October 2007

Wire and Cable Industry Service Network (電線電纜產業服務網) website injected with a malicious link

October 21, 2007 – 22:49:00

Tunghai University Teacher Education Center (東海大學師資培育中心) website injected with a malicious link

October 19, 2007 – 16:27:00

The Tunghai University Teacher Education Center (東海大學師資培育中心) website has been injected with a malicious link; the malware is WORM_RBOT.GBG. Anyone who has recently browsed this page should check their computer as soon as possible, and please do not browse this site for the time being, to avoid infection. (Credit: Wayne and an anonymous reader)

The malicious link was placed on the homepage (other pages may need careful checking too):

After execution, the following behaviour was observed:

[Added process]
C:\WINDOWS\system32\mswinsvcr.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\morgan[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\flash7[1].exe
C:\WINDOWS\system32\mswinsvcr.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Microsoft
Data=mswinsvcr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Value=Microsoft
Data=mswinsvcr.exe

As of 2007/10/19 @ 16:38, the following antivirus products detect these malicious files (for reference only):

flash7[1].exe:
[ Trend ], “WORM_RBOT.GBG”
morgan[1].htm:
[ Trend ], “VBS_PSYME.AUN”
mswinsvcr.exe:
[ Trend ], “WORM_RBOT.GBG”

Kuo-Kuang Motor Transport (國光客運) website injected with a malicious link

October 18, 2007 – 23:33:00

The Kuo-Kuang Motor Transport (國光客運) website has been injected with a malicious link; the malware is TROJ_HEURI.AW. Anyone who has recently browsed this page should check their computer as soon as possible, and please do not browse this site for the time being, to avoid infection. (Credit: Jimau and an anonymous reader)

The malicious link was placed on the homepage (other pages may need careful checking too):

After execution, the following behaviour was observed:

[DLL injection]
C:\WINDOWS\system32\sysfldr.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\exe[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\out[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\out[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\out[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index[1].htm
C:\WINDOWS\system32\sysfldr.dll

As of 2007/10/17 @ 00:25, the following antivirus products detect these malicious files (for reference only):

sysfldr.dll:
[ Trend ], “TROJ_HEURI.AW”
exe[1]:
[ Kaspersky ], “PAK:FSG”
[ Sophos ], “Mal/Basine-C”
[ Panda ], “Suspicious file”
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Crypted”
[ Norman ], “Security Risk Suspicious_F.gen”

Taipei City Office of Commerce (臺北市商業處) website hacked

October 18, 2007 – 18:38:00

The Taipei City Office of Commerce (臺北市商業處) website has been hacked. The point to note here is that the site may also have had malicious links or malicious code planted in it, so its administrators should find the security vulnerability in the system or software and patch it as soon as possible, rather than merely removing or restoring the defaced files.

Note: was any user information stolen?

For details, see zone-h

Kuomintang (中國國民黨) website injected with a malicious link

October 18, 2007 – 18:24:00

The Kuomintang (中國國民黨) website has been injected with a malicious link. Anyone who has recently browsed this page should check their computer as soon as possible, and please do not browse this site for the time being, to avoid infection. (Credit: Jimau)

Note: I phoned their information center a little after 4 pm today, and, astonishingly, it still has not been dealt with. :-(

The malicious link/code is in MTS3Intorface.js, which is included from main.asp (other pages may need careful checking too); after URL decoding it reads:

After execution, the following behaviour was observed:

[Added service]
NAME: SVKP
DISPLAY: SVKP
FILE: \??\C:\WINDOWS\system32\SVKP.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\MTS3Intorface[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\main[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\butt_over[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\sub01[1].htm
C:\WINDOWS\system32\SVKP.sys

As of 2007/10/18 @ , the following antivirus products detect these malicious files (for reference only):

To be updated later…

KYMCO heavy motorcycle (光陽重型機車) website injected with a malicious link

October 17, 2007 – 14:29:00

Update: now fixed (2007/10/17 @ 14:38)

