2008 一月 | 大砲開講

一月, 2008

聲寶公司網站遭駭且被值入惡意程式

2008 年 01 月 25 日 – 18:23:00

注意：目前此網站尚未修復 (2008/1/25 @ 18:28)

聲寶公司網站遭駭且被值入惡意程式，此惡意程式為 BKDR_JAVAKBD.A/TSPY_MPASS.A，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。閱讀全文 »

惡意程式, 網站安全 | 瀏覽數：805 | 1 迴響 »

全球華文行銷知識庫網站又被植入惡意連結

2008 年 01 月 24 日 – 22:52:00

全球華文行銷知識庫網站又被植入惡意連結，此惡意程式為 Infostealer.Lineage，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。閱讀全文 »

惡意程式, 網站安全 | 瀏覽數：802 | 1 迴響 »

「資安技術教育訓練」準備要開課了

2008 年 01 月 18 日 – 16:59:00

Malware-Test Lab將在今年二、三月舉辦「資安技術教育訓練」，名額有限，額滿不再招生，如果您有興趣的話，請盡速報名。閱讀全文 »

教育訓練 | 瀏覽數：1,116 | 13 迴響 »

情人節未到，風暴蠕蟲先到

2008 年 01 月 16 日 – 14:54:00

情人節快要到了，風暴蠕蟲(Storm Worm)作者也跟著蠢蠢欲動。最近發現很多垃圾郵件中都包含風暴蠕蟲的下載連結，如果不小心點擊連結，那會很慘勒。閱讀全文 »

垃圾郵件, 惡意程式, 網站安全 | 瀏覽數：774 | 1 迴響 »

GSN 政府網際服務網被植入惡意連結

2008 年 01 月 16 日 – 10:40:00

更新資訊：目前已修復

GSN 政府網際服務網被植入惡意連結，此惡意程式為 Backdoor.Win32.Agent.ana，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在 04-03.html，但是指到 202(dot)39(dot)47(dot)197，這台主機應該被駭客完全控制了 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\drum[1].ani
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\update[1].exe
C:\Documents and Settings\All Users\Application Data\Microsoft\back1.reg
C:\Documents and Settings\All Users\Application Data\Microsoft\back2.reg
C:\Documents and Settings\All Users\Application Data\Microsoft\Comon\ctfmon.exe

到目前為止 (2008/1/15 @ 15:19)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

04-03[1].htm:
[ WebWasher ], 『BlockReason.46 (suspicious)』
ctfmon.exe-:
[ Alpha_Gen ], 『Possible_HUPIGON』
[ Kaspersky ], 『Backdoor.Win32.Agent.ana』
[ Sophos ], 『Mal/Dropper-G』
[ CAV ], 『Win32/Lidoor.B』
[ Nod32 ], 『Win32/Agent.ANA trojan』
[ HBEDV ], 『BDS/Agent.bze』
[ Grisoft ], 『Trojan horse BackDoor.Agent.GIX』
[ vba32 ], 『MalwareScope.Trojan-PSW.Game.14″
[ Authentium ], 『W32/Backdoor.ARVK』
[ WebWasher ], 『Trojan.Backdoor.Agent.bze』
[ bitdefender ], 『BehavesLike:Win32.ExplorerHijack』
drum[1].ani:
[ Symantec ], 『Downloader』
[ Microsoft ], 『Exploit:Win32/Anicmoo.A』
[ Kaspersky ], 『Exploit.Win32.IMG-ANI.gen』
[ McAfee ], 『Exploit-ANIfile.c』
[ McAfee_Beta ], 『Exploit-ANIfile.c』
[ Alwil ], 『CVE-2007-0038″
[ Nod32 ], 『a variant of Win32/TrojanDownloader.Ani.Gen trojan』
[ Fortinet ], 『W32/MalFormed_ANI.C』
[ HBEDV ], 『EXP/Ani.Gen』
[ Rising ], 『Hack.SuspiciousAni』
[ Grisoft ], 『Virus found Exploit』
[ WebWasher ], 『Exploit.Ani.Gen』
[ bitdefender ], 『Exploit.Win32.MS05-002.Gen』
server_time[1].htm:
[ WebWasher ], 『BlockReason.46 (suspicious)』
update[1].exe:
[ IntelliTrap ], 『PAK_Generic.001″
[ Alpha_Gen ], 『Possible_HUPIGON』
[ Symantec ], 『Backdoor.Trojan』
[ Kaspersky ], 『PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact』
[ Sophos ], 『[FILE:0000]:Mal/Dropper-G, Mal/Dropper-G』
[ Panda ], 『Suspicious file』
[ Panda_Beta ], 『Suspicious file』
[ Nod32 ], 『a variant of Win32/Agent.BZE trojan』
[ HBEDV ], 『BDS/Agent.bze』
[ eAladdin ], 『Suspicious File [100]『
[ vba32 ], 『MalwareScope.Trojan-PSW.Game.14″
[ Sunbelt ], 『VIPRE.Suspicious』
[ WebWasher ], 『Trojan.Backdoor.Agent.bze』
[ bitdefender ], 『BehavesLike:Win32.ExplorerHijack』

