大砲開講

部落格轉移公告

2008-04-09T13:51:00.002+08:00

此部落格 (rogerspeaking.blogspot.com) 已經移至 rogerspeaking.com，此部落格所有舊文章仍然可以瀏覽，但如果您想留言或瀏覽新文章的話，麻煩請至 rogerspeaking.com，謝謝。造成您的不便，深感抱歉。

曼秀雷敦網站被值入惡意連結

2008-03-25T11:46:00.004+08:00

曼秀雷敦網站被值入惡意連結，此惡意程式為 PWS:Win32/Gamania.gen!D，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

Google Search查詢的結果，如下圖所示：

執行之後，有下面的行為：

[DLL Injection]
C:\WINDOWS\Debug\0C9C4681802F.dll

[Added file]
C:\Documents and Settings\Administrator\Desktop\2.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\microsofts.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\js[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ms06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ma2[1].exe
C:\WINDOWS\Debug\0C9C4681802F.dll
C:\WINDOWS\Debug\0C9C4681802F.exe

[Added COM/BHO]
{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}-C:\WINDOWS\Debug\0C9C4681802F.dll

到目前為止 (2008/3/25 @ 11:)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

0C9C4681802F.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Gamania.gen!D"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.tdw"
[ Panda ], "Trj/Lineage.HTK"
[ Panda_Beta ], "Trj/Lineage.HTK"
[ Alwil ], "Win32:Gamania-EB [Trj]"
[ CAV ], "Win32/Lineage!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Online.tdw"
[ Norman ], "Trojan W32/OnLineGames.ALRD"
[ Rising ], "Trojan.PSW.Win32.QMOnline.gl"
[ Ikarus ], "Generic.Lineage"
[ quickheal ], "TrojanPSW.OnLineGames.rzt"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ WebWasher ], "Trojan.PSW.Online.tdw"
0C9C4681802F.exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Gamania.gen!D"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.spw"
[ McAfee ], "New Malware.x !!"
[ McAfee_Beta ], "New Malware.x !!"
[ Alwil ], "Win32:Gamania-EB [Trj]"
[ CAV ], "Win32/Lineage!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.spw"
[ Norman ], "Trojan W32/OnLineGames.ALND"
[ Rising ], "Trojan.Win32.Agent.zri"
[ Clamav ], "Trojan.Spy-26631"
[ Ikarus ], "Trojan-Spy.Win32.Delf.GI"
[ Grisoft ], "Trojan horse Generic9.BGHG"
[ quickheal ], "TrojanPSW.OnLineGames.spw"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ WebWasher ], "Trojan.PSW.OnlineGames.spw"
ma2[1].exe:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Gamania.gen!D"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.spw"
[ McAfee ], "New Malware.x !!"
[ McAfee_Beta ], "New Malware.x !!"
[ Alwil ], "Win32:Gamania-EB [Trj]"
[ CAV ], "Win32/Lineage!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.spw"
[ Norman ], "Trojan W32/OnLineGames.ALND"
[ Rising ], "Trojan.Win32.Agent.zri"
[ Clamav ], "Trojan.Spy-26631"
[ Ikarus ], "Trojan-Spy.Win32.Delf.GI"
[ Grisoft ], "Trojan horse Generic9.BGHG"
[ quickheal ], "TrojanPSW.OnLineGames.spw"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ WebWasher ], "Trojan.PSW.OnlineGames.spw"
ms06014[1].htm:
[ Microsoft ], "[->(SCRIPT0000)]:TrojanDownloader:VBS/Psyme.gen!D"
[ Kaspersky ], "Trojan-Downloader.VBS.Agent.lb"
[ Sophos ], "Mal/Psyme-A"
[ HBEDV ], "JS/Dldr.Noopt.1969"
[ Rising ], "Trojan.DL.Script.VBS.Small.fb"
[ Ikarus ], "JS.Downloader.Noopt.1969"
[ Ewido ], "Downloader.AniLoad.nae"
[ Grisoft ], "Virus found JS/Downloader.Agent"
[ WebWasher ], "Script.Dldr.Noopt.1969"

NAUTICA台灣網站被值入惡意連結

2008-02-25T16:08:00.008+08:00

注意：目前惡意連結已移除 (2008/2/25@16:14)
NAUTICA台灣網站被值入惡意連結，此惡意程式為 TROJ_DLOADER.EMD，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

展示影片，請看這裡。

Google Search查詢的結果，如下所示：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\System32\CcEvtSvc.exe

[Added service]
NAME: CcEvtSvc
DISPLAY: CcEvtSvc
FILE: C:\WINDOWS\System32\CcEvtSvc.exe -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\in[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\nautica-taiwan.com[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\stat[1].htm
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\CcEvtSvc.exe
C:\WINDOWS\system32\MI84.tmp
C:\WINDOWS\system32\reeppoor.tmp
C:\winzvdi.exe

到目前為止 (2008/2/22 @ 20:35)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

CcEvtSvc.exe:
[ Trend ], "TROJ_BMVD.A"
MI84.tmp:
[ Trend ], "TROJ_BMVD.A"
winzvdi.exe:
[ Trend ], "TROJ_DLOADER.EMD"
in[1].htm:
[ Kaspersky ], "Trojan-Downloader.JS.Zapchast.f"
[ HBEDV ], "HEUR/Exploit.HTML"
nautica-taiwan.com[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Sophos ], "Mal/Iframe-F"
[ HBEDV ], "HTML/Dldr.Iframe.U"
[ WebWasher ], "Script.Dldr.Iframe.U"
[ bitdefender ], "Trojan.IFrame.AK"
stat[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"

台中縣清水鎮公所被轉址與被入惡意連結

2008-02-25T15:38:00.010+08:00

注意：都已經N天了，目前惡意連結還在(2008/2/25@15:40)，無言...
台中縣清水鎮公所被轉址與被入惡意連結，此惡意程式為 TSPY_QQPASS.CH，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: 匿名網友)

當連上台中縣清水鎮公所網站後，馬上被轉址到下列網站：

該網頁原始碼，如下所示：

展示影片，請看這裡。

Google Search查詢的結果，沒發現任何異狀，如下所示：

執行之後，有下面的行為：

[Added process]
C:\Program Files\Common Files\svchost.exe

[DLL injection]
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\OnlO0r.dll
C:\WINDOWS\system32\fhdoor0.dll
C:\WINDOWS\system32\mndoor0.dll
C:\WINDOWS\system32\qhdoor0.dll
C:\WINDOWS\system32\qzdoor0.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\M1.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ss[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\addr[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\main[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\s[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\add_54738542[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ms[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\%46%41%51%2E%6A%73[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1542776[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\FAQ[1].htm
C:\Program Files\Common Files\fjOs0r.dll
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\OnlO0r.bak
C:\Program Files\Internet Explorer\OnlO0r.dll
C:\Program Files\Internet Explorer\OnlO0r.obk
C:\temp.exe
C:\WINDOWS\system32\fhdoor0.dll
C:\WINDOWS\system32\mndoor0.dll
C:\WINDOWS\system32\qhdoor0.dll
C:\WINDOWS\system32\qqdoor0.dll
C:\WINDOWS\system32\qsdoor0.dll
C:\WINDOWS\system32\qzdoor0.dll
C:\WINDOWS\~Temp358.tmp

[Added COM/BHO]
{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}-C:\WINDOWS\system32\qzdoor0.dll
{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}-C:\WINDOWS\system32\mndoor0.dll
{6C7596CB-31CC-BBA3-BE51-2EEA62F9C51D}-C:\Program Files\Common Files\fjOs0r.dll
{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}-C:\WINDOWS\system32\fhdoor0.dll
{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}-C:\WINDOWS\system32\qhdoor0.dll
{C2626E66-D21B-E628-C1DF-1DACCFA36ED2}-C:\Program Files\Common Files\fjOs0r.dll
{C26A8AB5-B935-400C-A152-0488714725B1}-C:\WINDOWS\system32\qsdoor0.dll
{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}-C:\Program Files\Internet Explorer\OnlO0r.dll
{D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF}-C:\WINDOWS\system32\qqdoor0.dll

到目前為止 (2008/2/19 @ 01:31)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

qqdoor0.dll:
[ Trend ], "Possible_Strat-6"
qhdoor0.dll:
[ Trend ], "TSPY_QQPASS.CH"
mndoor0.dll:
[ Trend ], "Possible_Strat-6"
fhdoor0.dll:
[ Trend ], "TSPY_FRETHOG.WF"
svchost.exe:
[ Trend ], "TSPY_ONLINEG.BOM"
OnlO0r.bak:
[ Trend ], "TROJ_Generic.A"
s[1].exe:
[ Trend ], "TROJ_Generic.A"
~Temp358.tmp:
[ Trend ], "TROJ_Generic.A"
qzdoor0.dll:
[ Trend ], "TSPY_FRETHOG.WF"
qsdoor0.dll:
[ Trend ], "TSPY_FRETHOG.WF"
OnlO0r.obk:
[ Symantec ], "W32.Drom"
[ Microsoft ], "Worm:Win32/Rodvir.gen"
[ Kaspersky ], "Trojan-PSW.Win32.Delf.apc"
[ McAfee ], "PWS-QQPass"
[ McAfee_Beta ], "PWS-QQPass"
[ Sophos ], "Mal/PWS-K"
[ Alwil ], "Win32:AutoRun-U"
[ CAV ], "Win32/Rodvir.AJ"
[ Nod32 ], "Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/PSW.Delf.ifd.11"
[ Norman ], "Trojan W32/QQPass.HSC"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.lpg"
[ Grisoft ], "Trojan horse PSW.Generic5.AJLF"
[ quickheal ], "TrojanPSW.Delf.apc"
[ vba32 ], "Trojan-PSW.Win32.Delf.apc"
[ Authentium ], "W32/InfoStealer!Generic"
[ Sunbelt ], "Trojan-PWS.Delf.IFD"
[ WebWasher ], "Trojan.PSW.Delf.ifd.11"
[ bitdefender ], "Trojan.PWS.Delf.IFD"
temp.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Symantec ], "W32.Drom"
[ Microsoft ], "[->(UPX)]:Worm:Win32/Rodvir.gen"
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX"
[ McAfee ], "[0000d0f0.EXE]:PWS-QQPass"
[ McAfee_Beta ], "[GenUnp\0000d0f0.EXE]:PWS-QQPass"
[ Sophos ], "[FILE:0000]:Mal/PWS-K"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/Autorun.BK"
[ Ikarus ], "Trojan-PWS.Win32.Delf.aky"
[ Grisoft ], "Trojan horse PSW.OnlineGames.AEIB"
[ eAladdin ], "Suspicious File [101]"
[ WebWasher ], "Trojan.Autorun.BK"
[ bitdefender ], "Dropped:Trojan.PWS.Delf.IFD"
ss[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Symantec ], "W32.Drom"
[ Microsoft ], "[->(UPX)]:Worm:Win32/Rodvir.gen"
[ Kaspersky ], "PAK:PE_Patch.UPX, PAK:UPX"
[ McAfee ], "[0000d0f0.EXE]:PWS-QQPass"
[ McAfee_Beta ], "[GenUnp\0000d0f0.EXE]:PWS-QQPass"
[ Sophos ], "[FILE:0000]:Mal/PWS-K"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/Autorun.BK"
[ Ikarus ], "Trojan-PWS.Win32.Delf.aky"
[ Grisoft ], "Trojan horse PSW.OnlineGames.AEIB"
[ eAladdin ], "Suspicious File [101]"
[ WebWasher ], "Trojan.Autorun.BK"
[ bitdefender ], "Dropped:Trojan.PWS.Delf.IFD"
OnlO0r.dll:
[ Symantec ], "W32.Drom"
[ Microsoft ], "Worm:Win32/Rodvir.gen"
[ Kaspersky ], "Trojan-PSW.Win32.Delf.apx"
[ McAfee ], "PWS-QQPass"
[ McAfee_Beta ], "PWS-QQPass"
[ Sophos ], "Mal/PWS-K"
[ Alwil ], "Win32:AutoRun-U"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/PSW.Delf.ifd.12"
[ Ikarus ], "Trojan-PWS.Delf.IFD"
[ Grisoft ], "Trojan horse PSW.Generic5.AKDY"
[ Authentium ], "W32/InfoStealer!Generic"
[ WebWasher ], "Trojan.PSW.Delf.ifd.12"
[ bitdefender ], "Trojan.PWS.Delf.IFD"
fjOs0r.dll:
[ Symantec ], "W32.Drom"
[ Microsoft ], "Worm:Win32/Rodvir.gen"
[ Kaspersky ], "Trojan-PSW.Win32.Delf.apx"
[ McAfee ], "PWS-QQPass"
[ McAfee_Beta ], "PWS-QQPass"
[ Sophos ], "Mal/PWS-K"
[ Alwil ], "Win32:AutoRun-U"
[ CAV ], "Win32/Rodvir!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NBR trojan"
[ Fortinet ], "K!tr.pws"
[ HBEDV ], "TR/PSW.Delf.ifd.12"
[ Ikarus ], "Trojan-PWS.Delf.IFD"
[ Grisoft ], "Trojan horse PSW.Generic5.AKDY"
[ Authentium ], "W32/InfoStealer!Generic"
[ WebWasher ], "Trojan.PSW.Delf.ifd.12"
[ bitdefender ], "Trojan.PWS.Delf.IFD"
ms[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
FAQ[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
click[1].htm:
[ Sophos ], "Mal/Iframe-A"
addr[1].js:
[ Kaspersky ], "PAK:JSPack, Trojan-Downloader.JS.Small.kq"
[ Ikarus ], "Trojan-Downloader.JS.Small.kq"
add_54738542[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
%46%41%51%2E%6A%73[1]:
[ Sophos ], "Mal/Iframe-C"
[ Grisoft ], "Virus found HTML/Framer"
main[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"

協合國際法律事務所網站被值入惡意連結

2008-02-15T13:39:00.010+08:00

注意：目前惡意連結已移除 (2008/2/15 @ 14:14)
協合國際法律事務所網站被值入惡意連結，此惡意程式為 TROJ_DLOADER.DXI，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

展示影片，請看這裡。

Google Search查詢的結果，如下所示：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\system32\lssass.exe
C:\WINDOWS\system32\12.exe
C:\WINDOWS\system32\4.exe

[DLL injection]
C:\WINDOWS\system32\HDDGuard.dll

[Added service]
NAME: ATI2HDDSRV
DISPLAY: ATI2HDDSRV
FILE: \??\C:\WINDOWS\system32\drivers\ati32srv.sys

NAME: DeepFree Update
DISPLAY: DeepFree Update
FILE: \??\C:\WINDOWS\system32\drivers\pcihdd2.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\MicroSofts.pif
C:\Documents and Settings\Administrator\Local Settings\Temp\MicroSofts.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\11[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\985195[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\jh[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\tw[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\down[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\rl[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\vccd[1].htm
C:\WINDOWS\system32\HDDGuard.dll
C:\WINDOWS\system32\lssass.exe
C:\WINDOWS\system32\WIN.INI
C:\WINDOWS\system32\drivers\pcihdd2.sys
C:\WINDOWS\system32\drivers\ati32srv.sys
C:\WINDOWS\system32\12.exe
C:\WINDOWS\system32\4.exe
C:\WINDOWS\system32\73120.dat

到目前為止 (2008/2/12 @ 14:41)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

11[1].js:
[ HBEDV ], "HEUR/Exploit.HTML"
12.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Tilcun!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NML trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ eAladdin ], "Suspicious File [104]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
73120.dat:
[ IntelliTrap ], "PAK_Generic.005"
[ Kaspersky ], "PAK:NSPack"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan W32/Hupigon.gen67"
[ Ikarus ], "Backdoor.Win32.Agent.ahj"
[ eAladdin ], "Suspicious File [101]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Win32.NewMalware.MH!49939"
[ bitdefender ], "Trojan.PWS.OnlineGames.OQN"
jh[2].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
ppp.js:
[ HBEDV ], "HTML/Shellcode.Gen"
[ Norman ], "Trojan HTML/IFrameBof.A"
[ Ewido ], "Not-A-Virus.Exploit.HTML.IframeBof.d"
[ Authentium ], "HTML/IFrameBoF"
[ WebWasher ], "Script.Shellcode.Gen"
rl[1].js:
[ Sophos ], "Troj/Rexplo-A"
[ HBEDV ], "JS/Agent.ES"
[ Ikarus ], "Trojan-Downloader.JS.Agent.ol"
[ Grisoft ], "Virus found Exploit"
[ WebWasher ], "Script.Agent.ES"
[ bitdefender ], "Dropped:Trojan.Downloader.JS.Agent.OL"
tw[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Norman ], "Trojan HTML/Exploit!IFrame.G"
[ WebWasher ], "BlockReason.46 (suspicious)"
vccd[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Kaspersky ], "Trojan-Downloader.HTML.IFrame.ee"
[ Sophos ], "Mal/Iframe-A"
[ HBEDV ], "JS/Dldr.Age.GGG.167"
[ Norman ], "Trojan HTML/Exploit!IFrame.G"
[ WebWasher ], "Script.Dldr.Age.GGG.167"
xx[1].htm:
[ HBEDV ], "HTML/Dldr.aaa.330"
[ WebWasher ], "Script.Dldr.aaa.330"
down[1].exe:
[ Trend ], "TROJ_DLOADER.DXI"
HDDGuard.dll:
[ Trend ], "TROJ_AGENT.GES"
lssass.exe:
[ Trend ], "BKDR_HUPIGON.OHB"
lz.js:
[ Trend ], "JS_IFRAMEBO.AL"
MicroSofts.pif:
[ Trend ], "TROJ_DLOADER.DXI"
4.exe:
[ Trend ], "TROJ_SMALL.CAL"

太奇數位科技虛擬主機代管中心網站被值入惡意連結

2008-02-15T13:21:00.008+08:00

注意：目前惡意連結已移除 (2008/2/15 @ 14:14)
太奇數位科技虛擬主機代管中心網站被值入惡意連結，此惡意程式為 BKDR_HUPIGON.FVR，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

解碼之後，惡意連結如下所示：

展示影片，請看這裡。

Google Search查詢的結果，如下所示：

執行之後，有下面的行為：

[Added process]
C:\Program Files\Internet Explorer\IEXPLORE.EXE (此為微軟ie，但惡意程式利用它，將它隱匿起來，並且，此執行程序會將system.exe鎖住)

[Added service]
NAME: Windows security service
DISPLAY: Windows security service
FILE: C:\Program Files\systeminfo1\system.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\g0ld.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\%73%79%73%2E%68%74%6D[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\last[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\sv[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\virtualhost[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\status[1].js
C:\jiji1.exe
C:\Program Files\systeminfo1\system.exe

到目前為止 (2008/2/12 @ 14:39)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

system.exe:
[ Trend ], "BKDR_HUPIGON.FVR"
%73%79%73%2E%68%74%6D[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
g0ld.com:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/sv.exe]:Trojan-Downloader.Win32.Agent.iph"
[ Sophos ], "[SfxArchiveData\sv.exe]:Mal/Behav-010"
[ Nod32 ], "[?CAB ?sv.exe]:a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
jiji1.exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/www.exe]:Backdoor.Win32.Hupigon.aubv"
[ McAfee ], "BackDoor-AWQ"
[ McAfee_Beta ], "BackDoor-AWQ"
[ Sophos ], "[SfxArchiveData\www.exe]:Mal/Behav-058"
[ Nod32 ], "[?CAB ?www.exe]:a variant of Win32/Hupigon trojan"
[ Fortinet ], "[www.exe]:W32/Hupigon.YQ!tr.bdr"
[ Norman ], "Trojan Hupigon.gen126.dropper"
[ Rising ], "[>>www.exe>>Aspack212r]:Backdoor.Gpigeon.GEN"
[ Ewido ], "[/www.exe]:Backdoor.Hupigon.awp, [/www.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\www.exe]:Trojan horse BackDoor.Small.52.BQ, Trojan horse BackDoor.Small.52.BQ"
[ quickheal ], "Win32.Backdoor.Hupigon.ngr3"
[ vba32 ], "BackDoor.Pigeon.6620"
[ WebWasher ], "Trojan.Backdoor.Hupigon.ami"
last[1].exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/www.exe]:Backdoor.Win32.Hupigon.aubv"
[ McAfee ], "BackDoor-AWQ"
[ McAfee_Beta ], "BackDoor-AWQ"
[ Sophos ], "[SfxArchiveData\www.exe]:Mal/Behav-058"
[ Nod32 ], "[?CAB ?www.exe]:a variant of Win32/Hupigon trojan"
[ Fortinet ], "[www.exe]:W32/Hupigon.YQ!tr.bdr"
[ Norman ], "Trojan Hupigon.gen126.dropper"
[ Rising ], "[>>www.exe>>Aspack212r]:Backdoor.Gpigeon.GEN"
[ Ewido ], "[/www.exe]:Backdoor.Hupigon.awp, [/www.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\www.exe]:Trojan horse BackDoor.Small.52.BQ, Trojan horse BackDoor.Small.52.BQ"
[ quickheal ], "Win32.Backdoor.Hupigon.ngr3"
[ vba32 ], "BackDoor.Pigeon.6620"
[ WebWasher ], "Trojan.Backdoor.Hupigon.ami"
sv[1].exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/sv.exe]:Trojan-Downloader.Win32.Agent.iph"
[ Sophos ], "[SfxArchiveData\sv.exe]:Mal/Behav-010"
[ Nod32 ], "[?CAB ?sv.exe]:a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"

電子情書夾帶風暴蠕蟲

2008-02-14T17:24:00.005+08:00

這幾天收到大量有關西洋情人節的電子郵件，內容都包含一個下載連結，開啟其中一個，電腦就叫個不停，發送大量的外部封包，喔，原來是風暴蠕蟲(Storm Worm)。如果各位收到類似的電子郵件，千萬別執行來路不明的連結，否則，就送您上天堂囉！

展示影片，請看這裡 (高解析度的AVI檔，請從這裡下載，影片解碼器，可以在VMWARE網站上下載)。

執行之後，有下面的行為(具有Rootkit行為)：

[Added service]
NAME: diperto1e9d-1b49
DISPLAY: diperto1e9d-1b49
FILE: \??\C:\WINDOWS\system32\diperto1e9d-1b49.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\valentine[1].exe
C:\WINDOWS\system32\diperto.ini
C:\WINDOWS\system32\diperto1e9d-1b49.sys

到目前為止 (2008/2/14 @ 16:25)，下面的防毒軟體(32家中，只有19家偵測到)可以偵測到這些惡意檔案 (僅提供參考)：

AhnLab-V3:
AntiVir: Worm/Zhelatin.pb
Authentium:
Avast:
AVG: I-Worm/Nuwar.N
BitDefender: Trojan.Peed.IWW
CAT-QuickHeal:
ClamAV: Trojan.Peed-103
DrWeb: Trojan.Packed.357
eSafe: Suspicious File
eTrust-Vet: Win32/Sintun!generic
EwidoL:
FileAdvisor:
Fortinet: W32/PackTibs.M
F-Prot: W32/Zhelatin.F.gen!Eldorado
F-Secure: Packed.Win32.Tibs.ic
Ikarus: Trojan.Peed.IWV
Kaspersky: Packed.Win32.Tibs.ic
McAfee: W32/Nuwar@MM
Microsoft: TrojanDropper:Win32/Nuwar.gen!B
NOD32v2: probably a variant of Win32/Nuwar.Gen
Norman:
Panda:
Prevx1:
Sophos: W32/Dorf-AW
Sunbelt:
Symantec: Trojan.Peacomm
TheHacker:
VBA32:
VirusBuster: Trojan.DR.Tibs.Gen!Pac.142
Webwasher-Gateway: Worm.Zhelatin.pb
Trend Micro: WORM_NUWAR.AR

