大砲開講

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，蠻慘的，請各位小心。

到目前為止 (2007/6/25 @ 11:28)，下面的防毒軟體可以偵測到這些惡意檔案 (僅供參考)：

2[1].exe:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “TrojanDropper:Win32/Agent.gen!A”
[ Kaspersky ], “Trojan-Proxy.Win32.Small.du”
[ Nod32 ], “a variant of Win32/Agent.NIK trojan”
2[2].exe:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “TrojanDropper:Win32/Agent.gen!A”
[ Kaspersky ], “Trojan-Proxy.Win32.Small.du”
[ McAfee ], “[00000c70.EXE]:corrupted”
[ Fortinet ], “suspicious”
7[1].exe:
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.te”
[ McAfee ], “New Malware.bl !!”
[ Nod32 ], “Win32/PSW.OnLineGames.YA trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.XPACK.Gen”
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ Ewido ], “Trojan.OnLineGames.wp”
LYLOADER.EXE:
[ Alpha_Gen ], “Possible_Virus”
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.nn”
[ McAfee ], “New Malware.aj !!”
[ Panda ], “Suspicious file”
[ Nod32 ], “a variant of Win32/PSW.Agent.NEC trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/PSW.OnLineGames.NN.213″
[ Norman ], “Security Risk W32/Suspicious_U.gen”
LYMANGR.DLL:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “VirTool:Win32/Obfuscator.C”
[ Kaspersky ], “PAK:UPack, Trojan-PSW.Win32.OnLineGames.nn”
[ McAfee ], “Generic PWS.j”
[ Fortinet ], “PWS.J!tr”
[ HBEDV ], “TR/PSW.OnLineGames.NN.213″
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Ewido ], “Trojan.OnLineGames.nn”
msccrt.dll:
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.es”
[ Nod32 ], “a variant of Win32/PSW.OnLineGames.NBZ trojan”
[ HBEDV ], “HEUR/Malware”
msccrt.exe:
[ Microsoft ], “PWS:Win32/Lmir.gen!J”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.es”
[ Nod32 ], “a variant of Win32/PSW.OnLineGames.YA trojan”
[ HBEDV ], “TR/Dropper.Gen”
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ Ewido ], “Trojan.OnLineGames.es”
msdebug.dll:
[ Symantec ], “Infostealer”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact”
[ Nod32 ], “a variant of Win32/Agent.NIK trojan”
netsrvcs.dll:
[ Symantec ], “Infostealer”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact”
[ Nod32 ], “a variant of Win32/Agent.NIK trojan”
Ravasktao.dll:
[ Alpha_Gen ], “Possible_OLGM-8″
[ Microsoft ], “PWS:Win32/Skatayo.A!dll”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.ql”
[ McAfee ], “PWS-LegMir.dll”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Spy.Gen”
[ Rising ], “Trojan.PSW.Win32.AskTao.d”
[ Ewido ], “Trojan.OnLineGames.ql”
RemoteDbg.dll:
[ Symantec ], “Infostealer”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact”
[ McAfee ], “BackDoor-DKH”
[ Nod32 ], “a variant of Win32/Agent.NIK trojan”
RichDll.dll:
[ Symantec ], “W32.Looked.AH”
[ Microsoft ], “[->(Petite 2.2)]:Virus:Win32/Viking.gen”
[ Kaspersky ], “PAK:Petite, Worm.Win32.Viking.ls”
[ McAfee ], “W32/HLLP.Philis.dll”
[ Panda ], “W32/Viking.VG.worm”
[ Nod32 ], “probably a variant of Win32/Viking virus”
[ Fortinet ], “W32/Viking.LS”
[ HBEDV ], “TR/PSW.Delf.AF.2″
[ Ewido ], “Worm.Viking.ls”
