Instant Messaging

MSN virus (Photos1-2008.zip) wishes you a Happy New Year

4 January 2008 – 15:31:00

A new wave of the MSN virus is spreading again. Your MSN contacts may soon send you a file named Photos1-2008.zip, PrivatePhoto2008.zip or Dc6.zip; the archive contains a file named photo151.JPEG_www.HappyNewYear.com or Image78145-2008.jpg_www.MsnMessenger.scr. Do not run that file under any circumstances; if you do, the consequences are your own.
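The names above all rely on one Windows rule: only the text after the last dot is the extension, and .com, .scr and .pif are executable types, so photo151.JPEG_www.HappyNewYear.com is a .com program dressed up as a picture plus a web address, and img2007-12.JPEG.scr (the December post) and IMG34814.pif (the July post) are executables too. With Explorer's default "hide extensions for known file types" the last part is hidden, which is what the decoy is for. As an added example, not code from the original post, the Python below classifies such names and applies the check to every member of a zip before it is extracted. The extension lists are my own choice, and the zip it inspects is constructed in memory.

```python
import io
import zipfile

# Extensions Windows runs as code (PE images, scripts, shortcuts). Assumed list, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".wsf", ".hta", ".cpl", ".lnk",
}
# Extensions the victim is meant to notice; ordered so the reported decoy is deterministic.
IMAGE_EXTENSIONS = (".jpeg", ".jpg", ".gif", ".png", ".bmp")


def classify_name(name: str):
    """Return (is_executable, reason) for a file name received over IM.

    Only the text after the LAST dot counts as the extension; everything before it,
    including a second ".JPEG" or a "www.something" fragment, is decoration.
    """
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    lowered = base.lower()
    if "." not in lowered:
        return False, "no extension"
    stem, ext = lowered.rsplit(".", 1)
    ext = "." + ext
    if ext not in EXECUTABLE_EXTENSIONS:
        return False, f"non-executable extension {ext}"
    # An image extension buried earlier in the name is the classic double-extension decoy.
    for decoy in IMAGE_EXTENSIONS:
        if decoy in stem:
            return True, f"executable {ext} disguised with {decoy} decoy extension"
    # "www." in the stem makes the real extension read like a domain (photo.JPEG_www.x.com).
    if "www." in stem:
        return True, f"executable {ext} disguised as a URL"
    return True, f"executable {ext}"


def scan_zip(data: bytes):
    """Classify every member of a zip attachment; returns [(member, reason)] for executables."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            is_exe, reason = classify_name(info.filename)
            if is_exe:
                hits.append((info.filename, reason))
    return hits


def build_sample_zip(members):
    """Constructed test data: a zip with the given member names and dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"MZ dummy payload")
    return buf.getvalue()


if __name__ == "__main__":
    # Names taken from the posts on this page.
    for n in ("photo151.JPEG_www.HappyNewYear.com",
              "Image78145-2008.jpg_www.MsnMessenger.scr",
              "img2007-12.JPEG.scr", "IMG34814.pif", "holiday.jpg"):
        print(n, "->", classify_name(n))
    sample = build_sample_zip(["photo151.JPEG_www.HappyNewYear.com", "readme.txt"])
    print(scan_zip(sample))
```

The check is purely name-based, so it is a triage filter for an IM file-transfer gateway or a mail scanner, not a substitute for inspecting the bytes; a file named picture.jpg can still be a PE if the recipient later renames it.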

After execution, the following behaviour is observed:

Behaviour pattern 1:
[Added process]
C:\WINDOWS\happy2008.exe
C:\WINDOWS\svchost.exe

[DLL injection]
C:\WINDOWS\svchost.exe

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\setup.exe
C:\WINDOWS\happy2008.exe
C:\WINDOWS\Photos1-2008.zip
C:\WINDOWS\PrivatePhoto2008.zip
C:\WINDOWS\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Windows svchost
Data=svchost.exe

Behaviour pattern 2:
[Added process]
C:\WINDOWS\svchost.exe

[DLL injection]
C:\WINDOWS\svchost.exe

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\WINDOWS\PrivatePhoto2008.zip
C:\WINDOWS\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Windows svchost
Data=svchost.exe

As of now (2008/1/4 @ 15:03), the following antivirus products detect these malicious files (for reference only):

Dc6.zip/photo151.JPEG_www.HappyNewYear.com:
[ Trend ], "WORM_IRCBOT.EL"
happy2008.exe:
[ Trend ], "WORM_IRCBOT.EL"
Photos1-2008.zip/photo151.JPEG_www.HappyNewYear.com:
[ Trend ], "WORM_IRCBOT.EL"
PrivatePhoto2008.zip/Image78145-2008.jpg_www.MsnMessenger.scr:
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ WebWasher ], "BlockReason.46 (suspicious)"
setup.exe:
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ WebWasher ], "BlockReason.46 (suspicious)"
svchost.exe:
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ WebWasher ], "BlockReason.46 (suspicious)"

Christmas MSN virus

26 December 2007 – 13:14:00

Yesterday I received a sample sent from a friend's MSN account, named "christmas-2007.zip"; the archive contains a file named "img2007-12.JPEG.scr". Analysis shows it is malicious, so please be careful.

After execution, the following behaviour is observed:

[Added process]
C:\WINDOWS\servidevice.exe

[Added file]
C:\WINDOWS\Chirstmas-2007.zip
C:\WINDOWS\servidevice.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ryan1918
Data=servidevice.exe

As of now (2007/12/25 @ 13:58), the following antivirus products detect these malicious files (for reference only):

Chirstmas-2007.zip/img2007-12.JPEG.scr:
[ Nod32 ], "Win32/IRCBot.ABP trojan"
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ Ikarus ], "Trojan-Downloader.Win32.Banload.ams"
[ Authentium ], "W32/Document-disguised-based!Maximus"
[ WebWasher ], "BlockReason.46 (suspicious)"
servidevice.exe:
[ Nod32 ], "Win32/IRCBot.ABP trojan"
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ Ikarus ], "Trojan-Downloader.Win32.Banload.ams"
[ Authentium ], "W32/Document-disguised-based!Maximus"
[ WebWasher ], "BlockReason.46 (suspicious)"

Another instant-messaging virus

15 August 2007 – 15:36:00

A few days ago a friend sent me a file over MSN; it is the instant-messaging virus that has been in the news recently, so my friend's computer is definitely infected. If you have been hit as well, use the following as a reference.

After execution, the following behaviour is observed:

[Added process]
C:\WINDOWS\svchost.exe

[Deleted process]
C:\WINDOWS\system32\wscntfy.exe

[DLL injection]
C:\WINDOWS\svchost.exe

[Modified service]
NAME: wscsvc
DISPLAY: Security Center
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\svchost.exe -k netsvcs

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc7\img807.exe
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc8.zip
C:\WINDOWS\img1756.zip
C:\WINDOWS\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Microsoft Genuine Logon
Data=svchost.exe

As of now, the following antivirus products detect these malicious files (for reference only): scan not yet complete; an update will follow.

Beware of the Messenger virus

26 July 2007 – 16:58:00

Just now a friend sent me a Windows Live Messenger message reading "Send file images.zip". Naturally I did not simply run the file; it looked like malware. Please be careful. If you do get hit, the post-execution behaviour listed below tells you what to remove to clean the malware out.

After execution, the following behaviour is observed:

[Added process]
C:\WINDOWS\winlog32.exe

[Deleted process]
C:\WINDOWS\system32\wscntfy.exe

[Modified service]
NAME: wscsvc
DISPLAY: Security Center
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\svchost.exe -k netsvcs

[Added file]
C:\WINDOWS\images.zip (MD5 of images.zip: 1f3809384c5ec47892b2a61de4f587c3; images.zip contains the file IMG34814.pif, MD5 fc5415dc9054ee0934e3ff3e587de444)
C:\WINDOWS\winlog32.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MSN
Data=winlog32.exe

As of now (2007/7/26 @ 16:55), the following antivirus products detect these malicious files (for reference only):

winlog32.exe:
[ Microsoft ], "Backdoor:Win32/Sdbot.gen!A"
[ Kaspersky ], "IM-Worm.Win32.Agent.f"
[ HBEDV ], "HEUR/Malware"
[ Ewido ], "Backdoor.Bifrose.agk"
images.zip/IMG34814.pif:
[ Microsoft ], "Backdoor:Win32/Sdbot.gen!A"
[ Kaspersky ], "IM-Worm.Win32.Agent.f"
[ HBEDV ], "HEUR/Malware"
[ Ewido ], "Backdoor.Bifrose.agk"

Note: if a friend sends you a link or a file over Messenger, simply confirm with your friend that they really sent that message before opening it; that alone avoids most infections.

Instant-messaging malware 4

21 February 2007 – 13:48:00

Yesterday on the 微風 forum I saw a post by user 亞勾鏈 about a suspected instant-messaging malware, shown in the screenshot below:

messenger_virus_post_20070221.png

Yes, this is a malware link. So, the same old advice: do not run links of unknown origin.

The malicious link is:

messenger_virus_url_20070221.png

After conversion, the real URL is:

messenger_virus_url_translated_200702211.png

Part of the malicious code:

messenger_virus_code_20070221.png

After execution, the following behaviour is observed:

[Added process]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.Exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.Exe (injects into the svchost.exe process)
C:\WINDOWS\Debug\UserMode\ACC27FC0.dll (injected into several processes, such as Explorer)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.Exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\tpp[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\syn[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\top[1].exe
C:\WINDOWS\Debug\UserMode\ACC27FC0.dll
C:\WINDOWS\Debug\UserMode\ACC27FC0.exe
C:\WINDOWS\system32\a.exe

[Added COM/BHO]
{04E1F9F4-5B00-410B-882D-6E2EF34A7EF3}-C:\WINDOWS\debug\userMode\ACC27FC0.dll

As of now, the following antivirus products detect these malicious files:

ACC27FC0.dll:
[ Kaspersky ], "PAK:NSPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "probably a variant of Win32/PSW.Lineage.DN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Ikarus ], "Backdoor.Win32.PcClient.GV"
ACC27FC0.exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
svchost.Exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
syn[1].htm:
[ Panda ], "Exploit/IESlice.A"
[ HBEDV ], "HTML/Dldr.Agen.AJ.8"
[ Ewido ], "Downloader.Agent.m"
[ Grisoft ], "Virus identified VBS/Psyme.N"
top[1].exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
tpp[1].exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
a.exe:
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Lineage.VX"
[ Norman ], "Virus W32/Viking.EQ"
index.html:
[ HBEDV ], "HTML/Dldr.Agen.AJ.8"
[ Ewido ], "Downloader.Agent.m"
[ Grisoft ], "Virus identified VBS/Psyme.N"

Instant-messaging malware 3

14 February 2007 – 21:25:00

Today on the 台灣論壇 forum I saw another user (傻气≠朱哥) post a suspected instant-messaging malware; you can read their conversation in the screenshot below. Same old advice: do not run links of unknown origin.

messenger_virus4_post_20070214.png

The malicious link is:

messenger_virus4_url_20070214.png

Part of the malicious code:

messenger_virus4_code_20070214.png

After execution, the following behaviour is observed:

[Added process]
C:\Program Files\Internet Explorer\SVCHOST.EXE
C:\Program Files\Internet Explorer\SMSS.EXE
C:\Program Files\Internet Explorer\SERVICES.EXE
C:\Program Files\Internet Explorer\9Sy.exe
C:\Program Files\Internet Explorer\WINLOGON.EXE
C:\Program Files\Internet Explorer\LSASS.EXE

[DLL injection]
C:\Program Files\Internet Explorer\SVCHOST.EXE (injects into the svchost.exe process)
C:\Program Files\Internet Explorer\WINLOGON.EXE (injects into the winlogon.exe process)
C:\Program Files\Windows Media Player\svchost.exe (injects into the svchost.exe process)
C:\WINDOWS\system32\dllf.dll (injected into several processes, such as Explorer)
C:\WINDOWS\system32\dllran.dll (injected into several processes, such as Explorer)
C:\WINDOWS\system32\msndll.dll (injected into several processes, such as Explorer)
C:\WINDOWS\system32\PDLL.dll (injected into several processes, such as Explorer)
C:\WINDOWS\system32\qmdll.dll (injected into several processes, such as Explorer)
C:\WINDOWS\system32\xgdll.dll (injected into several processes, such as Explorer)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\$$a1C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Ding.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\run[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\tt1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\z4[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\qm[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\fg[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\xg[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\mf[1].exe
C:\Program Files\Internet Explorer\9Sy.exe
C:\Program Files\Internet Explorer\LSASS.EXE
C:\Program Files\Internet Explorer\SERVICES.EXE
C:\Program Files\Internet Explorer\SMSS.EXE
C:\Program Files\Internet Explorer\SVCHOST.EXE
C:\Program Files\Internet Explorer\WINLOGON.EXE
C:\Program Files\Microsoft\svhost32.exe
C:\Program Files\svhost32.exe
C:\Program Files\Windows Media Player\svchost.exe
C:\WINDOWS\$hf_mig$\svhost32.exe
C:\WINDOWS\Config\svhost32.exe
C:\WINDOWS\Help\rundll32.exe
C:\WINDOWS\Logo1_.exe
C:\WINDOWS\RichDll.dll
C:\WINDOWS\system32\dllf.dll
C:\WINDOWS\system32\dllran.dll
C:\WINDOWS\system32\msndll.dll
C:\WINDOWS\system32\PDLL.dll
C:\WINDOWS\system32\qmdll.dll
C:\WINDOWS\system32\xgdll.dll
C:\WINDOWS\uninstall\rundl132.exe
C:\_desktop.ini

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=load
Data=C:\WINDOWS\uninstall\rundl132.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=qm
Data=C:\Program Files\Microsoft\svhost32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=fzg
Data=C:\WINDOWS\Config\svhost32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=xg
Data=C:\Program Files\svhost32.exe

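Every behaviour listing on this page, from the 4 January 2008 post down to the one above, repeats the same few tricks: a genuine system binary name (svchost.exe, lsass.exe, smss.exe, services.exe, winlogon.exe, rundll32.exe) dropped somewhere other than System32; a look-alike name such as svhost32.exe or rundl132.exe (a digit 1 where an l belongs); payloads parked in the RECYCLER bin of a SID or in a Temp directory; a Run value whose Data is a bare file name; and the Security Center service (wscsvc) stopped. The bare name is not laziness: on XP the Run entries are started by explorer.exe, which lives in C:\WINDOWS, and CreateProcess searches the launching application's own directory before System32, so Data=svchost.exe starts the dropped C:\WINDOWS\svchost.exe rather than the real one. As an added example, not code from these posts, the Python below parses the [Section] report format used on this page and flags each of those patterns. The sample report is constructed from lines on this page; the C:\WINDOWS\system32\svchost.exe line is a control that must not be flagged, and the thresholds and name lists are my own.

```python
import re

SYSTEM32 = r"c:\windows\system32"
# Binaries that legitimately run only from System32 on the XP layout shown on this page.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "smss.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "rundll32.exe"}
TRANSIENT_DIRS = ("\\recycler\\", "\\temp\\", "\\temporary internet files\\")


def parse_report(text):
    """Split a '[Section]' report into {section (lower-case): [lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def _levenshtein(a, b):
    """Plain edit distance; small enough here that a DP row per character is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def path_indicators(path):
    """Reasons a process/file path looks malicious; empty list means nothing notable."""
    p = path.lower()
    name = p.replace("/", "\\").rsplit("\\", 1)[-1]
    directory = p[: len(p) - len(name)].rstrip("\\")
    reasons = []
    if name in SYSTEM_BINARIES and directory != SYSTEM32:
        reasons.append(f"system binary name {name} outside System32: {path}")
    elif name not in SYSTEM_BINARIES:
        # Digits are stripped so svhost32.exe compares against svchost.exe, rundl132 against rundll32.
        stripped = re.sub(r"\d", "", name)
        for real in sorted(SYSTEM_BINARIES):
            if _levenshtein(stripped, re.sub(r"\d", "", real)) <= 2:
                reasons.append(f"lookalike of {real}: {path}")
                break
    if any(d in p for d in TRANSIENT_DIRS):
        reasons.append(f"dropped file in a transient directory: {path}")
    return reasons


def _run_reason(value, data):
    if "\\" not in data:
        return (f"Run value '{value}' starts bare name '{data}': resolved from explorer.exe's "
                f"own directory (C:\\WINDOWS) before System32")
    return f"Run value '{value}' starts {data}"


def run_key_indicators(lines):
    """Handle both 'Value=x' / 'Data=y' on separate lines and 'Value=x,Data=y' on one line."""
    reasons, value = [], None
    for line in lines:
        if line.startswith("Value=") and ",Data=" in line:
            v, d = line.split(",Data=", 1)
            reasons.append(_run_reason(v[len("Value="):], d))
        elif line.startswith("Value="):
            value = line[len("Value="):]
        elif line.startswith("Data=") and value is not None:
            reasons.append(_run_reason(value, line[len("Data="):]))
            value = None
    return reasons


def service_indicators(lines):
    """Flag any service the report shows as stopped (wscsvc, Security Center, on this page)."""
    reasons, name = [], None
    for line in lines:
        if line.startswith("NAME:"):
            name = line.split(":", 1)[1].split()[0]
        elif line.startswith("STATUS:") and "SERVICE_STOPPED" in line and name:
            reasons.append(f"service {name} stopped")
    return reasons


def analyze(text):
    rep = parse_report(text)
    findings = []
    for section in ("added process", "added file", "dll injection"):
        for entry in rep.get(section, []):
            findings.extend(path_indicators(entry.split(" (")[0]))  # drop trailing comments
    findings.extend(run_key_indicators(rep.get("added registry", [])))
    findings.extend(service_indicators(rep.get("modified service", [])))
    return findings


# Constructed from lines on this page; the system32 svchost line is a clean control.
SAMPLE_REPORT = r"""
[Added process]
C:\WINDOWS\svchost.exe
C:\Program Files\Internet Explorer\LSASS.EXE

[Modified service]
NAME: wscsvc
DISPLAY: Security Center
STATUS: SERVICE_STOPPED

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\WINDOWS\uninstall\rundl132.exe
C:\WINDOWS\system32\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Windows svchost
Data=svchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=load,Data=C:\WINDOWS\uninstall\rundl132.exe
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_REPORT):
        print(finding)
```

Paste any of the listings on this page into SAMPLE_REPORT and the same rules fire; the threshold of two edits is loose on purpose, so treat a look-alike hit as a prompt to check the file, not as a verdict.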
As of now, the following antivirus products detect these malicious files:

svhost32.exe:
[ Trend ], "PE_LOOKED.SI"
svhost32.exe:
[ Trend ], "PE_LOOKED.SI"
tt1[1].exe:
[ Trend ], "TSPY_LINEAGE.EKJ"
xg[1].exe:
[ Trend ], "TSPY_LINEAGE.DNH"
xgdll.dll:
[ Trend ], "TSPY_LINEAGE.ELM"
z4[1].exe:
[ Trend ], "PE_LOOKED.SI-O"
Ding.com:
[ Trend ], "PE_LOOKED.SI-O"
Logo1_.exe:
[ Trend ], "PE_LOOKED.SI-O"
msndll.dll:
[ Trend ], "TSPY_LINEAGE.EHS"
rundl132.exe:
[ Trend ], "PE_LOOKED.SI-O"
SMSS.exe:
[ Trend ], "TSPY_LINEAGE.EKJ"
svchost.exe:
[ Trend ], "TSPY_LINEAGE.EKJ"
svhost32.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
WINLOGON.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
9Sy.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
dllf.dll:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ McAfee ], "New Malware.w !!"
[ Nod32 ], "Win32/PSW.Lineage.NDI trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
dllran.dll:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
fg[1].exe:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Nod32 ], "Win32/PSW.Lineage.NDI trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
[ Grisoft ], "Trojan horse Generic3.VZ"
LSASS.exe:
[ Kaspersky ], "PAK:PE_Patch"
[ McAfee ], "New Malware.w !!"
[ Panda ], "Trj/Lineage.CFA"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Grisoft ], "Trojan horse PSW.Generic3.DQP"
mf[1].exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
PDLL.dll:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ McAfee ], "PWS-Gamania.dll"
[ Nod32 ], "Win32/PSW.Lineage.DN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
qm[1].exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
qmdll.dll:
[ Alpha_Gen ], "Possible_Infostl"
[ Beta_Gen ], "Possible_Infostl"
[ McAfee ], "PWS-Lineage.dll"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
RichDll.dll:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Kaspersky ], "Worm.Win32.Viking.gb"
[ McAfee ], "New Malware.w !!"
[ Panda ], "W32/Viking.GZ.drp"
[ Nod32 ], "Win32/Viking.CN virus"
[ Fortinet ], "W32/Viking.GB"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
[ Grisoft ], "Virus identified Worm/Delf.ARI"
run[1].exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
rundll32.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
SERVICES.exe:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Nod32 ], "Win32/PSW.Lineage.NDI trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
[ Grisoft ], "Trojan horse Generic3.VZ"
SVCHOST.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
svhost32.exe:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Nod32 ], "Win32/PSW.Lineage.NDI trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
[ Grisoft ], "Trojan horse Generic3.VZ"

Instant-messaging malware 2

14 February 2007 – 09:43:00

Yesterday on the 台灣論壇 forum I saw a user (熾熱狂風) post a suspected instant-messaging malware. The accompanying message is quite enticing (shown below), and an ordinary user could easily be tempted to run it.

twbbs_post_about_messenger_virus_20070215.png

Why does the address in the screenshot look so odd? Is it a typo? No: it is another way of writing a URL. After conversion, the address is:

twbbs_messenger_virus_url_20070214.png
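The "odd-looking" address above, and the one the 21 February post says it converted to a real URL, survive only as screenshots, so which notation those posts used cannot be recovered from this page. The forms that looked like nonsense to a 2007 user but that IE's address parser (Windows inet_addr) accepted were a single 32-bit decimal, hexadecimal or octal number in place of the host, a short dotted form whose last component fills the remaining bytes, and a decoy user name in front of an @ sign. As an added example, not code from the original posts, the Python below rewrites such URLs into the dotted-quad form a person can actually read; the test URLs are constructed and the addresses they decode to are private-range values chosen for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def decode_host(host):
    """Return the dotted-quad form of an inet_addr-style numeric host, or None for a normal name.

    Accepts 1 to 4 dot-separated components, each decimal, 0x-hex or 0-prefixed octal;
    the last component fills all the bytes not covered by the earlier ones.
    """
    parts = host.split(".")
    if not all(parts) or len(parts) > 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]+", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[0-9]+", part):
            values.append(int(part, 10))
        else:
            return None            # a letter means a DNS name, not a number
    *head, last = values
    width = 4 - len(head)          # bytes the last component must fit into
    if any(v > 255 for v in head) or last >= 256 ** width:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * width)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_url(url):
    """Rewrite a numeric-host URL into dotted-quad form and drop any decoy user@ prefix."""
    parts = urlsplit(url)
    host = parts.hostname            # lower-cased, with user:pass@ and :port already split off
    if host is None:
        return url
    decoded = decode_host(host)
    if decoded is None:
        return url
    netloc = decoded + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed examples, all pointing at the same private address.
    for u in ("http://3232235777/game.com",
              "http://0xC0A80101/game.com",
              "http://0300.0250.0.1/game.com",
              "http://www.msn.com@3232235777/game.com",
              "http://www.example.com/game.com"):
        print(u, "->", normalize_url(u))
```

Python's urlsplit does not interpret the numeric forms itself, which is exactly why decode_host exists; a proxy or IM gateway that blocks by host name must normalize first, or a dword address walks straight past a list of dotted quads.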

Part of the malicious code:

twbbs_messenger_virus_code_20070214.png

After execution, the following behaviour is observed (on my test machine it also raised several application errors; the malware is simply badly written):

[Added process]
C:\WINDOWS\system32\a.exe

[DLL injection]
C:\WINDOWS\java\classes\66A75.dll (injected into several processes, such as Explorer)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.Exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\tpp[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\top[1].exe
C:\WINDOWS\java\classes\66A75.dll
C:\WINDOWS\java\classes\66A75.exe
C:\WINDOWS\system32\a.exe

[Added COM/BHO]
{C8D81FE1-EF3D-4755-BA05-0BE477385679}-C:\WINDOWS\java\classes\66A75.dll

As of now, the following antivirus products detect these malicious files:

66A75.exe:
[ Trend ], "TSPY_LINEAGE.EOP"
a.exe:
[ Trend ], "TSPY_LINEAGE.EOP"
svchost.Exe:
[ Trend ], "TSPY_LINEAGE.EOP"
top[1].exe:
[ Trend ], "TSPY_LINEAGE.EOP"
tpp[1].exe:
[ Trend ], "TSPY_LINEAGE.EOP"
66A75.dll:
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX, PAK:PE_Patch.MaskPE"
[ Panda ], "Trj/QQPass.SR"
[ Nod32 ], "a variant of Win32/PSW.Lineage.DN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Grisoft ], "Trojan horse PSW.Generic3.DNA"

There have been a lot of instant-messaging viruses lately. I advise everyone not to run links of unknown origin; even something sent by a friend should be confirmed first. Bear in mind, though, that an attacker may already have obtained your friend's messenger account and password, so stay alert.

Instant-messaging malware 1

8 February 2007 – 23:35:00

A little after six this evening, on the PCZone forum, I saw someone (user n629) post an article about an MSN Messenger virus. The post contains a malicious link; please do not run it. This malware steals accounts and passwords, may also steal credit-card numbers, and monitors network activity.

The post is shown in the screenshot below:

msn_virus_from_pczone_post.png

The post contains the following malicious link:

msn_virus_url.png

One look is enough to tell it is a virus; I wonder whether anyone would actually run it.

In my test environment, the following behaviour was observed after execution:

[Added process]
C:\WINDOWS\avp.exe

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (this is a legitimate service)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\game[1].com
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\hs4viewer.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP]

ID: 1013
NAME: MSAFD Tcpip [TCP/IP]

As of now, the following antivirus products detect these malicious files:

avp.exe:
[ Trend ], "TROJ_MARAN.CZ"
game[1].com:
[ Kaspersky ], "ARC:RarSFX, ARC:[data.rar]:RAR, [data.rar/server.exe]:Trojan-Downloader.Win32.Murlo.ez"
[ McAfee ], "[SERVER.EXE]:New Malware.n !!"
[ Sophos ], "[SfxArchiveData\server.exe]:Troj/Maran-Gen"
[ Nod32 ], "[RAR server.exe]:probably a variant of Win32/PSW.Maran trojan"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Suspicious_U.gen"
[ Rising ], "[>>server.exe>>uPack0.34]:Trojan.PSW.JHOnline.ewe"
hs4viewer.dll:
[ Alwil ], "Win32:Maran-D [Trj]"
[ HBEDV ], "TR/Drop.Maran.C.3"