惡意程式, 網站安全 | 瀏覽數：698 | 2 迴響 »

台北市公寓大廈暨社區服務協會網站被植入惡意連結

2008 年 01 月 14 日 – 17:47:00

台北市公寓大廈暨社區服務協會網站被植入惡意連結，此惡意程式為 TSPY_ONLINEG.NSM，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: 匿名網友)

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\system32\gjcsczc.exe
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avwlist.exe
C:\WINDOWS\system32\mszxaab32.dll
C:\WINDOWS\Fonts\kawdjaz.exe
C:\WINDOWS\system32\rsjzasp.exe
C:\WINDOWS\Fonts\raqjltl.exe
C:\WINDOWS\Fonts\rsztosp.exe
C:\WINDOWS\system32\TxoMoU.Exe
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\Fonts\ratbttl.exe
C:\WINDOWS\system32\kvdxsmis.exe
c:\Program Files\lsasso.exe
C:\WINDOWS\system32\gjtmazc.exe
C:\WINDOWS\Fonts\rsjzbsp.exe
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\system32\swrcfac.exe
C:\WINDOWS\Fonts\avwgist.exe
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avwlist.exe
C:\WINDOWS\Fonts\kawdjaz.exe
C:\WINDOWS\Fonts\raqjltl.exe
C:\WINDOWS\system32\avzxmst.exe
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\Fonts\rsmyksp.exe
C:\WINDOWS\Fonts\jsqxbzc.exe
C:\WINDOWS\Fonts\jsqxbzc.exe
C:\WINDOWS\system32\swrcfac.exe
C:\WINDOWS\Fonts\jsqsczc.exe
C:\WINDOWS\Fonts\avwljst.exe
C:\WINDOWS\Fonts\wsmsfax.exe
C:\WINDOWS\system32\okmhdaz.exe
C:\WINDOWS\system32\jsqxazc.exe
C:\WINDOWS\Fonts\rarjftl.exe
C:\WINDOWS\Fonts\gjcsdzc.exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Program Files\Common Files\Microsoft Shared\MSInfo\System76.Ins
C:\Program Files\Common Files\Services\svchost.exe
C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys
C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
C:\WINDOWS\124327MM.DLL
C:\WINDOWS\124327WL.DLL
C:\WINDOWS\Fonts\avwgimn.dll
C:\WINDOWS\Fonts\avwljmn.dll
C:\WINDOWS\Fonts\gjcsdyc.dll
C:\WINDOWS\Fonts\jsqscyc.dll
C:\WINDOWS\Fonts\jsqxbyc.dll
C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\raqjlpi.dll
C:\WINDOWS\Fonts\rarjfpi.dll
C:\WINDOWS\Fonts\ratbtpi.dll
C:\WINDOWS\Fonts\rsjzbpm.dll
C:\WINDOWS\Fonts\rsmykpm.dll
C:\WINDOWS\Fonts\rsztopm.dll
C:\WINDOWS\Fonts\wsmsfzx.dll
C:\WINDOWS\system32\aimivc.dll
C:\WINDOWS\system32\anxitdnwow.dll
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwlimn.dll
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\avzxmmn.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\DirectX10.dll
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\gdmsi32.dll
C:\WINDOWS\system32\gdwli32.dll
C:\WINDOWS\system32\gjcscyc.dll
C:\WINDOWS\system32\gjtmayc.dll
C:\WINDOWS\system32\hrekfp.dll
C:\WINDOWS\system32\IGB_DJOL_1007.dll
C:\WINDOWS\system32\jdzctd.dll
C:\WINDOWS\system32\jsqxayc.dll
C:\WINDOWS\system32\kvdxsmma.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\kxhqcluzx.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\okmhdzy.dll
C:\WINDOWS\system32\oyhkmx.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\rcmwkscdj.dll
C:\WINDOWS\system32\rsjzapm.dll
C:\WINDOWS\system32\swrcfzc.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\whulgh.dll
C:\WINDOWS\system32\WinForm.dll
C:\WINDOWS\system32\wsmsezx.dll
C:\WINDOWS\system32\WSockDrv32.dll
C:\WINDOWS\system32\zeakpn.dll