RUNDLL32.exe:
[ Alpha_Gen ], “Possible_Virus”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.mk”
[ McAfee ], “New Malware.aj !!”
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Crypted”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
sys174.exe:
[ Symantec ], “Infostealer”
[ Microsoft ], “TrojanDownloader:Win32/Small.gen!N”
[ Kaspersky ], “Trojan-Downloader.Win32.Agent.bkm”
[ Nod32 ], “probably a variant of Win32/TrojanDownloader.Delf.NJH trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Hijack.Explor.3546″
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ Rising ], “Trojan.DL.Win32.Mnless.apg”
sys250.exe:
[ Symantec ], “Infostealer”
[ Microsoft ], “TrojanDownloader:Win32/Small.gen!N”
[ Kaspersky ], “Trojan-Downloader.Win32.Agent.bkm”
[ Nod32 ], “probably a variant of Win32/TrojanDownloader.Delf.NJH trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Hijack.Explor.3546″
[ Norman ], “[Heur
istic Sandbox detection]:Virus W32/Malware”
[ Rising ], “Trojan.DL.Win32.Mnless.apg”
test[1].exe:
[ HBEDV ], “HEUR/Malware”
TIMHost.dll:
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.yn”
[ Panda ], “Trj/Agent.FTX”
[ HBEDV ], “HEUR/Malware”
[ Rising ], “Trojan.PSW.Win32.RocOnline.b”
[ Ewido ], “Trojan.OnLineGames.yn”
TIMHost.exe:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “PWS:Win32/Lmir.gen!J”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.yn”
[ Nod32 ], “a variant of Win32/PSW.OnLineGames.YA trojan”
[ HBEDV ], “TR/Dropper.Gen”
[ Norman ], “Trojan W32/OnLineGames.HGK”
[ Rising ], “Trojan.PSW.Win32.RocOnline.b”
[ Ewido ], “Trojan.OnLineGames.yn”
windds32.dll:
[ Symantec ], “Infostealer”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact”
[ Nod32 ], “a variant of Win32/Agent.NIK trojan”
windhcp.ocx:
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, Trojan-Proxy.Win32.Small.fl”
[ McAfee ], “BackDoor-DKH”
[ Panda ], “Trj/Gampass.B”
[ Nod32 ], “a variant of Win32/Agent.NIK trojan”
[ HBEDV ], “TR/Agent.22016.B”
WinForm.exe:
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.te”
[ McAfee ], “New Malware.bl !!”
[ Nod32 ], “Win32/PSW.OnLineGames.YA trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.XPACK.Gen”
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ Ewido ], “Trojan.OnLineGames.wp”
WMIApiSrv.dll:
[ Symantec ], “Infostealer”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact”
[ McAfee ], “BackDoor-DKH”
[ Nod32 ], “a variant of Win32/Agent.NIK trojan”
0[1].exe:
[ Trend ], “TSPY_DELF.HGK”
1[1].exe:
[ Trend ], “PE_LOOKED.ACM-O”
game.com:
[ Trend ], “TSPY_DELF.HGK”
Logo1_.exe:
[ Trend ], “PE_LOOKED.ACM-O”
msimg32.dll:
[ Trend ], “TSPY_LEGMIR.BPW”
MsIMMs32.exe:
[ Trend ], “TSPY_LEGMIR.BPX”
rundl132.exe:
[ Trend ], “PE_LOOKED.ACM-O”
SERVICES.exe:
[ Trend ], “TSPY_ONLINEG.FDO”
sservet.exe:
[ Trend ], “TROJ_DELF.ECJ”
sys211.exe:
[ Trend ], “TROJ_DELF.ECJ”
sys263.exe:
[ Trend ], “TROJ_DELF.ECJ”
sys270.exe:
[ Trend ], “PE_LOOKED.ACM-O”
sys321142.exe:
[ Trend ], “TSPY_ONLINEG.EEZ”
sys90.exe:
[ Trend ], “PE_LOOKED.ACM-O”
WinForm.dll:
[ Trend ], “TSPY_ONLINEG.DHY”FTE”