附加訊息
File size: 121857 bytes
MD5: a932b94554f91e4cbd24f204f8dfe577
SHA1: 5fdc1488dd85af9265e398fe4b402c87a845c17f
PEiD: MinGW GCC 3.x

詳細掃描結果，請參考這裡。

李玟箖飾品設計網站被值入惡意連結

2008-02-12T17:20:00.000+08:00

李玟箖飾品設計網站被值入惡意連結，此惡意程式為 BKDR_HUPIGON.FVR，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: 匿名網友)

當進入此網站，點擊進入Blog或飾品後，會被轉址到Yahoo的部落格(如下圖所示)，但此部落格目前沒有被值入惡意連結(留下空的iframe的痕跡)：

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

解碼之後，惡意連結如下所示：

展示影片，請看這裡 (高解析度的AVI檔，請從這裡下載)。

Google Search查詢的結果，如下所示：

執行之後，有下面的行為：

[Added process]
C:\Program Files\Internet Explorer\IEXPLORE.EXE (此為微軟ie，但惡意程式利用它，將它隱匿起來，並且，此執行程序會將system.exe鎖住)

[Added service]
NAME: Windows security service
DISPLAY: Windows security service
FILE: C:\Program Files\systeminfo1\system.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\g0ld.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\sv[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\accessory.com[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\last[2].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\%73%79%73%2E%68%74%6D[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\%73%79%73%2E%68%74%6D[2].htm
C:\jiji1.exe
C:\Program Files\systeminfo1\system.exe

到目前為止 (2008/2/12 @ 14:39)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

system.exe:
[ Trend ], "BKDR_HUPIGON.FVR"
%73%79%73%2E%68%74%6D[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
g0ld.com:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/sv.exe]:Trojan-Downloader.Win32.Agent.iph"
[ Sophos ], "[SfxArchiveData\sv.exe]:Mal/Behav-010"
[ Nod32 ], "[?CAB ?sv.exe]:a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
jiji1.exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/www.exe]:Backdoor.Win32.Hupigon.aubv"
[ McAfee ], "BackDoor-AWQ"
[ McAfee_Beta ], "BackDoor-AWQ"
[ Sophos ], "[SfxArchiveData\www.exe]:Mal/Behav-058"
[ Nod32 ], "[?CAB ?www.exe]:a variant of Win32/Hupigon trojan"
[ Fortinet ], "[www.exe]:W32/Hupigon.YQ!tr.bdr"
[ Norman ], "Trojan Hupigon.gen126.dropper"
[ Rising ], "[>>www.exe>>Aspack212r]:Backdoor.Gpigeon.GEN"
[ Ewido ], "[/www.exe]:Backdoor.Hupigon.awp, [/www.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\www.exe]:Trojan horse BackDoor.Small.52.BQ, Trojan horse BackDoor.Small.52.BQ"
[ quickheal ], "Win32.Backdoor.Hupigon.ngr3"
[ vba32 ], "BackDoor.Pigeon.6620"
[ WebWasher ], "Trojan.Backdoor.Hupigon.ami"
last[1].exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/www.exe]:Backdoor.Win32.Hupigon.aubv"
[ McAfee ], "BackDoor-AWQ"
[ McAfee_Beta ], "BackDoor-AWQ"
[ Sophos ], "[SfxArchiveData\www.exe]:Mal/Behav-058"
[ Nod32 ], "[?CAB ?www.exe]:a variant of Win32/Hupigon trojan"
[ Fortinet ], "[www.exe]:W32/Hupigon.YQ!tr.bdr"
[ Norman ], "Trojan Hupigon.gen126.dropper"
[ Rising ], "[>>www.exe>>Aspack212r]:Backdoor.Gpigeon.GEN"
[ Ewido ], "[/www.exe]:Backdoor.Hupigon.awp, [/www.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\www.exe]:Trojan horse BackDoor.Small.52.BQ, Trojan horse BackDoor.Small.52.BQ"
[ quickheal ], "Win32.Backdoor.Hupigon.ngr3"
[ vba32 ], "BackDoor.Pigeon.6620"
[ WebWasher ], "Trojan.Backdoor.Hupigon.ami"
sv[1].exe:
[ Alpha_Gen ], "Possible_TrojDAS"
[ Kaspersky ], "ARC:Rsrc-Package, ARC:[data0000.cab]:CAB, [data0000.cab/sv.exe]:Trojan-Downloader.Win32.Agent.iph"
[ Sophos ], "[SfxArchiveData\sv.exe]:Mal/Behav-010"
[ Nod32 ], "[?CAB ?sv.exe]:a variant of Win32/TrojanDownloader.Delf.NJH trojan"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"

聲寶公司網站遭駭且被值入惡意程式

2008-01-25T18:23:00.000+08:00

注意：目前此網站尚未修復 (2008/1/25 @ 18:28)

聲寶公司網站遭駭且被值入惡意程式，此惡意程式為 BKDR_JAVAKBD.A/TSPY_MPASS.A，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

展示影片，請看這裡。

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\Taskmanager.exe
C:\WINDOWS\Wintask.exe

[DLL injection]
C:\WINDOWS\system32\JDukeNative.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\index[10
C:\Documents and Settings\Administrator\Local Settings\Temp\JVM83.tmp
C:\WINDOWS\Function.zip
C:\WINDOWS\system32\JDukeNative.dll
C:\WINDOWS\system32\User_Info.exe
C:\WINDOWS\TaskManager.exe
C:\WINDOWS\Wintask.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Taskmanager
Data=C:\WINDOWS\TaskManager.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Wintask
Data=C:\WINDOWS\WinTask.exe

到目前為止 (2008/1/23 @ 23:41)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

[ Trend ], "BKDR_JAVAKBD.A"
Wintask.exe:
[ Trend ], "BKDR_JAVAKBD.A"
index[10:
[ Alpha_Gen ], "Heur_Infrm-1"
[ HBEDV ], "HTML/Infected.WebPage.Gen"
[ WebWasher ], "Script.Infected.WebPage.Gen"
User_Info.exe:
[ TMAS ], "CrackingApps_MPass"
[ Symantec ], "Hacktool.PassReminder"
[ Kaspersky ], "PAK:UPX"
[ McAfee ], "PWCrack-MPass"
[ McAfee_Beta ], "PWCrack-MPass"
[ Panda ], "HackTool/MSNpass.G"
[ Panda_Beta ], "HackTool/MSNpass.G"
[ Fortinet ], "HackerTool/MessenPass"
[ HBEDV ], "SPR/PSW.Messen.103.4"
[ Ewido ], "Not-A-Virus.PSWTool.Win32.Messen.102"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "Trojan.Horst.pp"
[ WebWasher ], "Riskware.PSW.Messen.103.4"
[ bitdefender ], "Application.Messenpass.B"
Function.zip/xynx.hex:
[ Ikarus ], "PSWTool.Win32.Messen.102"
[ Ewido ], "Not-A-Virus.PSWTool.Win32.Messen.102"
Function.zip/TaskManager.exe:
[ Alwil ], "JS:BackDoor-KBD-12"
[ Ikarus ], "Virus.JS.Backdoor.KBD.12"
Function.zip/Wintask.exe:
[ Alwil ], "JS:BackDoor-KBD-11"
[ Ikarus ], "Backdoor.Java.KBD"

全球華文行銷知識庫網站又被植入惡意連結

2008-01-24T22:52:00.001+08:00

全球華文行銷知識庫網站又被植入惡意連結，此惡意程式為 Infostealer.Lineage，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

展示影片，請看這裡。

執行之後，有下面的行為：

[DLL injection]
C:\WINDOWS\pal32.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\22085.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\520[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\index[1].htm
C:\WINDOWS\pal32.dll
C:\WINDOWS\system32\winpal.exe

[Added COM/BHO]
{37A5702C-E1ED-4399-A40E-9D263EDC918A}-C:\WINDOWS\pal32.dll

到目前為止 (2008/1/23 @ 23:41)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

520[1].exe:
[ Trend ], "TSPY_LINEAGE.IB"
22085.com:
[ Trend ], "TSPY_LINEAGE.IB"
winpal.exe:
[ Trend ], "TSPY_LINEAGE.IB"
1[1].htm:
[ McAfee ], "Exploit-ObscuredHtml"
[ McAfee_Beta ], "Exploit-ObscuredHtml"
[ HBEDV ], "HTML/ADODB.Exploit.Gen"
[ Norman ], "Trojan JS/Exploit!ADODB.Stream.B"
[ Rising ], "Trojan.DL.VBS.Agent.xhd"
[ Grisoft ], "Virus identified Exploit"
[ WebWasher ], "Script.ADODB.Exploit.Gen"
pal32.dll:
[ IntelliTrap ], "PAK_Generic.005"
[ Alpha_Gen ], "Possible_Lneage2"
[ Symantec ], "Infostealer.Lineage"
[ Microsoft ], "[->(NSPack)]:PWS:Win32/Lineage.gen!A"
[ Kaspersky ], "PAK:NSPack, Trojan-PSW.Win32.OnLineGames.odo"
[ McAfee ], "PWS-Lineage"
[ McAfee_Beta ], "PWS-Lineage"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "a variant of Win32/PSW.Lineage.DN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Lineage.7206F05E"
[ Norman ], "Backdoor W32/Lineage.AZWJ"
[ Ikarus ], "Trojan-PWS.Win32.Delf.hh"
[ Grisoft ], "Trojan horse PSW.Lineage.AHF"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "TrojanPSW.OnLineGames.odo"
[ vba32 ], "Trojan-PSW.Win32.OnLineGames.odo"
[ WebWasher ], "Trojan.Lineage.7206F05E"
[ bitdefender ], "Generic.Lineage.7206F05E"

「資安技術教育訓練」準備要開課了

2008-01-18T16:59:00.000+08:00

Malware-Test Lab將在今年二、三月舉辦「資安技術教育訓練」，名額有限，額滿不再招生，如果您有興趣的話，請盡速報名。

主辦單位：Malware-Test Lab
對象：對此有興趣之相關人員
地點：恆逸或資策會台北教育訓練中心
課程費用(課程費用包含稅、講義、茶點、午餐等費用)：

2008/1/31以前報名，每人每門課程，新台幣6000元
2008/1/31以後報名，每人每門課程，新台幣7000元
關於學生部分，每人每門課程，新台幣5000元

注意：三門課可以分開報名，你可以選擇你想上的課程報名。
============================================
報名方式：
請將課程費用匯入下列帳號，然後，將下列的資料寄到 service@malware-test.com：

您的姓名
您的手機號碼
您的公司名稱和公司統一編號
發票要開二聯式，還是三聯式(可以報公司帳)
您的轉帳帳號後六碼

轉帳資訊：

戶名：梅爾斯特系統有限公司
帳號：212-03-200119-7
銀行/分行：國泰世華銀行敦化分行
銀行代碼：013

聯絡方式：

電子郵件：service@malware-test.com
公司電話：02-22507096
手機號碼：0935-660646

============================================
課程名稱：OS Architecture and Internals (Windows作業系統架構與核心運作原理)
開課時間：2008年2月23日星期六 09:30~16:30
難易度：中高

課程內容 (如果有時間，會多講幾個主題)：
Introduction
System Architecture
　- Requirements and Design Goals
　- Operating System Model
　- Architecture Overview
　- Key System Components
System Mechanism
　- Trap Dispatching
　- Object Manager
　- Synchronization
　- System Worker Threads
　- Local Procedure Calls(LPCs)
　- Wow64
Process and Threads
　- Process Internals
　- Flow of CreateProcess
　- Thread Internals
　- Thread Scheduling
　- Job Objects

============================================
課程名稱：User-Mode Rootkit原理、防護與實作
開課時間：2008年3月1日星期六 09:30~16:30
難易度：中高

課程內容 (如果有時間，會多講 ernel-Mode Rootkit)：
What is a Rootkit?
What can Rootkits do?
User-Mode Rootkits techniques
　- Replace files
　- Hook DLL’s functions(IAT)
　- Modify DLL’s functions(Raw code change)
　- DLL injection
　...
Tools
Demo
Hands-on Exercises

============================================
課程名稱：Static Malware and Spyware Analysis (靜態惡意程式與間諜軟體分析)
開課時間：2008年3月8日星期六 09:30~16:30
難易度：中高

課程內容 (如果有時間，會多講幾個主題)：
Introduction to Assembly
Malware Overview
PE Format
Infection Techniques
Self-protection Techniques
Find API Addresses
DLL Patching
...

注意：

主辦單位保有改變課程時間與地點的權利。
報名繳費後，如果臨時有事，無法前來，概不退費。

ITinternals網站正式上線

2008-01-18T10:06:00.000+08:00

經過幾個禮拜的測試，ITternals網站正式上線了。這個網站主會專注在提供資安新聞、技術、評論及討論等議題，希望各位踴躍提供批評與建議。另外，我們現在正在招募有志一同、有熱情的義工(Volunteer)，幫忙撰寫、編輯各種資安新聞與技術，如果您有興趣，請聯絡我，我的電子郵件是 roger(at)malware-test.com。

義工條件有下列幾個(不是必要條件，有興趣者皆可)：

懂電腦相關技術
懂資安相關技術
懂Windows、Linux、Mac OS X等作業系統
懂英文
...

情人節未到，風暴蠕蟲先到

2008-01-16T14:54:00.000+08:00

情人節快要到了，風暴蠕蟲(Storm Worm)作者也跟著蠢蠢欲動。最近發現很多垃圾郵件中都包含風暴蠕蟲的下載連結，如果不小心點擊連結，那會很慘勒。

執行之後，有下面的行為：

[Added service]
NAME: burito33dc-bb
DISPLAY: burito33dc-bb
FILE: \??\C:\WINDOWS\system32\burito33dc-bb.sys

[Added file]
C:\Temp\withlove.exe
C:\WINDOWS\system32\burito33dc-bb.sys
C:\WINDOWS\system32\burito.ini

此惡意程式具有 Rootkit 的行為 (如下圖所示)，受害者將不知道系統中有此惡意程式：

到目前為止 (2008/1/16 @ 12:28)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

burito33dc-bb.sys:
[ Trend ], "TROJ_PEACOMM.BM"
with_love.exe:
[ McAfee ], "W32/Nuwar@MM"
[ McAfee_Beta ], "W32/Nuwar@MM"
[ Nod32 ], "a variant of Win32/Nuwar worm"
[ Fortinet ], "suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
withlove.exe:
[ McAfee ], "W32/Nuwar@MM"
[ McAfee_Beta ], "W32/Nuwar@MM"
[ Nod32 ], "a variant of Win32/Nuwar worm"
[ Fortinet ], "suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"

GSN 政府網際服務網被植入惡意連結

2008-01-16T10:40:00.000+08:00

更新資訊：目前已修復

GSN 政府網際服務網被植入惡意連結，此惡意程式為 Backdoor.Win32.Agent.ana，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在 04-03.html，但是指到 202(dot)39(dot)47(dot)197，這台主機應該被駭客完全控制了 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\drum[1].ani
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\update[1].exe
C:\Documents and Settings\All Users\Application Data\Microsoft\back1.reg
C:\Documents and Settings\All Users\Application Data\Microsoft\back2.reg
C:\Documents and Settings\All Users\Application Data\Microsoft\Comon\ctfmon.exe

到目前為止 (2008/1/15 @ 15:19)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

04-03[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
ctfmon.exe-:
[ Alpha_Gen ], "Possible_HUPIGON"
[ Kaspersky ], "Backdoor.Win32.Agent.ana"
[ Sophos ], "Mal/Dropper-G"
[ CAV ], "Win32/Lidoor.B"
[ Nod32 ], "Win32/Agent.ANA trojan"
[ HBEDV ], "BDS/Agent.bze"
[ Grisoft ], "Trojan horse BackDoor.Agent.GIX"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ Authentium ], "W32/Backdoor.ARVK"
[ WebWasher ], "Trojan.Backdoor.Agent.bze"
[ bitdefender ], "BehavesLike:Win32.ExplorerHijack"
drum[1].ani:
[ Symantec ], "Downloader"
[ Microsoft ], "Exploit:Win32/Anicmoo.A"
[ Kaspersky ], "Exploit.Win32.IMG-ANI.gen"
[ McAfee ], "Exploit-ANIfile.c"
[ McAfee_Beta ], "Exploit-ANIfile.c"
[ Alwil ], "CVE-2007-0038"
[ Nod32 ], "a variant of Win32/TrojanDownloader.Ani.Gen trojan"
[ Fortinet ], "W32/MalFormed_ANI.C"
[ HBEDV ], "EXP/Ani.Gen"
[ Rising ], "Hack.SuspiciousAni"
[ Grisoft ], "Virus found Exploit"
[ WebWasher ], "Exploit.Ani.Gen"
[ bitdefender ], "Exploit.Win32.MS05-002.Gen"
server_time[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
update[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_HUPIGON"
[ Symantec ], "Backdoor.Trojan"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ Sophos ], "[FILE:0000]:Mal/Dropper-G, Mal/Dropper-G"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ Nod32 ], "a variant of Win32/Agent.BZE trojan"
[ HBEDV ], "BDS/Agent.bze"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Backdoor.Agent.bze"
[ bitdefender ], "BehavesLike:Win32.ExplorerHijack"

台北市公寓大廈暨社區服務協會網站被植入惡意連結

2008-01-14T17:47:00.000+08:00

台北市公寓大廈暨社區服務協會網站被植入惡意連結，此惡意程式為 TSPY_ONLINEG.NSM，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: 匿名網友)

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\system32\gjcsczc.exe
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avwlist.exe
C:\WINDOWS\system32\mszxaab32.dll
C:\WINDOWS\Fonts\kawdjaz.exe
C:\WINDOWS\system32\rsjzasp.exe
C:\WINDOWS\Fonts\raqjltl.exe
C:\WINDOWS\Fonts\rsztosp.exe
C:\WINDOWS\system32\TxoMoU.Exe
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\Fonts\ratbttl.exe
C:\WINDOWS\system32\kvdxsmis.exe
c:\Program Files\lsasso.exe
C:\WINDOWS\system32\gjtmazc.exe
C:\WINDOWS\Fonts\rsjzbsp.exe
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\system32\swrcfac.exe
C:\WINDOWS\Fonts\avwgist.exe
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avwlist.exe
C:\WINDOWS\Fonts\kawdjaz.exe
C:\WINDOWS\Fonts\raqjltl.exe
C:\WINDOWS\system32\avzxmst.exe
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\Fonts\rsmyksp.exe
C:\WINDOWS\Fonts\jsqxbzc.exe
C:\WINDOWS\Fonts\jsqxbzc.exe
C:\WINDOWS\system32\swrcfac.exe
C:\WINDOWS\Fonts\jsqsczc.exe
C:\WINDOWS\Fonts\avwljst.exe
C:\WINDOWS\Fonts\wsmsfax.exe
C:\WINDOWS\system32\okmhdaz.exe
C:\WINDOWS\system32\jsqxazc.exe
C:\WINDOWS\Fonts\rarjftl.exe
C:\WINDOWS\Fonts\gjcsdzc.exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Program Files\Common Files\Microsoft Shared\MSInfo\System76.Ins
C:\Program Files\Common Files\Services\svchost.exe
C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys
C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
C:\WINDOWS\124327MM.DLL
C:\WINDOWS\124327WL.DLL
C:\WINDOWS\Fonts\avwgimn.dll
C:\WINDOWS\Fonts\avwljmn.dll
C:\WINDOWS\Fonts\gjcsdyc.dll
C:\WINDOWS\Fonts\jsqscyc.dll
C:\WINDOWS\Fonts\jsqxbyc.dll
C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\raqjlpi.dll
C:\WINDOWS\Fonts\rarjfpi.dll
C:\WINDOWS\Fonts\ratbtpi.dll
C:\WINDOWS\Fonts\rsjzbpm.dll
C:\WINDOWS\Fonts\rsmykpm.dll
C:\WINDOWS\Fonts\rsztopm.dll
C:\WINDOWS\Fonts\wsmsfzx.dll
C:\WINDOWS\system32\aimivc.dll
C:\WINDOWS\system32\anxitdnwow.dll
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwlimn.dll
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\avzxmmn.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\DirectX10.dll
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\gdmsi32.dll
C:\WINDOWS\system32\gdwli32.dll
C:\WINDOWS\system32\gjcscyc.dll
C:\WINDOWS\system32\gjtmayc.dll
C:\WINDOWS\system32\hrekfp.dll
C:\WINDOWS\system32\IGB_DJOL_1007.dll
C:\WINDOWS\system32\jdzctd.dll
C:\WINDOWS\system32\jsqxayc.dll
C:\WINDOWS\system32\kvdxsmma.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\kxhqcluzx.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\okmhdzy.dll
C:\WINDOWS\system32\oyhkmx.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\rcmwkscdj.dll
C:\WINDOWS\system32\rsjzapm.dll
C:\WINDOWS\system32\swrcfzc.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\whulgh.dll
C:\WINDOWS\system32\WinForm.dll
C:\WINDOWS\system32\wsmsezx.dll
C:\WINDOWS\system32\WSockDrv32.dll
C:\WINDOWS\system32\zeakpn.dll

