
Wednesday, April 9, 2008

Blog relocation notice

This blog (rogerspeaking.blogspot.com) has moved to rogerspeaking.com. All the old posts here remain readable, but if you want to leave a comment or read new posts, please go to rogerspeaking.com. Thank you, and apologies for the inconvenience.

Tuesday, March 25, 2008

Mentholatum website injected with a malicious link

The Mentholatum website has been injected with a malicious link; the malware is PWS:Win32/Gamania.gen!D. Anyone who has browsed this page recently should check their computer as soon as possible, and everyone should avoid visiting the site for now to avoid infection.




The malicious link/code was placed on the homepage (the other pages may need a careful check too):
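Where these posts say the malicious link was placed on the homepage, a site owner can look for it mechanically instead of by eye. The following is an added example, not code from this blog: it scans a page's HTML for iframe or script tags that pull from another host, are sized 0x0, or are hidden by inline style, which is the shape of injection the posts describe. The host names and the sample page are constructed.

```python
"""Added example: scan a site's HTML for injected iframe/script tags of the
kind described in these posts (offsite, zero-sized or hidden). Standard
library only; the sample page and host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_zero(value):
    """True for width/height values such as "0" or "0px"."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v) <= 1
    except ValueError:
        return False


class InjectScanner(HTMLParser):
    """Collects <iframe> and <script src> tags and records why each looks suspicious."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _offsite(self, src):
        """Return the foreign host name if src points off the site, else None."""
        host = (urlparse(src).hostname or "").lower()
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return None
        return host

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src")
        if not src:
            return
        reasons = []
        host = self._offsite(src)
        if host:
            reasons.append("offsite:" + host)
        if tag == "iframe":
            if _is_zero(a.get("width")) or _is_zero(a.get("height")):
                reasons.append("zero-size")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def scan_html(html, site_host):
    """Return a list of suspicious iframe/script findings for a page served by site_host."""
    scanner = InjectScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate same-site iframe, one 0x0 iframe
# pulling from another host, one offsite script.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<script src="/js/menu.js"></script>
<iframe src="http://www.example-shop.invalid/promo.htm" width="600" height="200"></iframe>
<iframe src="http://unexpected-host.invalid/in.htm" width="0" height="0"></iframe>
<script src="http://third-party.invalid/count.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "example-shop.invalid"):
        print(f["tag"], f["src"], ", ".join(f["reasons"]))
```

An offsite script on its own is only a lead (analytics and CDNs look the same), so the output is a review list rather than a verdict; a zero-sized or hidden iframe to a host the site does not own is the strong signal and should be compared against the last known-good copy of the page.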



The Google Search result is shown in the figure below:



After execution, the following behaviour was observed:

[DLL Injection]
C:\WINDOWS\Debug\0C9C4681802F.dll

[Added file]
C:\Documents and Settings\Administrator\Desktop\2.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\microsofts.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\js[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ms06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ma2[1].exe
C:\WINDOWS\Debug\0C9C4681802F.dll
C:\WINDOWS\Debug\0C9C4681802F.exe

[Added COM/BHO]
{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}-C:\WINDOWS\Debug\0C9C4681802F.dll
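The behaviour reports in these posts follow a fixed layout ([DLL Injection], [Added file], [Added service], [Added COM/BHO], [Added registry]), which makes them easy to turn into a host checklist. The parser below is an added example, not part of this blog or of the sandbox that produced the reports: it reads such a report into structured indicators and matches them against a file listing taken from a host. The sample report is assembled from values that appear in the posts on this page; the Python field names are my own.

```python
"""Added example: turn the behaviour reports in these posts into structured
indicators (file paths, services, BHO CLSIDs, Run keys) that a host sweep can
check. Standard library only; the sample below is assembled from values that
appear in the posts on this page."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[(.+?)\]$")
CLSID_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})-(.+)$")
# Service FILE entries may carry a \??\ device prefix and command-line arguments;
# process entries on this page sometimes carry a trailing note after the path.
IMAGE_RE = re.compile(r"^(?:\\\?\?\\)?(.+?\.(?:exe|dll|sys|pif|com))(?:\s.*)?$", re.IGNORECASE)


def parse_report(text):
    """Parse "[Section]" blocks into a dict of lists. Service and registry
    entries (several lines each, blank-line separated) become dicts."""
    result = defaultdict(list)
    section, record = None, {}

    def flush():
        nonlocal record
        if record:
            result[section].append(record)
            record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flush()
            continue
        m = SECTION_RE.match(line)
        if m:
            flush()
            section = m.group(1).lower()
            continue
        if section is None:
            continue
        if section == "added service":
            key, _, value = line.partition(":")
            record[key.strip().lower()] = value.strip()
        elif section == "added registry":
            if "=" in line:
                key, _, value = line.partition("=")
                record[key.strip().lower()] = value.strip()
            else:
                record["key"] = line
        elif section == "added com/bho":
            m = CLSID_RE.match(line)
            if m:
                result[section].append({"clsid": m.group(1).upper(), "path": m.group(2)})
        else:
            result[section].append(line)
    flush()
    return dict(result)


def image_path(value):
    """Normalise an image path: drop the \\??\\ prefix and any arguments, lower-case it."""
    m = IMAGE_RE.match(value.strip())
    return (m.group(1) if m else value.strip()).lower()


def indicator_paths(report):
    """All file-system paths the report names, lower-cased for comparison."""
    paths = set()
    for sec in ("dll injection", "added file", "added process"):
        paths.update(image_path(p) for p in report.get(sec, []))
    paths.update(image_path(s["file"]) for s in report.get("added service", []) if "file" in s)
    paths.update(image_path(b["path"]) for b in report.get("added com/bho", []))
    paths.update(image_path(r["data"]) for r in report.get("added registry", []) if "data" in r)
    return paths


def sweep(report, present_paths):
    """Return the entries of present_paths (e.g. a host file listing) named by the report."""
    wanted = indicator_paths(report)
    return sorted(p for p in present_paths if p.lower() in wanted)


# Constructed sample in the report format used on this page.
SAMPLE_REPORT = r"""
[DLL Injection]
C:\WINDOWS\Debug\0C9C4681802F.dll

[Added file]
C:\Documents and Settings\Administrator\Desktop\2.bat
C:\WINDOWS\Debug\0C9C4681802F.dll
C:\WINDOWS\Debug\0C9C4681802F.exe

[Added service]
NAME: CcEvtSvc
DISPLAY: CcEvtSvc
FILE: C:\WINDOWS\System32\CcEvtSvc.exe -k netsvcs

NAME: ATI2HDDSRV
DISPLAY: ATI2HDDSRV
FILE: \??\C:\WINDOWS\system32\drivers\ati32srv.sys

[Added COM/BHO]
{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}-C:\WINDOWS\Debug\0C9C4681802F.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Taskmanager
Data=C:\WINDOWS\TaskManager.exe
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for p in sorted(indicator_paths(rep)):
        print(p)
```

The BHO CLSIDs come out as a separate list so they can be checked under the standard Browser Helper Objects registration key rather than only as a file on disk; that matters when the DLL has been deleted but the registration survives.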

As of now (2008/3/25 @ 11:), the following antivirus products detect these malicious files (for reference only):

0C9C4681802F.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Gamania.gen!D"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tdw"
[ Panda ], "Trj/Lineage.HTK"
[ Panda_Beta ], "Trj/Lineage.HTK"
[ Alwil ], "Win32:Gamania-EB [Trj]"
[ CAV ], "Win32/Lineage!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Online.tdw"
[ Norman ], "Trojan W32/OnLineGames.ALRD"
[ Rising ], "Trojan.PSW.Win32.QMOnline.gl"
[ Ikarus ], "Generic.Lineage"
[ quickheal ], "TrojanPSW.OnLineGames.rzt"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ WebWasher ], "Trojan.PSW.Online.tdw"
0C9C4681802F.exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Gamania.gen!D"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.spw"
[ McAfee ], "New Malware.x !!"
[ McAfee_Beta ], "New Malware.x !!"
[ Alwil ], "Win32:Gamania-EB [Trj]"
[ CAV ], "Win32/Lineage!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.spw"
[ Norman ], "Trojan W32/OnLineGames.ALND"
[ Rising ], "Trojan.Win32.Agent.zri"
[ Clamav ], "Trojan.Spy-26631"
[ Ikarus ], "Trojan-Spy.Win32.Delf.GI"
[ Grisoft ], "Trojan horse Generic9.BGHG"
[ quickheal ], "TrojanPSW.OnLineGames.spw"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ WebWasher ], "Trojan.PSW.OnlineGames.spw"
ma2[1].exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Gamania.gen!D"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.spw"
[ McAfee ], "New Malware.x !!"
[ McAfee_Beta ], "New Malware.x !!"
[ Alwil ], "Win32:Gamania-EB [Trj]"
[ CAV ], "Win32/Lineage!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.spw"
[ Norman ], "Trojan W32/OnLineGames.ALND"
[ Rising ], "Trojan.Win32.Agent.zri"
[ Clamav ], "Trojan.Spy-26631"
[ Ikarus ], "Trojan-Spy.Win32.Delf.GI"
[ Grisoft ], "Trojan horse Generic9.BGHG"
[ quickheal ], "TrojanPSW.OnLineGames.spw"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ WebWasher ], "Trojan.PSW.OnlineGames.spw"
ms06014[1].htm:
[ Microsoft ], "[->(SCRIPT0000)]:TrojanDownloader:VBS/Psyme.gen!D"
[ Kaspersky ], "Trojan-Downloader.VBS.Agent.lb"
[ Sophos ], "Mal/Psyme-A"
[ HBEDV ], "JS/Dldr.Noopt.1969"
[ Rising ], "Trojan.DL.Script.VBS.Small.fb"
[ Ikarus ], "JS.Downloader.Noopt.1969"
[ Ewido ], "Downloader.AniLoad.nae"
[ Grisoft ], "Virus found JS/Downloader.Agent"
[ WebWasher ], "Script.Dldr.Noopt.1969"

Monday, February 25, 2008

NAUTICA Taiwan website injected with a malicious link

Note: the malicious link has now been removed (2008/2/25@16:14)
The NAUTICA Taiwan website has been injected with a malicious link; the malware is TROJ_DLOADER.EMD. Anyone who has browsed this page recently should check their computer as soon as possible, and everyone should avoid visiting the site for now to avoid infection.




The malicious link/code was placed on the homepage (the other pages may need a careful check too):



Demo video: see here

The Google Search result is as follows:



After execution, the following behaviour was observed:

[Added process]
C:\WINDOWS\System32\CcEvtSvc.exe

[Added service]
NAME: CcEvtSvc
DISPLAY: CcEvtSvc
FILE: C:\WINDOWS\System32\CcEvtSvc.exe -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\in[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\nautica-taiwan.com[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\stat[1].htm
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\CcEvtSvc.exe
C:\WINDOWS\system32\MI84.tmp
C:\WINDOWS\system32\reeppoor.tmp
C:\winzvdi.exe

As of now (2008/2/22 @ 20:35), the following antivirus products detect these malicious files (for reference only):

CcEvtSvc.exe:
[ Trend ], "TROJ_BMVD.A"
MI84.tmp:
[ Trend ], "TROJ_BMVD.A"
winzvdi.exe:
[ Trend ], "TROJ_DLOADER.EMD"
in[1].htm:
[ Kaspersky ], "Trojan-Downloader.JS.Zapchast.f"
[ HBEDV ], "HEUR/Exploit.HTML"
nautica-taiwan.com[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Sophos ], "Mal/Iframe-F"
[ HBEDV ], "HTML/Dldr.Iframe.U"
[ WebWasher ], "Script.Dldr.Iframe.U"
[ bitdefender ], "Trojan.IFrame.AK"
stat[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"

Qingshui Township Office (Taichung County) website redirected and injected with a malicious link

Note: N days have gone by and the malicious link is still there (2008/2/25@15:40). Speechless...
The Qingshui Township Office (Taichung County) website redirects visitors and has been injected with a malicious link; the malware is TSPY_QQPASS.CH. Anyone who has browsed this page recently should check their computer as soon as possible, and everyone should avoid visiting the site for now to avoid infection. (Credit: anonymous reader)


On connecting to the Qingshui Township Office website, the browser is immediately redirected to the following site:



The source code of that page is as follows:



Demo video: see here

The Google Search result shows nothing unusual, as follows:



After execution, the following behaviour was observed:

[Added process]
C:\Program Files\Common Files\svchost.exe

[DLL injection]
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\OnlO0r.dll
C:\WINDOWS\system32\fhdoor0.dll
C:\WINDOWS\system32\mndoor0.dll
C:\WINDOWS\system32\qhdoor0.dll
C:\WINDOWS\system32\qzdoor0.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\M1.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ss[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\addr[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\main[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\s[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\add_54738542[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ms[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\%46%41%51%2E%6A%73[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1542776[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\FAQ[1].htm
C:\Program Files\Common Files\fjOs0r.dll
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\OnlO0r.bak
C:\Program Files\Internet Explorer\OnlO0r.dll
C:\Program Files\Internet Explorer\OnlO0r.obk
C:\temp.exe
C:\WINDOWS\system32\fhdoor0.dll
C:\WINDOWS\system32\mndoor0.dll
C:\WINDOWS\system32\qhdoor0.dll
C:\WINDOWS\system32\qqdoor0.dll
C:\WINDOWS\system32\qsdoor0.dll
C:\WINDOWS\system32\qzdoor0.dll
C:\WINDOWS\~Temp358.tmp

[Added COM/BHO]
{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}-C:\WINDOWS\system32\qzdoor0.dll
{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}-C:\WINDOWS\system32\mndoor0.dll
{6C7596CB-31CC-BBA3-BE51-2EEA62F9C51D}-C:\Program Files\Common Files\fjOs0r.dll
{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}-C:\WINDOWS\system32\fhdoor0.dll
{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}-C:\WINDOWS\system32\qhdoor0.dll
{C2626E66-D21B-E628-C1DF-1DACCFA36ED2}-C:\Program Files\Common Files\fjOs0r.dll
{C26A8AB5-B935-400C-A152-0488714725B1}-C:\WINDOWS\system32\qsdoor0.dll
{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}-C:\Program Files\Internet Explorer\OnlO0r.dll
{D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF}-C:\WINDOWS\system32\qqdoor0.dll

As of now (2008/2/19 @ 01:31), the following antivirus products detect these malicious files (for reference only):

qqdoor0.dll:
[ Trend ], "Possible_Strat-6"
qhdoor0.dll:
[ Trend ], "TSPY_QQPASS.CH"
mndoor0.dll:
[ Trend ], "Possible_Strat-6"
fhdoor0.dll:
[ Trend ], "TSPY_FRETHOG.WF"
svchost.exe:
[ Trend ], "TSPY_ONLINEG.BOM"
OnlO0r.bak:
[ Trend ], "TROJ_Generic.A"
s[1].exe:
[ Trend ], "TROJ_Generic.A"
~Temp358.tmp:
[ Trend ], "TROJ_Generic.A"
qzdoor0.dll:
[ Trend ], "TSPY_FRETHOG.WF"
qsdoor0.dll:
[ Trend ], "TSPY_FRETHOG.WF"
OnlO0r.obk:
[ Symantec ], "W32.Drom"
[ Microsoft ], "Worm:Win32/Rodvir.gen"
[ Kaspersky ], "Trojan-PSW.Win32.Delf.apc"
[ McAfee ], "PWS-QQPass"
[ McAfee_Beta ], "PWS-QQPass"
[ Sophos ], "Mal/PWS-K"
[ Alwil ], "Win32:AutoRun-U"
[ CAV ], "Win32/Rodvir.AJ"
[ Nod32 ], "Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/PSW.Delf.ifd.11"
[ Norman ], "Trojan W32/QQPass.HSC"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.lpg"
[ Grisoft ], "Trojan horse PSW.Generic5.AJLF"
[ quickheal ], "TrojanPSW.Delf.apc"
[ vba32 ], "Trojan-PSW.Win32.Delf.apc"
[ Authentium ], "W32/InfoStealer!Generic"
[ Sunbelt ], "Trojan-PWS.Delf.IFD"
[ WebWasher ], "Trojan.PSW.Delf.ifd.11"
[ bitdefender ], "Trojan.PWS.Delf.IFD"
temp.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Symantec ], "W32.Drom"
[ Microsoft ], "[->(UPX)]:Worm:Win32/Rodvir.gen"
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX"
[ McAfee ], "[0000d0f0.EXE]:PWS-QQPass"
[ McAfee_Beta ], "[GenUnp\0000d0f0.EXE]:PWS-QQPass"
[ Sophos ], "[FILE:0000]:Mal/PWS-K"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/Autorun.BK"
[ Ikarus ], "Trojan-PWS.Win32.Delf.aky"
[ Grisoft ], "Trojan horse PSW.OnlineGames.AEIB"
[ eAladdin ], "Suspicious File [101]"
[ WebWasher ], "Trojan.Autorun.BK"
[ bitdefender ], "Dropped:Trojan.PWS.Delf.IFD"
ss[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Symantec ], "W32.Drom"
[ Microsoft ], "[->(UPX)]:Worm:Win32/Rodvir.gen"
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX"
[ McAfee ], "[0000d0f0.EXE]:PWS-QQPass"
[ McAfee_Beta ], "[GenUnp\0000d0f0.EXE]:PWS-QQPass"
[ Sophos ], "[FILE:0000]:Mal/PWS-K"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/Autorun.BK"
[ Ikarus ], "Trojan-PWS.Win32.Delf.aky"
[ Grisoft ], "Trojan horse PSW.OnlineGames.AEIB"
[ eAladdin ], "Suspicious File [101]"
[ WebWasher ], "Trojan.Autorun.BK"
[ bitdefender ], "Dropped:Trojan.PWS.Delf.IFD"
OnlO0r.dll:
[ Symantec ], "W32.Drom"
[ Microsoft ], "Worm:Win32/Rodvir.gen"
[ Kaspersky ], "Trojan-PSW.Win32.Delf.apx"
[ McAfee ], "PWS-QQPass"
[ McAfee_Beta ], "PWS-QQPass"
[ Sophos ], "Mal/PWS-K"
[ Alwil ], "Win32:AutoRun-U"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/PSW.Delf.ifd.12"
[ Ikarus ], "Trojan-PWS.Delf.IFD"
[ Grisoft ], "Trojan horse PSW.Generic5.AKDY"
[ Authentium ], "W32/InfoStealer!Generic"
[ WebWasher ], "Trojan.PSW.Delf.ifd.12"
[ bitdefender ], "Trojan.PWS.Delf.IFD"
fjOs0r.dll:
[ Symantec ], "W32.Drom"
[ Microsoft ], "Worm:Win32/Rodvir.gen"
[ Kaspersky ], "Trojan-PSW.Win32.Delf.apx"
[ McAfee ], "PWS-QQPass"
[ McAfee_Beta ], "PWS-QQPass"
[ Sophos ], "Mal/PWS-K"
[ Alwil ], "Win32:AutoRun-U"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/PSW.Delf.ifd.12"
[ Ikarus ], "Trojan-PWS.Delf.IFD"
[ Grisoft ], "Trojan horse PSW.Generic5.AKDY"
[ Authentium ], "W32/InfoStealer!Generic"
[ WebWasher ], "Trojan.PSW.Delf.ifd.12"
[ bitdefender ], "Trojan.PWS.Delf.IFD"
ms[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
FAQ[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
click[1].htm:
[ Sophos ], "Mal/Iframe-A"
addr[1].js:
[ Kaspersky ], "PAK:JSPack, Trojan-Downloader.JS.Small.kq"
[ Ikarus ], "Trojan-Downloader.JS.Small.kq"
add_54738542[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
%46%41%51%2E%6A%73[1]:
[ Sophos ], "Mal/Iframe-C"
[ Grisoft ], "Virus found HTML/Framer"
main[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"

Friday, February 15, 2008

Formosa Transnational Attorneys at Law (協合國際法律事務所) website injected with a malicious link

Note: the malicious link has now been removed (2008/2/15 @ 14:14)
The Formosa Transnational Attorneys at Law (協合國際法律事務所) website has been injected with a malicious link; the malware is TROJ_DLOADER.DXI. Anyone who has browsed this page recently should check their computer as soon as possible, and everyone should avoid visiting the site for now to avoid infection.




The malicious link/code was placed on the homepage (the other pages may need a careful check too):



Demo video: see here

The Google Search result is as follows:



After execution, the following behaviour was observed:

[Added process]
C:\WINDOWS\system32\lssass.exe
C:\WINDOWS\system32\12.exe
C:\WINDOWS\system32\4.exe

[DLL injection]
C:\WINDOWS\system32\HDDGuard.dll

[Added service]
NAME: ATI2HDDSRV
DISPLAY: ATI2HDDSRV
FILE: \??\C:\WINDOWS\system32\drivers\ati32srv.sys

NAME: DeepFree Update
DISPLAY: DeepFree Update
FILE: \??\C:\WINDOWS\system32\drivers\pcihdd2.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\MicroSofts.pif
C:\Documents and Settings\Administrator\Local Settings\Temp\MicroSofts.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\11[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\985195[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\jh[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\tw[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\down[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\rl[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\vccd[1].htm
C:\WINDOWS\system32\HDDGuard.dll
C:\WINDOWS\system32\lssass.exe
C:\WINDOWS\system32\WIN.INI
C:\WINDOWS\system32\drivers\pcihdd2.sys
C:\WINDOWS\system32\drivers\ati32srv.sys
C:\WINDOWS\system32\12.exe
C:\WINDOWS\system32\4.exe
C:\WINDOWS\system32\73120.dat

As of now (2008/2/12 @ 14:41), the following antivirus products detect these malicious files (for reference only):

11[1].js:
[ HBEDV ], "HEUR/Exploit.HTML"
12.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Tilcun!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NML trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ eAladdin ], "Suspicious File [104]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
73120.dat:
[ IntelliTrap ], "PAK_Generic.005"
[ Kaspersky ], "PAK:NSPack"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan W32/Hupigon.gen67"
[ Ikarus ], "Backdoor.Win32.Agent.ahj"
[ eAladdin ], "Suspicious File [101]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Win32.NewMalware.MH!49939"
[ bitdefender ], "Trojan.PWS.OnlineGames.OQN"
jh[2].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
ppp.js:
[ HBEDV ], "HTML/Shellcode.Gen"
[ Norman ], "Trojan HTML/IFrameBof.A"
[ Ewido ], "Not-A-Virus.Exploit.HTML.IframeBof.d"
[ Authentium ], "HTML/IFrameBoF"
[ WebWasher ], "Script.Shellcode.Gen"
rl[1].js:
[ Sophos ], "Troj/Rexplo-A"
[ HBEDV ], "JS/Agent.ES"
[ Ikarus ], "Trojan-Downloader.JS.Agent.ol"
[ Grisoft ], "Virus found Exploit"
[ WebWasher ], "Script.Agent.ES"
[ bitdefender ], "Dropped:Trojan.Downloader.JS.Agent.OL"
tw[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Norman ], "Trojan HTML/Exploit!IFrame.G"
[ WebWasher ], "BlockReason.46 (suspicious)"
vccd[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Kaspersky ], "Trojan-Downloader.HTML.IFrame.ee"
[ Sophos ], "Mal/Iframe-A"
[ HBEDV ], "JS/Dldr.Age.GGG.167"
[ Norman ], "Trojan HTML/Exploit!IFrame.G"
[ WebWasher ], "Script.Dldr.Age.GGG.167"
xx[1].htm:
[ HBEDV ], "HTML/Dldr.aaa.330"
[ WebWasher ], "Script.Dldr.aaa.330"
down[1].exe:
[ Trend ], "TROJ_DLOADER.DXI"
HDDGuard.dll:
[ Trend ], "TROJ_AGENT.GES"
lssass.exe:
[ Trend ], "BKDR_HUPIGON.OHB"
lz.js:
[ Trend ], "JS_IFRAMEBO.AL"
MicroSofts.pif:
[ Trend ], "TROJ_DLOADER.DXI"
4.exe:
[ Trend ], "TROJ_SMALL.CAL"

Taiqi Digital Technology (太奇數位科技) virtual hosting centre website injected with a malicious link

Note: the malicious link has now been removed (2008/2/15 @ 14:14)
The Taiqi Digital Technology (太奇數位科技) virtual hosting centre website has been injected with a malicious link; the malware is BKDR_HUPIGON.FVR. Anyone who has browsed this page recently should check their computer as soon as possible, and everyone should avoid visiting the site for now to avoid infection.




The malicious link/code was placed on the homepage (the other pages may need a careful check too):



After decoding, the malicious link is as follows:
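Several cached file names in this post and in the Qingshui Township post above are percent-encoded (%73%79%73%2E%68%74%6D is sys.htm, %46%41%51%2E%6A%73 is FAQ.js). Escaping characters that never needed escaping keeps a link from showing up in a plain-text search of the page, so it is a useful thing to flag. The decoder below is an added example, not the blog's code: it decodes such names and reports the ones whose escapes cover only unreserved characters, while letting a legitimately encoded space or non-ASCII character pass. The sample listing and the threshold of three needless escapes are constructed assumptions.

```python
"""Added example: decode the percent-encoded file names that show up in the
IE cache listings above (e.g. %46%41%51%2E%6A%73 for FAQ.js) and flag names
whose encoding hides characters that never needed encoding. Standard library
only; the sample listing is constructed from names on this page."""
import re
from urllib.parse import unquote

PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
# RFC 3986 unreserved characters: a conforming encoder never percent-encodes these.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def decode_name(name):
    """Percent-decode a URL path segment or cache file name."""
    return unquote(name)


def needless_escapes(name):
    """Return the characters that were percent-encoded although unreserved."""
    chars = [chr(int(h, 16)) for h in PCT_RE.findall(name)]
    return [c for c in chars if c in UNRESERVED]


def triage(name):
    """Summarise one name: decoded form, count of needless escapes, verdict."""
    needless = needless_escapes(name)
    return {
        "name": name,
        "decoded": decode_name(name),
        "needless": len(needless),
        # Threshold is a constructed assumption; tune it to your own cache data.
        "suspicious": len(needless) >= 3,
    }


def suspicious_names(names):
    """Filter a cache listing down to obfuscated-looking names."""
    return [t for t in (triage(n) for n in names) if t["suspicious"]]


# Constructed sample listing: two names from this page's cache listings,
# one legitimately encoded name (a space and a UTF-8 'é'), one plain name.
SAMPLE_LISTING = [
    "%46%41%51%2E%6A%73[1]",
    "%73%79%73%2E%68%74%6D[1].htm",
    "caf%C3%A9%20menu[1].htm",
    "index[1].htm",
]

if __name__ == "__main__":
    for t in suspicious_names(SAMPLE_LISTING):
        print(f'{t["name"]} -> {t["decoded"]} ({t["needless"]} needless escapes)')
```

A hit only tells you the name was written to be hard to read; confirm it by looking at the fetched content itself, since the same trick is occasionally produced by careless URL-building code.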



Demo video: see here

The Google Search result is as follows:



After execution, the following behaviour was observed:

[Added process]
C:\Program Files\Internet Explorer\IEXPLORE.EXE (this is Microsoft's own IE, but the malware abuses it and keeps it hidden; this process also locks system.exe)

[Added service]
NAME: Windows security service
DISPLAY: Windows security service
FILE: C:\Program Files\systeminfo1\system.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\g0ld.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\%73%79%73%2E%68%74%6D[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\last[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\sv[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\virtualhost[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\status[1].js
C:\jiji1.exe
C:\Program Files\systeminfo1\system.exe

As of now (2008/2/12 @ 14:39), the following antivirus products detect these malicious files (for reference only):

system.exe:
[ Trend ], "BKDR_HUPIGON.FVR"
%73%79%73%2E%68%74%6D[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
g0ld.com:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/sv.exe]:Trojan-Downloader.Win32.Agent.iph"
[ Sophos ], "[SfxArchiveData\sv.exe]:Mal/Behav-010"
[ Nod32 ], "[?CAB ?sv.exe]:a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
jiji1.exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/www.exe]:Backdoor.Win32.Hupigon.aubv"
[ McAfee ], "BackDoor-AWQ"
[ McAfee_Beta ], "BackDoor-AWQ"
[ Sophos ], "[SfxArchiveData\www.exe]:Mal/Behav-058"
[ Nod32 ], "[?CAB ?www.exe]:a variant of Win32/Hupigon trojan"
[ Fortinet ], "[www.exe]:W32/Hupigon.YQ!tr.bdr"
[ Norman ], "Trojan Hupigon.gen126.dropper"
[ Rising ], "[>>www.exe>>Aspack212r]:Backdoor.Gpigeon.GEN"
[ Ewido ], "[/www.exe]:Backdoor.Hupigon.awp, [/www.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\www.exe]:Trojan horse BackDoor.Small.52.BQ, Trojan horse BackDoor.Small.52.BQ"
[ quickheal ], "Win32.Backdoor.Hupigon.ngr3"
[ vba32 ], "BackDoor.Pigeon.6620"
[ WebWasher ], "Trojan.Backdoor.Hupigon.ami"
last[1].exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/www.exe]:Backdoor.Win32.Hupigon.aubv"
[ McAfee ], "BackDoor-AWQ"
[ McAfee_Beta ], "BackDoor-AWQ"
[ Sophos ], "[SfxArchiveData\www.exe]:Mal/Behav-058"
[ Nod32 ], "[?CAB ?www.exe]:a variant of Win32/Hupigon trojan"
[ Fortinet ], "[www.exe]:W32/Hupigon.YQ!tr.bdr"
[ Norman ], "Trojan Hupigon.gen126.dropper"
[ Rising ], "[>>www.exe>>Aspack212r]:Backdoor.Gpigeon.GEN"
[ Ewido ], "[/www.exe]:Backdoor.Hupigon.awp, [/www.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\www.exe]:Trojan horse BackDoor.Small.52.BQ, Trojan horse BackDoor.Small.52.BQ"
[ quickheal ], "Win32.Backdoor.Hupigon.ngr3"
[ vba32 ], "BackDoor.Pigeon.6620"
[ WebWasher ], "Trojan.Backdoor.Hupigon.ami"
sv[1].exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/sv.exe]:Trojan-Downloader.Win32.Agent.iph"
[ Sophos ], "[SfxArchiveData\sv.exe]:Mal/Behav-010"
[ Nod32 ], "[?CAB ?sv.exe]:a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"

Thursday, February 14, 2008

Valentine's e-cards carrying the Storm Worm

Over the past few days I have received a flood of Valentine's Day e-mails, each containing a download link. Opening one of them sent the computer into a frenzy, blasting out large volumes of outbound packets. Oh, so it is the Storm Worm. If you receive similar e-mails, never run a link of unknown origin, or it will send you straight to heaven!




Demo video: see here (a high-resolution AVI is available for download here; the video codec can be downloaded from the VMware website).

After execution, the following behaviour was observed (it exhibits rootkit behaviour):

[Added service]
NAME: diperto1e9d-1b49
DISPLAY: diperto1e9d-1b49
FILE: \??\C:\WINDOWS\system32\diperto1e9d-1b49.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\valentine[1].exe
C:\WINDOWS\system32\diperto.ini
C:\WINDOWS\system32\diperto1e9d-1b49.sys

As of now (2008/2/14 @ 16:25), the following antivirus products (only 19 of the 32 detect it) detect this malicious file (for reference only):

AhnLab-V3:
AntiVir: Worm/Zhelatin.pb
Authentium:
Avast:
AVG: I-Worm/Nuwar.N
BitDefender: Trojan.Peed.IWW
CAT-QuickHeal:
ClamAV: Trojan.Peed-103
DrWeb: Trojan.Packed.357
eSafe: Suspicious File
eTrust-Vet: Win32/Sintun!generic
EwidoL:
FileAdvisor:
Fortinet: W32/PackTibs.M
F-Prot: W32/Zhelatin.F.gen!Eldorado
F-Secure: Packed.Win32.Tibs.ic
Ikarus: Trojan.Peed.IWV
Kaspersky: Packed.Win32.Tibs.ic
McAfee: W32/Nuwar@MM
Microsoft: TrojanDropper:Win32/Nuwar.gen!B
NOD32v2: probably a variant of Win32/Nuwar.Gen
Norman:
Panda:
Prevx1:
Sophos: W32/Dorf-AW
Sunbelt:
Symantec: Trojan.Peacomm
TheHacker:
VBA32:
VirusBuster: Trojan.DR.Tibs.Gen!Pac.142
Webwasher-Gateway: Worm.Zhelatin.pb
Trend Micro: WORM_NUWAR.AR

Additional information
File size: 121857 bytes
MD5: a932b94554f91e4cbd24f204f8dfe577
SHA1: 5fdc1488dd85af9265e398fe4b402c87a845c17f
PEiD: MinGW GCC 3.x

For the detailed scan results, see here




Tuesday, February 12, 2008

Li Wen-Lin Accessory Design (李玟箖飾品設計) website injected with a malicious link

The Li Wen-Lin Accessory Design (李玟箖飾品設計) website has been injected with a malicious link; the malware is BKDR_HUPIGON.FVR. Anyone who has browsed this page recently should check their computer as soon as possible, and everyone should avoid visiting the site for now to avoid infection. (Credit: anonymous reader)




On entering this site and clicking through to the Blog or Accessories section, you are redirected to a Yahoo blog (shown below); that blog currently carries no malicious link, only the trace of an empty iframe:



The malicious link/code was placed on the homepage (the other pages may need a careful check too):



After decoding, the malicious link is as follows:



Demo video: see here (a high-resolution AVI is available for download here).

The Google Search result is as follows:



After execution, the following behaviour was observed:

[Added process]
C:\Program Files\Internet Explorer\IEXPLORE.EXE (this is Microsoft's own IE, but the malware abuses it and keeps it hidden; this process also locks system.exe)

[Added service]
NAME: Windows security service
DISPLAY: Windows security service
FILE: C:\Program Files\systeminfo1\system.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\g0ld.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\sv[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\accessory.com[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\last[2].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\%73%79%73%2E%68%74%6D[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\%73%79%73%2E%68%74%6D[2].htm
C:\jiji1.exe
C:\Program Files\systeminfo1\system.exe

As of now (2008/2/12 @ 14:39), the following antivirus products detect these malicious files (for reference only):

system.exe:
[ Trend ], "BKDR_HUPIGON.FVR"
%73%79%73%2E%68%74%6D[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
g0ld.com:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/sv.exe]:Trojan-Downloader.Win32.Agent.iph"
[ Sophos ], "[SfxArchiveData\sv.exe]:Mal/Behav-010"
[ Nod32 ], "[?CAB ?sv.exe]:a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
jiji1.exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/www.exe]:Backdoor.Win32.Hupigon.aubv"
[ McAfee ], "BackDoor-AWQ"
[ McAfee_Beta ], "BackDoor-AWQ"
[ Sophos ], "[SfxArchiveData\www.exe]:Mal/Behav-058"
[ Nod32 ], "[?CAB ?www.exe]:a variant of Win32/Hupigon trojan"
[ Fortinet ], "[www.exe]:W32/Hupigon.YQ!tr.bdr"
[ Norman ], "Trojan Hupigon.gen126.dropper"
[ Rising ], "[>>www.exe>>Aspack212r]:Backdoor.Gpigeon.GEN"
[ Ewido ], "[/www.exe]:Backdoor.Hupigon.awp, [/www.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\www.exe]:Trojan horse BackDoor.Small.52.BQ, Trojan horse BackDoor.Small.52.BQ"
[ quickheal ], "Win32.Backdoor.Hupigon.ngr3"
[ vba32 ], "BackDoor.Pigeon.6620"
[ WebWasher ], "Trojan.Backdoor.Hupigon.ami"
last[1].exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/www.exe]:Backdoor.Win32.Hupigon.aubv"
[ McAfee ], "BackDoor-AWQ"
[ McAfee_Beta ], "BackDoor-AWQ"
[ Sophos ], "[SfxArchiveData\www.exe]:Mal/Behav-058"
[ Nod32 ], "[?CAB ?www.exe]:a variant of Win32/Hupigon trojan"
[ Fortinet ], "[www.exe]:W32/Hupigon.YQ!tr.bdr"
[ Norman ], "Trojan Hupigon.gen126.dropper"
[ Rising ], "[>>www.exe>>Aspack212r]:Backdoor.Gpigeon.GEN"
[ Ewido ], "[/www.exe]:Backdoor.Hupigon.awp, [/www.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\www.exe]:Trojan horse BackDoor.Small.52.BQ, Trojan horse BackDoor.Small.52.BQ"
[ quickheal ], "Win32.Backdoor.Hupigon.ngr3"
[ vba32 ], "BackDoor.Pigeon.6620"
[ WebWasher ], "Trojan.Backdoor.Hupigon.ami"
sv[1].exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/sv.exe]:Trojan-Downloader.Win32.Agent.iph"
[ Sophos ], "[SfxArchiveData\sv.exe]:Mal/Behav-010"
[ Nod32 ], "[?CAB ?sv.exe]:a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"

Friday, January 25, 2008

Sampo website hacked and injected with malware

Note: the site has not yet been repaired (2008/1/25 @ 18:28)

The Sampo website has been hacked and injected with malware; the malware is BKDR_JAVAKBD.A/TSPY_MPASS.A. Anyone who has browsed this page recently should check their computer as soon as possible, and everyone should avoid visiting the site for now to avoid infection.




Demo video: see here

After execution, the following behaviour was observed:

[Added process]
C:\WINDOWS\Taskmanager.exe
C:\WINDOWS\Wintask.exe

[DLL injection]
C:\WINDOWS\system32\JDukeNative.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\index[10
C:\Documents and Settings\Administrator\Local Settings\Temp\JVM83.tmp
C:\WINDOWS\Function.zip
C:\WINDOWS\system32\JDukeNative.dll
C:\WINDOWS\system32\User_Info.exe
C:\WINDOWS\TaskManager.exe
C:\WINDOWS\Wintask.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Taskmanager
Data=C:\WINDOWS\TaskManager.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Wintask
Data=C:\WINDOWS\WinTask.exe

As of now (2008/1/23 @ 23:41), the following antivirus products detect these malicious files (for reference only):

[ Trend ], "BKDR_JAVAKBD.A"
Wintask.exe:
[ Trend ], "BKDR_JAVAKBD.A"
index[10:
[ Alpha_Gen ], "Heur_Infrm-1"
[ HBEDV ], "HTML/Infected.WebPage.Gen"
[ WebWasher ], "Script.Infected.WebPage.Gen"
User_Info.exe:
[ TMAS ], "CrackingApps_MPass"
[ Symantec ], "Hacktool.PassReminder"
[ Kaspersky ], "PAK:UPX"
[ McAfee ], "PWCrack-MPass"
[ McAfee_Beta ], "PWCrack-MPass"
[ Panda ], "HackTool/MSNpass.G"
[ Panda_Beta ], "HackTool/MSNpass.G"
[ Fortinet ], "HackerTool/MessenPass"
[ HBEDV ], "SPR/PSW.Messen.103.4"
[ Ewido ], "Not-A-Virus.PSWTool.Win32.Messen.102"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "Trojan.Horst.pp"
[ WebWasher ], "Riskware.PSW.Messen.103.4"
[ bitdefender ], "Application.Messenpass.B"
Function.zip/xynx.hex:
[ Ikarus ], "PSWTool.Win32.Messen.102"
[ Ewido ], "Not-A-Virus.PSWTool.Win32.Messen.102"
Function.zip/TaskManager.exe:
[ Alwil ], "JS:BackDoor-KBD-12"
[ Ikarus ], "Virus.JS.Backdoor.KBD.12"
Function.zip/Wintask.exe:
[ Alwil ], "JS:BackDoor-KBD-11"
[ Ikarus ], "Backdoor.Java.KBD"

Thursday, January 24, 2008

Global Chinese Marketing Knowledge Base (全球華文行銷知識庫) website injected with a malicious link again

The Global Chinese Marketing Knowledge Base (全球華文行銷知識庫) website has once again been injected with a malicious link; the malware is Infostealer.Lineage. Anyone who has browsed this page recently should check their computer as soon as possible, and everyone should avoid visiting the site for now to avoid infection.




The malicious link/code was placed on the homepage (the other pages may need a careful check too):



Demo video: see here

After execution, the following behaviour was observed:

[DLL injection]
C:\WINDOWS\pal32.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\22085.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\520[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\index[1].htm
C:\WINDOWS\pal32.dll
C:\WINDOWS\system32\winpal.exe

[Added COM/BHO]
{37A5702C-E1ED-4399-A40E-9D263EDC918A}-C:\WINDOWS\pal32.dll

As of now (2008/1/23 @ 23:41), the following antivirus products detect these malicious files (for reference only):

520[1].exe:
[ Trend ], "TSPY_LINEAGE.IB"
22085.com:
[ Trend ], "TSPY_LINEAGE.IB"
winpal.exe:
[ Trend ], "TSPY_LINEAGE.IB"
1[1].htm:
[ McAfee ], "Exploit-ObscuredHtml"
[ McAfee_Beta ], "Exploit-ObscuredHtml"
[ HBEDV ], "HTML/ADODB.Exploit.Gen"
[ Norman ], "Trojan JS/Exploit!ADODB.Stream.B"
[ Rising ], "Trojan.DL.VBS.Agent.xhd"
[ Grisoft ], "Virus identified Exploit"
[ WebWasher ], "Script.ADODB.Exploit.Gen"
pal32.dll:
[ IntelliTrap ], "PAK_Generic.005"
[ Alpha_Gen ], "Possible_Lneage2"
[ Symantec ], "Infostealer.Lineage"
[ Microsoft ], "[->(NSPack)]:PWS:Win32/Lineage.gen!A"
[ Kaspersky ], "PAK:NSPack, Trojan-PSW.Win32.OnLineGames.odo"
[ McAfee ], "PWS-Lineage"
[ McAfee_Beta ], "PWS-Lineage"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "a variant of Win32/PSW.Lineage.DN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Lineage.7206F05E"
[ Norman ], "Backdoor W32/Lineage.AZWJ"
[ Ikarus ], "Trojan-PWS.Win32.Delf.hh"
[ Grisoft ], "Trojan horse PSW.Lineage.AHF"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "TrojanPSW.OnLineGames.odo"
[ vba32 ], "Trojan-PSW.Win32.OnLineGames.odo"
[ WebWasher ], "Trojan.Lineage.7206F05E"
[ bitdefender ], "Generic.Lineage.7206F05E"