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\20070418a[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\6143[1].htm
C:\Program Files\%system%\0613ds.exe
C:\Program Files\%system%\1.bat
C:\Program Files\%system%\1.vbs

到目前為止 (2007/6/25 @ 11:29)，下面的防毒軟體可以偵測到這些惡意檔案 (僅供參考)：

0613ds.exe:
[ Trend ], “TSPY_LINEAGE.FTD”
20070418a[1].exe:
[ Trend ], “TSPY_LINEAGE.FTE”
svchost.exe:
[ Trend ], “TSPY_LINEAGE.FTE”
6143[1].htm:
[ Microsoft ], “[->(SCRIPT0000)]:TrojanDownloader:VBS/Mumawow.A”
[ Nod32 ], “VBS/TrojanDownloader.Psyme.FN trojan”
[ Rising ], “Trojan.DL.VBS.Agent.cgk”
1.bat:
[ Panda ], “Trj/QQPass.AER”

在說明之前，我要先說明測試方法，目前大部分的防毒軟體測試組織都只針對偵測率部份做評比 (由於人力及財力的問題，目前我們也只能做這部份，不過，將來會慢慢加入其他測試項目)，理由很簡單，因為只要擁有樣本即可做此項測試。那為什麼不做其他測試項目呢？因為技術問題和測試時間較久，大部分的測試組織都不做這些項目，但這些測試項目對防毒軟體的好壞影響蠻大的，到最後，消費者只能比較偵測率的高低，以做為購買防毒軟體的依據。假若各位了解這些測試方法的話，就比較不容易受到矇騙，而進一步要求防毒軟體廠商公布使用其他測試方法所得到的測試結果，這樣一來，各位就知道哪些防毒軟體是比較好的。

那如何驗證防毒軟體測試報告呢？測試機構至少需要提供下列三個數據，我們才能驗證測試報告：

1. 更新記錄檔 (Update Logs) (必要)
2. 掃描記錄檔 (Scan Logs) (必要)
3. 樣本的 MD5 或 SHA1 值 (非必要)

為什麼呢？

關於第一點，如果測試機構沒有提供更新記錄檔的話，有可能他們所使用的產品、掃毒引擎 (Virus Scan Engine) 或 病毒特徵碼 (Virus Signature) 是由廠商特別提供的版本 (Special Build)，根本沒有放置在防毒軟體廠商的官方網站上，簡直只是為了通過測試，雙方配合演出而已。

關於第二點，如果測試機構沒有提供掃描記錄檔的話 (有些防毒軟體根本沒有完整的記錄檔)，有可能他們不是使用產品在做測試，而是使用無圖形介面的掃描引擎 (Command-line Virus Scanner)。這樣有什麼好處，可以做自動化測試，比較方便，而且，此掃毒引擎介面通常由掃描引擎部門所開發出來，比較沒有產品整合的問題。另一個可能是無法算出真正的偵測率，各位通常所看到的偵測率是由圖形介面顯示出來的結果，此結果有可能有灌水之嫌 (從我們的測試經驗中，有蠻多這種情形發生)，所以，必須經由掃描記錄檔才可以算出真正的偵測率。

關於第三點，如果測試機構有提供樣本的 MD5 或 SHA1 值的話 (最好是提供樣本囉，但大部分的測試組織都不可能提供樣本給其他單位)，擁有很多樣本的單位或個人，就可以檢查到底這些測試機構所使用樣本的重複率有多高。如果重複率很高，而每個測試機構所公佈的測試報告差異甚大，就可以知道有些測試組織可能將測試報告動過手腳。

希望以上三點說明，能讓各位更了解如何看待防毒軟體測試報告，進而要求測試機構或廠商提供或公佈更多的資訊，這樣才不會造成資訊不對稱，而造成錯誤的決定。

最後，歡迎各位踴躍發表自己的想法囉。

延伸閱讀：
防毒軟體評比之奧秘
如何測試與選擇防毒軟體和反間諜軟體

惡意連結是放置在 member (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\member[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\test[1].js
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (C:\WINDOWS\system32\od2media.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/6/23 @ 21:24)，下面的防毒軟體可以偵測到這些惡意檔案 (僅供參考)：

od2media.dll:
[ Trend ], “TSPY_ONLINEG.BHX”
update[1].exe:
[ Trend ], “TSPY_ONLINEG.FHV:
update[1].htm:
[ Trend ], “HTML_AGENT.AACU”
avp.exe:
[ Trend ], “TSPY_ONLINEG.ASH”
update.htm:
[ Trend ], “VBS_AGENT.OVW”
member[1].htm:
[ Alpha_Gen ], “Heur_Infrm-1″
[ Microsoft ], “[->(IframeRefI)]:Exploit:HTML/IframeRef.gen”

惡意連結是放置在 exam (其他頁面可能要仔細檢查一下囉) 中的：

網頁被嵌入一個 RM 檔案，如下圖所示：

如果系統有安裝 Real Player，當你進入此網頁時，它會自動執行起來。

到目前為止 (2007/6/21 @ 21:18)，下面的防毒軟體可以偵測到這些惡意檔案 (僅供參考)：

l3.smi:
[ Beta_Gen ], “HTML_Generic.CON”
[ Alwil ], “Win32:Trojano-3455 [Trj]“
[ HBEDV ], “EXP/HTML.BM.A”