The KYMCO heavy motorcycle (光陽重型機車) website has been injected with a malicious link; the malware is VBS_PSYME.AXC. Anyone who has recently browsed this page should check their computer as soon as possible, and please do not browse this site for the time being, to avoid infection. (Credit: Wayne)

The malicious link was placed on the homepage (other pages may need careful checking too):

After execution, the following behaviour was observed:

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\moi.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gmsex[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\h[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\main[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\m[1].htm

As of 2007/10/17 @ 13:52, the following antivirus products detect these malicious files (for reference only):

m[1].htm:
[ Trend ], “VBS_PSYME.AXC”
h[1].htm:
[ Alpha_Gen ], “Heur_Infrm-1”
[ Sophos ], “Mal/Iframe-A”
yahoo.js:
[ Alpha_Gen ], “Possible_EncScr”
[ HBEDV ], “EXP/IframeBOF.M”

HiNet finance site (HiNet理財網) injected with a malicious link again

October 12, 2007 – 07:24:00

Update: now fixed
**High-risk website: it is repeatedly injected with malicious links and has been added to the site blacklist; browsing this site is not recommended**

The HiNet finance site (HiNet理財網) has once again been injected with a malicious link; the malware is Trojan-PSW.Win32.OnLineGames.dzq. Anyone who has recently browsed this page should check their computer as soon as possible, and please do not browse this site for the time being, to avoid infection. (Credit: Jimau)

The malicious link was placed on the homepage (other pages may need careful checking too):

After execution, the following behaviour was observed:

[Added process]
C:\WINDOWS\system32\avwgdst.exe
C:\WINDOWS\system32\raqjbtl.exe
C:\WINDOWS\system32\kawdbaz.exe
C:\WINDOWS\system32\rsztdsp.exe
C:\WINDOWS\system32\avzxdst.exe
C:\WINDOWS\system32\rsmyesp.exe
C:\WINDOWS\system32\rarjbtl.exe
C:\WINDOWS\IGM.exe
C:\WINDOWS\system32\kafyeaz.exe
C:\WINDOWS\IGW.exe
C:\WINDOWS\system32\sidjaaz.exe
C:\WINDOWS\system32\kapjbaz.exe
C:\WINDOWS\system32\rsjzbsp.exe
C:\WINDOWS\system32\kaqhfaz.exe
C:\WINDOWS\system32\kvdxcis.exe
C:\WINDOWS\system32\avwlcst.exe
C:\WINDOWS\system32\ratbftl.exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\WINDOWS\system32\avwgdmn.dll
C:\WINDOWS\system32\avwlcmn.dll
C:\WINDOWS\system32\avzxdmn.dll
C:\WINDOWS\system32\kafyezy.dll
C:\WINDOWS\system32\kapjbzy.dll
C:\WINDOWS\system32\kaqhfzy.dll
C:\WINDOWS\system32\kawdbzy.dll
C:\WINDOWS\system32\kvdxcma.dll
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\raqjbpi.dll
C:\WINDOWS\system32\raqjbtl.exe
C:\WINDOWS\system32\ratbfpi.dll
C:\WINDOWS\system32\rsjzbpm.dll
C:\WINDOWS\system32\rsmyepm.dll
C:\WINDOWS\system32\rsztdpm.dll
C:\WINDOWS\system32\sidjazy.dll