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\fat32.sys

NAME: PciHdd
DISPLAY: PciHdd
FILE: \??\C:\WINDOWS\system32\drivers\pcihdd.sys

[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Local Settings\Temp\callrun.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\commomds.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDEG32.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\OPE133.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPE98.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPE99.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPEC8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPEED.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPEF3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\OPEFA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\temp336.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp104.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp105.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp106.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp107.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp108.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp10B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp10D.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp10E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp110.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp111.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp113.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp115.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp117.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp118.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11A.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp11F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp120.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp121.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp124.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp125.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp126.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp128.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp129.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp12A.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp12B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp12C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp12E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp12F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp130.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp131.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp132.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpAA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpAB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpAC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpAD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpB9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpEA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpEB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpEC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpFD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\370[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a11[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a16[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a22[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a26[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ha[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\jh[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\real[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\s28[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\shell[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\shell[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\shibie[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\vip[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\web[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\Zn3703[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\Zn3703[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\6681666[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a15[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a17[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a20[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a24[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\baidu[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\g15[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\g1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\gg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ha[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\s28[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\shell[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\shibie[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\web[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\xx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\101logo[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1531419[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\370[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a23[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a28[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\dm[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\g15[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\gg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ha[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\IENoRun[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ms[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\rl[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\shell[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\table[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\985195[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a21[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a25[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\dm[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\gg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\IE[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\mm_menu[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ms1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\s28[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\s[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\web[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\xx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\Zn3703[1].htm
C:\Documents and Settings\Administrator\ntuser.com
C:\pagefile.pif
C:\Program Files\Common Files\Microsoft Shared\MSInfo\System36.jup
C:\Program Files\Common Files\Microsoft Shared\MSInfo\System76.Ins
C:\Program Files\Common Files\Services\svchost.exe
C:\Program Files\ctfmond.exe
C:\Program Files\ctfmonf.exe
C:\Program Files\ctfmoni.exe
C:\Program Files\ctfmonj.exe
C:\Program Files\ctfmonk.exe
C:\Program Files\Internet Explorer\PLUGINS\anHVaZQ7.exe
C:\Program Files\Internet Explorer\PLUGINS\Bh6I6kyz.exe
C:\Program Files\Internet Explorer\PLUGINS\DV21yAp4.exe
C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys
C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Tao
C:\Program Files\Internet Explorer\PLUGINS\NvWin_5.Jmp
C:\Program Files\Internet Explorer\PLUGINS\Sy_Win7k.Jmp
C:\Program Files\Internet Explorer\PLUGINS\v7FOBoPh.exe
C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Tao
C:\Program Files\lsass6.exe
C:\Program Files\lsass7.exe
C:\Program Files\lsasso.exe
C:\soS.Exe
C:\WINDOWS\124327L.exe
C:\WINDOWS\124327M.exe
C:\WINDOWS\124327MM.DLL
C:\WINDOWS\124327WL.DLL
C:\WINDOWS\AVPSrv.exE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\Fonts\ardasbse.fon
C:\WINDOWS\Fonts\armebsea.fon
C:\WINDOWS\Fonts\avwghina.dll
C:\WINDOWS\Fonts\avwgiin.dll
C:\WINDOWS\Fonts\avwgimn.dll
C:\WINDOWS\Fonts\avwgist.exe
C:\WINDOWS\Fonts\avwliinc.dll
C:\WINDOWS\Fonts\avwljin.dll
C:\WINDOWS\Fonts\avwljmn.dll
C:\WINDOWS\Fonts\avwljst.exe
C:\WINDOWS\Fonts\avzxlin.dll
C:\WINDOWS\Fonts\avzxminc.dll
C:\WINDOWS\Fonts\chqibur.fon
C:\WINDOWS\Fonts\chrebur.fon
C:\WINDOWS\Fonts\chtibur.fon
C:\WINDOWS\Fonts\enwebfx.fon
C:\WINDOWS\Fonts\gejibnd.fon
C:\WINDOWS\Fonts\gemobnd.fon
C:\WINDOWS\Fonts\gezebnd.fon
C:\WINDOWS\Fonts\gjcscssb.dll
C:\WINDOWS\Fonts\gjcsdss.dll
C:\WINDOWS\Fonts\gjcsdyc.dll
C:\WINDOWS\Fonts\gjcsdzc.exe
C:\WINDOWS\Fonts\gjcubxw.fon
C:\WINDOWS\Fonts\gjtmass.dll
C:\WINDOWS\Fonts\gjtoaxw.fon
C:\WINDOWS\Fonts\jshubxw.fon
C:\WINDOWS\Fonts\jsqscss.dll
C:\WINDOWS\Fonts\jsqscyc.dll
C:\WINDOWS\Fonts\jsqsczc.exe
C:\WINDOWS\Fonts\jsqxassb.dll
C:\WINDOWS\Fonts\jsqxbss.dll
C:\WINDOWS\Fonts\jsqxbyc.dll
C:\WINDOWS\Fonts\jsqxbzc.exe
C:\WINDOWS\Fonts\jssgbxw.fon
C:\WINDOWS\Fonts\kawdjaz.exe
C:\WINDOWS\Fonts\kawdjcs.dll
C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\kvdxsmcfb.dll
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\msgubsd.fon
C:\WINDOWS\Fonts\mswubsd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\Fonts\mszhbsd.fon
C:\WINDOWS\Fonts\okmhdcsb.dll
C:\WINDOWS\Fonts\raqjlni.dll
C:\WINDOWS\Fonts\raqjlpi.dll
C:\WINDOWS\Fonts\raqjltl.exe
C:\WINDOWS\Fonts\rarjfni.dll
C:\WINDOWS\Fonts\rarjfpi.dll
C:\WINDOWS\Fonts\rarjftl.exe
C:\WINDOWS\Fonts\ratbtni.dll
C:\WINDOWS\Fonts\ratbtpi.dll
C:\WINDOWS\Fonts\ratbttl.exe
C:\WINDOWS\Fonts\rsjzafgb.dll
C:\WINDOWS\Fonts\rsjzbfg.dll
C:\WINDOWS\Fonts\rsjzbpm.dll
C:\WINDOWS\Fonts\rsjzbsp.exe
C:\WINDOWS\Fonts\rsmykfg.dll
C:\WINDOWS\Fonts\rsmykpm.dll
C:\WINDOWS\Fonts\rsmyksp.exe
C:\WINDOWS\Fonts\rsztofg.dll
C:\WINDOWS\Fonts\rsztopm.dll
C:\WINDOWS\Fonts\rsztosp.exe
C:\WINDOWS\Fonts\swrcfcsb.dll
C:\WINDOWS\Fonts\system\ati2evxx.exe
C:\WINDOWS\Fonts\wirebfw.fon
C:\WINDOWS\Fonts\wsmsecja.dll
C:\WINDOWS\Fonts\wsmsfax.exe
C:\WINDOWS\Fonts\wsmsfcj.dll
C:\WINDOWS\Fonts\wsmsfzx.dll
C:\WINDOWS\Fonts\wymoafz.fon
C:\WINDOWS\Fonts\wymobfz.fon
C:\WINDOWS\Kvsc3.exE
C:\WINDOWS\LotusHlp.exe
C:\WINDOWS\MsIMMs32.exE
C:\WINDOWS\MsPrint32D.exe
C:\WINDOWS\NVDispDRV.EXE
C:\WINDOWS\PTSShell.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\SHAProc.exe
C:\WINDOWS\system32\0SvTh.exe
C:\WINDOWS\system32\12SvTh.exe
C:\WINDOWS\system32\18SvTh.exe
C:\WINDOWS\system32\19SvTh.exe
C:\WINDOWS\system32\20SvTh.exe
C:\WINDOWS\system32\3SvTh.exe
C:\WINDOWS\system32\5SvTh.exe
C:\WINDOWS\system32\6SvTh.exe
C:\WINDOWS\system32\7SvTh.exe
C:\WINDOWS\system32\aimivc.dll
C:\WINDOWS\system32\anxitdnwow.dll
C:\WINDOWS\system32\Autorun.Inf
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avwlimn.dll
C:\WINDOWS\system32\avwlist.exe
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\system32\avzxmmn.dll
C:\WINDOWS\system32\avzxmst.exe
C:\WINDOWS\system32\bgktyp.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\Com\comrepl32.exe
C:\WINDOWS\system32\config\AppEventw.cfg
C:\WINDOWS\system32\config\sysEventw.cfg
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\DirectX10.dll
C:\WINDOWS\system32\drivers\msconkt.sys
C:\WINDOWS\system32\drivers\pcibus.sys
C:\WINDOWS\system32\drivers\scvhost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\elucgv.dll
C:\WINDOWS\system32\FTCCompress.dll
C:\WINDOWS\system32\FUEb.CoM
C:\WINDOWS\system32\FUEc.CoM
C:\WINDOWS\system32\FUEx.CoM
C:\WINDOWS\system32\gdmsi32.dll
C:\WINDOWS\system32\gdwli32.dll
C:\WINDOWS\system32\gjcscyc.dll
C:\WINDOWS\system32\gjcsczc.exe
C:\WINDOWS\system32\gjtmayc.dll
C:\WINDOWS\system32\gjtmazc.exe
C:\WINDOWS\system32\hrekfp.dll
C:\WINDOWS\system32\IGB_DJOL_1007.dll
C:\WINDOWS\system32\IGB_DJOL_1007.exe
C:\WINDOWS\system32\ixdttm.dll
C:\WINDOWS\system32\jdzctd.dll
C:\WINDOWS\system32\jsqxayc.dll
C:\WINDOWS\system32\jsqxazc.exe
C:\WINDOWS\system32\kvdxsmis.exe
C:\WINDOWS\system32\kvdxsmma.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\kxhqcluzx.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\mshmsdjs32.dll
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\mszxaab32.dll
C:\WINDOWS\system32\NVDispDrv.dll
C:\WINDOWS\system32\okmhdaz.exe
C:\WINDOWS\system32\okmhdzy.dll
C:\WINDOWS\system32\oyhkmx.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\rcmwkscdj.dll
C:\WINDOWS\system32\REGKEY.hiv
C:\WINDOWS\system32\rsjzapm.dll
C:\WINDOWS\system32\rsjzasp.exe
C:\WINDOWS\system32\sfkxrl.dll
C:\WINDOWS\system32\SHAProc.dll
C:\WINDOWS\system32\swrcfac.exe
C:\WINDOWS\system32\swrcfzc.dll
C:\WINDOWS\system32\taimpo.txt
C:\WINDOWS\system32\TxoMoU.Exe
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\whulgh.dll
C:\WINDOWS\system32\WinForm.dll
C:\WINDOWS\system32\wsmseax.exe
C:\WINDOWS\system32\wsmsezx.dll
C:\WINDOWS\system32\WSockDrv32.dll
C:\WINDOWS\system32\wsvzwl.dll
C:\WINDOWS\system32\wxptdi.sys
C:\WINDOWS\system32\xpsvde.dll
C:\WINDOWS\system32\zeakpn.dll
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\WinForm.exE
C:\WINDOWS\WSockDrv32.exe

[Added COM/BHO]
{12FAACDE-34DA-CCD4-AB4D-DA34485A3421}-C:\WINDOWS\system32\rsjzapm.dll
{1C098A56-F90F-A789-901F-8906546720C1}-C:\WINDOWS\system32\gjtmayc.dll
{1D098345-9012-8750-8910-9128098134D1}-C:\WINDOWS\system32\jsqxayc.dll
{22FAACDE-34DA-CCD4-AB4D-DA34485A3422}-C:\WINDOWS\Fonts\rsjzbpm.dll
{2D098345-9012-8750-8910-9128098134D2}-C:\WINDOWS\Fonts\jsqxbyc.dll
{3A098324-8631-9087-7650-8907643562A3}-C:\WINDOWS\Fonts\jsqscyc.dll
{3FA10261-B890-F432-A453-69F1023513F3}-C:\WINDOWS\system32\gjcscyc.dll
{471B15AD-7A9C-491D-9C19-4E15B12DCE00}-C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys
{4A57CAD1-412F-9547-713F-9641FA3FC7A4}-C:\WINDOWS\system32\okmhdzy.dll
{4bcb7a90-b0ab-498e-81ab-9c6f50f0d977}-IGB_DJOL_1007.dll
{4FA10261-B890-F432-A453-69F1023513F4}-C:\WINDOWS\Fonts\gjcsdyc.dll
{57650011-3344-6688-4899-345FABCD1575}-C:\WINDOWS\Fonts\ratbtpi.dll
{6598FF45-DA60-F48A-BC43-10AC47853D56}-C:\WINDOWS\Fonts\rarjfpi.dll
{778A7521-FA87-34AB-34C2-4893F3AD34C7}-C:\WINDOWS\system32\swrcfzc.dll
{792FADFA-BCDE-ACDF-CDEF-21054865CBA7}-C:\WINDOWS\system32\wsmsezx.dll
{892FADFA-BCDE-ACDF-CDEF-21054865CBA8}-C:\WINDOWS\Fonts\wsmsfzx.dll
{8A1247C1-53DA-FF43-ABD3-345F323A48D8}-C:\WINDOWS\system32\avwghmn.dll
{9960356A-458E-DE24-BD50-268F589A56A9}-C:\WINDOWS\system32\avwlimn.dll
{9963387B-212E-4643-B207-82DAEA0E713D}-C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
{9A1247C1-53DA-FF43-ABD3-345F323A48D9}-C:\WINDOWS\Fonts\avwgimn.dll
{A8907901-1416-3389-9981-37217856998A}-C:\WINDOWS\Fonts\kawdjzy.dll
{A960356A-458E-DE24-BD50-268F589A56AA}-C:\WINDOWS\Fonts\avwljmn.dll
{BE32FA58-3453-FA2D-BC49-F340348ACCEB}-C:\WINDOWS\Fonts\rsmykpm.dll
{C4783410-4F90-34A0-7820-3230ACD05F4C}-C:\WINDOWS\Fonts\raqjlpi.dll
{C859245F-345D-BC13-AC4F-145D47DA34FC}-C:\WINDOWS\system32\avzxlmn.dll
{D859245F-345D-BC13-AC4F-145D47DA34FD}-C:\WINDOWS\system32\avzxmmn.dll
{DD561258-45F3-A451-F908-A258458226DD}-C:\WINDOWS\system32\kvdxsmma.dll
{F34345F1-DACF-3452-CB7D-4620F34A153F}-C:\WINDOWS\Fonts\rsztopm.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=crsss
Data=C:\WINDOWS\system32\TxoMoU.Exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinForm
Data=C:\WINDOWS\WinForm.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WSockDrv32
Data=C:\WINDOWS\WSockDrv32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=upxdnd
Data=C:\WINDOWS\upxdnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsIMMs32
Data=C:\WINDOWS\MsIMMs32.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsPrint32D
Data=C:\WINDOWS\MsPrint32D.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=cmdbcs
Data=C:\WINDOWS\cmdbcs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=LotusHlp
Data=C:\WINDOWS\LotusHlp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=NVDispDrv
Data=C:\WINDOWS\NVDispDRV.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=AVPSrv
Data=C:\WINDOWS\AVPSrv.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=DbgHlp32
Data=C:\WINDOWS\DbgHlp32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=KVP
Data =C:\WINDOWS\system32\drivers\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\124327M.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysW
Data=C:\WINDOWS\124327L.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=
Data=C:\Program Files\Common Files\Services\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=PTSShell
Data=C:\WINDOWS\PTSShell.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Kvsc3
Data=C:\WINDOWS\Kvsc3.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SHAProc
Data=C:\WINDOWS\SHAProc.exe

HKCU\Software\Microsoft\Internet Explorer\Main
Value=Start Page
Data=http://ww.94ak.com

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Internet Explorer\Main
Value=Start Page
Data=http://ww.94ak.com

到目前為止 (2008/1/14 @ 18:13)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

稍後更新...

MSN病毒(Photos1-2008.zip)祝您新年快樂

2008-01-04T15:31:00.000+08:00

新一波的MSN病毒又開始到處流竄，最近各位的MSN可能會收到名為 Photos1-2008.zip、PrivatePhoto2008.zip 或 Dc6.zip 的檔案，壓縮檔中包含一個名為 photo151.JPEG_www.HappyNewYear.com 或 Image78145-2008.jpg_www.MsnMessenger.scr 的檔案，請各位千萬不要執行此檔案，否則，後果自行負責囉！

執行之後，有下面的行為：

第一種行為：
[Added process]
C:\WINDOWS\happy2008.exe
C:\WINDOWS\svchost.exe

[DLL injection]
C:\WINDOWS\svchost.exe

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\setup.exe
C:\WINDOWS\happy2008.exe
C:\WINDOWS\Photos1-2008.zip
C:\WINDOWS\PrivatePhoto2008.zip
C:\WINDOWS\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Windows svchost
Data=svchost.exe

第二種行為：
[Added process]
C:\WINDOWS\svchost.exe

[DLL injection]
C:\WINDOWS\svchost.exe

[Added file]
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc6.zip
C:\WINDOWS\PrivatePhoto2008.zip
C:\WINDOWS\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Windows svchost
Data=svchost.exe

到目前為止 (2008/1/4 @ 15:03)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

Dc6.zip/photo151.JPEG_www.HappyNewYear.com:
[ Trend ], "WORM_IRCBOT.EL"
happy2008.exe:
[ Trend ], "WORM_IRCBOT.EL"
Photos1-2008.zip/photo151.JPEG_www.HappyNewYear.com:
[ Trend ], "WORM_IRCBOT.EL"
PrivatePhoto2008.zip/Image78145-2008.jpg_www.MsnMessenger.scr:
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ WebWasher ], "BlockReason.46 (suspicious)"
setup.exe:
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ WebWasher ], "BlockReason.46 (suspicious)"
svchost.exe:
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ WebWasher ], "BlockReason.46 (suspicious)"

D-Link(友訊科技)網站被植入惡意連結

2007-12-31T10:17:00.000+08:00

注意：最近此網站上有「星光幫演唱會來囉」的訊息，不曉得有多少網友因為這個訊息，瀏覽此網站而中獎勒！

D-Link(友訊科技)網站被植入惡意連結，此惡意程式為 TSPY_ONLINEG.ISZ/TSPY_GAMPASS.AK/TSPY_LEGMIR.CSF，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: 匿名網友)

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

此惡意程式有一部分是利用RealPlayer的安全漏洞，詳細資訊，請參考 CVE-2007-5601。

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\system32\wszjdax.exe
C:\WINDOWS\system32\wsmseax.exe
C:\WINDOWS\system32\gjfhazc.exe
C:\WINDOWS\system32\kvdxlis.exe
C:\WINDOWS\system32\gjtmazc.exe
C:\WINDOWS\system32\kvdxslis.exe
C:\WINDOWS\system32\avwlhst.exe
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\system32\kafykaz.exe
C:\WINDOWS\system32\kapjgaz.exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\WINDOWS\136741MM.DLL
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwlhmn.dll
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\gjfhayc.dll
C:\WINDOWS\system32\gjtmayc.dll
C:\WINDOWS\system32\kafykzy.dll
C:\WINDOWS\system32\kapjgzy.dll
C:\WINDOWS\system32\kvdxlma.dll
C:\WINDOWS\system32\kvdxslma.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\SSLDyn.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\wsmsezx.dll
C:\WINDOWS\system32\wszjdzx.dll

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\fat32.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDEG32.DLL
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\111[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\22[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\5[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\r[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1299644[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\16[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\20[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\24[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\4[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\7[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\Cip[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\dy[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\rl[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\11[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\23[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\6[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\9[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\new232[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\014[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\0[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\11[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\17[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\21[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\25[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\8[1].exe
C:\WINDOWS\136741L.exe
C:\WINDOWS\136741M.exe
C:\WINDOWS\136741MM.DLL
C:\WINDOWS\136741WL.DLL
C:\WINDOWS\AVPSrv.exE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\Fonts\ardaase.fon
C:\WINDOWS\Fonts\ardasbse.fon
C:\WINDOWS\Fonts\avwghinb.dll
C:\WINDOWS\Fonts\avwlhinb.dll
C:\WINDOWS\Fonts\avzxlin.dll
C:\WINDOWS\Fonts\enfeafx.fon
C:\WINDOWS\Fonts\enpobfx.fon
C:\WINDOWS\Fonts\gjfeaxw.fon
C:\WINDOWS\Fonts\gjfhass.dll
C:\WINDOWS\Fonts\gjtmass.dll
C:\WINDOWS\Fonts\gjtoaxw.fon
C:\WINDOWS\Fonts\kafykcsb.dll
C:\WINDOWS\Fonts\kapjgcsb.dll
C:\WINDOWS\Fonts\kvdxlcfb.dll
C:\WINDOWS\Fonts\kvdxslcfb.dll
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\Fonts\wsmsecjb.dll
C:\WINDOWS\Fonts\wszjdcj.dll
C:\WINDOWS\Fonts\wymoafz.fon
C:\WINDOWS\Fonts\wyzuafz.fon
C:\WINDOWS\Kvsc3.exE
C:\WINDOWS\LotusHlp.exe
C:\WINDOWS\MsIMMs32.exE
C:\WINDOWS\MsPrint32D.exe
C:\WINDOWS\PTSShell.exe
C:\WINDOWS\SSLDyn.exE
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwghst.exe
C:\WINDOWS\system32\avwlhmn.dll
C:\WINDOWS\system32\avwlhst.exe
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\config\sysEventw.cfg
C:\WINDOWS\system32\gjfhayc.dll
C:\WINDOWS\system32\gjfhazc.exe
C:\WINDOWS\system32\gjtmayc.dll
C:\WINDOWS\system32\gjtmazc.exe
C:\WINDOWS\system32\kafykaz.exe
C:\WINDOWS\system32\kafykzy.dll
C:\WINDOWS\system32\kapjgaz.exe
C:\WINDOWS\system32\kapjgzy.dll
C:\WINDOWS\system32\kvdxlis.exe
C:\WINDOWS\system32\kvdxlma.dll
C:\WINDOWS\system32\kvdxslis.exe
C:\WINDOWS\system32\kvdxslma.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\REGKEY.hiv
C:\WINDOWS\system32\SSLDyn.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\wsmseax.exe
C:\WINDOWS\system32\wsmsezx.dll
C:\WINDOWS\system32\wszjdax.exe
C:\WINDOWS\system32\wszjdzx.dll
C:\WINDOWS\system32\wxptdi.sys
C:\WINDOWS\upxdnd.exe

[Added COM/BHO]
{1C098A56-F90F-A789-901F-8906546720C1}-C:\WINDOWS\system32\gjtmayc.dll
{1D908534-AD45-920F-AC89-4024FA9D26D1}-C:\WINDOWS\system32\gjfhayc.dll
{45679330-4034-9021-7012-909856721374}-C:\WINDOWS\system32\wszjdzx.dll
{792FADFA-BCDE-ACDF-CDEF-21054865CBA7}-C:\WINDOWS\system32\wsmsezx.dll
{7A321487-4977-D98A-C8D5-6488257545A7}-C:\WINDOWS\system32\kapjgzy.dll
{8960356A-458E-DE24-BD50-268F589A56A8}-C:\WINDOWS\system32\avwlhmn.dll
{8A1247C1-53DA-FF43-ABD3-345F323A48D8}-C:\WINDOWS\system32\avwghmn.dll
{BB681598-AD5F-BC8C-77DC-748FAC8D3FBB}-C:\WINDOWS\system32\kafykzy.dll
{C859245F-345D-BC13-AC4F-145D47DA34FC}-C:\WINDOWS\system32\avzxlmn.dll
{CC87A354-ABC3-DEDE-FF33-3213FD7447CC}-C:\WINDOWS\system32\kvdxlma.dll
{CD561258-45F3-A451-F908-A258458226DC}-C:\WINDOWS\system32\kvdxslma.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SSLDyn
Data=C:\WINDOWS\SSLDyn.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=upxdnd
Data=C:\WINDOWS\upxdnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=AVPSrv
Data=C:\WINDOWS\AVPSrv.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=cmdbcs
Data=C:\WINDOWS\cmdbcs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\136741M.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysW
Data=C:\WINDOWS\136741L.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Kvsc3
Data=C:\WINDOWS\Kvsc3.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsPrint32D
Data=C:\WINDOWS\MsPrint32D.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=PTSShell
Data=C:\WINDOWS\PTSShell.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=LotusHlp
Data=C:\WINDOWS\LotusHlp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsIMMs32
Data=C:\WINDOWS\MsIMMs32.exE

到目前為止 (2007/12/31 @ 10:39)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

稍後更新...

