大砲開講

惡意連結是放置在 template_style_01.asp (可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

當執行此惡意程式之後，會產生應用程式錯誤的訊息：

執行之後，有下面的行為：

[Deleted process]
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\music[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\top[1].js
C:\WINDOWS\Help\69GH0BNS.dll
C:\WINDOWS\Help\69GH0BNS.exe

[Added COM/BHO]
{79921D3F-7537-463E-9E38-CD503A8FA485}-C:\WINDOWS\help\69GH0BNS.dll

到目前為止 (2007/4/30 @ 12:09)，下面的防毒軟體可以偵測到這些惡意檔案：

69GH0BNS.exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Sophos ], “Mal/EncPk-F”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
69GH0BNS.dll:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Sophos ], “Mal/EncPk-F”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
music.png:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Sophos ], “Mal/EncPk-F”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”

惡意連結是放置在首頁 (可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

執行之後，有下面的行為：

[Deleted process]
C:\WINDOWS\system32\wuauclt.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\play[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\top[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\play[1].png
C:\WINDOWS\Help\69GH0BNS.dll
C:\WINDOWS\Help\69GH0BNS.exe

[ Added COM/BHO ]
{79921D3F-7537-463E-9E38-CD503A8FA485}-C:\WINDOWS\help\69GH0BNS.dll

到目前為止 (2007/4/30 @ 11:43)，下面的防毒軟體可以偵測到這些惡意檔案：

69GH0BNS.exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Sophos ], “Mal/EncPk-F”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
69GH0BNS.dll:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Sophos ], “Mal/EncPk-F”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
play[1].png:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Sophos ], “Mal/EncPk-F”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”

惡意連結是放置在首頁 (可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

執行之後，有下面的行為：

[Deleted process]
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe (注入 svchost.exe 的執行程序)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].Exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\wm[1].htm
C:\WINDOWS\Debug\UserMode\3CA549D.dll
C:\WINDOWS\Debug\UserMode\3CA549D.exe

[Added COM/BHO]
{38E5B7AE-E624-4234-A47E-5CC167C550F9}-C:\WINDOWS\debug\userMode\3CA549D.dll

到目前為止 (2007/4/30 @ 11:43)，下面的防毒軟體可以偵測到這些惡意檔案：

3CA549D.dll:
[ Trend ], “Possible_Infostl”
3CA549D.exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ McAfee ], “New Malware.bx !!”
[ Sophos ], “Mal/EncPk-F”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
svchost.exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ McAfee ], “New Malware.bx !!”
[ Sophos ], “Mal/EncPk-F”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
wm[1].htm:
[ Ewido ], “Downloader.Agent.m”
1[1].Exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ McAfee ], “New Malware.bx !!”
[ Sophos ], “Mal/EncPk-F”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”

惡意連結是放置在首頁及很多頁面 (可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

當執行此惡意程式後，會產生一個應用程式錯誤，之後，網路就出問題：

執行之後，有下面的行為：

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\7888p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\9197p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\test[1].js
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/4/28 @ 23:35)，下面的防毒軟體可以偵測到這些惡意檔案：

avp.exe:
[ Sophos ], “Mal/Packer”
od2media.dll:
[ Sophos ], “Mal/EncPk-F”
update[1].exe:
[ Sophos ], “Mal/Packer”
7888p[1].jpg:
[ Sophos ], “Troj/Animoo-L”
9197p[1].jpg:
[ Sophos ], “Troj/Animoo-L”

惡意連結是放置在首頁及 d_day.asp (其他頁面可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

當執行此惡意程式後，會產生一個應用程式錯誤，之後，網路就出問題：

執行之後，有下面的行為：

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\7888p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\9197p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\test[1].js
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/4/28 @ 23:35)，下面的防毒軟體可以偵測到這些惡意檔案：

avp.exe:
[ Sophos ], “Mal/Packer”
od2media.dll:
[ Sophos ], “Mal/EncPk-F”
update[1].exe:
[ Sophos ], “Mal/Packer”
7888p[1].jpg:
[ Sophos ], “Troj/Animoo-L”
9197p[1].jpg:
[ Sophos ], “Troj/Animoo-L”