[Added service]
NAME: Winownes
DISPLAY: Telephotsgoogle
FILE: C:\WINDOWS\system32\sedrsvedt.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDEG32.DLL
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\6[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ad_an[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\0[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\16[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\4[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\8[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\kb[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1299644[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\15[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\7[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\014[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\17[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\5[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\9[1].exe
C:\WINDOWS\136741MM.DLL
C:\WINDOWS\136741WO.DLL
C:\WINDOWS\Fonts\ardaase.fon
C:\WINDOWS\Fonts\cadaafx.fon
C:\WINDOWS\Fonts\chqiaur.fon
C:\WINDOWS\Fonts\chreaur.fon
C:\WINDOWS\Fonts\chtiaur.fon
C:\WINDOWS\Fonts\enfeafx.fon
C:\WINDOWS\Fonts\enhuafx.fon
C:\WINDOWS\Fonts\enpoafx.fon
C:\WINDOWS\Fonts\enweafx.fon
C:\WINDOWS\Fonts\gejiand.fon
C:\WINDOWS\Fonts\gemoand.fon
C:\WINDOWS\Fonts\gezeand.fon
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\IGM.exe
C:\WINDOWS\IGW.exe
C:\WINDOWS\system32\0.exe
C:\WINDOWS\system32\avwgain.dll
C:\WINDOWS\system32\avwgdmn.dll
C:\WINDOWS\system32\avwgdst.exe
C:\WINDOWS\system32\avwlcin.dll
C:\WINDOWS\system32\avwlcmn.dll
C:\WINDOWS\system32\avwlcst.exe
C:\WINDOWS\system32\avzxain.dll
C:\WINDOWS\system32\avzxdmn.dll
C:\WINDOWS\system32\avzxdst.exe
C:\WINDOWS\system32\kafyacs.dll
C:\WINDOWS\system32\kafyeaz.exe
C:\WINDOWS\system32\kafyezy.dll
C:\WINDOWS\system32\kapjacs.dll
C:\WINDOWS\system32\kapjbaz.exe
C:\WINDOWS\system32\kapjbzy.dll
C:\WINDOWS\system32\kaqhfaz.exe
C:\WINDOWS\system32\kaqhfcs.dll
C:\WINDOWS\system32\kaqhfzy.dll
C:\WINDOWS\system32\kawdacs.dll
C:\WINDOWS\system32\kawdbaz.exe
C:\WINDOWS\system32\kawdbzy.dll
C:\WINDOWS\system32\kvdxacf.dll
C:\WINDOWS\system32\kvdxcis.exe
C:\WINDOWS\system32\kvdxcma.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\raqjani.dll
C:\WINDOWS\system32\raqjbpi.dll
C:\WINDOWS\system32\raqjbtl.exe
C:\WINDOWS\system32\rarjani.dll
C:\WINDOWS\system32\rarjbpi.dll
C:\WINDOWS\system32\rarjbtl.exe
C:\WINDOWS\system32\ratbani.dll
C:\WINDOWS\system32\ratbfpi.dll
C:\WINDOWS\system32\ratbftl.exe
C:\WINDOWS\system32\rsjzafg.dll
C:\WINDOWS\system32\rsjzbpm.dll
C:\WINDOWS\system32\rsjzbsp.exe
C:\WINDOWS\system32\rsmyafg.dll
C:\WINDOWS\system32\rsmyepm.dll
C:\WINDOWS\system32\rsmyesp.exe
C:\WINDOWS\system32\rsztafg.dll
C:\WINDOWS\system32\rsztdpm.dll
C:\WINDOWS\system32\rsztdsp.exe
C:\WINDOWS\system32\sedrsvedt.exe
C:\WINDOWS\system32\sidjaaz.exe
C:\WINDOWS\system32\sidjacs.dll
C:\WINDOWS\system32\sidjazy.dll