風暴蠕蟲新變種報到

2007-12-28T10:25:00.000+08:00

不到一天的時間，風暴蠕蟲的作者又改變惡意檔案下載網域名稱，繼續散播新變種的風暴蠕蟲，請各位小心。

郵件名稱 (Subject) 有下面幾種：

A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Happy New Year to You!
Happy New Year to
Lots of greetings on the new year
New Year wishes for You
Dance to the New 2008 Year tune

執行之後，有下面的行為 (具有隱匿行為)：

[Added service]
NAME: bldy1b60-7eb3
DISPLAY: bldy1b60-7eb3
FILE: \??\C:\WINDOWS\system32\bldy1b60-7eb3.sys

[Added file]
C:\Documents and Settings\Administrator\Desktop\happy-2008.exe
C:\WINDOWS\system32\bldy1b60-7eb3.sys
C:\WINDOWS\system32\bldy_sys.config

到目前為止 (2007/12/27 @ 22:02)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

bldy_sys.config:
[ Microsoft ], "Backdoor:Win32/Nuwar.B!ini"
happy-2008.exe:
[ Symantec ], "Trojan.Peacomm"
[ McAfee ], "W32/Nuwar@MM"
[ McAfee_Beta ], "W32/Nuwar@MM"
[ Sophos ], "Mal/Dorf-H"
[ Panda_Beta ], "W32/Nuwar.MS.worm"
[ Nod32 ], "Win32/Nuwar.BA worm"
[ Fortinet ], "W32/Tibs.G@mm"
[ HBEDV ], "TR/Crypt.XDR.Gen"
[ Authentium ], "W32/Dropper.gen6"
[ WebWasher ], "Trojan.Crypt.XDR.Gen"
bldy1b60-7eb3.sys:
[ Microsoft ], "Backdoor:WinNT/Nuwar.B!sys"
[ McAfee ], "Downloader-BAI.sys.gen.a"
[ McAfee_Beta ], "Downloader-BAI.sys.gen.a"
[ CAV ], "Win32/Sintun!generic"
[ Nod32 ], "Win32/Nuwar.BA worm"
[ HBEDV ], "TR/Rootkit.Gen"
[ quickheal ], "Backdoor.Agent.dln"
[ WebWasher ], "Trojan.Rootkit.Gen"

新年快樂病毒報到

2007-12-26T15:42:00.000+08:00

最近信箱收到一些垃圾郵件是有關新年快樂的訊息，但此信件中包含可下載風暴蠕蟲 (Storm Worm) 的連結，下載檔案名稱為 happy-2008.exe，可見此病毒的作者又開始利用「放年假的心態」，以散播新變種的風暴蠕蟲，請各位小心囉。

執行之後，有下面的行為 (具有隱匿行為)：

[Added service]
NAME: init_1c52-26ff
DISPLAY: init_1c52-26ff
FILE: \??\C:\WINDOWS\system32\init_1c52-26ff.sys (random file name)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\happy-2008[1].exe
C:\WINDOWS\system32\init_1c52-26ff.sys

到目前為止 (2007/12/26 @ 14:41)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

init_1c52-26ff.sys:
[ Microsoft ], "Backdoor:WinNT/Nuwar.B!sys"
[ McAfee ], "Downloader-BAI.sys.gen.a"
[ McAfee_Beta ], "Downloader-BAI.sys.gen.a"
[ Alwil ], "Win32:Zhelatin-ASX [Wrm]"
[ Nod32 ], "probably a variant of Win32/Fuclip trojan"
[ HBEDV ], "TR/Rootkit.Gen"
[ Ikarus ], "Backdoor.Win32.Agent.amd"
[ WebWasher ], "Trojan.Rootkit.Gen"
init_sys_config:
[ Microsoft ], "Backdoor:Win32/Nuwar.B!ini"
[ Sophos ], "Troj/Dorfin-Fam"
happy-2008[1].exe:
[ Microsoft ], "Backdoor:WinNT/Nuwar.B!sys"
[ McAfee ], "W32/Nuwar@MM"
[ McAfee_Beta ], "W32/Nuwar@MM"
[ Alwil ], "Win32:Zhelatin-ASX [Wrm]"
[ Nod32 ], "probably a variant of Win32/Fuclip trojan"
[ HBEDV ], "TR/Rootkit.Gen"
[ Authentium ], "W32/StormWorm.Q"
[ WebWasher ], "Trojan.Rootkit.Gen"
[ bitdefender ], "DeepScan:Generic.Malware.FMH@mmign.893777D0"

聖誕節MSN病毒

2007-12-26T13:14:00.000+08:00

昨天收到從一個朋友的MSN傳送過來的一個樣本，名為「christmas-2007.zip」，壓縮檔中包含一個名為「img2007-12.JPEG.scr」的檔案，分析後，它具有惡意行為，請各位小心囉。

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\servidevice.exe

[Added file]
C:\WINDOWS\Chirstmas-2007.zip
C:\WINDOWS\servidevice.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ryan1918
Data=servidevice.exe

到目前為止 (2007/12/25 @ 13:58)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

Chirstmas-2007.zip/img2007-12.JPEG.scr:
[ Nod32 ], "Win32/IRCBot.ABP trojan"
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ Ikarus ], "Trojan-Downloader.Win32.Banload.ams"
[ Authentium ], "W32/Document-disguised-based!Maximus"
[ WebWasher ], "BlockReason.46 (suspicious)"
servidevice.exe:
[ Nod32 ], "Win32/IRCBot.ABP trojan"
[ Fortinet ], "suspicious"
[ Rising ], "Backdoor.Win32.PBot.b"
[ Ikarus ], "Trojan-Downloader.Win32.Banload.ams"
[ Authentium ], "W32/Document-disguised-based!Maximus"
[ WebWasher ], "BlockReason.46 (suspicious)"

北軟股份有限公司網站被植入惡意連結

2007-12-26T10:25:00.000+08:00

注意：此惡意連結已經存在該公司網頁很多天了，都不見他們處理，想必有很多人中獎。

北軟股份有限公司網站被植入惡意連結，此惡意程式為 TROJ_SMALL.DXW，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: 匿名網友)

惡意連結/程式碼是放置在首頁 (其他頁面也有，可能要仔細檢查一下囉) 中的：

此惡意程式是利用RealPlayer的安全漏洞，詳細資訊，請參考 CVE-2007-5601。

到目前為止 (2007/12/24 @ 16:24)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

6.gif:
[ Trend ], "JS_REALPLAY.J"
ads.jpg.exe:
[ Trend ], "TROJ_SMALL.DXW"
web.exe:
[ Trend ], "TROJ_ALMANAHE.AC"
1.gif:
[ Trend ], "JS_AGENT.AEVS"

高雄市觀光協會網站被植入惡意連結

2007-12-12T17:33:00.000+08:00

高雄市觀光協會網站被植入惡意連結，此惡意程式為 PWS:Win32/Gamania.gen!B，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁和 index-down.asp (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\WINDOWS\Help\9712499B91DB.DLL

[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Desktop\2.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\~s.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\m[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\gmsex[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\h[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\stat[1].htm
C:\shell.exe
C:\WINDOWS\Help\9712499B91DB.DLL
C:\WINDOWS\Help\9712499B91DB.EXE
C:\WINDOWS\Help\autorun.inf

[ Added COM/BHO ]
{6B12A5F5-CABF-41EE-B8B3-EC5D2AAFF132}-C:\WINDOWS\HELP\9712499B91DB.DLL

到目前為止 (2007/12/12 @ 16:04)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

9712499B91DB.DLL:
[ Trend ], "Possible_Infostl"
9712499B91DB.EXE:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Mlwr-13"
[ Microsoft ], "PWS:Win32/Gamania.gen!B"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE"
[ Sophos ], "[FILE:0000]:Mal/LineDLL-B, [FILE:0001]:Mal/LineDLL-B, Mal/EncPk-AP"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ HBEDV ], "DR/Delphi.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Delphi.Gen"
autorun.inf:
[ Beta_Gen ], "Possible_Otorun1"
[ Ikarus ], "Trojan-PWS.OnlineGames.NIT"
[ bitdefender ], "Trojan.PWS.OnLineGames.NIT"
gmsex[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Mlwr-13"
[ Microsoft ], "PWS:Win32/Gamania.gen!B"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE"
[ Sophos ], "[FILE:0000]:Mal/LineDLL-B, [FILE:0001]:Mal/LineDLL-B, Mal/EncPk-AP"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ HBEDV ], "DR/Delphi.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Delphi.Gen"
h[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Sophos ], "Mal/Iframe-A"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Norman ], "Trojan HTML/Exploit!IFrame.G"
m[1].htm:
[ McAfee ], "Exploit-ObscuredHtml"
[ McAfee_Beta ], "Exploit-ObscuredHtml"
[ HBEDV ], "HTML/ADODB.Exploit.Gen"
[ Grisoft ], "Virus found JS/Downloader.Agent"
[ WebWasher ], "Script.ADODB.Exploit.Gen"
shell.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Mlwr-13"
[ Microsoft ], "PWS:Win32/Gamania.gen!B"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE"
[ Sophos ], "[FILE:0000]:Mal/LineDLL-B, [FILE:0001]:Mal/LineDLL-B, Mal/EncPk-AP"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ HBEDV ], "DR/Delphi.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Delphi.Gen"

台安醫院網站又被植入惡意連結

2007-12-12T16:23:00.000+08:00

注意：此網站被植入惡意連結的時間已經很久了，都不見他們有改善的情形，如果各位還上此網站的話，後果自行負責。

台安醫院網站又被植入惡意連結，此惡意程式為 Trojan W32/Lineage.AYTD，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\WINDOWS\Web\printers\images\ndmai.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\717[1].c
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\h[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\614003[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\614woai[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\717003[1].htm
C:\microsofts.vbs
C:\NTDETECT.EXE
C:\WINDOWS\Web\printers\images\ndmai.dll
C:\WINDOWS\Web\printers\images\ndmai.exe

[Added COM/BHO]
{7152C68A-D93C-49BF-AFEF-6B4576849A7E}-C:\WINDOWS\Web\printers\images\ndmai.dll

到目前為止 (2007/12/12 @ 12:38)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

717[1].c:
[ Trend ], "EXPL_ANICMOO.GEN"
ndmai.dll:
[ Trend ], "Possible_Infostl"
ndmai.dll:
[ Trend ], "Possible_Infostl"
614woai[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Mlwr-13"
[ Symantec ], "Infostealer.Lineage"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE"
[ Sophos ], "[FILE:0000]:Mal/LineDLL-B, Mal/EncPk-AP"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ HBEDV ], "TR/PSW.Lineage.UZH"
[ Norman ], "Trojan W32/Lineage.AYTD"
[ Grisoft ], "Trojan horse PSW.Lineage.AFS"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.Lineage.UZH"
614003[1].htm:
[ McAfee ], "Exploit-ObscuredHtml"
[ McAfee_Beta ], "Exploit-ObscuredHtml"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Grisoft ], "Virus found JS/Downloader.Agent"
h[1].htm:
[ McAfee ], "ObfuscatedHtml"
[ McAfee_Beta ], "ObfuscatedHtml"
[ WebWasher ], "BlockReason.46 (suspicious)"
microsofts.vbs:
[ Microsoft ], "[->(UTF-16LE)]:Virus:VBS/VBSWGbased.gen"
ndmai.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Mlwr-13"
[ Symantec ], "Infostealer.Lineage"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.MaskPE"
[ Sophos ], "[FILE:0000]:Mal/LineDLL-B, Mal/EncPk-AP"
[ Nod32 ], "a variant of Win32/PSW.Lineage.ACN trojan"
[ HBEDV ], "TR/PSW.Lineage.UZH"
[ Norman ], "Trojan W32/Lineage.AYTD"
[ Grisoft ], "Trojan horse PSW.Lineage.AFS"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.Lineage.UZH"
NTDETECT.EXE:
[ Microsoft ], "[->(UTF-16LE)]:Virus:VBS/VBSWGbased.gen"

新竹市文化局網站被植入惡意連結

2007-11-30T11:06:00.000+08:00

新竹市文化局網站被植入惡意連結，此惡意程式為 Backdoor:Win32/PcClient，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: 匿名網友)

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\WINDOWS\system32\ncepjn.dll

[Added service]
NAME: ymutexfy
DISPLAY: ymutexfy
FILE: \??\C:\WINDOWS\system32\drivers\ncepjn.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\g913995[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\mainpic02[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\cpro8[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ma[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\tengrui8[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1449166[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\14[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\8[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\hcccb.gov[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\huohu[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1026[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cpro1[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\g913995[1].htm
C:\WINDOWS\system32\000462c8.inf
C:\WINDOWS\system32\drivers\ncepjn.sys
C:\WINDOWS\system32\ncepjn.dll
C:\wwwcuteqqcn.pif

到目前為止 (2007/11/29 @ 16:01)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

14[1].htm:
[ McAfee ], "[00000060.js]:Obfuscated Script.d !!"
[ McAfee_Beta ], "[00000060.js]:Obfuscated Script.d !!"
[ HBEDV ], "JS/Dldr.Agent.afg"
[ Rising ], "Trojan.DL.Script.JS.Agent.lrx"
[ Grisoft ], "Virus found Downloader.Small"
[ Authentium ], "JS/IFrameBoF.H"
[ WebWasher ], "Script.Dldr.Agent.afg"
ncepjn.sys:
[ HBEDV ], "HEUR/Damaged"
[ Grisoft ], "Virus identified Obfustat.VXS"
[ WebWasher ], "BlockReason.46 (suspicious)"
ncepjn.dll:
[ Microsoft ], "Backdoor:Win32/PcClient"
[ Alwil ], "Win32:Agent-MDR [Trj]"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Ikarus ], "Backdoor.Win32.PcClient.LH"
[ WebWasher ], "BlockReason.46 (suspicious)"
wwwcuteqqcn.pif:
[ Alwil ], "Win32:Agent-EPC [Trj]"
[ Ikarus ], "Backdoor.Win32.PcClient.yw"
[ Grisoft ], "Virus found BackDoor.PcClient"
[ WebWasher ], "BlockReason.46 (suspicious)"
g913995[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
8[1].htm:
[ eAladdin ], "JS.Small.au (Non-Removable)"
[ WebWasher ], "BlockReason.46 (suspicious)"
1026[1].exe:
[ Alwil ], "Win32:Agent-EPC [Trj]"
[ Ikarus ], "Backdoor.Win32.PcClient.yw"
[ Grisoft ], "Virus found BackDoor.PcClient"
[ WebWasher ], "BlockReason.46 (suspicious)"
tengrui8[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Norman ], "Security Risk HTML/Exploit!IFrame.A"
[ WebWasher ], "BlockReason.46 (suspicious)"
ma[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Norman ], "Security Risk HTML/Exploit!IFrame.A"
[ WebWasher ], "BlockReason.46 (suspicious)"

元照網路書店網站被植入惡意連結

2007-11-30T10:49:00.000+08:00

元照網路書店網站被植入惡意連結，此惡意程式為 TROJ_HARNIG.CW，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: Jimau)

惡意連結/程式碼是放置在 index.asp (其他頁面可能要仔細檢查一下囉) 中的：

解碼後為：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\system32\com\SMSS.EXE
C:\WINDOWS\system32\com\LSASS.EXE
C:\WINDOWS\system32\drivers\alg.exe

[DLL injection]
C:\WINDOWS\system32\Com\LSASS.EXE
C:\WINDOWS\system32\Com\netcfg.dll
C:\WINDOWS\system32\Com\SMSS.EXE
C:\WINDOWS\system32\dnsq.dll

[Added file]
C:\AUTORUN.INF
C:\Documents and Settings\Administrator\Local Settings\Temp\tzgl.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~s.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1378348[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\468[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\468[2].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\5[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\6[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\goto[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\HOOK[1].dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\100932[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1388306[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\4[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a6[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\a9[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\dd[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\flash[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1492703[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a4[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\a5[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\count[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\head[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\r[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\Stop[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\3[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a10[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a11[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\a7[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\svchost[1].exe
C:\pagefile.pif
C:\WINDOWS\system32\000.cfg0
C:\WINDOWS\system32\Com\LSASS.EXE
C:\WINDOWS\system32\Com\netcfg.000
C:\WINDOWS\system32\Com\netcfg.dll
C:\WINDOWS\system32\Com\SMSS.EXE
C:\WINDOWS\system32\dnsq.dll
C:\WINDOWS\system32\dnsq.dll.log
C:\WINDOWS\system32\drivers\alg.exe
C:\WINDOWS\system32\drivers\alg.exe.log
C:\WINDOWS\system32\drivers\npf.sys.log
C:\WINDOWS\system32\ntfsus.exe
C:\WINDOWS\system32\ntfsus.exe.log
C:\WINDOWS\system32\packet.dll.log
C:\WINDOWS\system32\pthreadVC.dll.log
C:\WINDOWS\system32\wpcap.dll.log

[Added COM/BHO]
{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}-C:\WINDOWS\system32\com\netcfg.dll
{D9901239-34A2-448D-A000-3705544ECE9D}-C:\WINDOWS\system32\com\netcfg.dll

到目前為止 (2007/11/29 @ 12:27)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

a4[1].htm:
[ Trend ], "EXPL_EXECOD.A."
a1[1].htm:
[ Trend ], "VBS_PSYME.BCC"
SMSS.EXE:
[ Trend ], "TROJ_HARNIG.CW"
a10[1].htm:
[ Trend ], "HTML_SHELLCOD.AV"
a6[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
a5[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
a2[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
TINTSETP.EXE:
[ WebWasher ], "BlockReason.46 (suspicious)"
ImScInst.exe:
[ WebWasher ], "BlockReason.46 (suspicious)"
Stop[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Trojan Harnig.gen1"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
ntfsus.log:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Trojan Harnig.gen1"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
ntfsus.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Trojan Harnig.gen1"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
HOOK[1].dll:
[ WebWasher ], "BlockReason.46 (suspicious)"
dnsq.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
dnsq.dll:
[ WebWasher ], "BlockReason.46 (suspicious)"
wpcap.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
svchost[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk Suspicious_F.gen"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
alg.exe.log:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk Suspicious_F.gen"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
alg.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk Suspicious_F.gen"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
pthreadVC.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
packet.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
npf.sys.log:
[ WebWasher ], "BlockReason.46 (suspicious)"
000.cfg0-pe
[ Sophos ], "[FILE:0001]:Mal/Packer"
[ Ikarus ], "Trojan.Win32.Agent.czg"
[ WebWasher ], "BlockReason.46 (suspicious)"
netcfg.dll:
[ Ikarus ], "Trojan.Win32.Agent.czh"
[ WebWasher ], "BlockReason.46 (suspicious)"
netcfg.000:
[ Ikarus ], "Trojan.Win32.Agent.czh"
[ WebWasher ], "BlockReason.46 (suspicious)"
r[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
tzgl.exe:
[ Sophos ], "[FILE:0001]:Mal/Packer"
[ Ikarus ], "Trojan.Win32.Agent.czg"
[ WebWasher ], "BlockReason.46 (suspicious)"
pagefile.pif:
[ Sophos ], "[FILE:0001]:Mal/Packer"
[ Ikarus ], "Trojan.Win32.Agent.czg"
[ WebWasher ], "BlockReason.46 (suspicious)"
LSASS.exe:
[ Sophos ], "[FILE:0001]:Mal/Packer"
[ Ikarus ], "Trojan.Win32.Agent.czg"
[ WebWasher ], "BlockReason.46 (suspicious)"
a11[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
a9[1].htm:
[ Alpha_Gen ], "Possible_Hifrm-3"
[ Microsoft ], "[->(SCRIPT0001)->(EmbeddedCode)]:Exploit:Win32/Senglot.A"
[ McAfee ], "JS/Exploit-BO.gen"
[ McAfee_Beta ], "JS/Exploit-BO.gen"
[ Sophos ], "Mal/JSShell-A"
[ HBEDV ], "HTML/Shellcode.Gen"
[ Norman ], "Trojan HTML/IFrameBof.A"
[ Ikarus ], "Exploit.HTML.IframeBof"
[ WebWasher ], "Script.Shellcode.Gen"
a7[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"

國立台灣師範大學國語教學中心網站遭駭且被植入惡意程式

2007-11-30T10:38:00.000+08:00

國立台灣師範大學國語教學中心網站遭駭且被植入惡意程式，不過，此惡意程式已經無法下載。在這裡要注意的是這個網站有可能被植入惡意連結或惡意程式碼，所以，他們的網管應該要找出系統或軟體的安全漏洞，然後，儘快修補這些漏洞，而不是只是移除/修改那些遭駭的檔案。

首頁：

遭駭之網頁：

Google Search的結果(遭駭次數蠻多，還不改善)：

惡意程式連結為(已失效，但原來之網址好像是正常網站)：

台北市雜誌商業同業公會又被植入惡意連結

2007-11-28T16:17:00.000+08:00

台北市雜誌商業同業公會又被植入惡意連結，此惡意程式為 W32/Lineage.GLV.worm，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: Kao)

惡意連結/程式碼是放置在首頁及中英文首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\WINDOWS\124327MM.DLL
C:\WINDOWS\124327WL.DLL
C:\WINDOWS\124327WO.DLL
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\gdchdi32.dll
C:\WINDOWS\system32\gddji32.dll
C:\WINDOWS\system32\gdfyi32.dll
C:\WINDOWS\system32\gdgji32.dll
C:\WINDOWS\system32\gdjzi32.dll
C:\WINDOWS\system32\gdqji32.dll
C:\WINDOWS\system32\gdqqhxi32.dll
C:\WINDOWS\system32\gdtli32.dll
C:\WINDOWS\system32\gdwdi32.dll
C:\WINDOWS\system32\gdwli32.dll
C:\WINDOWS\system32\gdxwtwi32.dll
C:\WINDOWS\system32\gdzxi32.dll
C:\WINDOWS\system32\GenProtect.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\NVDispDrv.dll
C:\WINDOWS\system32\videodevice.dll

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\drivers\pcidisk.sys

NAME: comint32
DISPLAY: comint32
FILE: \??\C:\WINDOWS\system32\DRIVERS\comint32.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDEG32.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp89.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp8C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp8D.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp98.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp9B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp9C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp9D.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpAD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\fy[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\jh[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\jz[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\mh[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\pps[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\wl[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\zx[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\cs[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\new05[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\tl[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\wm2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\xw[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\zt[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\014[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\11[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ch[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\cq[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\d3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\hx[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\my2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\qj[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1299644[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\dh[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\dj[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\haha[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ki[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\wd1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\wow[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\zy[1].exe
C:\Program Files\conime0.exe
C:\WINDOWS\124327L.exe
C:\WINDOWS\124327M.exe
C:\WINDOWS\124327MM.DLL
C:\WINDOWS\124327W.exe
C:\WINDOWS\124327WL.DLL
C:\WINDOWS\124327WO.DLL
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\GenProtect.exE
C:\WINDOWS\LotusHlp.exe
C:\WINDOWS\NVDispDRV.EXE
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\Com\comrepl32.exe
C:\WINDOWS\system32\config\AppEventw.cfg
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\drivers\comint32.sys
C:\WINDOWS\system32\drivers\pcibus.sys
C:\WINDOWS\system32\gdchdi32.cfg
C:\WINDOWS\system32\gdchdi32.dll
C:\WINDOWS\system32\gddji32.cfg
C:\WINDOWS\system32\gddji32.dll
C:\WINDOWS\system32\gdfyi32.cfg
C:\WINDOWS\system32\gdfyi32.dll
C:\WINDOWS\system32\gdgji32.cfg
C:\WINDOWS\system32\gdgji32.dll
C:\WINDOWS\system32\gdjzi32.cfg
C:\WINDOWS\system32\gdjzi32.dll
C:\WINDOWS\system32\gdqji32.cfg
C:\WINDOWS\system32\gdqji32.dll
C:\WINDOWS\system32\gdqqhxi32.cfg
C:\WINDOWS\system32\gdqqhxi32.dll
C:\WINDOWS\system32\gdtli32.cfg
C:\WINDOWS\system32\gdtli32.dll
C:\WINDOWS\system32\gdwdi32.cfg
C:\WINDOWS\system32\gdwdi32.dll
C:\WINDOWS\system32\gdwli32.cfg
C:\WINDOWS\system32\gdwli32.dll
C:\WINDOWS\system32\gdxwtwi32.cfg
C:\WINDOWS\system32\gdxwtwi32.dll
C:\WINDOWS\system32\gdzhtui32.cfg
C:\WINDOWS\system32\gdzhtui32.dll
C:\WINDOWS\system32\gdzxi32.cfg
C:\WINDOWS\system32\gdzxi32.dll
C:\WINDOWS\system32\GenProtect.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\NVDispDrv.dll
C:\WINDOWS\system32\videodevice.dll