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

當執行此惡意程式後，會產生一個應用程式錯誤，之後，網路就出問題：

最扯的是利用八大電視台所提供的聯絡方式，竟然出現錯誤，那怎麼通知他們，該不會又要我花錢打電話給他們：

執行之後，有下面的行為：

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\7888p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\9197p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\test[1].js
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/4/28 @ 23:35)，下面的防毒軟體可以偵測到這些惡意檔案：

avp.exe:
[ Sophos ], “Mal/Packer”
od2media.dll:
[ Sophos ], “Mal/EncPk-F”
update[1].exe:
[ Sophos ], “Mal/Packer”
7888p[1].jpg:
[ Sophos ], “Troj/Animoo-L”
9197p[1].jpg:
[ Sophos ], “Troj/Animoo-L”

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\avp.exe

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\test[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\update[1].exe
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1014
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

ID: 1015
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/4/25 @ 03:02)，下面的防毒軟體可以偵測到這些惡意檔案：

avp.exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Beta_Gen ], “Possible_MLWR-1″
[ Microsoft ], “Virus:Win32/Detnat.F”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.kw”
[ McAfee ], “New Malware.w !!”
[ Sophos ], “Mal/Packer”
[ Nod32 ], “a variant of Win32/PSW.Maran trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSAnti.Gen”
[ Norman ], “Trojan W32/OnLineGames.EAT”
[ Ahnlab ], “infected by Win32/NSAnti.suspicious”
od2media.dll:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Beta_Gen ], “Possible_MLWR-1″
[ Microsoft ], “Virus:Win32/Detnat.F”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.kw”
[ Sophos ], “Mal/EncPk-F”
[ Nod32 ], “a variant of Win32/PSW.Maran trojan”
[ Fortinet ], “W32/OnLineGames.KW!tr.pws”
[ HBEDV ], “TR/Crypt.NSAnti.Gen”
[ Norman ], “Trojan Suspicious_N.gen”
[ Ewido ], “Trojan.OnLineGames.kw”
[ Ahnlab ], “infected by Win32/NSAnti.suspicious”
test[1].js:
[ HBEDV ], “JS/Dldr.Ani.A”
update[1].exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Beta_Gen ], “TROJ_NSANTI.CE”
[ Microsoft ], “Virus:Win32/Detnat.F”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.kw”
[ McAfee ], “New Malware.w !!”
[ Sophos ], “Mal/Packer”
[ Nod32 ], “a variant of Win32/PSW.Maran trojan”
[ Fortinet ], “W32/OnLineGames.KW!tr.pws”
[ HBEDV ], “TR/Crypt.NSAnti.Gen”
[ Norman ], “Trojan Suspicious_N.gen”
[ Ewido ], “Trojan.OnLineGames.kw”
[ Ahnlab ], “infected by Win32/NSAnti.suspicious”
update[1].htm:
[ Beta_Gen ], “HTML_AGENT.AACU”
[ Kaspersky ], “Exploit.HTML.Ascii.f”
[ McAfee ], “ObfuscatedHtml !!”
[ HBEDV ], “VBS/Dldr.Psyme.FZ”
[ Ikarus ], “Exploit.HTML.Ascii.f”

財團法人證券投資人及期貨交易人保護中心網站首頁：

惡意連結是放置在 left.asp (其他頁面可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

執行之後，有下面的行為：

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\20070418a.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\614[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\a2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\20070418a[1].exe

到目前為止 (2007/4/24 @ 23:17)，下面的防毒軟體可以偵測到這些惡意檔案：

20070418a.exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Beta_Gen ], “Possible_MLWR-1″
[ Symantec ], “Infostealer.Lineage”
[ McAfee ], “New Malware.bc !!”
[ Sophos ], “Mal/EncPk-F”
[ Nod32 ], “Win32/Pacex.Gen virus”
[ Fortinet ], “PossibleThreat”
[ HBEDV ], “TR/Crypt.XPACK.Gen”
[ Ewido ], “Trojan.Small”
xiong.gif:
[ Beta_Gen ], “EXPL_ANICMOO.GEN”
[ Symantec ], “Trojan.Exploit.131″
[ Microsoft ], “Exploit:Win32/Anicmoo.A”
[ Kaspersky ], “Exploit.Win32.IMG-ANI.ac”
[ McAfee ], “Exploit-ANIfile.c”
[ Sophos ], “Exp/Animoo-A”
[ Panda ], “Exploit/LoadImage”
[ Nod32 ], “a variant of Win32/TrojanDownloader.Ani.Gen trojan”
[ Fortinet ], “W32/ANI07.A!exploit”
[ HBEDV ], “EXP/Ani.Gen”
[ Rising ], “Hack.SuspiciousAni”
[ Ewido ], “Not-A-Virus.Exploit.Win32.IMGANI.ac”
614[1].htm:
[ HBEDV ], “VBS/Dldr.Agent.6171″