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\fat32.sys

NAME: PciHdd
DISPLAY: PciHdd
FILE: \??\C:\WINDOWS\system32\drivers\pcihdd.sys

[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Local Settings\Temp\callrun.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\commomds.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDEG32.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\OPE133.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPE98.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPE99.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPEC8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPEED.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPEF3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPEFA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\temp336.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp104.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp105.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp106.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp107.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp108.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp10B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp10D.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp10E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp110.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp111.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp113.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp115.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp117.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp118.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11A.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp120.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp121.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp124.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp125.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp126.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp128.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp129.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp12A.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp12B.tmp
C:\Documents and Settings\Administrator\Lo
cal Settings\Temp\tmp12C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp12E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp12F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp130.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp131.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp132.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpAA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpAB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpAC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpAD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpEA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpEB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpEC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpFD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\370[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a11[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a16[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a22[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a26[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ha[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\jh[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\real[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\s28[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\shell[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\shell[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\shibie[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\vip[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\web[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\Zn3703[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\Zn3703[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\6681666[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a15[1].exe
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a17[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a20[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a24[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\baidu[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\g15[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\g1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\gg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ha[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\s28[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\shell[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\shibie[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\web[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\xx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\101logo[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1531419[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\370[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a23[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a28[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\dm[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\g15[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\gg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ha[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\IENoRun[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ms[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\rl[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\shell[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\table[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\985195[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a21[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a25[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\dm[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\gg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\IE[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\mm_menu[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ms1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\s28[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\s[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\web[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\xx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\Zn3703[1].htm
C:\Documents and Settings\Administrator\ntuser.com
C:\pagefile.pif
C:\Program Files\Common Files\Microsoft Shared\MSInfo\System36.jup
C:\Program Files\Common Files\Microsoft Shared\MSInfo\System76.Ins
C:\Program Files\Common Files\Services\svchost.exe
C:\Program Files\ctfmond.exe
C:\Program Files\ctfmonf.exe
C:\Program Files\ctfmoni.exe
C:\Program Files\ctfmonj.exe
C:\Program Files\ctfmonk.exe
C:\Program Files\Internet Explorer\PLUGINS\anHVaZQ7.exe
C:\Program Files\Internet Explorer\PLUGINS\Bh6I6kyz.exe
C:\Program Files\Internet Explorer\PLUGINS\DV21yAp4.exe
C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys
C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Tao
C:\Program Files\Internet Explorer\PLUGINS\NvWin_5.Jmp
C:\Program Files\Internet Explorer\PLUGINS\Sy_Win7k.Jmp
C:\Program Files\Internet Explorer\PLUGINS\v7FOBoPh.exe
C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Tao
C:\Program Files\lsass6.exe
C:\Program Files\lsass7.exe
C:\Program Files\lsasso.exe
C:\soS.Exe
C:\WINDOWS\124327L.exe
C:\WINDOWS\124327M.exe
C:\WINDOWS\124327MM.DLL
C:\WINDOWS\124327WL.DLL
C:\WINDOWS\AVPSrv.exE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\Fonts\ardasbse.fon
C:\WINDOWS\Fonts\armebsea.fon
C:\WINDOWS\Fonts\avwghina.dll
C:\WINDOWS\Fonts\avwgiin.dll
C:\WINDOWS\Fonts\avwgimn.dll
C:\WINDOWS\Fonts\avwgist.exe
C:\WINDOWS\Fonts\avwliinc.dll
C:\WINDOWS\Fonts\avwljin.dll
C:\WINDOWS\Fonts\avwljmn.dll
C:\WINDOWS\Fonts\avwljst.exe
C:\WINDOWS\Fonts\avzxlin.dll
C:\WINDOWS\Fonts\avzxminc.dll
C:\WINDOWS\Fonts\chqibur.fon
C:\WINDOWS\Fonts\chrebur.fon
C:\WINDOWS\Fonts\chtibur.fon
C:\WINDOWS\Fonts\enwebfx.fon
C:\WINDOWS\Fonts\gejibnd.fon
C:\WINDOWS\Fonts\gemobnd.fon
C:\WINDOWS\Fonts\gezebnd.fon
C:\WINDOWS\Fonts\gjcscssb.dll
C:\WINDOWS\Fonts\gjcsdss.dll
C:\WINDOWS\Fonts\gjcsdyc.dll
C:\WINDOWS\Fonts\gjcsdzc.exe
C:\WINDOWS\Fonts\gjcubxw.fon
C:\WINDOWS\Fonts\gjtmass.dll
C:\WINDOWS\Fonts\gjtoaxw.fon
C:\WINDOWS\Fonts\jshubxw.fon
C:\WINDOWS\Fonts\jsqscss.dll
C:\WINDOWS\Fonts\jsqscyc.dll
C:\WINDOWS\Fonts\jsqsczc.exe
