November 2007

Hsinchu City Cultural Affairs Bureau (新竹市文化局) website injected with malicious link

November 30, 2007 – 11:06:00

The Hsinchu City Cultural Affairs Bureau website has been injected with a malicious link; the malware involved is Backdoor:Win32/PcClient. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for the time being to avoid infection. (Credit: anonymous reader)

The malicious link/code was placed in the home page (the other pages should probably be checked carefully as well):

After execution, the following behavior was observed:

[DLL injection]
C:\WINDOWS\system32\ncepjn.dll

[Added service]
NAME: ymutexfy
DISPLAY: ymutexfy
FILE: \??\C:\WINDOWS\system32\drivers\ncepjn.sys

As of 2007/11/29 @ 16:01, these malicious files were already being detected by a number of antivirus products (for reference only).

Yuanzhao Online Bookstore (元照網路書店) website injected with malicious link

November 30, 2007 – 10:49:00

The Yuanzhao Online Bookstore website has been injected with a malicious link; the malware involved is TROJ_HARNIG.CW. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for the time being to avoid infection. (Credit: Jimau)

The malicious link/code was placed in index.asp (the other pages should probably be checked carefully as well):

Decoded, it reads:

After execution, the following behavior was observed:

[Added process]
C:\WINDOWS\system32\com\SMSS.EXE
C:\WINDOWS\system32\com\LSASS.EXE
C:\WINDOWS\system32\drivers\alg.exe

[DLL injection]
C:\WINDOWS\system32\Com\LSASS.EXE
C:\WINDOWS\system32\Com\netcfg.dll
C:\WINDOWS\system32\Com\SMSS.EXE
C:\WINDOWS\system32\dnsq.dll

[Added COM/BHO]
{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}-C:\WINDOWS\system32\com\netcfg.dll
{D9901239-34A2-448D-A000-3705544ECE9D}-C:\WINDOWS\system32\com\netcfg.dll

As of 2007/11/29 @ 12:27, these malicious files were already being detected by a number of antivirus products (for reference only).

National Taiwan Normal University Mandarin Training Center (國立台灣師範大學國語教學中心) website hacked and injected with malware

November 30, 2007 – 10:38:00

The National Taiwan Normal University Mandarin Training Center website was hacked and had malware planted on it, although the malware can no longer be downloaded. The point to note here is that this site may well have a malicious link or malicious code injected into it, so its administrators should identify the security vulnerability in the system or software and patch it as soon as possible, rather than merely removing or modifying the defaced files.

Home page:

Defaced page:

Google search results (it has been hacked many times and still has not been fixed):

The malware link was (now dead, but the original URL appears to have belonged to a legitimate site):

Taipei Magazine Business Association (台北市雜誌商業同業公會) website again injected with malicious link

November 28, 2007 – 16:17:00

Taiwan Security Equipment and Service Industry Association (台灣安全設備與服務產業協會) website injected with malicious link

November 27, 2007 – 12:53:00

The Taiwan Security Equipment and Service Industry Association website has been injected with a malicious link. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for the time being to avoid infection.

The malicious link/code was placed in news01.asp (the other pages should probably be checked carefully as well):

After execution, the following behavior was observed:

[DLL injection]
C:\WINDOWS\Help\F3A94B4F83BD.DLL

[Added COM/BHO]
{2B5174CE-5BFF-4FC3-B9BD-34EF88004AB1}-C:\WINDOWS\HELP\F3A94B4F83BD.DLL

As of 2007/11/28 @ 02:04, these malicious files were already being detected by a number of antivirus products (for reference only).

Kaohsiung County Government Water Resources Bureau (高雄縣政府水利局) website injected with malicious link

November 26, 2007 – 13:04:00

The Kaohsiung County Government Water Resources Bureau website has been injected with a malicious link. Anyone who has browsed this site recently should check their computer as soon as possible (and check thoroughly, because it drops a large number of malicious files), and everyone should avoid visiting the site for the time being to avoid infection.

Note: once this malware runs, it spawns a large number of malicious processes and can easily crash the system.

The malicious link/code was placed in the home page (the other pages should probably be checked carefully as well):

The screen after execution (it no longer seems to run now; not sure why):

Nuren Guo (女人國) women's shopping community portal again injected with malicious link

November 26, 2007 – 12:55:00

The Nuren Guo women's shopping community portal has again been injected with a malicious link; the malware involved is Trojan-PSW.Win32.OnLineGames.dr. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for the time being to avoid infection.

The malicious link/code was placed in the home page (the other pages should probably be checked carefully as well) and is hosted on their own site:

After execution, the following behavior was observed:

[Added service]
NAME: Winsysser
DISPLAY: WindowsServer
FILE: C:\WINDOWS\system32\ddos.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\~V5SFDYCLNTKs.ExE
C:\Documents and Settings\Administrator\Local Settings\Temp\~V5SFDYCLNTKs.VbS
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\bot[1].exe
C:\WINDOWS\system32\ddos.exe

As of 2007/11/23 @ 17:28, these malicious files were already being detected by a number of antivirus products (for reference only).

Taiwan Cockatiel Club (台灣小冠鸚鵡俱樂部) website injected with malicious link

November 26, 2007 – 12:46:00

The Taiwan Cockatiel Club website has been injected with a malicious link; the malware involved is TSPY_LINEAGE.GLP. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for the time being to avoid infection.

The malicious link/code was placed in the home page (the other pages should probably be checked carefully as well):

After execution, the following behavior was observed:

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\WINDOWS\Web\printers\images\ndmai.dll

[Added COM/BHO]
{7152C68A-D93C-49BF-AFEF-6B4576849A7E}-C:\WINDOWS\Web\printers\images\ndmai.dll

As of 2007/11/23 @ 17:30, these malicious files were already being detected by a number of antivirus products (for reference only).

Shintori (新都里) restaurant website hacked

November 23, 2007 – 17:29:00

The Shintori restaurant website has been hacked. The point to note here is that this site may well have a malicious link or malicious code injected into it, so its administrators should identify the security vulnerability in the system or software and patch it as soon as possible, rather than merely removing or modifying the defaced files.

Home page before the hack:

Home page after the hack:

For details, see Turk-h

NCCU Department of Statistics Alumni Association (政大統計系系友會) website injected with malicious link

November 20, 2007 – 09:24:00

Chiaokuang Department of Applied Chinese (僑光應用華語文系) website injected with malicious link

November 20, 2007 – 09:11:00

The Chiaokuang Department of Applied Chinese website has been injected with a malicious link; the malware involved is Trojan-PSW.Win32.OnLineGames.idg. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for the time being to avoid infection.

The malicious link/code was placed in the home page (the other pages should probably be checked carefully as well):

After execution, the following behavior was observed:

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\upxdnd.dll

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\drivers\pcidisk.sys

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=upxdnd
Data=C:\WINDOWS\upxdnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=DbgHlp32
Data=C:\WINDOWS\DbgHlp32.exe

As of 2007/11/19 @ 13:50, these malicious files were already being detected by a number of antivirus products (for reference only).

Kuomintang (中國國民黨) website again injected with malicious link :-(

November 14, 2007 – 09:05:00

Note: the malicious file is hosted on the Kuomintang website itself, so "website reputation rating" technology may fail to block it.

The Kuomintang website has again been injected with a malicious link; the malware involved is Backdoor.Win32.PcClient.bal or Rootkit/PcClient.FK. Anyone who has browsed this site recently should check their computer as soon as possible, and everyone should avoid visiting the site for the time being to avoid infection.

The malicious link/code was placed in main.asp (the other pages should probably be checked carefully as well):

After execution, the following behavior was observed:

[DLL injection]
C:\WINDOWS\system32\clrptm.dll

[Added service]
NAME: yysjstwz
DISPLAY: yysjstwz
FILE: \??\C:\WINDOWS\system32\drivers\clrptm.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\temp003[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\category1_1_1_4_3[1].htm
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\WINDOWS\system32\clrptm.dll
C:\WINDOWS\system32\drivers\clrptm.sys

As of 2007/11/14 @ 09:00, these malicious files were already being detected by a number of antivirus products (for reference only).

幸運草網站又被植入惡意連結

2007 年 11 月 12 日 – 23:21:00

幸運草網站又被植入惡意連結,此惡意程式為 TROJ_GENETIK.GM,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒。

The malicious link is placed in the home page (other pages may also need careful checking):

After execution, it exhibits the following behavior:

[DLL injection]
C:\WINDOWS\system32\msavpw0.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\cn_Ajax[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\cn[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cn[1].exe
C:\WINDOWS\system32\msavpw0.dll

[ Added COM/BHO ]
{86AAC8D7-BA19-48AC-9269-3C76A52642EC}-C:\WINDOWS\system32\msavpw0.dll

As of now (2007/11/08 @ 13:39), the following antivirus products detect these malicious files (for reference only):

msavpw0.dll:
[ Trend ], “Possible_Strat-6″
cn[1].exe:
[ Trend ], “TROJ_GENETIK.GM”
cn_Ajax[1].htm:
[ Microsoft ], “[->(SCRIPT0000)->(EmbeddedCode)->(SCRIPT0000)]:TrojanDownloader:VBS/Agent.EI”
[ Fortinet ], “VBS/Small.DR!tr.dldr”
[ HBEDV ], “HEUR/Exploit.HTML”
[ Ewido ], “Downloader.Agent.m”

Without a change in attitude, further intrusions are hard to avoid

November 08, 2007 – 10:31:00

This news story illustrates the attitude of most compromised enterprises today:

Excerpt from the news story:
[Reporter 吳幸樺 (Wu Hsing-hua) / Tainan report]
[...] NCKU stated that because the library was undergoing an evaluation these two days, the firewall had been temporarily loosened, which is how the hacker got in; fortunately the hacker's aim was only a prank, and the computer database was not damaged.

National Cheng Kung University stated that the school was holding an evaluation these two days, located in the library, and had to receive a large volume of data, so the firewall was temporarily relaxed; unexpectedly, this gave the hacker an opportunity to break in.

NCKU stated, [...], fortunately it was only a harmless prank, and no data was stolen nor any system damaged.

  • Covering up and glossing over: "because of such-and-such a reason, we got compromised." What this really says is that the compromised enterprises never established a "standard security incident handling procedure" at all.
  • "No user data was stolen": who can verify that claim? Ideally, legislation should require enterprises to submit to examination by a competent, impartial body and to publish the results.
  • Systems are rarely reviewed for security vulnerabilities: they simply lack the ability to investigate how the system was actually compromised.
  • "We have already installed the relevant security software": the key question is not how much security software is installed, but whether anyone knows how to use it, and whether anyone can analyze the logs those tools produce.

The 尖端科技 military magazine website has been injected with a malicious link

November 08, 2007 – 09:39:00

The 尖端科技 military magazine website has been injected with a malicious link; the malware is Trojan-PSW.Win32.OnLineGames.guz. Anyone who has visited this page recently should check their computer as soon as possible, and please avoid browsing this site for the time being so as not to get infected. (Credit: Jimau)

The malicious link is placed in index.asp (other pages may also need careful checking):

After execution, it exhibits the following behavior:

[Added process]
C:\WINDOWS\system32\kawdcaz.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\IGM.exe
C:\WINDOWS\IGW.exe
C:\WINDOWS\system32\avzxest.exe
C:\WINDOWS\system32\kapjdaz.exe
C:\WINDOWS\system32\raqjdtl.exe
C:\WINDOWS\system32\avwldst.exe
C:\WINDOWS\system32\ratbgtl.exe
C:\WINDOWS\system32\avwgest.exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\WINDOWS\system32\avwgemn.dll
C:\WINDOWS\system32\avwldmn.dll
C:\WINDOWS\system32\avzxemn.dll
C:\WINDOWS\system32\dh3atl.dll
C:\WINDOWS\system32\dhatl.dll
C:\WINDOWS\system32\djatl.dll
C:\WINDOWS\system32\jzatl.dll
C:\WINDOWS\system32\kapjdzy.dll
C:\WINDOWS\system32\kawdczy.dll
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\myatl.dll
C:\WINDOWS\system32\qqhxatl.dll
C:\WINDOWS\system32\raqjdpi.dll
C:\WINDOWS\system32\raqjdtl.exe
C:\WINDOWS\system32\ratbgpi.dll
C:\WINDOWS\system32\ratbgtl.exe
C:\WINDOWS\system32\rxjhatl.dll
C:\WINDOWS\system32\sqmapi32.dll

[Added service]
NAME: WS2IFSL (a legitimate service)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

NAME: Wdswsdewn
DISPLAY: Telephotsgoogle
FILE: C:\WINDOWS\system32\serdst.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDEG32.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp87.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\014[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\11[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\15[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\7[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\17[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\5[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\9[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\0[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\16[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\4[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\8[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1299644[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\6[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ki[1].htm
C:\WINDOWS\136741MM.DLL
C:\WINDOWS\136741WL.DLL
C:\WINDOWS\136741WO.DLL
C:\WINDOWS\Fonts\chqiaur.fon
C:\WINDOWS\Fonts\chtiaur.fon
C:\WINDOWS\Fonts\enpoafx.fon
C:\WINDOWS\Fonts\enweafx.fon
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\IGM.exe
C:\WINDOWS\IGW.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\system32\0.exe
C:\WINDOWS\system32\avwgein.dll
C:\WINDOWS\system32\avwgemn.dll
C:\WINDOWS\system32\avwgest.exe
C:\WINDOWS\system32\avwldin.dll
C:\WINDOWS\system32\avwldmn.dll
C:\WINDOWS\system32\avwldst.exe
C:\WINDOWS\system32\avzxein.dll
C:\WINDOWS\system32\avzxemn.dll
C:\WINDOWS\system32\avzxest.exe
C:\WINDOWS\system32\dh3atl.dll
C:\WINDOWS\system32\dhatl.dll
C:\WINDOWS\system32\djatl.dll
C:\WINDOWS\system32\jzatl.dll
C:\WINDOWS\system32\kapjdaz.exe
C:\WINDOWS\system32\kapjdcs.dll
C:\WINDOWS\system32\kapjdzy.dll
C:\WINDOWS\system32\kawdcaz.exe
C:\WINDOWS\system32\kawdccs.dll
C:\WINDOWS\system32\kawdczy.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\mseam.sys
C:\WINDOWS\system32\myatl.dll
C:\WINDOWS\system32\qqhxatl.dll
C:\WINDOWS\system32\raqjdni.dll
C:\WINDOWS\system32\raqjdpi.dll
C:\WINDOWS\system32\raqjdtl.exe
C:\WINDOWS\system32\ratbgni.dll
C:\WINDOWS\system32\ratbgpi.dll
C:\WINDOWS\system32\ratbgtl.exe
C:\WINDOWS\system32\rxjhatl.dll
C:\WINDOWS\system32\serdst.exe
C:\WINDOWS\system32\sqmapi32.dll
C:\WINDOWS\system32\zhtuatl.dll

[Added LSP]
ID: 1026
NAME: MSAPI Tcpip [UDP/IP] (C:\WINDOWS\system32\sqmapi32.dll)

ID: 1027
NAME: MSAPI Tcpip [TCP/IP] (C:\WINDOWS\system32\sqmapi32.dll)

[Added COM/BHO]
{38907901-1416-3389-9981-372178569983}-C:\WINDOWS\system32\kawdczy.dll
{44783410-4F90-34A0-7820-3230ACD05F44}-C:\WINDOWS\system32\raqjdpi.dll
{4960356A-458E-DE24-BD50-268F589A56A4}-C:\WINDOWS\system32\avwldmn.dll
{4A321487-4977-D98A-C8D5-6488257545A4}-C:\WINDOWS\system32\kapjdzy.dll
{5859245F-345D-BC13-AC4F-145D47DA34F5}-C:\WINDOWS\system32\avzxemn.dll
{5A1247C1-53DA-FF43-ABD3-345F323A48D5}-C:\WINDOWS\system32\avwgemn.dll
{76650011-3344-6688-4899-345FABCD1567}-C:\WINDOWS\system32\ratbgpi.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\IGM.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysW
Data=C:\WINDOWS\swchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSys
Data=C:\WINDOWS\IGW.exe

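To make behavior lists like the one above usable for host triage, here is an added example (it is not the blog's own code, nor part of the sandbox that produced the report) that parses this report layout into structured indicators: a Python parser for the [Added …] sections, run over an excerpt constructed from values in this post. It treats a service the author annotated as legitimate (WS2IFSL) as a non-indicator, strips the NT `\??\` prefix the sandbox prints for driver paths, and removes the `[1]` suffix that Internet Explorer adds to cached object names, since that suffix is a cache artifact rather than part of the file name the site served. The function names and the report excerpt are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the blog's sandbox-report layout; the values come from
# the post above, the excerpt itself is assembled here for the example.
SAMPLE_REPORT = r"""
[Added process]
C:\WINDOWS\system32\kawdcaz.exe

[Added service]
NAME: WS2IFSL (a legitimate service)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

NAME: Wdswsdewn
DISPLAY: Telephotsgoogle
FILE: C:\WINDOWS\system32\serdst.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\2[1].exe

[Added LSP]
ID: 1026
NAME: MSAPI Tcpip [UDP/IP] (C:\WINDOWS\system32\sqmapi32.dll)

[Added COM/BHO]
{76650011-3344-6688-4899-345FABCD1567}-C:\WINDOWS\system32\ratbgpi.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\IGM.exe
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")            # "[Added file]" or "[ Added COM/BHO ]"
CLSID_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})-(.+)$")  # "{GUID}-C:\path\x.dll"
TRAIL_PAREN_RE = re.compile(r"^(.*?)\s*\((.+)\)$")        # "NAME: foo (annotation)"
IE_CACHE_RE = re.compile(r"\[\d+\](?=\.[^.\\]+$|$)")      # IE cache suffix in "name[1].ext"
KV_SECTIONS = ("Added service", "Added LSP", "Added registry")


def _kv(line):
    """Split 'KEY: value' or 'KEY=value'; None for lines that are neither (a bare registry key path)."""
    for sep in (": ", "="):
        if sep in line:
            key, val = line.split(sep, 1)
            return key.strip().lower(), val.strip()
    return None


def parse_report(text):
    """Return {section: [entries]}; path sections yield strings, the others dicts."""
    sections = defaultdict(list)
    current, block = None, {}

    def flush():
        nonlocal block
        if block:
            sections[current].append(block)
            block = {}

    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            flush()
            current = header.group(1)
        elif current is None or not line:
            flush()                       # a blank line ends a multi-line entry
        elif current in KV_SECTIONS:
            kv = _kv(line)
            if kv is None:                # bare "HKLM\..." line opens a registry entry
                flush()
                block["key"] = line
            else:
                key, val = kv
                if key == "name" and (m := TRAIL_PAREN_RE.match(val)):
                    val, extra = m.groups()   # service: author's note; LSP: the provider DLL
                    block["note" if current == "Added service" else "file"] = extra
                block[key] = val
        elif current == "Added COM/BHO":
            m = CLSID_RE.match(line)
            sections[current].append({"clsid": m.group(1), "file": m.group(2)} if m else {"raw": line})
        else:
            sections[current].append(line)
    flush()
    return dict(sections)


def norm_path(path):
    """Lower-case and drop the NT '\\??\\' prefix the sandbox prints for driver files."""
    return (path[4:] if path.startswith("\\??\\") else path).lower()


def ie_cache_basename(path):
    """'...\\Content.IE5\\SEUIMLSE\\2[1].exe' -> '2.exe': the [n] is IE's cache naming, not the served name."""
    return IE_CACHE_RE.sub("", path.rsplit("\\", 1)[-1])


def host_indicators(report):
    """Collapse a parsed report into the sets a responder compares against a suspect host."""
    ind = {"files": set(), "services": set(), "run_values": set(), "clsids": set(), "lsp_dlls": set()}
    for sec in ("Added process", "DLL injection", "Added file"):
        ind["files"].update(norm_path(p) for p in report.get(sec, []))
    for svc in report.get("Added service", []):
        if "note" in svc:                 # annotated by the author as legitimate: not an indicator
            continue
        ind["services"].add(svc["name"])
        ind["files"].add(norm_path(svc["file"]))
    for lsp in report.get("Added LSP", []):
        if "file" in lsp:
            ind["lsp_dlls"].add(norm_path(lsp["file"]))
    for bho in report.get("Added COM/BHO", []):
        if "clsid" in bho:
            ind["clsids"].add(bho["clsid"].upper())
            ind["files"].add(norm_path(bho["file"]))
    for reg in report.get("Added registry", []):
        if reg.get("key", "").lower().endswith(r"\currentversion\run"):
            ind["run_values"].add(reg["value"])
            ind["files"].add(norm_path(reg["data"]))
    return ind


if __name__ == "__main__":
    for kind, values in host_indicators(parse_report(SAMPLE_REPORT)).items():
        print(kind, sorted(values))
```

The resulting sets (file paths, service names, Run values, BHO CLSIDs, Winsock LSP DLLs) are the items to compare against a suspect host's Run key, service list, BHO registrations and Winsock catalog. The vendor detection names in the tables below are scanner-specific labels and are deliberately not treated as indicators.
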
As of now (2007/11/07 @ 13:35), the following antivirus products detect these malicious files (for reference only):

mseam.sys:
[ Symantec ], “Infostealer”
[ Nod32 ], “a variant of Win32/PSW.OnLineGames.NFC trojan”
sqmapi32.dll:
[ IntelliTrap ], “PAK_Generic.006”
[ Beta_Gen ], “Possible_Crypt-6”
[ Microsoft ], “VirTool:Win32/Obfuscator.C”
[ Kaspersky ], “PAK:UPack, Trojan-PSW.Win32.OnLineGames.guz”
[ McAfee ], “PWS-OnlineGames.j”
[ McAfee_Beta ], “PWS-OnlineGames.j”
[ Sophos ], “Mal/Packer”
[ Panda ], “Suspicious file”
[ CAV ], “Win32/Spibe!generic”
[ Nod32 ], “a variant of Win32/PSW.OnLineGames.NHF trojan”
[ Fortinet ], “suspicious”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
[ CAV Beta ], “Win32/Spibe!generic”
tmp87.tmp:
[ IntelliTrap ], “PAK_Generic.006”
[ Beta_Gen ], “Possible_Crypt-6”
[ Microsoft ], “VirTool:Win32/Obfuscator.C”
[ Kaspersky ], “PAK:UPack, Trojan-PSW.Win32.WOW.adu”
[ McAfee ], “PWS-OnlineGames.j”
[ McAfee_Beta ], “PWS-OnlineGames.j”
[ Sophos ], “Mal/Packer”
[ Panda ], “Suspicious file”
[ CAV ], “Win32/Spibe!generic”
[ Nod32 ], “a variant of Win32/PSW.OnLineGames.NHF trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/PSW.Wow.adu”
[ Norman ], “Trojan W32/Agent.DASF”
[ Sunbelt ], “VIPRE.Suspicious”
[ CAV Beta ], “Win32/Spibe!generic”
2[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “AP_MALPK-2”
[ Beta_Gen ], “AP_MALPK-2”
[ Symantec ], “Infostealer.Gampass”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.WOW.adu”
[ McAfee ], “New Malware.aj !!”
[ McAfee_Beta ], “New Malware.aj !!”
[ Sophos ], “[FILE:0000]:Mal/Packer, Mal/Packer”
[ CAV ], “Win32/Zuten!generic”
[ Nod32 ], “probably a variant of Win32/PSW.OnLineGames.NGU trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/CrashSystem.C”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
3[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “AP_MALPK-2”
[ Beta_Gen ], “AP_MALPK-2”
[ Symantec ], “Infostealer.Gampass”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ McAfee_Beta ], “New Malware.aj !!”
[ Sophos ], “[FILE:0000]:Mal/Packer, Mal/Packer”
[ CAV ], “Win32/Zuten!generic”
[ Nod32 ], “probably a variant of Win32/PSW.OnLineGames.NGU trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/PSW.Onlineg.KC.2”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
5[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “AP_MALPK-2”
[ Beta_Gen ], “AP_MALPK-2”
[ Symantec ], “Infostealer.Gampass”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ McAfee_Beta ], “New Malware.aj !!”
[ Sophos ], “Mal/Packer”
[ CAV ], “Win32/Zuten!generic”
[ Nod32 ], “probably a variant of Win32/PSW.OnLineGames.NGU trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/CrashSystem.C”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
12[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “AP_MALPK-2”
[ Beta_Gen ], “AP_MALPK-2”
[ Symantec ], “Infostealer.Gampass”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.gyu”
[ McAfee ], “New Malware.aj !!”
[ McAfee_Beta ], “New Malware.aj !!”
[ Sophos ], “[FILE:0000]:Mal/Packer, Mal/Packer”
[ CAV ], “Win32/Zuten!generic”
[ Nod32 ], “probably a variant of Win32/PSW.OnLineGames.NGU trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/PSW.Onlineg.KC.2”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
14[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “AP_MALPK-2”
[ Beta_Gen ], “AP_MALPK-2”
[ Symantec ], “Infostealer”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ McAfee_Beta ], “New Malware.aj !!”
[ Sophos ], “[FILE:0000]:Mal/Packer, Mal/Packer”
[ CAV ], “Win32/Zuten!generic”
[ Nod32 ], “probably a variant of Win32/PSW.OnLineGames.NGU trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/PSW.Onlineg.KC.2”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
17[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “AP_MALPK-2”
[ Beta_Gen ], “AP_MALPK-2”
[ Symantec ], “Infostealer.Gampass”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ McAfee_Beta ], “New Malware.aj !!”
[ Sophos ], “Mal/Packer”
[ CAV ], “Win32/Zuten!generic”
[ Nod32 ], “probably a variant of Win32/PSW.OnLineGames.NGU trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/CrashSystem.C”
[ Norman ], “Trojan W32/Delf.AYPE”
[ Sunbelt ], “VIPRE.Suspicious”
18[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “AP_MALPK-2”
[ Beta_Gen ], “AP_MALPK-2”
[ Symantec ], “Infostealer.Gampass”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ McAfee_Beta ], “New Malware.aj !!”
[ Sophos ], “[FILE:0000]:Mal/Packer, Mal/Packer”
[ Nod32 ], “probably a variant of Win32/PSW.OnLineGames.NGU trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/PSW.Onlineg.KC.2”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
19[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “AP_MALPK-2”
[ Beta_Gen ], “AP_MALPK-2”
[ Symantec ], “Infostealer.Gampass”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ McAfee_Beta ], “New Malware.aj !!”
[ Sophos ], “[FILE:0000]:Mal/Packer, Mal/Packer”
[ CAV ], “Win32/Zuten!generic”
[ Nod32 ], “probably a variant of Win32/PSW.OnLineGames.NGU trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/CrashSystem.C”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
LYLOADER.exe:
[ IntelliTrap ], “PAK_Generic.006”
[ Alpha_Gen ], “AP_MALPK-2”
[ Beta_Gen ], “AP_MALPK-2”
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “[->(Upack)]:TrojanSpy:Win32/Agent.HZ”
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.gym”
[ McAfee ], “New Malware.aj !!”
[ McAfee_Beta ], “New Malware.aj !!”
[ Sophos ], “Mal/Packer”
[ Panda ], “Trj/Lineage.gen”
[ Panda_Beta ], “Trj/Lineage.gen”
[ CAV ], “Win32/Lolyda!generic”
[ Nod32 ], “a variant of Win32/PSW.Agent.NEC trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/PSW.Online.agb.2”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
[ CAV Beta ], “Win32/Lolyda!generic”
LYMANGR.DLL:
[ IntelliTrap ], “PAK_Generic.001”
[ Beta_Gen ], “Possible_Crypt-6″
[ Symantec ], “Infostealer.Gampass”
[ Microsoft ], “VirTool:Win32/Obfuscator.C”
[ Kaspersky ], “PAK:UPack, Trojan-PSW.Win32.OnLineGames.gyn”
[ McAfee ], “Generic PWS.j”
[ McAfee_Beta ], “Generic PWS.j”
[ Sophos ], “Mal/Packer”
[ CAV ], “Win32/Lolyda!generic”
[ Nod32 ], “a variant of Win32/PSW.OnLineGames.DTR trojan”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/PSW.Online.agb.2”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
[ CAV Beta ], “Win32/Lolyda!generic”
MSDEG32.DLL:
[ IntelliTrap ], “PAK_Generic.001”
[ Beta_Gen ], “Possible_Crypt-6″
[ Microsoft ], “VirTool:Win32/Obfuscator.C”
[ Kaspersky ], “PAK:UPack, Trojan-PSW.Win32.OnLineGames.gyo”
[ Sophos ], “Mal/Packer”
[ CAV ], “Win32/Lolyda!generic”
[ Nod32 ], “a variant of Win32/PSW.OnLineGames.DVV trojan”
[ Fortinet ], “suspicious”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Sunbelt ], “VIPRE.Suspicious”
[ CAV Beta ], “Win32/Lolyda!generic”