[Added COM/BHO]
{18847374-8323-FADC-B443-4732ABCD3781}-C:\WINDOWS\system32\sidjazy.dll
{22FAACDE-34DA-CCD4-AB4D-DA34485A3422}-C:\WINDOWS\system32\rsjzbpm.dll
{24783410-4F90-34A0-7820-3230ACD05F42}-C:\WINDOWS\system32\raqjbpi.dll
{2598FF45-DA60-F48A-BC43-10AC47853D52}-C:\WINDOWS\system32\rarjbpi.dll
{28907901-1416-3389-9981-372178569982}-C:\WINDOWS\system32\kawdbzy.dll
{2A321487-4977-D98A-C8D5-6488257545A2}-C:\WINDOWS\system32\kapjbzy.dll
{3960356A-458E-DE24-BD50-268F589A56A3}-C:\WINDOWS\system32\avwlcmn.dll
{3C87A354-ABC3-DEDE-FF33-3213FD7447C3}-C:\WINDOWS\system32\kvdxcma.dll
{434345F1-DACF-3452-CB7D-4620F34A1534}-C:\WINDOWS\system32\rsztdpm.dll
{4859245F-345D-BC13-AC4F-145D47DA34F4}-C:\WINDOWS\system32\avzxdmn.dll
{4A1247C1-53DA-FF43-ABD3-345F323A48D4}-C:\WINDOWS\system32\avwgdmn.dll
{5B681598-AD5F-BC8C-77DC-748FAC8D3FB5}-C:\WINDOWS\system32\kafyezy.dll
{5E32FA58-3453-FA2D-BC49-F340348ACCE5}-C:\WINDOWS\system32\rsmyepm.dll
{66650011-3344-6688-4899-345FABCD1566}-C:\WINDOWS\system32\ratbfpi.dll
{67D81718-1314-5200-2597-587901018076}-C:\WINDOWS\system32\kaqhfzy.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\IGM.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSys
Data=C:\WINDOWS\IGW.exe

As of 2007/10/11 @ , the following antivirus products detect these malicious files (for reference only):