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\System32\alg32.exe
C:\WINDOWS\system32\upnpsvc.exe
C:\WINDOWS\thhshy.exe
C:\WINDOWS\system32\systemm.exe

[DLL injection]
C:\Documents and Settings\Administrator\Desktop\svchost.exe (注入 svchost.exe 執行程序)
C:\Documents and Settings\Administrator\Local Settings\Temp\upxdnd.dll (注入某些執行程序如檔案總管等)
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll (注入某些執行程序如檔案總管等)
C:\Program Files\Internet Explorer\LSASS.EXE (注入 lsass.exe 執行程序)
C:\WINDOWS\system32\cmdbcs.dll (注入某些執行程序如檔案總管等)
C:\WINDOWS\system32\mppds.dll (注入檔案總管執行程序)
C:\WINDOWS\system32\msccrt.dll (注入某些執行程序如檔案總管等)
C:\WINDOWS\system32\RAVWM419.dll (注入檔案總管執行程序)
C:\WINDOWS\system32\winform.dll (注入某些執行程序如檔案總管等)
C:\WINDOWS\system32\Winhttps.dll (注入 IE 執行程序)

[Added service]
NAME: Asynchronous UPnP Support Services
DISPLAY: Asynchronous UPnP Support Services
FILE: C:\WINDOWS\system32\upnpsvc.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

NAME: WinWMServiceNow
DISPLAY: WinWMServiceNow
FILE: C:\Documents and Settings\Administrator\Local Settings\Temp\RAVWM.EXE

[Added file]
C:\Documents and Settings\Administrator\Desktop\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\RAVWM.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\upxdnd.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\upxdnd.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\0614[2].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9772513[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9772513[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9772513[3].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9772513[4].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\97725[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma5[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma6[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma7[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma8[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\mm[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\mm[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\mm[3].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\ok[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\xjz2007[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\0614[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\888[4].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\9772513[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\comeoncool[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\downma1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\downma8[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\kg[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\stat[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\xjz2007[3].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\0614[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\click[4].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\xjz2007[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\06014[4].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\0614[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\8xz[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\9772513[1].htm
C:\Doc
uments and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma11[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma12[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma1[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma2[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma4[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma7[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma9[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\muxiao2[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\sa[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\top[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\vbb[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\xjz2007[1].bmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\xjz2007[1].htm
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll
C:\Program Files\Internet Explorer\10Sy.exe
C:\Program Files\Internet Explorer\LSASS.EXE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\Logo1_.exe
C:\WINDOWS\MirSet.ini
C:\WINDOWS\mppds.exe
C:\WINDOWS\msccrt.exe
C:\WINDOWS\RichDll.dll
C:\WINDOWS\system32\alg32.dat
C:\WINDOWS\system32\alg32.exe
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\msccrt.dll
C:\WINDOWS\system32\RAVWM419.dll
C:\WINDOWS\system32\systemm.exe
C:\WINDOWS\system32\thhshy.dll
C:\WINDOWS\system32\UPnPSvc.dll
C:\WINDOWS\system32\upnpsvc.exe
C:\WINDOWS\system32\winform.dll
C:\WINDOWS\system32\Winhttps.dat
C:\WINDOWS\system32\Winhttps.dll
C:\WINDOWS\thhshy.exe
C:\WINDOWS\uninstall\rundl132.exe
C:\WINDOWS\winform.exe
C:\WINDOWS\~tmp.tmp
C:\_desktop.ini

[Modified file]
感染所有 PE 執行檔

[Added LSP]
ID: 1012
NAME: MT-TcpFilter

ID: 1013
NAME: MSAFD Tcpip [TCP/IP]