異常現象網頁：

程式碼的部份：

正常網頁：

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\ddd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ddd.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\help[2].htm

到目前為止 (2007/6/21 @ 20:43)，下面的防毒軟體可以偵測到這些惡意檔案 (僅供參考)：

1[2].htm:
[ McAfee ], “ObfuscatedHtml”
[ Fortinet ], “HTML/ASCII.gen!exploit”
[ Norman ], “Trojan AsciiExploit.gen”
help[2].htm:
[ McAfee ], “ObfuscatedHtml”
[ Fortinet ], “HTML/ASCII.gen!exploit”
[ Norman ], “Trojan AsciiExploit.gen”
1.htm:
[ Nod32 ], “JS/Exploit.ADODB.Stream.EY trojan”

惡意連結是放置在 NoticeHouse.asp (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added hidden process]
C:\Program Files\Internet Explorer\iexplore.exe (此程序會鎖住 C:\WINDOWS\68.exe)

[Added service]
NAME: svchost
DISPLAY: svchost
FILE: C:\WINDOWS\68.exe (hidden IE process locks this file)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\gz2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\sex[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\gz1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\sexy[1].htm
C:\WINDOWS\68.exe
C:\WINDOWS\qq1.exe

到目前為止 (2007/6/21 @ 16:46)，下面的防毒軟體可以偵測到這些惡意檔案 (僅供參考)：

gz1[1].exe:
[ Trend ], “BKDR_HUPIGON.UH”
68.exe:
[ Fortinet ], “suspicious”
[ HBEDV ], “BDS/Hupigon.Gen”
[ Rising ], “Backdoor.Gpigeon.GEN”
gz2[1].exe:
[ Fortinet ], “suspicious”
[ HBEDV ], “BDS/Hupigon.Gen”
[ Rising ], “Backdoor.Gpigeon.GEN”
sex[1].htm:
[ Microsoft ], “[->(SCRIPT0000)]:TrojanDownloader:JS/Agent.FT”
[ McAfee ], “[000000b6.vbs]:Exploit-MS06-014″
[ Fortinet ], “VBS/Psyme.DN!tr.dldr”
[ Norman ], “Trojan VBS/Psyme.AK”
[ Rising ], “Trojan.VBS.Agent.z”
[ Ewido ], “Downloader.Psyme.hb”
sexy[1].htm:
[ Microsoft ], “[->(SCRIPT0000)]:TrojanDownloader:JS/Agent.FT”
[ McAfee ], “[000000b6.vbs]:Exploit-MS06-014″
[ Fortinet ], “VBS/Psyme.DN!tr.dldr”
[ Norman ], “Trojan VBS/Psyme.AK”
[ Rising ], “Trojan.VBS.Agent.z”
[ Ewido ], “Downloader.Psyme.hb”
svchost.vbs:
[ Symantec ], “Trojan Horse”

首頁：

遭置換網頁：

至於詳細的資訊，請參考 zone-h。

惡意連結是放置在 index.asp (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\WINDOWS\Debug\UserMode\CBD61.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\moi.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gmsex[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\live[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\selfs[1].htm
C:\kao.reg
C:\Program Files\Common Files\live.exe
C:\Program Files\Internet Explorer\loadie.EXE
C:\WINDOWS\Debug\UserMode\CBD61.dll
C:\WINDOWS\Debug\UserMode\CBD61.exe

[Added COM/BHO]
{3CD55043-005A-49B8-B298-0618D55A543C}-C:\WINDOWS\debug\userMode\CBD61.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=AutoRun
Data=C:\Program Files\Internet Explorer\loadie.EXE