C:\WINDOWS\Fonts\jsqxassb.dll
C:\WINDOWS\Fonts\jsqxbss.dll
C:\WINDOWS\Fonts\jsqxbyc.dll
C:\WINDOWS\Fonts\jsqxbzc.exe
C:\WINDOWS\Fonts\jssgbxw.fon
C:\WINDOWS\Fonts\kawdjaz.exe
C:\WINDOWS\Fonts\kawdjcs.dll
C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\kvdxsmcfb.dll
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\msgubsd.fon
C:\WINDOWS\Fonts\mswubsd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\Fonts\mszhbsd.fon
C:\WINDOWS\Fonts\okmhdcsb.dll
C:\WINDOWS\Fonts\raqjlni.dll
C:\WINDOWS\Fo
nts\raqjlpi.dll
C:\WINDOWS\Fonts\raqjltl.exe
C:\WINDOWS\Fonts\rarjfni.dll
C:\WINDOWS\Fonts\rarjfpi.dll
C:\WINDOWS\Fonts\rarjftl.exe
C:\WINDOWS\Fonts\ratbtni.dll
C:\WINDOWS\Fonts\ratbtpi.dll
C:\WINDOWS\Fonts\ratbttl.exe
C:\WINDOWS\Fonts\rsjzafgb.dll
C:\WINDOWS\Fonts\rsjzbfg.dll
C:\WINDOWS\Fonts\rsjzbpm.dll
C:\WINDOWS\Fonts\rsjzbsp.exe
C:\WINDOWS\Fonts\rsmykfg.dll
C:\WINDOWS\Fonts\rsmykpm.dll
C:\WINDOWS\Fonts\rsmyksp.exe
C:\WINDOWS\Fonts\rsztofg.dll
C:\WINDOWS\Fonts\rsztopm.dll
C:\WINDOWS\Fonts\rsztosp.exe
C:\WINDOWS\Fonts\swrcfcsb.dll
C:\WINDOWS\Fonts\system\ati2evxx.exe
C:\WINDOWS\Fonts\wirebfw.fon
C:\WINDOWS\Fonts\wsmsecja.dll
C:\WINDOWS\Fonts\wsmsfax.exe
C:\WINDOWS\Fonts\wsmsfcj.dll
C:\WINDOWS\Fonts\wsmsfzx.dll
C:\WINDOWS\Fonts\wymoafz.fon
C:\WINDOWS\Fonts\wymobfz.fon
C:\WINDOWS\Kvsc3.exE
C:\WINDOWS\LotusHlp.exe
C:\WINDOWS\MsIMMs32.exE
C:\WINDOWS\MsPrint32D.exe
C:\WINDOWS\NVDispDRV.EXE
C:\WINDOWS\PTSShell.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\SHAProc.exe
C:\WINDOWS\system32\0SvTh.exe
C:\WINDOWS\system32\12SvTh.exe
C:\WINDOWS\system32\18SvTh.exe
C:\WINDOWS\system32\19SvTh.exe
C:\WINDOWS\system32\20SvTh.exe
C:\WINDOWS\system32\3SvTh.exe
C:\WINDOWS\system32\5SvTh.exe
C:\WINDOWS\system32\6SvTh.exe
C:\WINDOWS\system32\7SvTh.exe
C:\WINDOWS\system32\aimivc.dll
C:\WINDOWS\system32\anxitdnwow.dll
C:\WINDOWS\system32\Autorun.Inf
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avwlimn.dll
C:\WINDOWS\system32\avwlist.exe
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\system32\avzxmmn.dll
C:\WINDOWS\system32\avzxmst.exe
C:\WINDOWS\system32\bgktyp.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\Com\comrepl32.exe
C:\WINDOWS\system32\config\AppEventw.cfg
C:\WINDOWS\system32\config\sysEventw.cfg
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\DirectX10.dll
C:\WINDOWS\system32\drivers\msconkt.sys
C:\WINDOWS\system32\drivers\pcibus.sys
C:\WINDOWS\system32\drivers\scvhost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\elucgv.dll
C:\WINDOWS\system32\FTCCompress.dll
C:\WINDOWS\system32\FUEb.CoM
C:\WINDOWS\system32\FUEc.CoM
C:\WINDOWS\system32\FUEx.CoM
C:\WINDOWS\system32\gdmsi32.dll
C:\WINDOWS\system32\gdwli32.dll
C:\WINDOWS\system32\gjcscyc.dll
C:\WINDOWS\system32\gjcsczc.exe
C:\WINDOWS\system32\gjtmayc.dll
C:\WINDOWS\system32\gjtmazc.exe
C:\WINDOWS\system32\hrekfp.dll
C:\WINDOWS\system32\IGB_DJOL_1007.dll
C:\WINDOWS\system32\IGB_DJOL_1007.exe
C:\WINDOWS\system32\ixdttm.dll
C:\WINDOWS\system32\jdzctd.dll
C:\WINDOWS\system32\jsqxayc.dll
C:\WINDOWS\system32\jsqxazc.exe
C:\WINDOWS\system32\kvdxsmis.exe
C:\WINDOWS\system32\kvdxsmma.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\kxhqcluzx.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\mshmsdjs32.dll
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\mszxaab32.dll
C:\WINDOWS\system32\NVDispDrv.dll
C:\WINDOWS\system32\okmhdaz.exe
C:\WINDOWS\system32\okmhdzy.dll
C:\WINDOWS\system32\oyhkmx.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\rcmwkscdj.dll
C:\WINDOWS\system32\REGKEY.hiv
C:\WINDOWS\system32\rsjzapm.dll
C:\WINDOWS\system32\rsjzasp.exe
C:\WINDOWS\system32\sfkxrl.dll
C:\WINDOWS\system32\SHAProc.dll
C:\WINDOWS\system32\swrcfac.exe
C:\WINDOWS\system32\swrcfzc.dll
C:\WINDOWS\system32\taimpo.txt
C:\WINDOWS\system32\TxoMoU.Exe
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\whulgh.dll
C:\WINDOWS\system32\WinForm.dll
C:\WINDOWS\system32\wsmseax.exe
C:\WINDOWS\system32\wsmsezx.dll
C:\WINDOWS\system32\WSockDrv32.dll
C:\WINDOWS\system32\wsvzwl.dll
C:\WINDOWS\system32\wxptdi.sys
C:\WINDOWS\system32\xpsvde.dll
C:\WINDOWS\system32\zeakpn.dll
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\WinForm.exE
C:\WINDOWS\WSockDrv32.exe