到目前為止 (2007/4/23 @ 20:37)，下面的防毒軟體可以偵測到這些惡意檔案：

SysWFGQQ.dll:
[ Trend ], “Possible_Infostl”
winform.dll:
[ Trend ], “TSPY_ONLINEG.BCK”
winform.exe:
[ Trend ], “TSPY_LEGMIR.BCH”
xjz2007[1].htm:
[ Trend ], , “TROJ_DLOADER.JXD”
~tmp.tmp:
[ Trend ], “PE_LOOKED.XL-O”
8xz[1].exe:
[ Trend ], “TROJ_MIANCRYP.AI”
0614[1].js:
[ Trend ], “JS_PSYME.AMQ”
06014[4].htm:
[ Trend ], “EXPL_AGENT.AADR”
97725[1].exe:
[ Trend ], “PE_LOOKED.XL-O”
downma3[1].exe:
[ Trend ], “TSPY_ONLINEG.IA”
downma7[1].exe:
[ Trend ], “TROJ_DELF.GGR”
downma8[1].exe:
[ Trend ], “TROJ_MULTDROP.FU”
kg[1].exe:
[ Trend ], “WORM_DELF.GGU”
Logo1_.exe:
[ Trend ], “PE_LOOKED.XL-O”
LSASS.EXE:
[ Trend ], “TROJ_MULTDROP.FU”
mppds.exe:
[ Trend ], “TSPY_ONLINEG.IA”
RAVWM.EXE:
[ Trend ], “TROJ_DELF.GGR”
RichDll.dll:
[ Trend ], “TROJ_LOOKED.XL”
svchost.exe:
[ Trend ], “TROJ_MIANCRYP.AI”
systemm.exe:
[ Trend ], “HKTL_ARPSNIFFE.F”
SysWFGQQ2.dll:
[ Trend ], “Possible_Infostl”
thhshy.dll:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Symantec ], “Infostealer.Gampass”
[ McAfee ], “PWS-Zhengtu”
[ Sophos ], “Troj/PSW-Gen”
[ Nod32 ], “a variant of Win32/Agent.NHN trojan”
[ HBEDV ], “HEUR/Malware”
thhshy.exe:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.es”
[ Sophos ], “Mal/Behav-106″
[ Nod32 ], “probably unknown NewHeur_PE virus [7]“
[ Fortinet ], “W32/OnLineGames.ES!tr.pws”
[ HBEDV ], “HEUR/Malware”
[ Ewido ], “Trojan.OnLineGames.es”
UPnPSvc.dll:
[ McAfee ], “New DLL-b !!”
upnpsvc.exe:
[ Kaspersky ], “Trojan-PSW.Win32.Lmir.amj”
[ McAfee ], “[00004734.EXE]:New DLL-b !!”
[ HBEDV ], “HEUR/Crypted”
[ Ewido ], “Trojan.Lmir.amj”
upxdnd.dll:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Microsoft ], “PWS:Win32/Frethog.A!dll”
[ Nod32 ], “a variant of Win32/PSW.Agent.NDF trojan”
[ HBEDV ], “HEUR/Malware”
upxdnd.exe:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Microsoft ], “PWS:Win32/Frethog.A”
[ McAfee ], “PWS-LegMir.gen.b”
[ Nod32 ], “a variant of Win32/PSW.Agent.NDF trojan”
[ Fortinet ], “LegMir.B!tr.pws”
[ HBEDV ], “HEUR/Malware”
upxdnd.exe:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Microsoft ], “PWS:Win32/Frethog.A”
[ McAfee ], “PWS-LegMir.gen.b”
[ Nod32 ], “a variant of Win32/PSW.Agent.NDF trojan”
[ Fortinet ], “LegMir.B!tr.pws”
[ HBEDV ], “HEUR/Malware”
Winhttps.dat:
[ Symantec ], “Infostealer.Lemir”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.nw”
[ Sophos ], “Troj/LegMir-ATL”
[ Fortinet ], “W32/LSP”
[ HBEDV ], “TR/PSW.OnLineGames.NW.6″
[ Norman ], “Trojan W32/OnLineGames.DYR”
[ Ewido ], “Trojan.OnLineGames.nw”
Winhttps.dll:
[ Symantec ], “Infostealer.Lemir”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.nw”
[ Sophos ], “Troj/LegMir-ATL”
[ Fortinet ], “W32/LSP”
[ HBEDV ], “TR/PSW.OnLineGames.NW.6″
[ Norman ], “Trojan W32/OnLineGames.DYR”
[ Ewido ], “Trojan.OnLineGames.nw”
xjz2007[3].js:
[ Alpha_Gen ], “Heur_Infrm-2″
[ Symantec ], “Trojan Horse”
10Sy.exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Microsoft ], “VirTool:Win32/Obfuscator.B”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.os”
[ Sophos ], “Mal/EncPk-F”
[ Nod32 ], “Win32/Pacex.Gen virus”