到目前為止 (2007/6/21 @ 09:29)，下面的防毒軟體可以偵測到這些惡意檔案：

CBD61.dll:
[ Trend ], “Possible_Infostl”
selfs[1].htm:
[ Trend ], “VBS_SMALL.GUK”
CBD61.exe:
[ Microsoft ], “VirTool:Win32/Obfuscator.A”
[ Nod32 ], “a variant of Win32/PSW.Lineage.ACN trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
gmsex[1].exe:
[ Microsoft ], “TrojanDownloader:Win32/Small.gen!N”
[ McAfee ], “New Malware.an !!”
[ Alwil ], “Win32:Delf-BSS [Trj]“
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Delphi.Downloader.Gen”
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ Ewido ], “Downloader.Delf.awr”
kao.reg:
[ Panda ], “Trj/QQPass.MW”
[ Nod32 ], “Win32/TrojanDownloader.Delf.NVO trojan”
[ HBEDV ], “TR/Dldr.Delf.NVO”
live.exe:
[ Microsoft ], “VirTool:Win32/Obfuscator.A”
[ Nod32 ], “a variant of Win32/PSW.Lineage.ACN trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
loadie.EXE:
[ Microsoft ], “TrojanDownloader:Win32/Small.gen!N”
[ McAfee ], “New Malware.an !!”
[ Alwil ], “Win32:Delf-BSS [Trj]“
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Delphi.Downloader.Gen”
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ Ewido ], “Downloader.Delf.awr”
moi.com:
[ Microsoft ], “TrojanDownloader:Win32/Small.gen!N”
[ McAfee ], “New Malware.an !!”
[ Alwil ], “Win32:Delf-BSS [Trj]“
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Delphi.Downloader.Gen”
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ Ewido ], “Downloader.Delf.awr”

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\win[2].htm
C:\WINDOWS\~tmp2298.exe
C:\WINDOWS\~tmp2595.exe
C:\WINDOWS\~tmp3634.exe
C:\WINDOWS\~tmp3817.exe
C:\WINDOWS\~tmp4673.exe
C:\WINDOWS\~tmp5390.exe
C:\WINDOWS\~tmp54.exe
C:\WINDOWS\~tmp6941.exe
C:\WINDOWS\~tmp7532.exe
C:\WINDOWS\~tmp7544.exe
C:\WINDOWS\~tmp946.exe

到目前為止 (2007/6/20 @ 11:07)，下面的防毒軟體可以偵測到這些惡意檔案：

~tmp2298.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
~tmp2595.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
~tmp3634.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
~tmp3817.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
~tmp4673.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
~tmp5390.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
~tmp6941.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
~tmp7532.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
~tmp7544.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
update[1].exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
win[2].htm:
[ McAfee ], “ObfuscatedHtml”
[ Fortinet ], “HTML/ASCII.gen!exploit”
[ Norman ], “Trojan AsciiExploit.gen”
~tmp54.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″
~tmp946.exe:
[ Alpha_Gen ], “Possible_ULPM”
[ Microsoft ], “PWS:Win32/Frethog.C”
[ Nod32 ], “probably a variant of Win32/Pacex.Gen virus”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSPM.Gen”
[ Norman ], “Trojan W32/OnlineGames.gen21″

我不明白的事是既然是轉載，那他們的編輯應該看過此篇文章，並也認為此篇文章值得刊登，但我個人認為我看不懂那篇文章所要表達是什麼呢？真的很懷疑，到底是我不懂防毒軟體，還是他們不懂呢？身為重要的 IT 新聞媒體，難道，他們不應該提供正確且易懂的訊息給大眾嗎？我想他們應該要好好的檢討一下囉 (應該不只他們啦)。

現在很多資安論壇上都有防毒版，但所提供的資訊，很多都是似是而非，有些真正的專家勇於表達自己的看法和分享自己的經驗，很快就會被其他網友攻擊，導致他們失去熱忱，再也不喜歡分享他們自己在資安專業領域上的經驗給大家，我自己覺得相當可惜。沒辦法，小人當道，難怪台灣的資安觀念落後其他國家。

最後，如果各位看得懂那篇文章所要表達的意思，請在這裡發表你的看法囉，或是你有其他的看法也可以在這裡發表囉。

順便一提，如果有時間的話，我會把我對防毒軟體所知道的觀念與經驗分享給各位。

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\avp.exe

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\help[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\test[1].js
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/6/14 @ 13:57)，下面的防毒軟體可以偵測到這些惡意檔案：

avp.exe:
[ Trend ], “TSPY_ONLINEG.ASH”
help[1].htm:
[ Trend ], “HTML_ASCIIEXP.E”
od2media.dll:
[ Trend ], “TSPY_ONLINEG.BHX”
update[1].exe:
[ Trend ], “TROJ_NSANTI.CE”
update[1].htm:
[ Trend ], “HTML_AGENT.AACU”