sidjazy.dll:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “Trojan:Win32/Delf.AT!dll”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.dzq”
[ McAfee ], “PWS-OnlineGames.i”
[ Panda ], “Trj/Lineage.BZE”
[ Nod32 ], “Win32/PSW.OnLineGames.DZQ trojan”
[ Fortinet ], “W32/OnLineGames.DZQ!tr.pws”
[ HBEDV ], “TR/PSW.OnlineGames.dzq”
[ Norman ], “Trojan W32/Malware.AYNM”
avwgdmn.dll:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “Trojan:Win32/Delf.AT!dll”
[ McAfee ], “PWS-OnlineGames.a.dll”
[ Sophos ], “Mal/Gampass-A”
[ Fortinet ], “Delagen.A!tr.pws”
[ HBEDV ], “HEUR/Malware”
raqjbpi.dll:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “Trojan:Win32/Delf.AT!dll”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.eax”
[ McAfee ], “PWS-OnlineGames.a.dll”
[ Panda ], “Trj/Lineage.BZE”
[ Fortinet ], “W32/Delagen.A!tr.pws”
[ HBEDV ], “TR/PSW.OnlineGames.eax”
[ Norman ], “Trojan W32/Malware.AZEH”
avzxdmn.dll:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “Trojan:Win32/Delf.AT!dll”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.dzu”
[ McAfee ], “PWS-OnlineGames.a.dll”
[ Sophos ], “Mal/Gampass-A”
[ Panda ], “Generic”
[ Fortinet ], “W32/Delagen.A!tr.pws”
[ HBEDV ], “TR/PSW.OnlineGames.dzu”
[ Norman ], “Trojan W32/OnLineGames.PGQ”
rsztdpm.dll:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “Trojan:Win32/Delf.AT!dll”
[ McAfee ], “PWS-OnlineGames.k.dll”
[ HBEDV ], “HEUR/Malware”
avwlcst.exe:
[ Beta_Gen ], “Possible_Crypt-6”
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “[->(Upack)]:Trojan:Win32/SystemHijack.gen”
[ Kaspersky ], “PAK:UPack”
[ McAfee ], “New Malware.n !!”
[ Sophos ], “Mal/Packer”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
15[1].exe:
[ Beta_Gen ], “Possible_Crypt-6”
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “[->(Upack)]:Trojan:Win32/SystemHijack.gen”
[ Kaspersky ], “PAK:UPack”
[ McAfee ], “New Malware.n !!”
[ Sophos ], “Mal/Packer”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
avwgdst.exe:
[ Beta_Gen ], “Possible_Crypt-6”
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “[->(Upack)]:Trojan:Win32/SystemHijack.gen”
[ Kaspersky ], “PAK:UPack, Trojan-PSW.Win32.OnLineGames.ejx”
[ McAfee ], “New Malware.n !!”
[ Sophos ], “Mal/Packer”
[ Panda ], “Suspicious file”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ Fortinet ], “W32/OnLineGames.EJX!tr.pws”
[ HBEDV ], “TR/PSW.OnlineGames.ejx.2”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
IGW.exe:
[ McAfee ], “[00005710.EXE]:New DLL-b !!”
[ Nod32 ], “probably unknown NewHeur_PE virus [7]”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Delphi.Downloader.Gen”
136741WO.DLL:
[ McAfee ], “New DLL-b !!”
[ Nod32 ], “a variant of Win32/PSW.WOW.SV trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Delphi.Downloader.Gen”
8[1].exe:
[ Microsoft ], “[->(Upack)]:PWS:Win32/Frethog.O”
[ Kaspersky ], “PAK:UPack”
[ McAfee ], “New Malware.n !!”
[ Sophos ], “Mal/Packer”
[ Nod32 ], “a variant of Win32/PSW.WOW.WU trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Delphi.Downloader.Gen”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
rsztdsp.exe:
[ Beta_Gen ], “Possible_Crypt-6”
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “[->(Upack)]:Trojan:Win32/SystemHijack.gen”
[ Kaspersky ], “PAK:UPack”
[ McAfee ], “New Malware.n !!”
[ Sophos ], “Mal/Packer”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
3[1].exe:
[ Beta_Gen ], “Possible_Crypt-6”
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “[->(Upack)]:Trojan:Win32/SystemHijack.gen”
[ Kaspersky ], “PAK:UPack”
[ McAfee ], “New Malware.n !!”
[ Sophos ], “Mal/Packer”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Malware”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
MSDEG32.DLL:
[ Beta_Gen ], “Possible_Crypt-6”
[ Kaspersky ], “PAK:UPack, Trojan-PSW.Win32.OnLineGames.efr”
[ Sophos ], “Mal/Packer”
[ Panda ], “Trj/Lineage.BZE”
[ Nod32 ], “a variant of Win32/PSW.OnLineGames.DVV trojan”
[ Fortinet ], “W32/OnLineGames.EFR!tr.pws”
[ HBEDV ], “TR/PSW.OnlineGames.efr”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
kvdxcma.dll:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “Trojan:Win32/Delf.AT!dll”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.dzp”
[ McAfee ], “PWS-OnlineGames.i”
[ Panda ], “Generic”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ Fortinet ], “W32/Delagen.A!tr.pws”
[ HBEDV ], “TR/PSW.OnlineGames.dzp.4”
[ Norman ], “Trojan W32/OnLineGames.PLZ”
avwlcmn.dll:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “Trojan:Win32/Delf.AT!dll”
[ McAfee ], “PWS-OnlineGames.a.dll”
[ Sophos ], “Mal/Gampass-A”
[ Panda ], “Suspicious file”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ HBEDV ], “HEUR/Malware”
kapjbzy.dll:
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “Trojan:Win32/Delf.AT!dll”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.ebw”
[ McAfee ], “PWS-OnlineGames.i”
[ Panda ], “Generic”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ Fortinet ], “Delagen.A”
[ HBEDV ], “TR/PSW.OnlineGames.ebw”
[ Norman ], “Trojan W32/Malware.AZKA”
rarjbpi.dll:
[ Trend ], “TSPY_ONLINEG.IRZ”
kawdbzy.dll:
[ Trend ], “TSPY_ONLINEG.IRZ”
rsmyepm.dll:
[ Trend ], “TSPY_ONLINEG.ISZ”
kafyeaz.exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
19[1].exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
rsjzbsp.exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
18[1].exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
kvdxcis.exe:
[ Trend ], “TSPY_ONLINEG.IPA”
17[1].exe:
[ Trend ], “TSPY_ONLINEG.IPA”
ratbftl.exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
16[1].exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
kaqhfaz.exe:
[ Trend ], “TSPY_ONLINEG.ISZ”
14[1].exe:
[ Trend ], “TSPY_ONLINEG.ISZ”
kapjbaz.exe:
[ Trend ], “TROJ_SYSTEMHI.KS”
13[1].exe:
[ Trend ], “TROJ_SYSTEMHI.KS”
sidjaaz.exe:
[ Trend ], “TSPY_ONLINEG.IOX”
12[1].exe:
[ Trend ], “TSPY_ONLINEG.IOX”
raqjbtl.exe:
[ Trend ], “TSPY_ONLINEG.HZY”
10[1].exe:
[ Trend ], “TSPY_ONLINEG.HZY”
avzxdst.exe:
[ Trend ], “TROJ_SYSTEMHI.KV”
9[1].exe:
[ Trend ], “TROJ_SYSTEMHI.KV”
7[1].exe:
[ Trend ], “TSPY_ONLINEG.IDU”
IGM.exe:
[ Trend ], “TSPY_LEGMIR.CHY”
136741MM.DLL:
[ Trend ], “TSPY_LEGMIR.CHX”
6[1].exe:
[ Trend ], “TSPY_LEGMIR.CHY”
rarjbtl.exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
5[1].exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
kawdbaz.exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
4[1].exe:
[ Trend ], “TSPY_ONLINEG.IRZ”
rsmyesp.exe:
[ Trend ], “TSPY_ONLINEG.ISZ”
LYMANGR.DLL:
[ Trend ], “TSPY_ONLINE.BD”
LYLOADER.EXE:
[ Trend ], “TSPY_ONLINE.BD”
2[1].exe:
[ Trend ], “TSPY_ONLINEG.ISZ”
1[1].exe:
[ Trend ], “TSPY_ONLINE.BD”
0[1].exe:
[ Trend ], “TSPY_ONLINEG.HEN”
0.exe:
[ Trend ], “TSPY_ONLINEG.HEN”
sedrsvedt.exe:
[ Trend ], “TROJ_SYSTEMHI.FJ”
014[1].exe:
[ Trend ], “TROJ_SYSTEMHI.FJ”
kafyezy.dll:
[ Trend ], “TSPY_ONLINEG.IRZ”
rsjzbpm.dll:
[ Trend ], “TSPY_ONLINEG.IRZ”
ratbfpi.dll:
[ Trend ], “TSPY_ONLINEG.IRZ”
kaqhfzy.dll:
[ Trend ], “TSPY_ONLINEG.ISZ”