[Added COM/BHO]
{12FAACDE-34DA-CCD4-AB4D-DA34485A3421}-C:\WINDOWS\system32\rsjzapm.dll
{1C098A56-F90F-A789-901F-8906546720C1}-C:\WINDOWS\system32\gjtmayc.dll
{1D098345-9012-8750-8910-9128098134D1}-C:\WINDOWS\system32\jsqxayc.dll
{22FAACDE-34DA-CCD4-AB4D-DA34485A3422}-C:\WINDOWS\Fonts\rsjzbpm.dll
{2D098345-9012-8750-8910-9128098134D2}-C:\WINDOWS\Fonts\jsqxbyc.dll
{3A098324-8631-9087-7650-8907643562A3}-C:\WINDOWS\Fonts\jsqscyc.dll
{3FA10261-B890-F432-A453-69F1023513F3}-C:\WINDOWS\system32\gjcscyc.dll
{471B15AD-7A9C-491D-9C19-4E15B12DCE00}-C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys
{4A57CAD1-412F-9547-713F-9641FA3FC7A4}-C:\WINDOWS\system32\okmhdzy.dll
{4bcb7a90-b0ab-498e-81ab-9c6f50f0d977}-IGB_DJOL_1007.dll
{4FA10261-B890-F432-A453-69F1023513F4}-C:\WINDOWS\Fonts\gjcsdyc.dll
{57650011-3344-6688-4899-345FABCD1575}-C:\WINDOWS\Fonts\ratbtpi.dll
{6598FF45-DA60-F48A-BC43-10AC47853D56}-C:\WINDOWS\Fonts\rarjfpi.dll
{778A7521-FA87-34AB-34C2-4893F3AD34C7}-C:\WINDOWS\system32\swrcfzc.dll
{792FADFA-BCDE-ACDF-CDEF-21054865CBA7}-C:\WINDOWS\system32\wsmsezx.dll
{892FADFA-BCDE-ACDF-CDEF-21054865CBA8}-C:\WINDOWS\Fonts\wsmsfzx.dll
{8A1247C1-53DA-FF43-ABD3-345F323A48D8}-C:\WINDOWS\system32\avwghmn.dll
{9960356A-458E-DE24-BD50-268F589A56A9}-C:\WINDOWS\system32\avwlimn.dll
{9963387B-212E-4643-B207-82DAEA0E713D}-C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
{9A1247C1-53DA-FF43-ABD3-345F323A48D9}-C:\WINDOWS\Fonts\avwgimn.dll
{A8907901-1416-3389-9981-37217856998A}-C:\WINDOWS\Fonts\kawdjzy.dll
{A960356A-458E-DE24-BD50-268F589A56AA}-C:\WINDOWS\Fonts\avwljmn.dll
{BE32FA58-3453-FA2D-BC49-F340348ACCEB}-C:\WINDOWS\Fonts\rsmykpm.dll
{C4783410-4F90-34A0-7820-3230ACD05F4C}-C:\WINDOWS\Fonts\raqjlpi.dll
{C859245F-345D-BC13-AC4F-145D47DA34FC}-C:\WINDOWS\system32\avzxlmn.dll
{D859245F-345D-BC13-AC4F-145D47DA34FD}-C:\WINDOWS\system32\avzxmmn.dll
{DD561258-45F3-A451-F908-A258458226DD}-C:\WINDOWS\system32\kvdxsmma.dll
{F34345F1-DACF-3452-CB7D-4620F34A153F}-C:\WINDOWS\Fonts\rsztopm.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=crsss
Data=C:\WINDOWS\system32\TxoMoU.Exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinForm
Data=C:\WINDOWS\WinForm.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WSockDrv32
Data=C:\WINDOWS\WSockDrv32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=upxdnd
Data=C:\WINDOWS\upxdnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsIMMs32
Data=C:\WINDOWS\MsIMMs32.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsPrint32D
Data=C:\WINDOWS\MsPrint32D.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=cmdbcs
Data=C:\WINDOWS\cmdbcs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=LotusHlp
Data=C:\WINDOWS\LotusHlp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=NVDispDrv
Data=C:\WINDOWS\NVDispDRV.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=AVPSrv
Data=C:\WINDOWS\AVPSrv.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=DbgHlp32
Data=C:\WINDOWS\DbgHlp32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=KVP
Data =C:\WINDOWS\system32\drivers\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\124327M.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysW
Data=C:\WINDOWS\124327L.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=
Data=C:\Program Files\Common Files\Services\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=PTSShell
Data=C:\WINDOWS\PTSShell.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Kvsc3
Data=C:\WINDOWS\Kvsc3.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SHAProc
Data=C:\WINDOWS\SHAProc.exe