[ Fortinet ], “W32/OnLineGames.OS!tr.pws”
[ HBEDV ], “TR/PSW.OnLineGames.OS”
[
Ewido ], “Trojan.OnLineGames.os”
alg32.dat:
[ Kaspersky ], “PAK:FSG, Trojan-PSW.Win32.OnLineGames.nw”
[ Sophos ], “Mal/Packer”
[ Alwil ], “Win32:Zlob-S [Trj]“
[ Fortinet ], “Misc/LSP”
[ HBEDV ], “TR/PSW.OnLineGames.NW.6″
[ Norman ], “Security Risk Suspicious_F.gen”
[ Ewido ], “Trojan.OnLineGames.nw”
alg32.exe:
[ Kaspersky ], “PAK:FSG, Trojan-PSW.Win32.OnLineGames.nw”
[ Sophos ], “Mal/Packer”
[ Alwil ], “Win32:Zlob-S [Trj]“
[ Fortinet ], “Misc/LSP”
[ HBEDV ], “TR/PSW.OnLineGames.NW.6″
[ Norman ], “Security Risk Suspicious_F.gen”
[ Ewido ], “Trojan.OnLineGames.nw”
cmdbcs.dll:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Symantec ], “Infostealer.Gampass”
[ Sophos ], “Troj/PSW-Gen”
[ Nod32 ], “a variant of Win32/PSW.Agent.NCC trojan”
[ HBEDV ], “HEUR/Malware”
cmdbcs.exe:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Microsoft ], “PWS:Win32/Lmir.gen”
[ Sophos ], “Mal/Behav-106″
[ Nod32 ], “a variant of Win32/PSW.Agent.NCC trojan”
[ HBEDV ], “HEUR/Malware”
downma1[1].exe:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Microsoft ], “PWS:Win32/Frethog.A”
[ McAfee ], “PWS-LegMir.gen.b”
[ Nod32 ], “a variant of Win32/PSW.Agent.NDF trojan”
[ Fortinet ], “LegMir.B!tr.pws”
[ HBEDV ], “HEUR/Malware”
downma2[1].exe:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Microsoft ], “PWS:Win32/Lmir.gen”
[ Sophos ], “Mal/Behav-106″
[ Nod32 ], “a variant of Win32/PSW.Agent.NCC trojan”
[ HBEDV ], “HEUR/Malware”
downma9[1].exe:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Microsoft ], “PWS:Win32/Lmir.gen”
[ McAfee ], “PWS-LegMir.gen.b”
[ Sophos ], “Mal/Behav-106″
[ Nod32 ], “a variant of Win32/PSW.Agent.NCC trojan”
[ HBEDV ], “HEUR/Malware”
downma10[1].exe:
[ Kaspersky ], “PAK:FSG, Trojan-PSW.Win32.OnLineGames.nw”
[ Sophos ], “Mal/Packer”
[ Alwil ], “Win32:Zlob-S [Trj]“
[ Fortinet ], “Misc/LSP”
[ HBEDV ], “TR/PSW.OnLineGames.NW.6″
[ Norman ], “Security Risk Suspicious_F.gen”
[ Ewido ], “Trojan.OnLineGames.nw”
downma11[1].exe:
[ Alpha_Gen ], “Possible_MLWR-5″
[ Microsoft ], “VirTool:Win32/Obfuscator.B”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.os”
[ Sophos ], “Mal/EncPk-F”
[ Nod32 ], “Win32/Pacex.Gen virus”
[ Fortinet ], “W32/OnLineGames.OS!tr.pws”
[ HBEDV ], “TR/PSW.OnLineGames.OS”
[ Ewido ], “Trojan.OnLineGames.os”
downma12[1].exe:
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ Sophos ], “Mal/Packer”
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
mppds.dll:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Symantec ], “Infostealer.Gampass”
[ Sophos ], “Troj/PSW-Gen”
[ HBEDV ], “HEUR/Malware”
msccrt.dll:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Symantec ], “Infostealer.Gampass”
[ Sophos ], “Troj/PSW-Gen”
[ HBEDV ], “HEUR/Malware”
msccrt.exe:
[ Alpha_Gen ], “Possible_OLGM-4″
[ Microsoft ], “PWS:Win32/Lmir.gen”
[ McAfee ], “PWS-LegMir.gen.b”
[ Sophos ], “Mal/Behav-106″
[ Nod32 ], “a variant of Win32/PSW.Agent.NCC trojan”
[ HBEDV ], “HEUR/Malware”
RAVWM419.dll:
[ Kaspersky ], “PAK:UPX”
[ Sophos ], “Mal/Behav-010″
[ HBEDV ], “TR/Delphi.Downloader.Gen”

