU.DLL
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe.local
C:\Program Files\rhcg76j0eg03\Uninstall.exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\b9329734.sys
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\WINDOWS\system32\Restore\MachineGuid.txt
C:\WINDOWS\Temp\.ttAC.tmp
C:\WINDOWS\Temp\.ttAC.tmp.vbs
C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp
C:\WINDOWS\Temp\4AECE6A407384DE3.tmp
C:\WINDOWS\Temp\92618DBC42FD0246.tmp
C:\WINDOWS\Temp\AB.tmp
C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=DisplayName
Data=AntivirXP08
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=UninstallString
Data="C:\Program Files\rhcg76j0eg03\uninstall.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Below is the VirusTotal scan result (for reference only):
File unknown received on 08.20.2008 17:33:27 (CET)
Result: 26/35 (74.29%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - W32/Downldr2.DIHF
Avast - - Win32:Trojan-gen {Other}
AVG - - I-Worm/Nuwar.W
BitDefender - - Trojan.Peed.JRU
CAT-QuickHeal - - TrojanDownloader.Exchanger.oz
ClamAV - - -
DrWeb - - Trojan.Packed.606
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Downldr2.DIHF
F-Secure - - Trojan-Downloader.Win32.Exchanger.oz
Fortinet - - PossibleThreat
GData - - Trojan-Downloader.Win32.Exchanger.oz
Ikarus - - Trojan-Dropper.Win32.Nuwar.ldt
K7AntiVirus - - -
Kaspersky - - Trojan-Downloader.Win32.Exchanger.oz
McAfee - - -
Microsoft - - TrojanDownloader:Win32/Cbeplay.E
NOD32v2 - - Win32/Agent.ETH
Norman - - W32/DLoader.IZTO
Panda - - -
PCTools - - Trojan.Erotpics!sd6
Prevx1 - - Malicious Software
Rising - - -
Sophos - - Mal/EncPk-DA
Sunbelt - - Trojan-Downloader.Exchanger.Gen
TheHacker - - -
TrendMicro - - TROJ_NUWAR.GXZ
VBA32 - - Trojan-Downloader.Win32.Pupupitu
ViRobot - - I-Worm.Win32.Jolie.74752
VirusBuster - - Trojan.DL.Exchanger.DA
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: 10105674cc0b639b313a3db9e18d9444
SHA1: 436848261cbbc6c265b30ed8107ef17743f39ecd
SHA256: 38e6b08f83dad2162e74ea56d0bf5a92a5756e40dc5994f21ada916f02e6a033