National Taiwan Ocean University (國立台灣海洋大學) student dormitory management system website injected with a malicious link

23 September 2008, 12:35:11

The website of the National Taiwan Ocean University student dormitory management system has been injected with a malicious link. The malware involved is BDS/Pcclient.brp. Anyone who has browsed this page recently should check their computer for signs of infection as soon as possible.

The malicious link/code was placed on the URL above (the site's other pages should also be checked carefully):

Below are the results of the web reputation rating lookups:

Google Search lookup result (anomaly found), as shown in the figure below:

Armorize (阿碼科技) HackAlert (malicious behaviour detection) lookup result (anomaly found), as shown in the figure below:

McAfee SiteAdvisor lookup result (no anomaly found), as shown in the figure below:

Trend Micro web reputation rating lookup result (anomaly found), as shown in the figure below:

finjan web reputation rating lookup result (no anomaly found), as shown in the figure below:

Dr.Web web reputation rating lookup result (no anomaly found), as shown in the figure below:

Exploit Prevention Labs web reputation rating lookup result (anomaly found), as shown in the figure below:

Symantec Safe Web lookup result (no anomaly found), as shown in the figure below:

After execution, the following behaviour was observed:

[DLL injection]
C:\WINDOWS\system32\tmrcts.dll

[Added service]
NAME: 1
DISPLAY: 2
FILE: C:\WINDOWS\system32\svchost.exe -k 1

NAME: yhaixsdr
DISPLAY: yhaixsdr
FILE: \??\C:\WINDOWS\system32\drivers\tmrcts.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\r1[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\s[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\14[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\15[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\count[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\013[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\r2008[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\{48A8BEC2-367B-46DA-A677-1A6267874C9A}_電影[1].swf
C:\WINDOWS\system32\000595e3.inf
C:\WINDOWS\system32\drivers\tmrcts.sys
C:\WINDOWS\system32\tmrcts.dll
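As an added example (not part of the original post), the PowerShell check below looks for the indicators in the sandbox report above on a Windows host: the service names, file paths and the 013.exe MD5 from the VirusTotal result are taken from this post, while the registry keys are the standard Windows service and SvcHost locations (assumed relevant here) and PowerShell 4 or later is assumed for Get-FileHash.

```powershell
# Added example, not from the original post: check a Windows host for the
# indicators listed in the sandbox report. Names, paths and the MD5 come from
# the post; the registry keys are standard Windows locations (assumed relevant
# here); Get-FileHash needs PowerShell 4 or later.
$sysDir     = "$env:SystemRoot\System32"
$files      = @("$sysDir\tmrcts.dll", "$sysDir\drivers\tmrcts.sys", "$sysDir\000595e3.inf")
$services   = @('1', 'yhaixsdr')
$dropperMd5 = 'b56150844030acd7f17764295a23c77f'   # 013.exe, per the VirusTotal result
$hits = @()

# 1. Dropped files in System32
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "file present: $f" }
}

# 2. Added services. 'svchost.exe -k 1' only works if a svchost group named '1'
#    is registered under the SvcHost key; stock Windows has no such group.
foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -LiteralPath $key).ImagePath
        $hits += "service '$name' registered, ImagePath=$img"
        $dll = (Get-ItemProperty -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $hits += "service '$name' ServiceDll=$dll" }
    }
}
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$groups = (Get-ItemProperty -LiteralPath $svcHostKey -ErrorAction SilentlyContinue).PSObject.Properties.Name
if ($groups -contains '1') { $hits += "svchost group '1' registered under $svcHostKey" }

# 3. DLL injection: tmrcts.dll mapped into any running process
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    try { $mods = $p.Modules.ModuleName } catch { continue }   # access denied on some processes
    if ($mods -contains 'tmrcts.dll') { $hits += "tmrcts.dll loaded in $($p.ProcessName) (PID $($p.Id))" }
}

# 4. Cached downloader: any 013[n].exe under a user profile with the reported MD5
$cache = Get-ChildItem "$env:SystemDrive\Documents and Settings", "$env:SystemDrive\Users" `
    -Recurse -Force -Filter '013*.exe' -ErrorAction SilentlyContinue
foreach ($c in $cache) {
    $md5 = (Get-FileHash -LiteralPath $c.FullName -Algorithm MD5).Hash
    if ($md5 -eq $dropperMd5) { $hits += "dropper present: $($c.FullName)" }
}

if ($hits.Count -eq 0) { 'No indicators from this report found.' } else { $hits }
```

Run it from an elevated prompt so the service keys and other users' profile folders are readable; step 4 recurses whole profile directories and can take a while on large profiles.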

Below are the VirusTotal scan results (for reference only):

File 013.exe-1 received on 09.23.2008 06:23:07 (CET)

Result: 30/36 (83.34%)
Antivirus      Version      Last Update      Result
AhnLab-V3    2008.9.23.0    2008.09.22    Win-Trojan/PcClient.9728.AN
AntiVir    7.8.1.34    2008.09.22    BDS/Pcclient.brp
Authentium    5.1.0.4    2008.09.22    W32/PcClient.C.gen!Eldorado
Avast    4.8.1195.0    2008.09.22    Win32:Downloader-AZY
AVG    8.0.0.161    2008.09.22    BackDoor.PcClient.2.S
BitDefender    7.2    2008.09.23    Trojan.Crypt.DG
CAT-QuickHeal    9.50    2008.09.23    Backdoor.PcClient.cvg
ClamAV    0.93.1    2008.09.23    Trojan.PcClient-860
DrWeb    4.44.0.09170    2008.09.22    BackDoor.Update.19
eSafe    7.0.17.0    2008.09.22    -
eTrust-Vet    31.6.6099    2008.09.22    Win32/Pcclient.GA
Ewido    4.0    2008.09.22    Backdoor.PcClient.bhw
F-Prot    4.4.4.56    2008.09.22    W32/PcClient.C.gen!Eldorado
F-Secure    8.0.14332.0    2008.09.23    Backdoor.Win32.PcClient.cvg
Fortinet    3.113.0.0    2008.09.22    -
GData    19    2008.09.23    Trojan.Crypt.DG
Ikarus    T3.1.1.34.0    2008.09.23    Backdoor.Win32.PcClient.yw
K7AntiVirus    7.10.467    2008.09.22    Backdoor.Win32.PcClient.cvg
Kaspersky    7.0.0.125    2008.09.23    Backdoor.Win32.PcClient.cvg
McAfee    5389    2008.09.22    BackDoor-CKB
Microsoft    1.3903    2008.09.23    Backdoor:Win32/PcClient.DA
NOD32v2    3462    2008.09.23    a variant of Win32/PcClient
Norman    5.80.02    2008.09.19    PCClient.gen3
Panda    9.0.0.4    2008.09.22    -
PCTools    4.4.2.0    2008.09.22    Backdoor.PcClient.Gen.3
Prevx1    V2    2008.09.23    -
Rising    20.63.10.00    2008.09.23    Backdoor.Win32.Loader.a
Sophos    4.33.0    2008.09.23    -
Sunbelt    3.1.1662.1    2008.09.23    -
Symantec    10    2008.09.23    Backdoor.Formador
TheHacker    6.3.0.9.091    2008.09.23    Backdoor/PcClient.cvg
TrendMicro    8.700.0.1004    2008.09.23    BKDR_PCCLIEN.YE
VBA32    3.12.8.5    2008.09.23    Backdoor.Win32.PcClient.cvg
ViRobot    2008.9.23.1388    2008.09.23    Backdoor.Win32.PcClient.52948
VirusBuster    4.5.11.0    2008.09.22    Backdoor.PcClient.Gen.3
Webwasher-Gateway    6.6.2    2008.09.22    Trojan.Backdoor.Pcclient.brp

Additional information
File size: 56293 bytes
MD5...: b56150844030acd7f17764295a23c77f
SHA1..: 30ef0a02ae389299dc19e413b100ff6b307d2792
SHA256: 4bcc2775d565b1ece1228417583e427f8cb32ba77cac547cfb191b1f7312c5f3
SHA512: cd9d7e011261ab75facf20b532472b1ec9b270e4ad47f71d6b3207a72e5bef1e6698dd696cdf931a11568fbf903bc735ad19097eec9ab0ce28e07f83828e5246
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40277a
timedatestamp.....: 0x47219690 (Fri Oct 26 07:26:08 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x174a 0x1800 5.97 e23eac2cc8f36b1b70bd41a06d633daf
.rdata 0x3000 0x674 0x800 4.23 016fea0dc66381125bdc2abd0713d702
.data 0x4000 0x1158 0x200 1.67 06d28e95fe161735a010a803d8935420

( 6 imports )
> SHLWAPI.dll: StrChrA, StrStrA, StrToIntA
> USER32.dll: PostThreadMessageA, wsprintfA
> ADVAPI32.dll: DeleteService, OpenSCManagerA, OpenServiceA, CloseServiceHandle, QueryServiceStatus, ControlService
> ole32.dll: CoCreateGuid
> MSVCRT.dll: _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, __setusermatherr, _initterm, __getmainargs, exit, _XcptFilter, _exit, _EH_prolog, __CxxFrameHandler, time, srand, rand, memcpy, memset, __2@YAPAXI@Z, __3@YAXPAX@Z, _acmdln
> KERNEL32.dll: SetFilePointer, GetModuleFileNameA, DeleteFileA, GetModuleHandleA, GetStartupInfoA, ReadFile, CreateMutexA, GetLastError, GetFileAttributesExA, ReleaseMutex, lstrcpyA, lstrlenA, Sleep, LoadLibraryA, GetProcAddress, FreeLibrary, CreateFileA, WriteFile, GetSystemDirectoryA, lstrcatA, WaitForSingleObject, CloseHandle, GetFileTime, SetFileTime

( 0 exports )