惡意連結是放置在 price.asp (其他頁面可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

執行之後，有下面的行為：

[DLL injection]
C:\WINDOWS\Help\9DD896294763.dll (注入某些執行程序如檔案總管、IE 等)

[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\gmsex[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\self[1].htm
C:\Shell.exe
C:\WINDOWS\Help\9DD896294763.dll
C:\WINDOWS\Help\9DD896294763.exe

[Added COM/BHO ]
{847990B2-96D6-4BE7-B442-24145C9924A6}-C:\WINDOWS\Help\9DD896294763.dll

到目前為止 (2007/4/20 @ 14:36)，下面的防毒軟體可以偵測到這些惡意檔案：

self[1].htm:
[ Trend ], “HTML_DLOADER.ISC”
9DD896294763.dll:
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE”
[ Panda ], “Suspicious file”
[ Nod32 ], “a variant of Win32/PSW.Lineage.DN trojan”
[ HBEDV ], “HEUR/Malware”
9DD896294763.exe:
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Trojan W32/Malware.PTS”
gmsex[1].exe:
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Trojan W32/Malware.PTS”
Shell.exe:
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Trojan W32/Malware.PTS”

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\avp.exe

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\main[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\main[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\PM[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\dap[2].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\ED[1].exe
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\hsvwer3.dll
C:\WINDOWS\system32\spolsv.exe
C:\WINDOWS\~tmp6691.exe

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\hsvwer3.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\hsvwer3.dll)

到目前為止 (2007/4/18 @ 18:24)，下面的防毒軟體可以偵測到這些惡意檔案：

avp.exe:
[ Kaspersky ], “Trojan-PSW.Win32.Magania.pe”
[ Sophos ], “Troj/Maran-Gen”
[ Panda ], “Trj/Lineage.DEC”
[ Nod32 ], “Win32/PSW.Maran trojan”
[ Fortinet ], “W32/Magania.PE!tr.pws”
[ HBEDV ], “TR/Agent.47736.A”
[ Rising ], “Trojan.PSW.Ran.a”
[ Ewido ], “Trojan.Maran.ag”
ED[1].exe:
[ Microsoft ], “TrojanSpy:Win32/Maran.gen!A”
[ Kaspersky ], “Trojan-PSW.Win32.Maran.cx”
[ Sophos ], “[FILE:0001]:Troj/Maran-Gen, Troj/Maran-Gen”
[ Panda ], “Trj/Lineage.DEC”
[ Nod32 ], “a variant of Win32/PSW.Maran trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Agent.47736.A”
[ Rising ], “Trojan.PSW.OnlineGames.yh”
hsvwer3.dll:
[ Kaspersky ], “Trojan-PSW.Win32.Maran.cx”
[ Panda ], “Trj/Lineage.DEC”
[ Nod32 ], “a variant of Win32/PSW.Maran trojan”
[ HBEDV ], “TR/Drop.Maran.C.3″
main[1].htm:
[ McAfee ], “VBS/Psyme”
[ Sophos ], “Mal/Psyme-A”
PM[1].exe:
[ Kaspersky ], “Trojan-Downloader.Win32.Small.ene”
[ Sophos ], “Mal/Basine-C”
[ Panda ], “Trj/Lineage.DEC”
[ Nod32 ], “probably unknown NewHeur_PE virus [7]“
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Trojan W32/Downloader.YR”
spolsv.exe:
[ Kaspersky ], “Trojan-Downloader.Win32.Small.ene”
[ Sophos ], “Mal/Basine-C”
[ Panda ], “Trj/Lineage.DEC”
[ Nod32 ], “probably unknown NewHeur_PE virus [7]“
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Trojan W32/Downloader.YR”
~tmp6691.exe:
[ Kaspersky ], “Trojan-Downloader.Win32.Small.ene”
[ Sophos ], “Mal/Basine-C”
[ Panda ], “Trj/Lineage.DEC”
[ Nod32 ], “probably unknown NewHeur_PE virus [7]“
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Trojan W32/Downloader.YR”

