The OKWAP (英華達) website has once again had a malicious link injected into it. The malware is ADWARE_RUGO plus a QQPass variant; I will update this post as more information comes in. Anyone who has browsed this site recently should check their computer as soon as possible, and please stay away from the site for now to avoid infection. Once they have confirmed the fix I will post an update here (this malware most likely steals account names and passwords). If you are interested, test it inside VMware, report back on whether the site has been fixed, and help notify them. Thanks.
The malicious link was placed in event_hot.asp (the file may need a careful inspection or a clean reinstall):

Once executed, it behaves as follows (it drops a lot of things; the situation is pretty bad):
[Added process]
C:\WINDOWS\IMEINPUTS.EXE
C:\WINDOWS\system32\SVCH0ST.EXE
C:\WINDOWS\system32\f91b.exe
[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\SVCH0ST.exe
C:\Program Files\Internet Explorer\Connection Wizard\isignup.sys
C:\WINDOWS\preupd.dll
C:\WINDOWS\system32\5E9F0D5.DLL
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\msccrt.dll
C:\WINDOWS\system32\nwizAsktao.dll
C:\WINDOWS\system32\nwizqjsj.dll
C:\WINDOWS\system32\SVCH0ST.EXE
C:\WINDOWS\system32\upxdnd.dll
[Added service]
NAME: 2FED61CD
DISPLAY: 2FED61CD
FILE: C:\WINDOWS\system32\AE9C6AE4.EXE -d
NAME: fast
DISPLAY: Fast Client
FILE: C:\WINDOWS\system32\f91b.exe
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\009.mdb
C:\Documents and Settings\Administrator\Local Settings\Temp\bofang.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\GTIAPI.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\hbcmd.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IECONFIG.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\lfrmewrk.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mhso.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mhso0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\RGInstall.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\SPy.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\SVCH0ST.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\zhu3.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ldasd[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\pop[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\SC0NFIG1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\SPy[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\007[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\658359[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\bind_50423[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\IECOFIG[1].EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\s[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\wanmeishijie[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\yun[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\596139[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\boolan64[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\IECONFIG[1].EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\SPSJ[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\SVCH0ST[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cj[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\IEXPL0R[1].EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\MCONFIG[1].EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\TIMPLATF0RM[1].exe
C:\Program Files\Internet Explorer\Connection Wizard\isignup.dll
C:\Program Files\Internet Explorer\Connection Wizard\isignup.sys
C:\WINDOWS\0e460.dat
C:\WINDOWS\4603f.avi
C:\WINDOWS\603fa.jpg
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\e4603.cfg
C:\WINDOWS\IMEINPUTS.EXE
C:\WINDOWS\mppds.exe
C:\WINDOWS\msccrt.exe
C:\WINDOWS\preupd.dll
C:\WINDOWS\system32\1-716696
C:\WINDOWS\system32\5E9F0D5.DLL
C:\WINDOWS\system32\7df9.dll
C:\WINDOWS\system32\91b6.dll
C:\WINDOWS\system32\AE9C6AE4.EXE
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\ctfnom.exe
C:\WINDOWS\system32\df91.dll
C:\WINDOWS\system32\drivers\usbinte.sys
C:\WINDOWS\system32\f91b.exe
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\msccrt.dll
C:\WINDOWS\system32\nwizAsktao.dll
C:\WINDOWS\system32\nwizAsktao.exe
C:\WINDOWS\system32\nwizqjsj.dll
C:\WINDOWS\system32\nwizqjsj.exe
C:\WINDOWS\system32\nwizwmsjs.dll
C:\WINDOWS\system32\nwizwmsjs.exe
C:\WINDOWS\system32\SVCH0ST.EXE
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\upxdnd.exe
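A point worth pulling out of the lists above: several of the dropped files borrow the names of genuine Windows binaries with one character swapped (SVCH0ST.EXE with a zero for svchost.exe, IEXPL0R for iexplore, ctfnom for ctfmon) or run a real name from the wrong directory. The script below is an added example, not code from the original post: it parses a report in the same "[Added process] / [Added file]" layout and flags those look-alikes. The embedded report is a subset copied from the lists above; the table of legitimate binaries and their expected directories, and the look-alike rules (digit-for-letter substitution, one edit away, or a transposition), are my own assumptions for illustration.

```python
"""Flag dropped files that masquerade as Windows system binaries.

Added example, not part of the original post. REPORT is a subset of the
sandbox listing above; LEGIT_BINARIES and the look-alike rules are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed input: a subset of the report above, in the same layout.
REPORT = r"""
[Added process]
C:\WINDOWS\IMEINPUTS.EXE
C:\WINDOWS\system32\SVCH0ST.EXE
C:\WINDOWS\system32\f91b.exe
[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\SVCH0ST.exe
C:\WINDOWS\system32\upxdnd.dll
[Added service]
NAME: fast
DISPLAY: Fast Client
FILE: C:\WINDOWS\system32\f91b.exe
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\IEXPL0R[1].EXE
C:\WINDOWS\system32\ctfnom.exe
C:\WINDOWS\system32\drivers\usbinte.sys
"""

# Assumed reference list: genuine binary name -> directory it normally lives in.
LEGIT_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "iexplore.exe": r"c:\program files\internet explorer",
    "ctfmon.exe": r"c:\windows\system32",
}

# Substitutions the droppers use to build look-alike names (0 for o, 1 for l).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})
SECTION_RE = re.compile(r"^\[(.+?)\]$")


def parse_report(text: str) -> dict[str, list[str]]:
    """Split the report into its bracketed sections."""
    sections: dict[str, list[str]] = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> str | None:
    """Return the legitimate binary `name` imitates, or None if it is not close."""
    stem = name.translate(HOMOGLYPHS)  # SVCH0ST.EXE -> svchost.exe
    for legit in LEGIT_BINARIES:
        if stem == legit and name != legit:
            return legit                      # digit-for-letter substitution
        if stem != legit and (edit_distance(stem, legit) == 1       # IEXPL0R
                              or sorted(stem) == sorted(legit)):    # ctfnom
            return legit
    return None


def masquerade_reason(path: str) -> str | None:
    """Explain why `path` looks like a fake system binary, or None if it does not."""
    path = path.replace("/", "\\")
    directory, _, base = path.rpartition("\\")
    name = re.sub(r"\[\d+\]", "", base).lower()   # IE cache adds "[1]" to names
    legit = lookalike_of(name)
    if legit:
        return f"look-alike of {legit}"
    if name in LEGIT_BINARIES and directory.lower() != LEGIT_BINARIES[name]:
        return f"{name} outside {LEGIT_BINARIES[name]}"
    return None


def flag_report(text: str) -> list[tuple[str, str, str]]:
    """Return (section, path, reason) for every suspicious entry in the report."""
    hits = []
    for section, lines in parse_report(text).items():
        for line in lines:
            upper = line.upper()
            if upper.startswith(("NAME:", "DISPLAY:")):
                continue  # service metadata, not a path
            path = line.split(":", 1)[1].strip() if upper.startswith("FILE:") else line
            reason = masquerade_reason(path)
            if reason:
                hits.append((section, path, reason))
    return hits


if __name__ == "__main__":
    for section, path, reason in flag_report(REPORT):
        print(f"[{section}] {path}: {reason}")
```

Run against the subset above this prints four hits: both SVCH0ST copies, IEXPL0R[1].EXE and ctfnom.exe. The directory check is the half that a name-only rule misses: a file literally called svchost.exe sitting in a user's Temp folder is just as suspicious as the zero-for-O variant, so keep both rules together in any triage script you adapt from this.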
As of now (2007/5/21 @ 14:25), the following anti-virus products detect these malicious files (apart from the ANI file):
SC0NFIG1[1].exe:
[ Trend ], "TSPY_ONLINEG.BYF"
wanmeishijie[1].exe:
[ Trend ], "TROJ_INFOSTEA.BI"
0e460.dat:
[ Trend ], "ADW_RUGO.A"
7df9.dll:
[ Trend ], "ADW_RUGO.A"
bofang.dll:
[ Trend ], "ADW_RUGO.A"
boolan64[1].exe:
[ Trend ], "TROJ_AGENT.AAEO"
df91.dll:
[ Trend ], "ADW_RUGO.A"
e4603.cfg:
[ Trend ], "ADW_RUGO.A"
f91b.exe:
[ Trend ], "ADW_RUGO.A"
hbcmd.dll:
[ Trend ], "ADW_RUGO.A"
IECOFIG[1].EXE:
[ Trend ], "TROJ_INFOSTEA.BE"
lfrmewrk.exe:
[ Trend ], "ADW_RUGO.A"
msccrt.exe:
[ Trend ], "TSPY_ONLINEG.BYF"
nwizAsktao.exe:
[ Trend ], "TROJ_INFOSTEA.BE"
nwizqjsj.exe:
[ Trend ], "TROJ_INFOSTEA.BI"
RGInstall.dll:
[ Trend ], "ADW_RUGO.A"
SPSJ[1].exe:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ Sophos ], "Mal/Behav-027"
[ Panda ], "Suspicious file"
[ Nod32 ], "a variant of Win32/PSW.Agent.NEW trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ewido ], "Trojan.WOW.qp"
SPy.exe:
[ Microsoft ], "[->(UPX)]:TrojanDropper:Win32/Dowque.A"
[ Kaspersky ], "PAK:UPX"
[ Sophos ], "[FILE:0000]:Mal/QQPass-B"
[ Nod32 ], "probably a variant of Win32/PSW.QQShou trojan"
[ Fortinet ], "W32/QQShou.5D42!tr.pws"
[ HBEDV ], "DR/Delphi.Gen"
[ Norman ], "Trojan W32/Malware.TQE"
SVCH0ST.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Virus W32/Viking.gen5"
TIMPLATF0RM[1].exe:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tl"
[ Sophos ], "Mal/Behav:06"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.SunOnline.n"
upxdnd.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.A!dll"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tl"
[ McAfee ], "PWS-LegMir.dll"
[ Sophos ], "Troj/PSW-Gen"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ HBEDV ], "HEUR/Malware"
upxdnd.exe:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tl"
[ Sophos ], "Mal/Behav:06"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.SunOnline.n"
usbinte.sys:
[ HBEDV ], "TR/Rootkit.Gen"
5E9F0D5.dll:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Nod32 ], "probably a variant of Win32/Agent.NEO trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan Hupigon.gen66"
007[1].exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Virus W32/Viking.gen5"
009.mdb:
[ Microsoft ], "Worm:Win32/Oanum!ini"
91b6.dll:
[ McAfee ], "Adware-BDSearch"
[ Panda ], "Adware/Sohu"
[ Rising ], "Trojan.Mnless.ksj"
[ Ewido ], "Adware.WSearch"
AE9C6AE4.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ McAfee ], "New Malware.dm !!"
[ Panda ], "Suspicious file"
[ Nod32 ], "a variant of Win32/Agent.NEO trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Trojan Hupigon.gen66"
bind_50423[1].exe:
[ Kaspersky ], "PAK:PE_Patch"
cj[1].exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ McAfee ], "New Malware.dm !!"
[ Panda ], "Suspicious file"
[ Nod32 ], "a variant of Win32/Agent.NEO trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Trojan Hupigon.gen66"
cmdbcs.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Lmir.gen!B"
[ McAfee ], "PWS-LegMir.dll"
[ Sophos ], "Troj/PSW-Gen"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.OnlineGames.bog"
cmdbcs.exe:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tl"
[ McAfee ], "PWS-LegMir.gen.b"
[ Sophos ], "Mal/Behav:06"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.SunOnline.n"
ctfnom.exe:
[ Kaspersky ], "PAK:NSPack, Trojan-Downloader.Win32.Small.czl"
[ McAfee ], "New Malware.aq !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.FKM.Gen"
GTIAPI.dll:
[ McAfee ], "Adware-BDSearch"
[ Panda ], "Adware/Sohu"
[ Rising ], "Trojan.Mnless.ksj"
[ Ewido ], "Adware.WSearch"
IECONFIG.EXE:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:UPX"
[ Sophos ], "Mal/Behav-044"
[ Panda ], "Suspicious file"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dldr.Agent.20827"
IECONFIG[1].EXE:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:UPX"
[ Sophos ], "Mal/Behav-044"
[ Panda ], "Suspicious file"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dldr.Agent.20827"
IEXPL0R[1].EXE:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tl"
[ McAfee ], "PWS-LegMir.gen.b"
[ Sophos ], "Mal/Behav:06"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.SunOnline.n"
IMEINPUTS.EXE:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:UPX"
[ Sophos ], "Mal/Behav-044"
[ Panda ], "Suspicious file"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dldr.Agent.20827"
isignup.dll:
[ Microsoft ], "[->(UPX)]:TrojanDropper:Win32/Dowque.A"
[ Kaspersky ], "PAK:UPX"
[ Sophos ], "[FILE:0000]:Mal/QQPass-B"
[ Nod32 ], "probably a variant of Win32/PSW.QQShou trojan"
[ Fortinet ], "W32/QQShou.5D42!tr.pws"
[ HBEDV ], "DR/Delphi.Gen"
[ Norman ], "Trojan W32/Malware.TQE"
isignup.sys:
[ Sophos ], "Mal/QQPass-B"
[ Nod32 ], "probably a variant of Win32/PSW.QQShou trojan"
[ Fortinet ], "W32/QQShou.5D42!tr.pws"
[ HBEDV ], "HEUR/Malware"
ldasd[1].exe:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tl"
[ Sophos ], "Mal/Behav:06"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.SunOnline.n"
MCONFIG[1].EXE:
[ Kaspersky ], "PAK:NSPack, Trojan-Downloader.Win32.Small.czl"
[ McAfee ], "New Malware.aq !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.FKM.Gen"
mhso0.dll:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Virus W32/Viking.gen5"
mhso.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Virus W32/Viking.gen5"
mppds.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Lmir.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tl"
[ McAfee ], "PWS-LegMir.dll"
[ Sophos ], "Troj/PSW-Gen"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.WoWar.ahi"
mppds.exe:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tl"
[ Sophos ], "Mal/Behav:06"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.SunOnline.n"
msccrt.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Lmir.gen!B"
[ McAfee ], "PWS-LegMir.dll"
[ Sophos ], "Troj/PSW-Gen"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.CabalOnline.aia"
nwizAsktao.dll:
[ Kaspersky ], "Trojan-PSW.Win32.WOW.qp"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Asktao.e"
nwizqjsj.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.rc"
[ Panda ], "Suspicious file"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.OnlineGames.boj"
[ Ewido ], "Trojan.Nilage.bjp"
nwizwmsjs.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.sw"
[ Panda ], "Suspicious file"
[ Nod32 ], "Win32/PSW.Agent.NFD trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.WorldOnline.gi"
[ Ewido ], "Trojan.OnLineGames.sw"
nwizwmsjs.exe:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ Sophos ], "Mal/Behav-027"
[ Panda ], "Suspicious file"
[ Nod32 ], "a variant of Win32/PSW.Agent.NEW trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ewido ], "Trojan.WOW.qp"
preupd.dll:
[ Symantec ], "Downloader"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.qw"
[ Panda ], "Trj/INService.BL"
[ Fortinet ], "W32/OnLineGames.QW!tr.pws"
[ HBEDV ], "TR/Dldr.Agent.20827"
[ Rising ], "Trojan.PSW.ROCOnline.fp"
[ Ewido ], "Trojan.OnLineGames.qw"
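Two things are easy to miss when reading a verdict list this long by eye: several files carry exactly the same set of vendor verdicts (SPy.exe and isignup.dll; SVCH0ST.exe, 007[1].exe, mhso.exe and mhso0.dll), which usually means the same binary was dropped under several names, and a few entries are only a packer identification ("PAK:PE_Patch" for bind_50423[1].exe), which is not a malware detection at all. The script below is an added example, not code from the original post: it parses a list in the "file:" / "[ Vendor ], "verdict"" layout used above into a table and pulls out those two facts plus per-vendor coverage. The embedded list is a subset copied from above; treating identical verdict sets as the same bytes, and a leading "PAK:" as a packer-only tag, are my own heuristics, not something the post states.

```python
"""Consolidate the per-file anti-virus verdicts listed in the post.

Added example, not part of the original post. VERDICTS is a subset of the
list above; the "same verdicts => same binary" and "PAK: => packer tag only"
rules are assumptions used for triage, not facts from the post.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed input: a subset of the verdict list above, same layout.
VERDICTS = """\
SPy.exe:
[ Microsoft ], "[->(UPX)]:TrojanDropper:Win32/Dowque.A"
[ Kaspersky ], "PAK:UPX"
[ Sophos ], "[FILE:0000]:Mal/QQPass-B"
isignup.dll:
[ Microsoft ], "[->(UPX)]:TrojanDropper:Win32/Dowque.A"
[ Kaspersky ], "PAK:UPX"
[ Sophos ], "[FILE:0000]:Mal/QQPass-B"
usbinte.sys:
[ HBEDV ], "TR/Rootkit.Gen"
SVCH0ST.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Sophos ], "Mal/EncPk-F"
[ Norman ], "Virus W32/Viking.gen5"
007[1].exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Sophos ], "Mal/EncPk-F"
[ Norman ], "Virus W32/Viking.gen5"
bind_50423[1].exe:
[ Kaspersky ], "PAK:PE_Patch"
"""

FILE_RE = re.compile(r"^(\S+):$")                    # e.g.  SPy.exe:
VERDICT_RE = re.compile(r'^\[\s*(.+?)\s*\],\s*"(.*)"$')  # e.g.  [ Sophos ], "Mal/EncPk-F"


def parse_verdicts(text: str) -> dict[str, dict[str, str]]:
    """Return {filename: {vendor: verdict}} from the post's list layout."""
    table: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            table.setdefault(current, {})
            continue
        m = VERDICT_RE.match(line)
        if m and current is not None:
            table[current][m.group(1)] = m.group(2)
    return table


def is_packer_only(verdict: str) -> bool:
    """True when every comma-separated part is a packer tag (Kaspersky 'PAK:...')."""
    return all(part.strip().startswith("PAK:") for part in verdict.split(","))


def same_verdict_groups(table: dict[str, dict[str, str]]) -> list[list[str]]:
    """Files whose vendor verdicts are identical; likely one binary, many names."""
    by_fingerprint: dict[frozenset, list[str]] = defaultdict(list)
    for name, verdicts in table.items():
        by_fingerprint[frozenset(verdicts.items())].append(name)
    return sorted(sorted(names) for names in by_fingerprint.values() if len(names) > 1)


def weakly_detected(table: dict[str, dict[str, str]], max_vendors: int = 1) -> list[str]:
    """Files flagged by at most `max_vendors` engines."""
    return sorted(name for name, v in table.items() if len(v) <= max_vendors)


def packer_only(table: dict[str, dict[str, str]]) -> list[str]:
    """Files whose only 'detections' are packer identifications, i.e. not detected."""
    return sorted(name for name, v in table.items()
                  if v and all(is_packer_only(x) for x in v.values()))


def vendor_coverage(table: dict[str, dict[str, str]]) -> Counter:
    """How many of the listed files each vendor flagged."""
    return Counter(vendor for v in table.values() for vendor in v)


if __name__ == "__main__":
    t = parse_verdicts(VERDICTS)
    print("same verdicts:", same_verdict_groups(t))
    print("one vendor or fewer:", weakly_detected(t))
    print("packer tag only:", packer_only(t))
    print("coverage:", vendor_coverage(t).most_common())
```

Applied to the full list above, the packer-only and one-vendor buckets are the files to prioritise for manual analysis or a hash submission, since a scanner that only reports "PAK:PE_Patch" or "suspicious" will not clean them; the identical-verdict groups are the ones where a single sample is enough.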