HKCU\Software\Microsoft\Internet Explorer\Main
Value=Start Page
Data=http://ww.94ak.com

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Internet Explorer\Main
Value=Start Page
Data=http://ww.94ak.com

到目前為止 (2008/1/14 @ 18:13)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

稍後更新…

惡意程式, 網站安全 | 瀏覽數：649 | 0 迴響 »

MSN病毒(Photos1-2008.zip)祝您新年快樂
2008 年 01 月 04 日 – 15:31:00
新一波的MSN病毒又開始到處流竄，最近各位的MSN可能會收到名為 Photos1-2008.zip、PrivatePhoto2008.zip 或 Dc6.zip 的檔案，壓縮檔中包含一個名為 photo151.JPEG_www.HappyNewYear.com 或 Image78145-2008.jpg_www.MsnMessenger.scr 的檔案，請各位千萬不要執行此檔案，否則，後果自行負責囉！
執行之後，有下面的行為：

第一種行為：
[Added process]
C:\WINDOWS\happy2008.exe
C:\WINDOWS\svchost.exe

[DLL injection]
C:\WINDOWS\svchost.exe

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\setup.exe
C:\WINDOWS\happy2008.exe
C:\WINDOWS\Photos1-2008.zip
C:\WINDOWS\PrivatePhoto2008.zip
C:\WINDOWS\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Windows svchost
Data=svchost.exe

第二種行為：
[Added process]
C:\WINDOWS\svchost.exe

[DLL injection]
C:\WINDOWS\svchost.exe

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\WINDOWS\PrivatePhoto2008.zip
C:\WINDOWS\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Windows svchost
Data=svchost.exe

到目前為止 (2008/1/4 @ 15:03)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

Dc6.zip/photo151.JPEG_www.HappyNewYear.com:
[ Trend ], 『WORM_IRCBOT.EL』
happy2008.exe:
[ Trend ], 『WORM_IRCBOT.EL』
Photos1-2008.zip/photo151.JPEG_www.HappyNewYear.com:
[ Trend ], 『WORM_IRCBOT.EL』
PrivatePhoto2008.zip/Image78145-2008.jpg_www.MsnMessenger.scr:
[ Fortinet ], 『suspicious』
[ Rising ], 『Backdoor.Win32.PBot.b』
[ WebWasher ], 『BlockReason.46 (suspicious)』
setup.exe:
[ Fortinet ], 『suspicious』
[ Rising ], 『Backdoor.Win32.PBot.b』
[ WebWasher ], 『BlockReason.46 (suspicious)』
svchost.exe:
[ Fortinet ], 『suspicious』
[ Rising ], 『Backdoor.Win32.PBot.b』
[ WebWasher ], 『BlockReason.46 (suspicious)』

即時通訊, 惡意程式 | 瀏覽數：982 | 0 迴響 »

www.小紅傘.tw

訂閱網誌



Recent Comments

殺:以下技術需有經驗者執行否則不付任何責任 1.先下載aut

eric:HTML/Crypted.Gen' 這類的病毒絕對不能忽

終於說出口:我是個長期在大陸工作的台灣人~ 我有在玩wow 現在被

apple:朋友推薦的~不錯用!