惡意連結是放置在首頁 (其他頁面也有，可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

ANI 攻擊的部份為：

當執行此惡意程式後，會產生一個應用程式錯誤的訊息：

執行之後，有下面的行為：

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\qing.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9197p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\7888p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\test[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\update[1].exe

到目前為止 (2007/4/18 @ 03:30)，下面的防毒軟體可以偵測到這些惡意檔案：

qing.exe:
[ Trend ], “TROJ_NSANTI.CV”
[ Kaspersky, “Trojan-PSW.Win32.Maran.di”
[ McAfee ], “PWS-Lineage”
[ Sophos ], “Mal/Packer”
update[1].exe:
[ Trend ], “TROJ_NSANTI.CV”
[ Kaspersky, “Trojan-PSW.Win32.Maran.di”
[ McAfee ], “PWS-Lineage”
[ Sophos ], “Mal/Packer”
7888p[1].jpg:
[ Trend ], “TROJ_ANICMOO.AX”
[ Symantec ], “Trojan.Anicmoo”
[ Kaspersky ], “Exploit.Win32.IMG-ANI.k”
[ McAfee ], “Exploit-ANIfile.c”
[ Sophos ], “Troj/Animoo-L”
9197p[1].jpg:
[ Trend ], “TROJ_ANICMOO.AX”
[ Symantec ], “Trojan.Anicmoo”
[ Kaspersky ], “Exploit.Win32.IMG-ANI.k”
[ McAfee ], “Exploit-ANIfile.c”
[ Sophos ], “Troj/Animoo-L”
update[1].htm:
[ Kaspersky ], “Exploit.HTML.Ascii.f”

惡意連結是放置在 main.asp 和 left.asp (也許還有其他的頁面，他們可能要仔細檢查一下囉) 中的：

惡意程式碼的一部份為：

ANI 攻擊的部份為：

當執行此惡意程式後，會產生一個應用程式錯誤的訊息：

執行之後，有下面的行為：

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\qing.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9197p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\7888p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\test[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\update[1].exe

到目前為止 (2007/4/18 @ 00:14)，下面的防毒軟體可以偵測到這些惡意檔案：

qing.exe:
[ Trend ], “TROJ_NSANTI.CV”
[ Kaspersky, “Trojan-PSW.Win32.Maran.di”
[ McAfee ], “PWS-Lineage”
[ Sophos ], “Mal/Packer”
update[1].exe:
[ Trend ], “TROJ_NSANTI.CV”
[ Kaspersky, “Trojan-PSW.Win32.Maran.di”
[ McAfee ], “PWS-Lineage”
[ Sophos ], “Mal/Packer”
7888p[1].jpg:
[ Trend ], “TROJ_ANICMOO.AX”
[ Symantec ], “Trojan.Anicmoo”
[ Kaspersky ], “Exploit.Win32.IMG-ANI.k”
[ McAfee ], “Exploit-ANIfile.c”
[ Sophos ], “Troj/Animoo-L”
9197p[1].jpg:
[ Trend ], “TROJ_ANICMOO.AX”
[ Symantec ], “Trojan.Anicmoo”
[ Kaspersky ], “Exploit.Win32.IMG-ANI.k”
[ McAfee ], “Exploit-ANIfile.c”
[ Sophos ], “Troj/Animoo-L”
update[1].htm:
[ Kaspersky ], “Exploit.HTML.Ascii.f”