女人國 women's shopping community portal website injected with a malicious link

October 04, 2007 – 17:03:00

The 女人國 women's shopping community portal website has been injected with a malicious link; the malware is TROJ_DLOADER.PMG. Anyone who has recently browsed this page should check their computer as soon as possible, and please do not browse this site for the time being, to avoid infection.

The malicious link was placed on the homepage and some other pages (check the remaining pages carefully too):

In addition, their contact page is also affected:

After execution, the following behaviour was observed:

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\help[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\Ms06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\update[1].exe
C:\WINDOWS\~Temp2654.tmp

As of 2007/10/4 @ 16:30, the following antivirus products detect these malicious files (for reference only):

update[1].exe:
[ Trend ], “TROJ_DLOADER.PMG”
~Temp2654.tmp:
[ Trend ], “TROJ_DLOADER.PMG”
help[1].htm:
[ Sophos ], “Mal/XDwif-A”
Ms06014[1].htm:
[ Kaspersky ], “Trojan-Downloader.JS.Psyme.kf”
[ HBEDV ], “JS/Dldr.Psyme.KF”
[ Rising ], “Trojan.DL.JS.Agent.lio”

創意先進有限公司 (HOT) website injected with a malicious link

October 04, 2007 – 16:55:00

The 創意先進有限公司 (HOT) website has been injected with a malicious link; the malware is PWS-Lineage. Anyone who has recently browsed this page should check their computer as soon as possible, and please do not browse this site for the time being, to avoid infection (this malware steals account names and passwords).