Roger:可以使用小紅傘防毒軟體試試看，下載網址：

電腦初學者:大大你好!! 我電腦最近中了nissan.exe 這個病毒

Roger:可以。

全民鐵血肏中狗:　貴盟的員林鎮和平街華碩網咖店電腦C碟中有被植入木馬程式（

ninjahsu:邱站長您好：因為之前在防毒軟體公司上班時，開始接

justin:不好意思~剛發的前一封，avast掃出taskman.exe

justin:站長你好~ 2009.11.04我使用的avast也跟鉛筆

Roger:Windows系統中，system32和windows目錄下

鉛筆小新:大砲站長你好:我今天掃毒時掃到兩個檔案防毒軟體說是病毒.

氣到想殺人:多虧他我中木馬了硍!

Roger:應該是小紅傘的問題，不過，目前已經解決了。

Recent Post

透過P2P工具 – 驢子傳播的感染型蠕蟲病毒W32.Noobert

Adobe新漏洞尚無修補程式，木馬Trojan.Pidief.H伺機攻擊

社交網站威脅手法大公開小心好友變毒蟲

搜尋布蘭妮墨菲Brittany Murphy 驟逝新聞，竟被置入假防毒軟體

趨勢科技 2010 年資安威脅預測報告出爐

小紅傘個人免費體驗版9(僅供非商業使用)──繁體中文BETA測試

趨勢科技 PSP® (PlayStation®Portable) 網路安全服務在台上市

流氓安全軟體AntivirusSystemPro 「做賊喊捉賊」

賀！德國小紅傘防毒軟體榮登2010 NOVA消費者理想品牌第二名

德國Avira小紅傘防毒軟體中文版網路搶鮮預購會

Archives

2010 年一月

2009 年十二月

2009 年十一月

2009 年九月

2009 年七月

2009 年六月

2009 年五月

2009 年四月

2009 年三月

2009 年二月

2009 年一月

2008 年十二月

2008 年十一月

2008 年十月

2008 年九月

2008 年八月

2008 年七月

2008 年六月

2008 年五月

2008 年四月

2008 年三月

2008 年二月

2008 年一月

2007 年十二月

2007 年十一月

2007 年十月

2007 年九月

2007 年八月

2007 年七月

2007 年六月

2007 年五月

2007 年四月

2007 年三月

2007 年二月

2007 年一月

2006 年十二月

2006 年十一月

2006 年十月

Categories

作業系統 (1)

免費軟體 (8)

惡意程式移除工具 (1)

漏洞檢測 (1)

系統檢測 (2)

防毒軟體 (2)

防間諜軟體 (1)

其他 (20)

問卷調查 (2)

工具教學 (10)

徵才 (1)

教育訓練 (3)

數位鑑識 (1)

新聞稿 (61)

未分類 (1)

產業動態 (120)

相關連結 (1)

研討會 (8)

研討會講義/資安文章 (7)

網站黑名單 (2)

自我觀點 (34)

虛擬機器 (1)

評比測試 (9)

誤判案例 (6)

資安新聞 (689)

DDOS攻擊 (5)

PoC (6)

Rootkit (2)

XSS (37)

加密與解密 (2)

即時通訊 (8)

垃圾郵件 (9)

威脅報告 (14)

安全更新 (6)

安全漏洞 (87)

廣告軟體 (6)

惡意程式 (500)

搜尋引擎 (2)

網站安全 (536)

網站遭駭 (56)

資料外洩 (1)

釣魚網站 (5)

驗證 (2)