[Added LSP]
ID: 1016
NAME: MSAPI Tcpip [UDP/IP]

ID: 1017
NAME: MSAPI Tcpip [TCP/IP]

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=GenProtect
Data=C:\WINDOWS\GenProtect.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=cmdbcs
Data=C:\WINDOWS\cmdbcs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\124327M.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysW
Data=C:\WINDOWS\124327L.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSys
Data=C:\WINDOWS\124327W.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=NVDispDrv
Data=C:\WINDOWS\NVDispDRV.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=DbgHlp32
Data=C:\WINDOWS\DbgHlp32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=LotusHlp
Data=C:\WINDOWS\LotusHlp.exe

到目前為止 (2007/11/28 @ 02:35)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

pcibus.sys:
[ Symantec ], "W32.Fujacks.L"
[ Microsoft ], "Exploit:Win32/Siveras.E"
[ Sophos ], "[FILE:0000\FILE:0000]:Mal/Behav-160"
[ Panda ], "W32/Lineage.GLV.worm"
[ Panda_Beta ], "W32/Lineage.GLV.worm"
[ Nod32 ], "a variant of Win32/Jalous worm"
[ Fortinet ], "W32/DcomRpc.BK!worm"
[ HBEDV ], "TR/Dldr.Agent.45056"
[ Norman ], "Trojan W32/DLoader.EHRE"
[ Rising ], "Trojan.Win32.Mnless.znb"
[ Ikarus ], "Worm.Win32.Downloader.bk"
[ Grisoft ], "Trojan horse Dropper.Small.29.AR"
[ quickheal ], "Worm.Downloader.bk"
[ WebWasher ], "Trojan.Dldr.Agent.45056"
014[1].exe:
[ IntelliTrap ], "PAK_Generic.005"
[ Alpha_Gen ], "Possible_HUPIGON"
[ Symantec ], "W32.Fujacks.L"
[ Microsoft ], "[->(NSPack)]:Exploit:Win32/Siveras.E"
[ Kaspersky ], "PAK:NSPack"
[ McAfee ], "New Malware.aq !!"
[ McAfee_Beta ], "New Malware.aq !!"
[ Sophos ], "[FILE:0000\FILE:0000\FILE:0000]:Mal/Behav-160, Mal/Packer"
[ Nod32 ], "Win32/Jalous.O worm"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dldr.Agent.45056"
[ Norman ], "Security Risk W32/Suspicious_N.gen"
[ Ikarus ], "Packed.Win32.Klone.af"
[ Grisoft ], "Trojan horse Dropper.Generic.SIN"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "Worm.Downloader.bi"
[ vba32 ], "Worm.Win32.Downloader.bi"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dldr.Agent.45056"
pps[1].htm:
[ Alpha_Gen ], "Possible_EncScr"
[ Beta_Gen ], "Possible_EncScr"
[ HBEDV ], "EXP/RealPlay.B"
[ Rising ], "Hack.Exploit.Script.JS.Agent.bz"
[ Authentium ], "JS/RealPlay.B"
[ WebWasher ], "Exploit.RealPlay.B"
new05[1].htm:
[ Sophos ], "Mal/Iframe-A"
[ Rising ], "Trojan.DL.Script.JS.Agent.lst"
haha[1].htm:
[ Rising ], "Trojan.Script.JS.Agent.m"
[ WebWasher ], "BlockReason.46 (suspicious)"
11[1].js:
[ HBEDV ], "JS/Dldr.Agent.YA"
[ WebWasher ], "Script.Dldr.Agent.YA"
tmpAD.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.7"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.7"
gdfyi32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.r"
[ McAfee_Beta ], "PWS-OnlineGames.r"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Spy.Win32.Delf.uv"
[ Grisoft ], "Trojan horse PSW.Generic5.ZFW"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
gdchdi32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Spy.Win32.Delf.uv"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
fy[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Spy.Win32.Delf.uv"
[ Grisoft ], "Trojan horse SHeur.ADQI"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanPSW.OnLineGames.iub"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
comint32.sys:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "BlockReason.46 (suspicious)"
ch[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ Grisoft ], "Trojan horse SHeur.ADQG"
[ eAladdin ], "Suspicious File [104]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
gdjzi32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Symantec ], "Trojan Horse"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "W32/OnLineGames.NHF!tr.pws"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.CrashSystem.C"
NVDispDrv.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.ihi"
[ McAfee ], "PWS-Zhengtu.dll"
[ McAfee_Beta ], "PWS-Zhengtu.dll"
[ Panda ], "Trj/Lineage.GLX"
[ Panda_Beta ], "Trj/Lineage.GLX"
[ Alwil ], "Win32:OnLineGames-BHW [Trj]"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.HCV trojan"
[ Fortinet ], "W32/OnLineGames.IHI!tr.pws"
[ HBEDV ], "TR/PSW.OnlineGames.ihi"
[ Norman ], "Trojan W32/OnLineGames.WLG"
[ Rising ], "Trojan.PSW.Win32.GameOnline.akv"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TNE"
[ quickheal ], "TrojanPSW.OnLineGames.ihi"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ WebWasher ], "Trojan.PSW.OnlineGames.ihi"
[ bitdefender ], "Generic.Malware.PWS.7EF9E12D"
tmpA1.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "BlockReason.46 (suspicious)"
tmpA0.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.4"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.4"
tl[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse SHeur.ADQH"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
gdtli32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.r"
[ McAfee_Beta ], "PWS-OnlineGames.r"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.Generic5.ZFV"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
tmp9D.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "BlockReason.46 (suspicious)"
tmp9C.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.13"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.13"
tmp9B.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.4"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.4"
hx[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.7"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Rising ], "Trojan.PSW.Win32.QQHX.tsg"
[ Ikarus ], "Backdoor.Win32.Rbot.aeu"
[ Grisoft ], "Trojan horse SHeur.ADQJ"
[ eAladdin ], "Suspicious File [104]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.7"
gdqqhxi32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.r"
[ McAfee_Beta ], "PWS-OnlineGames.r"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.7"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.Generic5.ZFF"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.7"
wl[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSA"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.2"
tmp98.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "BlockReason.46 (suspicious)"
gdwli32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSD"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.2"
wm2[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer"
[ Microsoft ], "[->(Upack)]:PWS:Win32/OnLineGames.CPK"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "W32/OnLineGames.IQQ!tr.pws"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TND"
[ eAladdin ], "Suspicious File [104]"
[ quickheal ], "TrojanPSW.OnLineGames.fb"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.CrashSystem.C"
tmpA4.tmp:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Spibe!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "W32/OnlineGames.QSG!tr.pws"
[ HBEDV ], "TR/PSW.Wow.adu.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Dropper.Win32.Agent.ane"
[ Grisoft ], "Trojan horse PSW.OnlineGames.THU"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.Wow.adu.2"
gdgji32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Symantec ], "Trojan Horse"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.X.dll"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.j"
[ McAfee_Beta ], "PWS-OnlineGames.j"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "W32/OnLineGames.IKY!tr.pws"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.Generic5.YYY"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanPSW.OnLineGames.iqq"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.CrashSystem.C"
gddji32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.j"
[ McAfee_Beta ], "PWS-OnlineGames.j"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.Generic5.ZGF"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.CrashSystem.C"
dj[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ Grisoft ], "Trojan horse SHeur.ADQO"
[ eAladdin ], "Suspicious File [104]"
[ quickheal ], "TrojanDownloader.Zlob.gen"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.CrashSystem.C"
tmp8D.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.12"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.12"
tmp8C.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "BlockReason.46 (suspicious)"
qj[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Grisoft ], "Trojan horse SHeur.ADQK"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl"
gdqji32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.r"
[ McAfee_Beta ], "PWS-OnlineGames.r"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.Generic5.ZEY"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl"
zx[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.9"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSA"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.9"
tmp89.tmp:
[ Nod32 ], "Win32/PSW.OnLineGames.NIU trojan"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.12"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TSL"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.12"
gdzxi32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.9"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.9"
124327WO.dll:
[ Symantec ], "Infostealer.Gampass"
[ McAfee ], "New DLL-b !!"
[ McAfee_Beta ], "New DLL-b !!"
[ Sophos ], "Mal/Behav-010"
[ Panda ], "Trj/Legmir.ATW"
[ Panda_Beta ], "Trj/Legmir.ATW"
[ Alwil ], "Win32:Lmir-OK [Trj]"
[ Nod32 ], "a variant of Win32/PSW.Legendmir.NFF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "Trojan W32/DLoader.EGIF"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.hlu"
[ Grisoft ], "Virus found PSW.OnlineGames"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
124327W.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "Trojan-PSW.Win32.Lmir.boy"
[ McAfee ], "[000056d4.EXE]:New DLL-b !!"
[ McAfee_Beta ], "[000056d4.EXE]:New DLL-b !!"
[ Sophos ], "[FILE:0000]:Mal/Behav-010"
[ Panda ], "Trj/Wow.RN"
[ Panda_Beta ], "Trj/Wow.RN"
[ Alwil ], "Win32:Lmir-OK [Trj]"
[ CAV ], "Win32/Zuten.AO"
[ Nod32 ], "Win32/PSW.WOW.WU trojan"
[ Fortinet ], "W32/OnLineGames.IOY!tr.pws"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ Rising ], "Trojan.PSW.Win32.LMir.yys"
[ Ikarus ], "Trojan-PWS.Win32.WOW.vd"
[ Ewido ], "Trojan.Lmir.boy"
[ Grisoft ], "Trojan horse PSW.Generic5.XIC"
[ quickheal ], "TrojanPSW.Lmir.boy"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.16"
[ virusbuster ], "Trojan.DR.Lmir.Gen.4"
[ Authentium ], "W32/Blocker-based!Maximus"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
[ bitdefender ], "Trojan.PWS.Lmir.ULP"
124327MM.dll:
[ Symantec ], "Infostealer.Lemir.G"
[ Microsoft ], "PWS:Win32/Lmir.BMO"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.ieg"
[ McAfee ], "PWS-LegMir"
[ McAfee_Beta ], "PWS-LegMir"
[ Sophos ], "Mal/Behav-010"
[ Panda ], "Trj/Legmir.ATU"
[ Panda_Beta ], "Trj/Legmir.ATU"
[ Alwil ], "Win32:Lmir-OK [Trj]"
[ Nod32 ], "Win32/PSW.Legendmir.NFF trojan"
[ Fortinet ], "W32/OnLineGames.IEG!tr.pws"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "Trojan W32/DLoader.EGES"
[ Rising ], "Trojan.PSW.Win32.LMir.yyy"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.ieg"
[ Grisoft ], "Trojan horse PSW.Legendmir.IXE"
[ quickheal ], "TrojanPSW.OnLineGames.ieg"
[ vba32 ], "Trojan-PSW.Win32.OnLineGames.ieg"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
124327M.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Symantec ], "Infostealer.Lemir.G"
[ Kaspersky ], "Trojan-PSW.Win32.Lmir.boy"
[ McAfee ], "[000056d4.EXE]:PWS-LegMir"
[ McAfee_Beta ], "[000056d4.EXE]:PWS-LegMir"
[ Sophos ], "[FILE:0000]:Mal/Behav-010"
[ Panda ], "Trj/Legmir.ATU"
[ Panda_Beta ], "Trj/Legmir.ATU"
[ Alwil ], "Win32:Lmir-OK [Trj]"
[ CAV ], "Win32/Zuten.AO"
[ Nod32 ], "Win32/PSW.WOW.WU trojan"
[ Fortinet ], "W32/OnLineGames.IOY!tr.pws"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ Rising ], "Trojan.PSW.Win32.LMir.yys"
[ Ikarus ], "Trojan-PWS.Win32.WOW.vd"
[ Ewido ], "Trojan.Lmir.boy"
[ Grisoft ], "Trojan horse PSW.Generic5.XIC"
[ quickheal ], "TrojanPSW.Lmir.boy"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.16"
[ virusbuster ], "Trojan.DR.Lmir.Gen.4"
[ Authentium ], "W32/Blocker-based!Maximus"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
[ bitdefender ], "Trojan.PWS.Lmir.ULP"
cmdbcs.dll:
[ Alwil ], "Win32:OnLineGames-BHW [Trj]"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnLineGames.NFL!tr.pws"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.amm"
[ Ikarus ], "Virus.Win32.OnLineGames.BHW"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TTF"
[ quickheal ], "TrojanPSW.OnLineGames.inw"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ virusbuster ], "Trojan.OnlineGames.Gen.43"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.6CE89BFA"
jh[1].exe:
[ IntelliTrap ], "PAK_Generic.005"
[ Kaspersky ], "PAK:NSPack, PAK:PE_Patch"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnLineGames.INW!tr.pws"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_N.gen"
[ Ikarus ], "Packed.Win32.Klone.af"
[ eAladdin ], "Suspicious File [101]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.6545F469"
cmdbcs.exe:
[ IntelliTrap ], "PAK_Generic.005"
[ Kaspersky ], "PAK:NSPack, PAK:PE_Patch"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnLineGames.INW!tr.pws"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_N.gen"
[ Ikarus ], "Packed.Win32.Klone.af"
[ eAladdin ], "Suspicious File [101]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.6545F469"
wd1[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ Grisoft ], "Trojan horse SHeur.ADQR"
[ eAladdin ], "Suspicious File [104]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
gdwdi32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.r"
[ McAfee_Beta ], "PWS-OnlineGames.r"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.Generic5.ZGI"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
zt[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)->[RSRCEmb]]:VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.12"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TTI"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.12"
gdzhtui32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.ivl.12"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TTJ"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.ivl.12"
my2[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Lmir.BMQ"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Trj/Lineage.GMN"
[ Panda_Beta ], "Trj/Lineage.GMN"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TOL"
[ eAladdin ], "Suspicious File [104]"
[ quickheal ], "TrojanPSW.OnLineGames.isb"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "Trojan-PWS.Games.4"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.F769E0BB"
GenProtect.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Lmir.BMQ"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Trj/Lineage.GMN"
[ Panda_Beta ], "Trj/Lineage.GMN"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TOL"
[ eAladdin ], "Suspicious File [104]"
[ quickheal ], "TrojanPSW.OnLineGames.isb"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "Trojan-PWS.Games.4"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.F769E0BB"
GenProtect.dll:
[ Microsoft ], "PWS:Win32/Lmir.BMQ"
[ Panda ], "Trj/Lineage.GMN"
[ Panda_Beta ], "Trj/Lineage.GMN"
[ Alwil ], "Win32:OnLineGames-BHW [Trj]"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.HCV trojan"
[ Fortinet ], "W32/OnLineGames.IQW!tr.pws"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aqc"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ Grisoft ], "Trojan horse PSW.OnlineGames.TOM"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
LYMANGR.DLL:
[ Trend ], "TSPY_ONLINEG.LYE"
LYLOADER.EXE:
[ Trend ], "TSPY_ONLINEG.LYE"

台灣安全設備與服務產業協會網站被植入惡意連結

2007-11-27T12:53:00.000+08:00

台灣安全設備與服務產業協會網站被植入惡意連結，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在 news01.asp (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\WINDOWS\Help\F3A94B4F83BD.DLL

[Added file]
C:\Documents and Settings\Administrator\Desktop\2.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\m[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\h[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\news01[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\gmsex[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\main[1].js
C:\WINDOWS\Help\F3A94B4F83BD.DLL
C:\WINDOWS\Help\F3A94B4F83BD.EXE

[Added COM/BHO]
{2B5174CE-5BFF-4FC3-B9BD-34EF88004AB1}-C:\WINDOWS\HELP\F3A94B4F83BD.DLL

到目前為止 (2007/11/28 @ 02:04)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

F3A94B4F83BD.DLL:
[ Trend ], "TROJ_AGENT.AGAC"
F3A94B4F83BD.DLL:
[ Trend ], "Possible_Infostl"
F3A94B4F83BD.EXE:
[ Trend ], "TROJ_AGENT.AGAC"
gmsex[1].exe:
[ Trend ], "ROJ_AGENT.AGAC"
m[1].htm:
[ Trend ], "VBS_PSYME.AXC"
h[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Sophos ], "Mal/Iframe-A"
[ Norman ], "Security Risk HTML/Exploit!IFrame.A"
news01[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
yahoo.js:
[ HBEDV ], "JS/Agent.acg"
[ vba32 ], "Exploit.HTML.Ashell.a"
[ WebWasher ], "Script.Agent.acg"

高雄縣政府水利局網站被植入惡意連結

2007-11-26T13:04:00.000+08:00

高雄縣政府水利局網站被植入惡意連結，最近有瀏覽這個網頁的網友 (最好認真檢查，因為它植入很多惡意檔案)，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

注意：此惡意程式執行後，會產生很多惡意的執行程序，很容易造成系統當機。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後的畫面為 (現在好像不能執行，不知為什麼？)：

女人國女性購物社群入口網站又被植入惡意連結

2007-11-26T12:55:00.000+08:00

女人國女性購物社群入口網站又被植入惡意連結，此惡意程式為 Trojan-PSW.Win32.OnLineGames

.dr

，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的 (放置在她們自己的網站中)：

執行之後，有下面的行為：

[Added service]
NAME: Winsysser
DISPLAY: WindowsServer
FILE: C:\WINDOWS\system32\ddos.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\~V5SFDYCLNTKs.ExE
C:\Documents and Settings\Administrator\Local Settings\Temp\~V5SFDYCLNTKs.VbS
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\bot[1].exe
C:\WINDOWS\system32\ddos.exe

到目前為止 (2007/11/23 @ 17:28)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

bo0k.htm:
[ Alpha_Gen ], "Possible_EncScr"
[ Beta_Gen ], "Possible_EncScr"
[ McAfee ], "[0000001a.vbs]:VBS/Psyme"
[ McAfee_Beta ], "[0000001a.vbs]:VBS/Psyme"
[ HBEDV ], "HEUR/Exploit.HTML"
[ WebWasher ], "BlockReason.46 (suspicious)"
bot[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "Possible_HUPIGON"
[ Microsoft ], "[->(Upack)]:VirTool:Win32/DelfInject.gen!L"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.dr"
[ McAfee ], "BackDoor-ALC"
[ McAfee_Beta ], "BackDoor-ALC"
[ Sophos ], "Mal/Behav-058"
[ Panda ], "Bck/Antilam.AN"
[ Panda_Beta ], "Bck/Antilam.AN"
[ Nod32 ], "Win32/Delf.NEA trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.CFI.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Spy.Win32.Banker.ahy"
[ Ewido ], "Backdoor.Delf.aow"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Crypt.CFI.Gen"
[ bitdefender ], "Backdoor.Delf.HAR"
ddos.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "Possible_HUPIGON"
[ Microsoft ], "[->(Upack)]:VirTool:Win32/DelfInject.gen!L"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.dr"
[ McAfee ], "BackDoor-ALC"
[ McAfee_Beta ], "BackDoor-ALC"
[ Sophos ], "Mal/Behav-058"
[ Panda ], "Bck/Antilam.AN"
[ Panda_Beta ], "Bck/Antilam.AN"
[ Nod32 ], "Win32/Delf.NEA trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.CFI.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Spy.Win32.Banker.ahy"
[ Ewido ], "Backdoor.Delf.aow"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.14"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Crypt.CFI.Gen"
[ bitdefender ], "Backdoor.Delf.HAR"

台灣小冠鸚鵡俱樂部被植入惡意連結

2007-11-26T12:46:00.000+08:00

台灣小冠鸚鵡俱樂部被植入惡意連結，此惡意程式為 TSPY_LINEAGE.GLP，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\WINDOWS\Web\printers\images\ndmai.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\614001[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\g[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\2004[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\717001[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ah[1].c
C:\WINDOWS\Web\printers\images\ndmai.dll
C:\WINDOWS\Web\printers\images\ndmai.exe

[Added COM/BHO]
{7152C68A-D93C-49BF-AFEF-6B4576849A7E}-C:\WINDOWS\Web\printers\images\ndmai.dll

到目前為止 (2007/11/23 @ 17:30)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

717001[1].htm:
[ Trend ]: "JS_AGENT.AAJP"
ah[1].c:
[ Trend ]: "EXPL_ANICMOO.GEN"
ndmai.dll:
[ Trend ]: "Possible_Infostl"
ndmai.exe:
[ Trend ]: "TSPY_LINEAGE.GLP"
svchost.exe:
[ Trend ]: "TSPY_LINEAGE.GLP"
2004[1].exe:
[ Trend ]: "SPY_LINEAGE.GLP"
614001[1].htm:
[ Kaspersky ], "Trojan-Downloader.JS.Psyme.ub"
[ McAfee ], "VBS/Psyme"
[ McAfee_Beta ], "VBS/Psyme"
[ Sophos ], "Mal/Psyme-A"
[ HBEDV ], "HTML/ADODB.Exploit.Gen"
[ Rising ], "Trojan.DL.Script.VBS.Agent.xiz"
[ WebWasher ], "Script.ADODB.Exploit.Gen"
[ bitdefender ], "Generic.XPL.ADODB.8324063C"
g[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ WebWasher ], "BlockReason.46 (suspicious)"
g[1].htm:
[ McAfee ], "ObfuscatedHtml"
[ McAfee_Beta ], "ObfuscatedHtml"
[ WebWasher ], "BlockReason.46 (suspicious)"
11181239.rar:
[ Alpha_Gen ], "Possible_Hifrm"
[ Beta_Gen ], "Possible_Hifrm"
[ Sophos ], "Mal/Iframe-C"

新都里餐廳網站遭駭

2007-11-23T17:29:00.000+08:00

新都里餐廳網站遭駭，在這裡要注意的是這個網站有可能被植入惡意連結或惡意程式碼，所以，他們的網管應該要找出系統或軟體的安全漏洞，然後，儘快修補這些漏洞，而不是只是移除/修改那些遭駭的檔案。