The malicious link was placed on the homepage and some other pages (check the remaining pages carefully too):

After execution, the following behaviour was observed:

[DLL injection]
C:\WINDOWS\Web\printers\images\rinter.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\gfdgj45.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\614001[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\717001[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\2003[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ah[1].c
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\laog[1].htm
C:\WINDOWS\Web\printers\images\rinter.dll
C:\WINDOWS\Web\printers\images\rinter.exe

[Added COM/BHO]
{7152C68A-D93C-49BF-AFEF-6B4576849A7E}-C:\WINDOWS\Web\printers\images\rinter.dll

As of 2007/10/4 @ 14:24, the following antivirus products detect these malicious files (for reference only):

614001[1].htm:
[ Trend ], “VBS_PSYME.AWI”
717001[1].htm:
[ Trend ], “JS_AGENT.AAJP”
ah[1].c:
[ Trend ], “EXPL_ANICMOO.GEN”
rinter.dll:
[ Trend ], “Possible_Infostl”
2003[1].exe:
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact”
[ McAfee ], “PWS-Lineage”
[ Fortinet ], “Lineage!tr.pws”
[ HBEDV ], “TR/PSW.Lineage.UZH.65”
gfdgj45.com:
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact”
[ McAfee ], “PWS-Lineage”
[ Fortinet ], “Lineage!tr.pws”
[ HBEDV ], “TR/PSW.Lineage.UZH.65”
laog[1].htm:
[ McAfee ], “ObfuscatedHtml”
rinter.exe:
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact”
[ McAfee ], “PWS-Lineage”
[ Fortinet ], “Lineage!tr.pws”
[ HBEDV ], “TR/PSW.Lineage.UZH.65”

Changhua Show Chwan Memorial Hospital (彰化秀傳紀念醫院) website injected with a malicious link

October 04, 2007 – 16:46:00

The Changhua Show Chwan Memorial Hospital (彰化秀傳紀念醫院) website has been injected with a malicious link (at the moment the malicious link cannot be reached over Chunghwa Telecom ADSL; I am not sure whether other ADSL providers can reach it). Anyone who has recently browsed this page should check their computer as soon as possible, and please do not browse this site for the time being, to avoid infection.

The malicious link was placed in newpage6153.htm (other pages may need careful checking too):

Overseas Chinese Institute of Technology (僑光技術學院) website injected with a malicious link

October 04, 2007 – 16:34:00

The Overseas Chinese Institute of Technology (僑光技術學院) website has been injected with a malicious link; the malware is TROJ_DELF.HYF. Anyone who has recently browsed this page should check their computer as soon as possible, and please do not browse this site for the time being, to avoid infection. (Credit: Jimau)

The malicious link was placed in some pages (np3.htm, stenter.htm; the others may need careful checking too):

After execution, the following behaviour was observed:

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\real[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\764994885[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\main[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\css[1].js
C:\WINDOWS\rising639.exe
C:\WINDOWS\system32\drivers\KrnDigger.SYS
C:\WINDOWS\system32\lo.dll
C:\WINDOWS\system32\ss.exe

As of 2007/10/4 @ 14:19, the following antivirus products detect these malicious files (for reference only):

rising639.exe:
[ Trend ], “TROJ_DELF.HYF”
css[1].js:
[ Alpha_Gen ], “Possible_EncScr”
[ Kaspersky ], “Trojan-Downloader.JS.Psyme.mr”
[ HBEDV ], “JS/Dldr.MarcoMedia”
KrnDigger.SYS:
[ Panda ], “Trj/Agent.GII”
[ Nod32 ], “Win32/RiskWare.PsUtils.18 application”
[ Fortinet ], “HackerTool/PsUtils”
[ HBEDV ], “SPR/Tool.PsUtils.18”
[ Rising ], “RootKit.Win32.Agent.ngr”
ss.exe:
[ Beta_Gen ], “AP_MALPK-2”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ Sophos ], “Mal/Packer”
[ Panda ], “Trj/Agent.DPE”
[ Nod32 ], “Win32/RiskWare.PsUtils.18 application”
[ Fortinet ], “HackerTool/PsUtils”
[ HBEDV ], “SPR/HideProcess.B.2”
[ Norman ], “Security Risk W32/Suspicious_U.gen”