遭駭前首頁：

遭駭後首頁：

至於詳細的資訊，請參考 Turk-h。

政大統計系系友會網站被植入惡意連結

2007-11-20T09:24:00.000+08:00

政大統計系系友會網站被植入惡意連結，此惡意程式為 Infostealer.Gampass，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在 news.asp (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added process]
C:\Program Files\4.exe
C:\Program Files\6.exe
C:\Program Files\10.exe
C:\WINDOWS\124327L.exe
C:\WINDOWS\Logo1_.exe
C:\Program Files\2.exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll
C:\Program Files\Internet Explorer\PLUGINS\NvSys_54.Sys
C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
C:\WINDOWS\system32\avwgemn.dll
C:\WINDOWS\system32\avzxfmn.dll
C:\WINDOWS\system32\csavpw0.dll
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\DVBBack01.dll
C:\WINDOWS\system32\DVBBack02.dll
C:\WINDOWS\system32\DVBBack03.dll
C:\WINDOWS\system32\DVBBack04.dll
C:\WINDOWS\system32\DVBBack05.dll
C:\WINDOWS\system32\DVBBack06.dll
C:\WINDOWS\system32\DVBBack07.dll
C:\WINDOWS\system32\DVBBack08.dll
C:\WINDOWS\system32\gdwli32.dll
C:\WINDOWS\system32\gdwmi32.dll
C:\WINDOWS\system32\gdzxi32.dll
C:\WINDOWS\system32\kaqhizy.dll
C:\WINDOWS\system32\kawdczy.dll
C:\WINDOWS\system32\KVBatch01.dll
C:\WINDOWS\system32\KVBatch03.dll
C:\WINDOWS\system32\KVBatch04.dll
C:\WINDOWS\system32\KVBatch05.dll
C:\WINDOWS\system32\KVBatch06.dll
C:\WINDOWS\system32\KVBatch07.dll
C:\WINDOWS\system32\kvdxjma.dll
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\naktcmvdmv.dll
C:\WINDOWS\system32\ProcSvr01.dll
C:\WINDOWS\system32\ProcSvr02.dll
C:\WINDOWS\system32\ProcSvr03.dll
C:\WINDOWS\system32\ProcSvr04.dll
C:\WINDOWS\system32\ProcSvr05.dll
C:\WINDOWS\system32\ProcSvr06.dll
C:\WINDOWS\system32\ProcSvr07.dll
C:\WINDOWS\system32\qqhxatl.dll
C:\WINDOWS\system32\qqsgatl.dll
C:\WINDOWS\system32\ratbjpi.dll
C:\WINDOWS\system32\rsmyhpm.dll
C:\WINDOWS\system32\sidjdzy.dll
C:\WINDOWS\system32\SQLLink01.dll
C:\WINDOWS\system32\SQLLink02.dll
C:\WINDOWS\system32\SQLLink03.dll
C:\WINDOWS\system32\SQLLink04.dll
C:\WINDOWS\system32\SQLLink05.dll
C:\WINDOWS\system32\SQLLink06.dll
C:\WINDOWS\system32\SQLLink07.dll
C:\WINDOWS\system32\SQLLink08.dll
C:\WINDOWS\system32\sqmapi32.dll
C:\WINDOWS\system32\SVCCtrl01.dll
C:\WINDOWS\system32\SVCCtrl02.dll
C:\WINDOWS\system32\SVCCtrl03.dll
C:\WINDOWS\system32\SVCCtrl04.dll
C:\WINDOWS\system32\SVCCtrl05.dll
C:\WINDOWS\system32\SVCCtrl06.dll
C:\WINDOWS\system32\SVCCtrl07.dll
C:\WINDOWS\system32\SVCCtrl08.dll
C:\WINDOWS\system32\SVCCtrl09.dll
C:\WINDOWS\system32\SVCCtrl10.dll
C:\WINDOWS\system32\videodevice.dll
C:\WINDOWS\system32\WinForm.dll
C:\WINDOWS\system32\ymveoxgpyi.dll

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\drivers\pcidisk.sys-1

[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Local Settings\Temp\$$aAA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$$aAB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$$aAC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$$aAD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$$aAE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$$aAF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$$aFF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\1a5e_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\3762C5.dmp
C:\Documents and Settings\Administrator\Local Settings\Temp\37A9E0.dmp
C:\Documents and Settings\Administrator\Local Settings\Temp\382C3F.dmp
C:\Documents and Settings\Administrator\Local Settings\Temp\3848FF.dmp
C:\Documents and Settings\Administrator\Local Settings\Temp\3853FB.dmp
C:\Documents and Settings\Administrator\Local Settings\Temp\3857E3.dmp
C:\Documents and Settings\Administrator\Local Settings\Temp\38591C.dmp
C:\Documents and Settings\Administrator\Local Settings\Temp\920e_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\a1.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\a15.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\a18.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\a20.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\a4.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\a6.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\a7.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\c798_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\d487_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\d5cc_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\d849_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\dcb2_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDEG32.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp9F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpA6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpBF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpC9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpCD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpD9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpDE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpE9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpEA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpED.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmpF9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\_uninsep.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1153797[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1299644[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\17[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\21[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\3[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\4[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\7[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\88[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ad[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\bb[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\g3[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\htm[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\sha1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft02[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft03[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft04[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft09[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft10[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft15[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\soft20[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\web.2008yi[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xx.9365[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\014[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\014[2].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1358616[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\881[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\884[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\8[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\boc.sbb22[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ms33[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\new82[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\old[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\pps[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft01[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft01[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft03[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft06[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft07[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft09[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft11[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft17[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft19[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\soft20[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\web[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\x[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\zs[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\zu[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\014[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1428891[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\4[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\5[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\8819[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\882[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\883[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\9[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\bf[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\newbala[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\news[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\sha1[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\soft10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\zu[3].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\11[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1402795[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\6619038[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\6[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\882[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\888down[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ac[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\du66[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\dyy[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\g14[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\haha[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\nn[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\soft00[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\soft05[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\soft07[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\soft08[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\soft12[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\soft13[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\soft15[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\soft18[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\soft19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\text[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\web.2008yi[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\xx.9365[1].htm
C:\PegeFile.pif
C:\Program Files\10.exe
C:\Program Files\12.exe
C:\Program Files\19.exe
C:\Program Files\2.exe
C:\Program Files\21.exe
C:\Program Files\3.exe
C:\Program Files\4.exe
C:\Program Files\6.exe
C:\Program Files\7.exeCC:\Program Files\8.exe
C:\Program Files\Internet Explorer\10Sy.exe
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bak
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bkk
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll
C:\Program Files\Internet Explorer\PLUGINS\NvSys_54.Sys
C:\Program Files\Internet Explorer\PLUGINS\NvSys_54.Tao
C:\Program Files\Internet Explorer\PLUGINS\NvWin_5.Jmp
C:\Program Files\Internet Explorer\PLUGINS\SysWin7k.Jmp
C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Tao
C:\WINDOWS\124327L.exe
C:\WINDOWS\124327M.exe
C:\WINDOWS\124327MM.DLL
C:\WINDOWS\124327WL.DLL
C:\WINDOWS\555888
C:\WINDOWS\AVPSrv.exE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\Dll.dll
C:\WINDOWS\Fonts\ardaase.fon
C:\WINDOWS\Fonts\avzxfin.dll
C:\WINDOWS\Fonts\cadaafx.fon
C:\WINDOWS\Fonts\chtiaur.fon
C:\WINDOWS\Fonts\enhuafx.fon
C:\WINDOWS\Fonts\enweafx.fon
C:\WINDOWS\Fonts\gemoand.fon
C:\WINDOWS\Fonts\kvdxjcf.dll
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\Fonts\ratbjni.dll
C:\WINDOWS\Fonts\sidjdcs.dll
C:\WINDOWS\GenProtect.exe
C:\WINDOWS\Kvsc3.exE
C:\WINDOWS\llllllab
C:\WINDOWS\Logo1_.exe
C:\WINDOWS\mppds.exe
C:\WINDOWS\MsIMMs32.exE
C:\WINDOWS\MsPrint32D.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\system32\asview32.dll
C:\WINDOWS\system32\asvliuliu32.dll
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\avwgein.dll
C:\WINDOWS\system32\avwgemn.dll
C:\WINDOWS\system32\avwgest.exe
C:\WINDOWS\system32\avwldin.dll
C:\WINDOWS\system32\avwldmn.dll
C:\WINDOWS\system32\avwldst.exe
C:\WINDOWS\system32\avzxfmn.dll
C:\WINDOWS\system32\avzxfst.exe
C:\WINDOWS\system32\bpfuxa.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\Com\comrepl32.exe
C:\WINDOWS\system32\config\AppEventw.cfg
C:\WINDOWS\system32\csavpw0.dll
C:\WINDOWS\system32\cselnf.dll
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\djatl.dll
C:\WINDOWS\system32\drivers\8761CCDC.sys
C:\WINDOWS\system32\drivers\pcibus.sys
C:\WINDOWS\system32\drivers\scvhost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\DVBBack01.dll
C:\WINDOWS\system32\DVBBack02.dll
C:\WINDOWS\system32\DVBBack03.dll
C:\WINDOWS\system32\DVBBack04.dll
C:\WINDOWS\system32\DVBBack05.dll
C:\WINDOWS\system32\DVBBack06.dll
C:\WINDOWS\system32\DVBBack07.dll
C:\WINDOWS\system32\DVBBack08.dll
C:\WINDOWS\system32\ewgqyirajt.dll
C:\WINDOWS\system32\feibgp.dll
C:\WINDOWS\system32\fngvgs.dll
C:\WINDOWS\system32\gdwli32.dll
C:\WINDOWS\system32\gdwmi32.dll
C:\WINDOWS\system32\gdzxi32.dll
C:\WINDOWS\system32\GenProtect.dll
C:\WINDOWS\system32\gzvjnw.dll
C:\WINDOWS\system32\iqxxie.dll
C:\WINDOWS\system32\kaqhiaz.exe
C:\WINDOWS\system32\kaqhics.dll
C:\WINDOWS\system32\kaqhizy.dll
C:\WINDOWS\system32\kawdczy.dll
C:\WINDOWS\system32\KVBatch01.dll
C:\WINDOWS\system32\KVBatch02.dll
C:\WINDOWS\system32\KVBatch03.dll
C:\WINDOWS\system32\KVBatch04.dll
C:\WINDOWS\system32\KVBatch05.dll
C:\WINDOWS\system32\KVBatch06.dll
C:\WINDOWS\system32\KVBatch07.dll
C:\WINDOWS\system32\kvdxjis.exe
C:\WINDOWS\system32\kvdxjma.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\myirclucmv.dll
C:\WINDOWS\system32\naktcmvdmv.dll
C:\WINDOWS\system32\nslkupi.exe
C:\WINDOWS\system32\ntsokele.exe
C:\WINDOWS\system32\ProcSvr01.dll
C:\WINDOWS\system32\ProcSvr02.dll
C:\WINDOWS\system32\ProcSvr03.dll
C:\WINDOWS\system32\ProcSvr04.dll
C:\WINDOWS\system32\ProcSvr05.dll
C:\WINDOWS\system32\ProcSvr06.dll
C:\WINDOWS\system32\ProcSvr07.dll
C:\WINDOWS\system32\qqhxatl.dll
C:\WINDOWS\system32\qqsgatl.dll
C:\WINDOWS\system32\ratbjpi.dll
C:\WINDOWS\system32\ratbjtl.exe
C:\WINDOWS\system32\rsmyhfg.dll
C:\WINDOWS\system32\rsmyhpm.dll
C:\WINDOWS\system32\rsmyhsp.exe
C:\WINDOWS\system32\sidjdaz.exe
C:\WINDOWS\system32\sidjdzy.dll
C:\WINDOWS\system32\SQLLink01.dll
C:\WINDOWS\system32\SQLLink02.dll
C:\WINDOWS\system32\SQLLink03.dll
C:\WINDOWS\system32\SQLLink04.dll
C:\WINDOWS\system32\SQLLink05.dll
C:\WINDOWS\system32\SQLLink06.dll
C:\WINDOWS\system32\SQLLink07.dll
C:\WINDOWS\system32\SQLLink08.dll
C:\WINDOWS\system32\sqmapi32.dll
C:\WINDOWS\system32\SVCCtrl01.dll
C:\WINDOWS\system32\SVCCtrl02.dll
C:\WINDOWS\system32\SVCCtrl03.dll
C:\WINDOWS\system32\SVCCtrl04.dll
C:\WINDOWS\system32\SVCCtrl05.dll
C:\WINDOWS\system32\SVCCtrl06.dll
C:\WINDOWS\system32\SVCCtrl07.dll
C:\WINDOWS\system32\SVCCtrl08.dll
C:\WINDOWS\system32\SVCCtrl09.dll
C:\WINDOWS\system32\SVCCtrl10.dll
C:\WINDOWS\system32\sysbl.exe
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\videodevice.dll
C:\WINDOWS\system32\vktcmvenwf.dll
C:\WINDOWS\system32\WinForm.dll
C:\WINDOWS\system32\winsock32.dll
C:\WINDOWS\system32\xywsfu.dll
C:\WINDOWS\system32\ymveoxgpyi.dll
C:\WINDOWS\system32\yoyhrajsbk.dll
C:\WINDOWS\system32\yzbhjx.dll
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\WinForm.exE
C:\WINDOWS\~tmp2896.exe
C:\WINDOWS\~tmp5936.exe
C:\WINDOWS\~tmp786.exe
C:\WINDOWS\~tmp9464.exe
C:\WINDOWS\~tmp9792.exe

[Added LSP]
ID: 1025
NAME: MSAPI Tcpip [TCP/IP]

ID: 1029
NAME: MSAPI Tcpip [UDP/IP]

ID: 1030
NAME: MSAPI Tcpip [TCP/IP]

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={0EA66AD2-CF26-2E23-532B-B292E22F3266}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={8E32FA58-3453-FA2D-BC49-F340348ACCE8}
Data=rsmyhpm.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={6C8BC750-B3E7-4B4A-AC7A-454E6FB9770A}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={A87755CE-D2D1-4580-8A99-ECCCFC9F5CC9}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={AC87A354-ABC3-DEDE-FF33-3213FD7447CA}
Data =kvdxjma.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={4960356A-458E-DE24-BD50-268F589A56A4}
Data=avwldmn.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={5A1247C1-53DA-FF43-ABD3-345F323A48D5}
Data=avwgemn.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={A6650011-3344-6688-4899-345FABCD156A}
Data=ratbjpi.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={38907901-1416-3389-9981-372178569983}
Data=kawdczy.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={97D81718-1314-5200-2597-587901018079}
Data=kaqhizy.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={48847374-8323-FADC-B443-4732ABCD3784}
Data=sidjdzy.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={6859245F-345D-BC13-AC4F-145D47DA34F6}
Data=avzxfmn.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={8DFA2904-9664-43AE-8929-4347554D24B6}
Data=Extr rising hook CS

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={B0E4D1E9-3CE5-48A1-8DF0-6463E046E7EF}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={A12C8D43-AC10-4C17-9136-E3E2FC9B3D21}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value={A2AC7E3B-30BE-466f-8BAB-1FF9DADD8C7D}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=upxdnd
Data=C:\WINDOWS\upxdnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=mppds
Data=C:\WINDOWS\mppds.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=cmdbcs
Data=C:\WINDOWS\cmdbcs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\124327M.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=KVP
Data=C:\WINDOWS\system32\drivers\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=GenProtect
Data=C:\WINDOWS\GenProtect.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=DbgHlp32
Data=C:\WINDOWS\DbgHlp32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsPrint32D
Data=C:\WINDOWS\MsPrint32D.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysW
Data=C:\WINDOWS\swchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=MsIMMs32
Data=C:\WINDOWS\MsIMMs32.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=Kvsc3
Data=C:\WINDOWS\Kvsc3.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=AVPSrv
Data=C:\WINDOWS\AVPSrv.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinForm
Data=C:\WINDOWS\WinForm.exE

到目前為止 (2007/11/19 @ 14:14)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

xx.9365[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
xywsfu.dll:
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.iax"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnlineGames.SUM!tr.pws"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aha"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.C1B879DE"
[ CAV Beta ], "Win32/Frethog!generic"
ymveoxgpyi.dll:
[ IntelliTrap ], "PAK_Generic.006"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/OnLineGames.CPH"
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE, Trojan-PSW.Win32.OnLineGames.hnt"
[ McAfee ], "PWS-OnlineGames.p"
[ McAfee_Beta ], "PWS-OnlineGames.p"
[ Sophos ], "Mal/Behav-160"
[ CAV ], "Win32/Dowque.TE"
[ Nod32 ], "Win32/PSW.OnLineGames.GJV trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.hnt"
[ Norman ], "Trojan W32/Smalltroj.BNNK"
[ Ikarus ], "Trojan-PWS.Win32.Agent.jp"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanPSW.OnLineGames.hnt"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ Authentium ], "W32/Threat-SysVenFakU-based!Maximus"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.PWS.WoW.3D61ACDF"
[ CAV Beta ], "Win32/Dowque.TE"
yoyhrajsbk.dll:
[ IntelliTrap ], "PAK_Generic.006"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/OnLineGames.CPH"
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE, Trojan-PSW.Win32.OnLineGames.hnt"
[ McAfee ], "PWS-OnlineGames.p"
[ McAfee_Beta ], "PWS-OnlineGames.p"
[ Sophos ], "Mal/Behav-160"
[ CAV ], "Win32/Dowque.TE"
[ Nod32 ], "Win32/PSW.OnLineGames.GJV trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.hnt"
[ Norman ], "Trojan W32/Smalltroj.BNNK"
[ Ikarus ], "Trojan-PWS.Win32.Agent.jp"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanPSW.OnLineGames.hnt"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ Authentium ], "W32/Threat-SysVenFakU-based!Maximus"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.PWS.WoW.3D61ACDF"
[ CAV Beta ], "Win32/Dowque.TE"
yzbhjx.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.gsx"
[ McAfee ], "PWS-Zhengtu.gen"
[ McAfee_Beta ], "PWS-Zhengtu.gen"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.tw"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.gsx"
[ Ewido ], "Trojan.OnLineGames.gsx"
[ quickheal ], "TrojanPSW.OnLineGames.gsx"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.B5204919"
[ CAV Beta ], "Win32/Frethog!generic"
zu[3].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
_uninsep.bat:
[ Alpha_Gen ], "AP_DELME"
[ Beta_Gen ], "AP_DELME"
1[1].htm:
[ McAfee ], "VBS/Psyme"
[ McAfee_Beta ], "VBS/Psyme"
[ Sophos ], "Mal/Psyme-A"
[ HBEDV ], "HTML/ADODB.Exploit.Gen"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.XPL.ADODB.E9AD757A"
1[2].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ McAfee ], "VBS/Psyme"
[ McAfee_Beta ], "VBS/Psyme"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HTML/ADODB.Exploit.Gen"
[ Rising ], "Trojan.DL.Ieframe.co"
[ Authentium ], "HTML/IFrame"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.XPL.ADODB.CFD45297"
[ CAV Beta ], "HTML/Sauratol.B virus. "
2[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Beta_Gen ], "Possible_Hifrm"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
3[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ Authentium ], "HTML/IFrame"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
4[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
10Sy.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Shelx"
[ Symantec ], "W32.Gammima.AG"
[ Kaspersky ], "PAK:UPX, Trojan-PSW.Win32.QQPass.alx"
[ McAfee ], "[0000a4f8.EXE]:PWS-QQGame"
[ McAfee_Beta ], "[0000a4f8.EXE]:PWS-QQGame"
[ CAV ], "Win32/QQPass!generic"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ HBEDV ], "DR/Delphi.Gen"
[ Ikarus ], "Trojan-PWS.Win32.Nilage.bga"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "Win32.Trojan-PSW.QQPass.wm"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ WebWasher ], "Trojan.Delphi.Gen"
[ bitdefender ], "Generic.PWStealer.8FAD2DC8"
[ CAV Beta ], "Win32/QQPass!generic"
11[1].js:
[ HBEDV ], "JS/Dldr.Agent.YA"
014[1].js:
[ Alpha_Gen ], "Possible_EncScr"
[ Beta_Gen ], "Possible_EncScr"
88[1].js:
[ Alpha_Gen ], "Possible_EncScr"
[ Beta_Gen ], "Possible_EncScr"
881[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ McAfee ], "VBS/Psyme"
[ McAfee_Beta ], "VBS/Psyme"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HTML/ADODB.Exploit.Gen"
[ Rising ], "Trojan.DL.Ieframe.co"
[ Authentium ], "HTML/IFrame"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.XPL.ADODB.E127D904"
[ CAV Beta ], "HTML/Sauratol.B virus. "
882[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, PAK:PE_Patch, Trojan-PSW.Win32.OnLineGames.idg"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Spy.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.D673289C"
[ CAV Beta ], "Win32/Frethog!generic"
882[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
8819[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.7B745937"
[ CAV Beta ], "Win32/Frethog!generic"
124327M.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "Trojan-PSW.Win32.Lmir.boy"
[ McAfee ], "[000056d4.EXE]:PWS-LegMir"
[ McAfee_Beta ], "[000056d4.EXE]:PWS-LegMir"
[ Sophos ], "[FILE:0000]:Mal/Behav-010"
[ Nod32 ], "probably a variant of Win32/PSW.WOW.WU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ Rising ], "Trojan.PSW.Win32.LMir.yys"
[ Ikarus ], "Trojan-PWS.Win32.WOW.vd"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.16"
[ Authentium ], "W32/Blocker-based!Maximus"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
[ bitdefender ], "BehavesLike:Win32.ExplorerHijack"
124327MM.dll:
[ Symantec ], "Infostealer.Lemir.G"
[ Microsoft ], "PWS:Win32/Lmir.BMR"
[ Kaspersky ], "Trojan-PSW.Win32.Lmir.boy"
[ McAfee ], "PWS-LegMir"
[ McAfee_Beta ], "PWS-LegMir"
[ Sophos ], "Mal/Behav-010"
[ Nod32 ], "a variant of Win32/PSW.Legendmir.NFF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Rising ], "Trojan.PSW.Win32.LMir.yys"
[ Ikarus ], "Virus.Win32.Lmir.OK"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
555888:
[ Symantec ], "Infostealer.Lemir.G"
[ Microsoft ], "PWS:Win32/Lmir.BMR"
[ Kaspersky ], "Trojan-PSW.Win32.Lmir.boy"
[ McAfee ], "PWS-LegMir"
[ McAfee_Beta ], "PWS-LegMir"
[ Sophos ], "Mal/Behav-010"
[ Nod32 ], "a variant of Win32/PSW.Legendmir.NFF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Rising ], "Trojan.PSW.Win32.LMir.yys"
[ Ikarus ], "Virus.Win32.Lmir.OK"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
1358616[1].js:
[ HBEDV ], "JS/Iframe.B"
6619038[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ Rising ], "Trojan.DL.Ieframe.co"
[ Authentium ], "HTML/IFrame"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
a1.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Microsoft ], "[->(FSG-v2.0)]:Trojan:Win32/Anomaly.gen!B"
[ Kaspersky ], "PAK:FSG, PAK:PEPatch"
[ Sophos ], "Mal/EncPk-AP"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Agent.43569"
[ Norman ], "Security Risk Suspicious_F.gen"
[ Ikarus ], "Virus.Win32.Delf.CSK"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
a4.exe:
[ Alpha_Gen ], "BASE_BANLOAD-A2"
[ Beta_Gen ], "AP_Banld-1"
[ Kaspersky ], "Trojan-Downloader.Win32.Delf.aas"
[ McAfee ], "Generic Downloader.c"
[ McAfee_Beta ], "Generic Downloader.c"
[ CAV ], "Win32/Kemdorm.B"
[ Nod32 ], "Win32/TrojanDownloader.SMW.A trojan"
[ Fortinet ], "W32/Delf.AAS!tr.dldr"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/FileInfector"
[ Rising ], "Trojan.DL.Delf.xxb"
[ Ikarus ], "Trojan-Downloader.Win32.Delf.aas"
[ eAladdin ], "Win32.Agent.xi"
[ quickheal ], "TrojanDownloader.Delf.vw"
[ Authentium ], "W32/NewMalware-LSU-based!Maximus"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
[ bitdefender ], "Trojan.Downloader.OH"
[ CAV Beta ], "Win32/Kemdorm.B"
a6.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Shelx"
[ Symantec ], "W32.Gammima.AG"
[ Kaspersky ], "PAK:UPX, Trojan-PSW.Win32.QQPass.alx"
[ McAfee ], "[0000a4f8.EXE]:PWS-QQGame"
[ McAfee_Beta ], "[0000a4f8.EXE]:PWS-QQGame"
[ CAV ], "Win32/QQPass!generic"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ HBEDV ], "DR/Delphi.Gen"
[ Ikarus ], "Trojan-PWS.Win32.Nilage.bga"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "Win32.Trojan-PSW.QQPass.wm"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ WebWasher ], "Trojan.Delphi.Gen"
[ bitdefender ], "Generic.PWStealer.8FAD2DC8"
[ CAV Beta ], "Win32/QQPass!generic"
ac[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
autorun.inf:
[ Alpha_Gen ], "Possible_Otorun1"
[ Beta_Gen ], "Possible_Otorun1"
[ McAfee ], "Generic!atr"
[ McAfee_Beta ], "Generic!atr"
[ CAV ], "INF/Rodvir.Y"
[ Nod32 ], "Win32/AutoRun.NAB virus"
[ Ikarus ], "Trojan.Autorun.F"
[ bitdefender ], "Trojan.Autorun.F"
[ CAV Beta ], "INF/Rodvir.Y"
AVPSrv.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hhn"
[ Panda ], "Trj/Lineage.GGK"
[ Panda_Beta ], "Trj/Lineage.GGK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnlineGames.SUM!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.SO2Game.d"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ Ewido ], "Trojan.OnLineGames.hhn"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanPSW.OnLineGames.hhn"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.CD352155"
[ CAV Beta ], "Win32/Frethog!generic"
avwgemn.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "Trojan:Win32/Delf.AT!dll"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.icf"
[ McAfee ], "PWS-OnlineGames.a.dll"
[ McAfee_Beta ], "PWS-OnlineGames.a.dll"
[ Sophos ], "Mal/Gampass-A"
[ CAV ], "Win32/Storark!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.FDY trojan"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan OnLineGames.gen34"
[ Ikarus ], "BehavesLikeTrojan.WUDisable"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "BehavesLike:Trojan.WUDisable"
[ CAV Beta ], "Win32/Storark!generic"
avwgest.exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:Trojan:Win32/SystemHijack.gen"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.icf"
[ McAfee ], "New Malware.n !!"
[ McAfee_Beta ], "New Malware.n !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Storark!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.FDY trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Spy.Win32.Delf.uv"
[ Ewido ], "Trojan.OnLineGames.eza"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "Win32.Trojan-PSW.OnLineGames.gux"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.Malware.SBdldg.C2F0B86A"
[ CAV Beta ], "Win32/Storark!generic"
avzxfmn.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "Trojan:Win32/Delf.AT!dll"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hcx"
[ McAfee ], "PWS-OnlineGames.i"
[ McAfee_Beta ], "PWS-OnlineGames.i"
[ Sophos ], "Mal/Gampass-A"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Storark!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.FDY trojan"
[ HBEDV ], "TR/PSW.OnLineGa.gcp"
[ Norman ], "Trojan W32/Smalltroj.BMYL"
[ Rising ], "Trojan.PSW.Win32.GameOnline.wh"
[ Ikarus ], "BehavesLikeTrojan.WUDisable"
[ Ewido ], "Trojan.OnLineGames.hcx"
[ quickheal ], "TrojanPSW.OnLineGames.hcx"
[ vba32 ], "Trojan-PSW.Win32.OnLineGames.hcx"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.PWS.OnlineGames.NMT"
[ CAV Beta ], "Win32/Storark!generic"
bf[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
boc.sbb22[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
bpfuxa.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.iai"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aht"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.ibz"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Frethog!generic"
cmdbcs.dll:
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.73006256"
[ CAV Beta ], "Win32/Frethog!generic"
comrepl32.exe:
[ Kaspersky ], "Worm.Win32.Downloader.at"
[ Panda ], "Trj/Downloader.RER"
[ Panda_Beta ], "Trj/Downloader.RER"
[ Nod32 ], "Win32/Jalous.M worm"
[ Rising ], "Trojan.Win32.Agent.zzl"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.Inject.ES"
cselnf.dll:
[ Microsoft ], "PWS:Win32/Lmir.BMQ"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.icp"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "TR/PSW.OnlineGames.icp"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aiz"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Frethog!generic"
DbgHlp32.dll:
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnlineGames.SUM!tr.pws"
[ HBEDV ], "HEUR/Malware"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.9F7D5E5E"
[ CAV Beta ], "Win32/Frethog!generic"
DbgHlp32.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.7B745937"
[ CAV Beta ], "Win32/Frethog!generic"
djatl.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.r"
[ McAfee_Beta ], "PWS-OnlineGames.r"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Zuten!generic"
du66[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Beta_Gen ], "Possible_Hifrm"
[ Symantec ], "Downloader"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ Rising ], "Trojan.DL.Ieframe.co"
[ Authentium ], "HTML/IFrame"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
DVBBack01.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyf"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJD"
[ Panda_Beta ], "Trj/Lineage.GJD"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeo"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.979D208E"
[ CAV Beta ], "Win32/Frethog!generic"
DVBBack02.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyf"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJD"
[ Panda_Beta ], "Trj/Lineage.GJD"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeo"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.979D208E"
[ CAV Beta ], "Win32/Frethog!generic"
DVBBack03.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyf"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJD"
[ Panda_Beta ], "Trj/Lineage.GJD"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeo"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.979D208E"
[ CAV Beta ], "Win32/Frethog!generic"
DVBBack04.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyf"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJD"
[ Panda_Beta ], "Trj/Lineage.GJD"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeo"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.979D208E"
[ CAV Beta ], "Win32/Frethog!generic"
DVBBack05.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyf"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJD"
[ Panda_Beta ], "Trj/Lineage.GJD"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeo"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.979D208E"
[ CAV Beta ], "Win32/Frethog!generic"
DVBBack06.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyf"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJD"
[ Panda_Beta ], "Trj/Lineage.GJD"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeo"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.979D208E"
[ CAV Beta ], "Win32/Frethog!generic"
DVBBack07.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyf"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJD"
[ Panda_Beta ], "Trj/Lineage.GJD"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeo"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.979D208E"
[ CAV Beta ], "Win32/Frethog!generic"
DVBBack08.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyf"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJD"
[ Panda_Beta ], "Trj/Lineage.GJD"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeo"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.979D208E"
[ CAV Beta ], "Win32/Frethog!generic"
dyy[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ Rising ], "Trojan.DL.Ieframe.co"
[ Authentium ], "HTML/IFrame"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
ewgqyirajt.dll:
[ IntelliTrap ], "PAK_Generic.006"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/OnLineGames.CPH"
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE, Trojan-PSW.Win32.OnLineGames.hnt"
[ McAfee ], "PWS-OnlineGames.p"
[ McAfee_Beta ], "PWS-OnlineGames.p"
[ Sophos ], "Mal/Behav-160"
[ CAV ], "Win32/Dowque.TE"
[ Nod32 ], "Win32/PSW.OnLineGames.GJV trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.hnt"
[ Norman ], "Trojan W32/Smalltroj.BNNK"
[ Ikarus ], "Trojan-PWS.Win32.Agent.jp"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanPSW.OnLineGames.hnt"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ Authentium ], "W32/Threat-SysVenFakU-based!Maximus"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.PWS.WoW.3D61ACDF"
[ CAV Beta ], "Win32/Dowque.TE"
feibgp.dll:
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnlineGames.SUM!tr.pws"
[ HBEDV ], "HEUR/Malware"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.9F7D5E5E"
[ CAV Beta ], "Win32/Frethog!generic"
fngvgs.dll:
[ Microsoft ], "PWS:Win32/Lmir.BMQ"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.icp"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "TR/PSW.OnlineGames.icp"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aiz"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Frethog!generic"
g3[1].htm:-escape
[ Alpha_Gen ], "Heur_Infrm-2"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
gdwli32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Zuten!generic"
gdwmi32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Zuten!generic"
gdzxi32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.j"
[ McAfee_Beta ], "PWS-OnlineGames.j"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Zuten!generic"
GenProtect.dll:
[ Microsoft ], "PWS:Win32/Lmir.BMQ"
[ Panda ], "Trj/Lineage.GJL"
[ Panda_Beta ], "Trj/Lineage.GJL"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.ahc"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ quickheal ], "TrojanPWS.OnLineGames.gen"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.PWS.OnLineGames.NHL"
[ CAV Beta ], "Win32/Frethog!generic"
go[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ Authentium ], "HTML/IFrame"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
gzvjnw.dll:
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.iax"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnlineGames.SUM!tr.pws"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aha"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.C1B879DE"
[ CAV Beta ], "Win32/Frethog!generic"
haha[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
htm[2].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ Rising ], "Trojan.DL.Ieframe.co"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
iqxxie.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.idg"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "TR/Spy.Gen"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.ibz"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Frethog!generic"
kaqhizy.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "Trojan:Win32/Delf.AT!dll"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.idb"
[ McAfee ], "PWS-OnlineGames.q"
[ McAfee_Beta ], "PWS-OnlineGames.q"
[ CAV ], "Win32/Storark!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.FDY trojan"
[ Norman ], "Trojan OnLineGames.gen34"
[ Ikarus ], "BehavesLikeTrojan.WUDisable"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Dld.Agent.3ED364A8"
[ CAV Beta ], "Win32/Storark!generic"
KVBatch01.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.Nilage.bue"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJC"
[ Panda_Beta ], "Trj/Lineage.GJC"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NII trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aem"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ quickheal ], "TrojanPSW.Nilage.bty"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.4.8785A033"
[ CAV Beta ], "Win32/Frethog!generic"
KVBatch02.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.Nilage.bue"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJC"
[ Panda_Beta ], "Trj/Lineage.GJC"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NII trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aem"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ quickheal ], "TrojanPSW.Nilage.bty"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.4.8785A033"
[ CAV Beta ], "Win32/Frethog!generic"
KVBatch03.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.Nilage.bue"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJC"
[ Panda_Beta ], "Trj/Lineage.GJC"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NII trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aem"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ quickheal ], "TrojanPSW.Nilage.bty"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.4.8785A033"
[ CAV Beta ], "Win32/Frethog!generic"
KVBatch04.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.Nilage.bue"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJC"
[ Panda_Beta ], "Trj/Lineage.GJC"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NII trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aem"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ quickheal ], "TrojanPSW.Nilage.bty"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.4.8785A033"
[ CAV Beta ], "Win32/Frethog!generic"
KVBatch05.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.Nilage.bue"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJC"
[ Panda_Beta ], "Trj/Lineage.GJC"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NII trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aem"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ quickheal ], "TrojanPSW.Nilage.bty"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.4.8785A033"
[ CAV Beta ], "Win32/Frethog!generic"
KVBatch06.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.Nilage.bue"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJC"
[ Panda_Beta ], "Trj/Lineage.GJC"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NII trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aem"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ quickheal ], "TrojanPSW.Nilage.bty"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.4.8785A033"
[ CAV Beta ], "Win32/Frethog!generic"
KVBatch07.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.Nilage.bue"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJC"
[ Panda_Beta ], "Trj/Lineage.GJC"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NII trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aem"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ quickheal ], "TrojanPSW.Nilage.bty"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.4.8785A033"
[ CAV Beta ], "Win32/Frethog!generic"
kvdxjma.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "Trojan:Win32/Delf.AT!dll"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.idh"
[ McAfee ], "PWS-OnlineGames.i"
[ McAfee_Beta ], "PWS-OnlineGames.i"
[ CAV ], "Win32/Storark!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.FDY trojan"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan OnLineGames.gen34"
[ Ikarus ], "BehavesLikeTrojan.WUDisable"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "BehavesLike:Trojan.WUDisable"
[ CAV Beta ], "Win32/Storark!generic"
llllllab:
[ IntelliTrap ], "PAK_Generic.001"
[ Microsoft ], "[->(Aspack v2.12)]:Trojan:Win32/SystemHijack.gen"
[ Kaspersky ], "PAK:ASPack, Trojan-PSW.Win32.Lmir.boy"
[ McAfee ], "[0000b6d4.EXE]:PWS-LegMir"
[ McAfee_Beta ], "[0000b6d4.EXE]:PWS-LegMir"
[ Sophos ], "[FILE:0000]:Mal/Behav-010"
[ Nod32 ], "probably a variant of Win32/PSW.WOW.WU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Malware"
[ Ikarus ], "Trojan-PWS.Win32.WOW.vd"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.16"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
[ bitdefender ], "DeepScan:Generic.PWS.Games.4.6590ADAF"
mppds.dll:
[ Microsoft ], "PWS:Win32/Wowsteal.XQ"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.iaf"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.GameOnline.ahq"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.es"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.3CF9FCB6"
[ CAV Beta ], "Win32/Frethog!generic"
mppds.exe:
[ Microsoft ], "Trojan:Win32/Frethog.V"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.iat"
[ Sophos ], "Mal/Dropper-P"
[ Panda ], "Trj/Lineage.FWB"
[ Panda_Beta ], "Trj/Lineage.FWB"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.GameOnline.ahw"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.DEC6BA02"
[ CAV Beta ], "Win32/Frethog!generic"
ms33[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ Rising ], "Trojan.DL.Ieframe.co"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
MSDEG32.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.hpp"
[ McAfee ], "PWS-LegMir.dll"
[ McAfee_Beta ], "PWS-LegMir.dll"
[ Sophos ], "Mal/Packer"
[ Panda ], "Trj/Lineage.GJM"
[ Panda_Beta ], "Trj/Lineage.GJM"
[ CAV ], "Win32/Lolyda!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.DVV trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Online.gyo.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Generic.PWS.Games.3"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanPSW.OnLineGames.hpp"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.PWS.Games.3.BFA150F9"
[ CAV Beta ], "Win32/Lolyda!generic"
MsPrint32D.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hcv"
[ Panda ], "Trj/Lineage.GGK"
[ Panda_Beta ], "Trj/Lineage.GGK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.HCV trojan"
[ Fortinet ], "W32/OnLineGames.HCV!tr.pws"
[ HBEDV ], "TR/PSW.OnLineGa.hcv"
[ Rising ], "Trojan.PSW.Win32.QQSG.z"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.hcv"
[ Ewido ], "Trojan.OnLineGames.hcv"
[ quickheal ], "TrojanPSW.OnLineGames.hcv"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.Malware.dldPWS.BA9B9194"
[ CAV Beta ], "Win32/Frethog!generic"
myirclucmv.dll:
[ IntelliTrap ], "PAK_Generic.006"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/OnLineGames.CPH"
[ Kaspersky ], "PAK:UPack, PAK:PE_Patch.MaskPE, Trojan-PSW.Win32.OnLineGames.hnt"
[ McAfee ], "PWS-OnlineGames.p"
[ McAfee_Beta ], "PWS-OnlineGames.p"
[ Sophos ], "Mal/Behav-160"
[ CAV ], "Win32/Dowque.TE"
[ Nod32 ], "Win32/PSW.OnLineGames.GJV trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.hnt"
[ Norman ], "Trojan W32/Smalltroj.BNNK"
[ Ikarus ], "Trojan-PWS.Win32.Agent.jp"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanPSW.OnLineGames.hnt"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ Authentium ], "W32/Threat-SysVenFakU-based!Maximus"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.PWS.WoW.3D61ACDF"
[ CAV Beta ], "Win32/Dowque.TE"
naktcmvdmv.dll:
[ IntelliTrap ], "PAK_Generic.006"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/OnLineGames.CPH"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.iab"
[ Sophos ], "Mal/Behav-160"
[ Nod32 ], "Win32/PSW.OnLineGames.GJV trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.iab"
[ Norman ], "Trojan W32/OnLineGames.VFL"
[ Ikarus ], "Trojan-PWS.Win32.Agent.jp"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ Authentium ], "W32/Threat-SysVenFakU-based!Maximus"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.PWS.WoW.02019683"
new82[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Sophos ], "Mal/Iframe-A"
[ HBEDV ], "HEUR/Exploit.HTML"
newbala[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Beta_Gen ], "Possible_Hifrm"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ Rising ], "Trojan.DL.Ieframe.co"
[ Authentium ], "HTML/IFrame"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
nn[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
NvSys_54.Sys:
[ Microsoft ], "PWS:Win32/QQGame.B.dll"
[ Kaspersky ], "Trojan-PSW.Win32.QQPass.alx"
[ McAfee ], "PWS-QQGame"
[ McAfee_Beta ], "PWS-QQGame"
[ CAV ], "Win32/QQPass!generic"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan W32/QQPass.gen5"
[ Rising ], "Worm.Win32.PaBug.dt"
[ Ikarus ], "Trojan-PWS.Win32.Nilage.bga"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ Authentium ], "W32/InfoStealer!Generic"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.PWStealer.D5472FD3"
[ CAV Beta ], "Win32/QQPass!generic"
NvSys_54.Tao
[ Microsoft ], "PWS:Win32/QQGame.B.dll"
[ Kaspersky ], "Trojan-PSW.Win32.QQPass.alx"
[ McAfee ], "PWS-QQGame"
[ McAfee_Beta ], "PWS-QQGame"
[ CAV ], "Win32/QQPass!generic"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan W32/QQPass.gen5"
[ Rising ], "Worm.Win32.PaBug.dt"
[ Ikarus ], "Trojan-PWS.Win32.Nilage.bga"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ Authentium ], "W32/InfoStealer!Generic"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.PWStealer.D5472FD3"
[ CAV Beta ], "Win32/QQPass!generic"
NvWin_5.Jmp
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Shelx"
[ Symantec ], "W32.Gammima.AG"
[ Kaspersky ], "PAK:UPX, Trojan-PSW.Win32.QQPass.alx"
[ McAfee ], "[0000a4f8.EXE]:PWS-QQGame"
[ McAfee_Beta ], "[0000a4f8.EXE]:PWS-QQGame"
[ CAV ], "Win32/QQPass!generic"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ HBEDV ], "DR/Delphi.Gen"
[ Ikarus ], "Trojan-PWS.Win32.Nilage.bga"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "Win32.Trojan-PSW.QQPass.wm"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ WebWasher ], "Trojan.Delphi.Gen"
[ bitdefender ], "Generic.PWStealer.8FAD2DC8"
[ CAV Beta ], "Win32/QQPass!generic"
old[1].js:
[ Alpha_Gen ], "Possible_EncScr"
[ Beta_Gen ], "Possible_EncScr"
[ Kaspersky ], "PAK:JSPack, PAK:JSPack, unknown format."
pcibus.sys:
[ Symantec ], "W32.Fujacks.L"
[ Kaspersky ], "Worm.Win32.Downloader.aw"
[ Sophos ], "[FILE:0000\FILE:0000]:Mal/Behav-160"
[ Panda ], "Trj/Downloader.RER"
[ Panda_Beta ], "Trj/Downloader.RER"
[ Nod32 ], "Win32/Jalous.M worm"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dldr.Agent.45056"
[ Norman ], "Trojan W32/Malware.BGGP"
[ Rising ], "Trojan.Win32.Mnless.zjb"
[ Ikarus ], "Worm.Win32.Downloader.aw"
[ quickheal ], "Worm.Downloader.aw"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.Exploit.Dcomrpc.AW"
pps[1].htm:-eval
[ Alpha_Gen ], "Heur_Infrm-1"
[ Beta_Gen ], "Possible_EncScr"
[ Microsoft ], "[->(IframeRefI)]:Exploit:HTML/IframeRef.gen"
[ Kaspersky ], "Trojan-Clicker.HTML.IFrame.cw"
[ Sophos ], "Troj/Fujif-Gen"
[ CAV ], "HTML/Sauratol.B virus. "
[ HBEDV ], "HEUR/Exploit.HTML"
[ Rising ], "Trojan.DL.Ieframe.co"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.IFrame.W"
[ CAV Beta ], "HTML/Sauratol.B virus. "
ProcSvr01.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyi"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GIS"
[ Panda_Beta ], "Trj/Lineage.GIS"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.afs"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.E8CA9FC5"
[ CAV Beta ], "Win32/Frethog!generic"
ProcSvr02.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyi"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GIS"
[ Panda_Beta ], "Trj/Lineage.GIS"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.afs"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.E8CA9FC5"
[ CAV Beta ], "Win32/Frethog!generic"
ProcSvr03.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyi"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GIS"
[ Panda_Beta ], "Trj/Lineage.GIS"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.afs"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.E8CA9FC5"
[ CAV Beta ], "Win32/Frethog!generic"
ProcSvr04.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyi"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GIS"
[ Panda_Beta ], "Trj/Lineage.GIS"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.afs"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.E8CA9FC5"
[ CAV Beta ], "Win32/Frethog!generic"
ProcSvr05.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyi"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GIS"
[ Panda_Beta ], "Trj/Lineage.GIS"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.afs"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.E8CA9FC5"
[ CAV Beta ], "Win32/Frethog!generic"
ProcSvr06.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyi"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GIS"
[ Panda_Beta ], "Trj/Lineage.GIS"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.afs"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.E8CA9FC5"
[ CAV Beta ], "Win32/Frethog!generic"
ProcSvr07.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyi"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GIS"
[ Panda_Beta ], "Trj/Lineage.GIS"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.afs"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.E8CA9FC5"
[ CAV Beta ], "Win32/Frethog!generic"
qqhxatl.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack"
[ McAfee ], "PWS-OnlineGames.r"
[ McAfee_Beta ], "PWS-OnlineGames.r"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Spy.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.Generic.64525"
[ CAV Beta ], "Win32/Zuten!generic"
qqsgatl.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.hkz"
[ McAfee ], "PWS-OnlineGames.r"
[ McAfee_Beta ], "PWS-OnlineGames.r"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "W32/OnLineGames.HKZ!tr.pws"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "TrojanPSW.OnLineGames.hkz"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.Generic.72308"
[ CAV Beta ], "Win32/Zuten!generic"
sha1[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ WebWasher ], "BlockReason.46 (suspicious)"
soft01[1].exe:
[ Microsoft ], "Trojan:Win32/Frethog.V"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.iat"
[ Sophos ], "Mal/Dropper-P"
[ Panda ], "Trj/Lineage.FWB"
[ Panda_Beta ], "Trj/Lineage.FWB"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "TR/Spy.Gen"
[ Rising ], "Trojan.PSW.Win32.GameOnline.ahw"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.DEC6BA02"
[ CAV Beta ], "Win32/Frethog!generic"
soft03[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Lmir.BMQ"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.iap"
[ Sophos ], "Mal/Packer"
[ Panda ], "Trj/Lineage.GJP"
[ Panda_Beta ], "Trj/Lineage.GJP"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.YA trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Virus W32/Viking.EQ"
[ Ikarus ], "Trojan-Spy.Win32.Agent.hz"
[ eAladdin ], "Suspicious File [108]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.BE33B294"
[ CAV Beta ], "Win32/Frethog!generic"
soft06[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, PAK:PE_Patch, Trojan-PSW.Win32.OnLineGames.gti"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GDZ"
[ Panda_Beta ], "Trj/Lineage.GDZ"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Trojan W32/Zlob.ASQV"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ quickheal ], "TrojanPSW.OnLineGames.gti"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.495BF3B4"
[ CAV Beta ], "Win32/Frethog!generic"
soft07[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/OnLineGames.CPK"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hqh"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Pux.d"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.AVKill.AR"
[ CAV Beta ], "Win32/Zuten!generic"
soft09[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, PAK:PE_Patch, Trojan-PSW.Win32.OnLineGames.iau"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Spy.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.4E40F482"
[ CAV Beta ], "Win32/Frethog!generic"
soft10[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Shelx"
[ Symantec ], "W32.Gammima.AG"
[ Kaspersky ], "PAK:UPX, Trojan-PSW.Win32.QQPass.alx"
[ McAfee ], "[0000a4f8.EXE]:PWS-QQGame"
[ McAfee_Beta ], "[0000a4f8.EXE]:PWS-QQGame"
[ CAV ], "Win32/QQPass!generic"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ HBEDV ], "DR/Delphi.Gen"
[ Ikarus ], "Trojan-PWS.Win32.Nilage.bga"
[ eAladdin ], "Suspicious File [101]"
[ quickheal ], "Win32.Trojan-PSW.QQPass.wm"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.7"
[ WebWasher ], "Trojan.Delphi.Gen"
[ bitdefender ], "Generic.PWStealer.8FAD2DC8"
[ CAV Beta ], "Win32/QQPass!generic"
soft13[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Lmir.BMO"
[ Kaspersky ], "PAK:UPack, Trojan-Downloader.Win32.Delf.axx"
[ McAfee ], "New Malware.n !!"
[ McAfee_Beta ], "New Malware.n !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "a variant of Win32/PSW.WOW.WU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Dropper.Win32.Agent.ane"
[ eAladdin ], "Suspicious File [100]"
[ quickheal ], "Win32.Trojan-PSW.QQPass.xw"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.16"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Delphi.Downloader.Gen"
[ bitdefender ], "DeepScan:Generic.PWS.Games.4.D58E055D"
soft14[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/OnLineGames.CPK"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hqh"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Onlineg.KC.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Pux.d"
[ eAladdin ], "Suspicious File [100]"
[ vba32 ], "Trojan-PSW.Win32.OnLineGames.hqh"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.AVKill.AR"
[ CAV Beta ], "Win32/Zuten!generic"
soft15[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:PWS:Win32/OnLineGames.CPK"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hqh"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Spy.Win32.Delf.PD"
[ eAladdin ], "Suspicious File [100]"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Trojan.AVKill.AR"
[ CAV Beta ], "Win32/Zuten!generic"
SQLLink01.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyr"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeq"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.666E4001"
[ CAV Beta ], "Win32/Frethog!generic"
SQLLink02.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyr"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeq"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.666E4001"
[ CAV Beta ], "Win32/Frethog!generic"
SQLLink03.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyr"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeq"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.666E4001"
[ CAV Beta ], "Win32/Frethog!generic"
SQLLink04.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyr"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeq"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.666E4001"
[ CAV Beta ], "Win32/Frethog!generic"
SQLLink05.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyr"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeq"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.666E4001"
[ CAV Beta ], "Win32/Frethog!generic"
SQLLink06.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyr"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeq"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.666E4001"
[ CAV Beta ], "Win32/Frethog!generic"
SQLLink07.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyr"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeq"
[ Ikarus ], "Virus.Win32.Nilage.JY"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.Onlinegames.2.666E4001"
[ CAV Beta ], "Win32/Frethog!generic"
SQLLink08.dll:
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.hyr"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Trj/Lineage.GJK"
[ Panda_Beta ], "Trj/Lineage.GJK"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "Win32/PSW.OnLineGames.NFL trojan"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.PSW.Win32.GameOnline.aeq"
[ Ikarus ], "Virus.Win32.Nilage.JY"

僑光應用華語文系網站被植入惡意連結

2007-11-20T09:11:00.000+08:00

僑光應用華語文系網站被植入惡意連結，此惡意程式為 Trojan-PSW.Win32.OnLineGames

.idg，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\upxdnd.dll

[Added service]
NAME: PciHardDisk
DISPLAY: PciHardDisk
FILE: \??\C:\WINDOWS\system32\drivers\pcidisk.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\e19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ee1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ee2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\go[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\sa[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xm22[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\3[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\4[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\eeecom[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\mianeeecom[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\psasnbf[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1364595[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\6[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ac[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\bb[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\cj[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\e2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\e[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\login[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1358616[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\5[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\7[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\bf[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\common[1].htm
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\system32\Com\comrepl32.exe
C:\WINDOWS\system32\CRYPSERV.EXE
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\drivers\pcibus.sys
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\~tmp9493.exe
C:\WINDOWS\~tmp9591.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=upxdnd
Data=C:\WINDOWS\upxdnd.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=DbgHlp32
Data=C:\WINDOWS\DbgHlp32.exe

到目前為止 (2007/11/19 @ 13:50)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

e[1].js:
[ Kaspersky ], "Trojan-Downloader.JS.Small.ie"
ee1[1].htm:
[ McAfee ], "VBS/Psyme"
[ McAfee_Beta ], "VBS/Psyme"
[ Sophos ], "Mal/Psyme-A"
[ HBEDV ], "HTML/ADODB.Exploit.Gen"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Generic.XPL.ADODB.D6239DC6"
ee2[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
Microsoft.vbs:
[ Kaspersky ], "Trojan.VBS.Runner.o"
[ HBEDV ], "VBS/Runner.O.3"
[ Ewido ], "Trojan.Runner.o"
[ vba32 ], "Trojan.VBS.Runner.o"
[ Authentium ], "VBS/WSRunner.I"
[ WebWasher ], "Script.Runner.O.3"
pcibus.sys:
[ Symantec ], "W32.Fujacks.L"
[ Microsoft ], "Exploit:Win32/Siveras.E"
[ Kaspersky ], "Worm.Win32.Downloader.ay"
[ Sophos ], "[FILE:0000\FILE:0000]:Mal/Behav-160"
[ Nod32 ], "a variant of Win32/Jalous worm"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dldr.Agent.45056"
[ Rising ], "Trojan.Win32.Mnless.zjf"
[ Ikarus ], "Worm.Win32.Downloader.ay"
[ WebWasher ], "BlockReason.46 (suspicious)"
upxdnd.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.idg"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.HCV trojan"
[ HBEDV ], "TR/Spy.Gen"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.ibz"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.12"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ CAV Beta ], "Win32/Frethog!generic"
upxdnd.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, PAK:PE_Patch, Trojan-PSW.Win32.OnLineGames.idg"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Spy.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.D673289C"
[ CAV Beta ], "Win32/Frethog!generic"
xm22[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ WebWasher ], "BlockReason.46 (suspicious)"
5[1].htm:
[ Ewido ], "Trojan.Concon.b"
[ WebWasher ], "BlockReason.46 (suspicious)"
7[1].htm:
[ WebWasher ], "BlockReason.46 (suspicious)"
1358616[1].js:
[ HBEDV ], "JS/Iframe.B"
ac[1].htm:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Beta_Gen ], "Possible_Hifrm"
[ WebWasher ], "BlockReason.46 (suspicious)"
bb[1].js:
[ HBEDV ], "JS/Iframe.894"
bf[1].htm:
[ Kaspersky ], "Trojan-Downloader.JS.Agent.aec"
[ WebWasher ], "BlockReason.46 (suspicious)"
click[1].htm:
[ Sophos ], "Mal/Iframe-A"
common[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
[ Sophos ], "Mal/Iframe-A"
[ HBEDV ], "HEUR/Exploit.HTML"
comrepl32.exe:
[ Kaspersky ], "Worm.Win32.Downloader.ay"
[ Nod32 ], "a variant of Win32/Jalous worm"
[ Rising ], "Trojan.Win32.Mnless.zjg"
[ WebWasher ], "BlockReason.46 (suspicious)"
DbgHlp32.dll:
[ Microsoft ], "PWS:Win32/Frethog.gen!B"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "W32/OnlineGames.SUM!tr.pws"
[ HBEDV ], "HEUR/Malware"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.1"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "DeepScan:Generic.PWS.Games.1.9F7D5E5E"
[ CAV Beta ], "Win32/Frethog!generic"
DbgHlp32.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.7B745937"
[ CAV Beta ], "Win32/Frethog!generic"
e2[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, PAK:PE_Patch, Trojan-PSW.Win32.OnLineGames.idg"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Spy.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.D673289C"
[ CAV Beta ], "Win32/Frethog!generic"
e19[1].exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Frethog.gen!D"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Behav-156"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/Frethog!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFL trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Dropper.Gen"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ikarus ], "Trojan-Downloader.Win32.Zlob.and"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "MalwareScope.Trojan-PSW.Game.3"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Dropper.Gen"
[ bitdefender ], "Generic.PWS.Games.4.7B745937"
[ CAV Beta ], "Win32/Frethog!generic"
eeecom[1].exe:
[ Trend ], "WORM_DLOADER.QFD"
mianeeecom[1].exe:
[ Trend ], "WORM_DLOADER.QFD"
svchost.exe:
[ Trend ], "WORM_DLOADER.QFD"
~tmp9493.exe:
[ Trend ], "WORM_DLOADER.QFD"
~tmp9591.exe:
[ Trend ], "WORM_DLOADER.QFD"
1[1].htm:
[ Trend ], "HTML_DLOADER.RUD"
2[1].htm:
[ Trend ], "JS_PSYME.BBA"
4[1].htm:
[ Trend ], "HTML_DLOADER.QZC"
6[1].htm:
[ Trend ], "VBS_PSYME.BAZ"
cj[1].exe:
[ Trend ], "Possible_Mlwr-15"
CRYPSERV.EXE:
[ Trend ], "ossible_Mlwr-15"

中國國民黨網站又被植入惡意連結 :-(

2007-11-14T09:05:00.000+08:00

注意：此惡意檔案放置在國民黨網站中，所以，『網站信譽評等技術』有可能失效。

中國國民黨網站又被植入惡意連結，此惡意程式為 Backdoor.Win32.PcClient.bal 或 Rootkit/PcClient.FK，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結/程式碼是放置在 main.asp (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\WINDOWS\system32\clrptm.dll

[Added service]
NAME: yysjstwz
DISPLAY: yysjstwz
FILE: \??\C:\WINDOWS\system32\drivers\clrptm.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\temp003[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\category1_1_1_4_3[1].htm
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\WINDOWS\system32\clrptm.dll
C:\WINDOWS\system32\drivers\clrptm.sys

到目前為止 (2007/11/14 @ 09:00)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

clrptm.dll:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, Backdoor.Win32.PcClient.bal"
[ Sophos ], "Mal/Behav-024"
[ Nod32 ], "probably a variant of Win32/Genetik trojan"
[ vba32 ], "Trojan-Downloader.Win32.Delf.ain"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Backdoor.Agent.YYF"
clrptm.sys:
[ Alpha_Gen ], "Possible_Rootkit"
[ Kaspersky ], "Rootkit.Win32.Agent.iz"
[ McAfee ], "New Malware.an !!"
[ McAfee_Beta ], "New Malware.an !!"
[ Panda ], "Rootkit/PcClient.FK"
[ Panda_Beta ], "Rootkit/PcClient.FK"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ HBEDV ], "TR/Rootkit.Gen"
[ Rising ], "RootKit.Win32.Agent.nhx"
[ quickheal ], "Rootkit.Agent.iz"
[ WebWasher ], "Trojan.Rootkit.Gen"
temp003[1].jpg:
[ IntelliTrap ], "PAK_Generic.001"
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, Backdoor.Win32.PcClient.aid"
[ Ikarus ], "Backdoor.Win32.PcClient.yw"
[ vba32 ], "Trojan.Win32.Agent.ckf"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "BlockReason.46 (suspicious)"
[ bitdefender ], "Backdoor.Generic.25313"
category1_1_1_4_3[1].htm:
[ Alpha_Gen ], "Possible_EncScr"
[ Beta_Gen ], "Possible_EncScr"
[ Microsoft ], "[->(SCRIPT0001)]:Worm:VBS/VBSWG.gen"
[ HBEDV ], "HEUR/Exploit.HTML"
[ WebWasher ], "BlockReason.46 (suspicious)"

幸運草網站又被植入惡意連結

2007-11-12T23:21:00.000+08:00

幸運草網站又被植入惡意連結，此惡意程式為 TROJ_GENETIK.GM，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。

惡意連結是放置在首頁 (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[DLL injection]
C:\WINDOWS\system32\msavpw0.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\cn_Ajax[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\cn[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cn[1].exe
C:\WINDOWS\system32\msavpw0.dll

[ Added COM/BHO ]
{86AAC8D7-BA19-48AC-9269-3C76A52642EC}-C:\WINDOWS\system32\msavpw0.dll

到目前為止 (2007/11/08 @ 13:39)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

msavpw0.dll:
[ Trend ], "Possible_Strat-6"
cn[1].exe:
[ Trend ], "TROJ_GENETIK.GM"
cn_Ajax[1].htm:
[ Microsoft ], "[->(SCRIPT0000)->(EmbeddedCode)->(SCRIPT0000)]:TrojanDownloader:VBS/Agent.EI"
[ Fortinet ], "VBS/Small.DR!tr.dldr"
[ HBEDV ], "HEUR/Exploit.HTML"
[ Ewido ], "Downloader.Agent.m"

心態不改難保不會再被入侵

2007-11-08T10:31:00.000+08:00

這則新聞說明了現在大部分遭入侵企業的心態：

此則新聞部分內容：
〔記者吳幸樺／台南報導〕
[...] 成大表示，由於這兩天圖書館進行評鑑，暫時將防火牆鬆綁，才會被駭客入侵，幸好駭客的目的只是惡作劇，並未損及電腦資料庫。

成功大學表示，這兩天學校在辦評鑑，地點就在圖書館，必須接收大批資料，將防火牆暫時鬆綁，沒想到竟給了駭客入侵的機會。

成大表示，[...]，幸好只是無傷的惡作劇，未造成資料被盜或系統受損。

黑手遮天、粉飾太平：因為某種原因，所以，導致被入侵。意思是說，那些被入侵的企業根本沒有建立『資安事件標準處理程序』。
使用者的資料沒有被竊取：誰可以驗證他們所說的話呢？最好能立法強制企業須接受有能力之公正單位檢視，並公佈結果。
很少檢視系統有安全漏洞：根本沒有能力調查到底系統是如何被入侵？
我們已經安裝了相關的資安軟體：關鍵的問題不在到底安裝了多少資安軟體，而是在於會不會使用這些資安軟體，或是會不會分析這些資安軟體所產生的記錄檔。
...

尖端科技軍事雜誌網站被植入惡意連結

2007-11-08T09:39:00.000+08:00

尖端科技軍事雜誌網站被植入惡意連結，此惡意程式為 Trojan-PSW.Win32.OnLineGames

.guz

，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦，請各位暫時不要瀏覽這個網站，以免中毒。(Credit: Jimau)

惡意連結是放置在 index.asp (其他頁面可能要仔細檢查一下囉) 中的：

執行之後，有下面的行為：

[Added process]
C:\WINDOWS\system32\kawdcaz.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\IGM.exe
C:\WINDOWS\IGW.exe
C:\WINDOWS\system32\avzxest.exe
C:\WINDOWS\system32\kapjdaz.exe
C:\WINDOWS\system32\raqjdtl.exe
C:\WINDOWS\system32\avwldst.exe
C:\WINDOWS\system32\ratbgtl.exe
C:\WINDOWS\system32\avwgest.exe

[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\WINDOWS\system32\avwgemn.dll
C:\WINDOWS\system32\avwldmn.dll
C:\WINDOWS\system32\avzxemn.dll
C:\WINDOWS\system32\dh3atl.dll
C:\WINDOWS\system32\dhatl.dll
C:\WINDOWS\system32\djatl.dll
C:\WINDOWS\system32\jzatl.dll
C:\WINDOWS\system32\kapjdzy.dll
C:\WINDOWS\system32\kawdczy.dll
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\myatl.dll
C:\WINDOWS\system32\qqhxatl.dll
C:\WINDOWS\system32\raqjdpi.dll
C:\WINDOWS\system32\raqjdtl.exe
C:\WINDOWS\system32\ratbgpi.dll
C:\WINDOWS\system32\ratbgtl.exe
C:\WINDOWS\system32\rxjhatl.dll
C:\WINDOWS\system32\sqmapi32.dll

[Added service]
NAME: WS2IFSL (正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

NAME: Wdswsdewn
DISPLAY: Telephotsgoogle
FILE: C:\WINDOWS\system32\serdst.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\LYLOADER.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\LYMANGR.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDEG32.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp87.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\014[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\11[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\15[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\19[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\7[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\13[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\17[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\5[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\9[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\0[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\16[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\4[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\8[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1299644[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\14[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\18[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\6[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ki[1].htm
C:\WINDOWS\136741MM.DLL
C:\WINDOWS\136741WL.DLL
C:\WINDOWS\136741WO.DLL
C:\WINDOWS\Fonts\chqiaur.fon
C:\WINDOWS\Fonts\chtiaur.fon
C:\WINDOWS\Fonts\enpoafx.fon
C:\WINDOWS\Fonts\enweafx.fon
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\IGM.exe
C:\WINDOWS\IGW.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\system32\0.exe
C:\WINDOWS\system32\avwgein.dll
C:\WINDOWS\system32\avwgemn.dll
C:\WINDOWS\system32\avwgest.exe
C:\WINDOWS\system32\avwldin.dll
C:\WINDOWS\system32\avwldmn.dll
C:\WINDOWS\system32\avwldst.exe
C:\WINDOWS\system32\avzxein.dll
C:\WINDOWS\system32\avzxemn.dll
C:\WINDOWS\system32\avzxest.exe
C:\WINDOWS\system32\dh3atl.dll
C:\WINDOWS\system32\dhatl.dll
C:\WINDOWS\system32\djatl.dll
C:\WINDOWS\system32\jzatl.dll
C:\WINDOWS\system32\kapjdaz.exe
C:\WINDOWS\system32\kapjdcs.dll
C:\WINDOWS\system32\kapjdzy.dll
C:\WINDOWS\system32\kawdcaz.exe
C:\WINDOWS\system32\kawdccs.dll
C:\WINDOWS\system32\kawdczy.dll
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\mseam.sys
C:\WINDOWS\system32\myatl.dll
C:\WINDOWS\system32\qqhxatl.dll
C:\WINDOWS\system32\raqjdni.dll
C:\WINDOWS\system32\raqjdpi.dll
C:\WINDOWS\system32\raqjdtl.exe
C:\WINDOWS\system32\ratbgni.dll
C:\WINDOWS\system32\ratbgpi.dll
C:\WINDOWS\system32\ratbgtl.exe
C:\WINDOWS\system32\rxjhatl.dll
C:\WINDOWS\system32\serdst.exe
C:\WINDOWS\system32\sqmapi32.dll
C:\WINDOWS\system32\zhtuatl.dll

[Added LSP]
ID: 1026
NAME: MSAPI Tcpip [UDP/IP] (C:\WINDOWS\system32\sqmapi32.dll)

ID: 1027
NAME: MSAPI Tcpip [TCP/IP] (C:\WINDOWS\system32\sqmapi32.dll)

[Added COM/BHO]
{38907901-1416-3389-9981-372178569983}-C:\WINDOWS\system32\kawdczy.dll
{44783410-4F90-34A0-7820-3230ACD05F44}-C:\WINDOWS\system32\raqjdpi.dll
{4960356A-458E-DE24-BD50-268F589A56A4}-C:\WINDOWS\system32\avwldmn.dll
{4A321487-4977-D98A-C8D5-6488257545A4}-C:\WINDOWS\system32\kapjdzy.dll
{5859245F-345D-BC13-AC4F-145D47DA34F5}-C:\WINDOWS\system32\avzxemn.dll
{5A1247C1-53DA-FF43-ABD3-345F323A48D5}-C:\WINDOWS\system32\avwgemn.dll
{76650011-3344-6688-4899-345FABCD1567}-C:\WINDOWS\system32\ratbgpi.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\IGM.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysW
Data=C:\WINDOWS\swchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSys
Data=C:\WINDOWS\IGW.exe

到目前為止 (2007/11/07 @ 13:35)，下面的防毒軟體可以偵測到這些惡意檔案 (僅提供參考)：

mseam.sys:
[ Symantec ], "Infostealer"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NFC trojan"
sqmapi32.dll:
[ IntelliTrap ], "PAK_Generic.006"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.guz"
[ McAfee ], "PWS-OnlineGames.j"
[ McAfee_Beta ], "PWS-OnlineGames.j"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ CAV ], "Win32/Spibe!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
[ CAV Beta ], "Win32/Spibe!generic"
tmp87.tmp:
[ IntelliTrap ], "PAK_Generic.006"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.WOW.adu"
[ McAfee ], "PWS-OnlineGames.j"
[ McAfee_Beta ], "PWS-OnlineGames.j"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ CAV ], "Win32/Spibe!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.NHF trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Wow.adu"
[ Norman ], "Trojan W32/Agent.DASF"
[ Sunbelt ], "VIPRE.Suspicious"
[ CAV Beta ], "Win32/Spibe!generic"
2[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.WOW.adu"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "[FILE:0000]:Mal/Packer, Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
3[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "[FILE:0000]:Mal/Packer, Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Onlineg.KC.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
5[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
12[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.gyu"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "[FILE:0000]:Mal/Packer, Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Onlineg.KC.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
14[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "[FILE:0000]:Mal/Packer, Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Onlineg.KC.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
17[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Trojan W32/Delf.AYPE"
[ Sunbelt ], "VIPRE.Suspicious"
18[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "[FILE:0000]:Mal/Packer, Mal/Packer"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Onlineg.KC.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
19[1].exe:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "[FILE:0000]:Mal/Packer, Mal/Packer"
[ CAV ], "Win32/Zuten!generic"
[ Nod32 ], "probably a variant of Win32/PSW.OnLineGames.NGU trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/CrashSystem.C"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
LYLOADER.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "[->(Upack)]:TrojanSpy:Win32/Agent.HZ"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.gym"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Trj/Lineage.gen"
[ Panda_Beta ], "Trj/Lineage.gen"
[ CAV ], "Win32/Lolyda!generic"
[ Nod32 ], "a variant of Win32/PSW.Agent.NEC trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Online.agb.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
[ CAV Beta ], "Win32/Lolyda!generic"
LYMANGR.DLL:
[ IntelliTrap ], "PAK_Generic.001"
[ Beta_Gen ], "Possible_Crypt-6"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.gyn"
[ McAfee ], "Generic PWS.j"
[ McAfee_Beta ], "Generic PWS.j"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Lolyda!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.DTR trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.Online.agb.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
[ CAV Beta ], "Win32/Lolyda!generic"
MSDEG32.DLL:
[ IntelliTrap ], "PAK_Generic.001"
[ Beta_Gen ], "Possible_Crypt-6"
[ Microsoft ], "VirTool:Win32/Obfuscator.C"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.gyo"
[ Sophos ], "Mal/Packer"
[ CAV ], "Win32/Lolyda!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.DVV trojan"
[ Fortinet ], "suspicious"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Sunbelt ], "VIPRE.Suspicious"
[ CAV Beta ], "Win32/Lolyda!generic"