A phishing site impersonating the 翠湖水草 (aquatic plants) website has appeared, and it carries malicious links.
Anyone who uses this site and has browsed it recently should double-check the URL they typed. (Credit: PC-Zone forum member DarkSkyline)
**Please help notify them, thank you**
Homepage of the real 翠湖水草 site:
Homepage of the fake 翠湖水草 site (the phishing site):
Notice published by the 翠湖水草 site:
The fake site contains malicious links:
Part of the malicious code:
After it runs, the following behaviour is observed:
[DLL injection]
C:\WINDOWS\system32\mscc.dll (injected into the Winlogon.exe process)
[Added service]
NAME: Event Logger
DISPLAY: Event Logger
FILE: C:\WINDOWS\system32\ieum.exe
NAME: vsdat
DISPLAY: vsdat
FILE: \??\C:\WINDOWS\system32\vsdat.sys
[Added file]
C:\boot.bsr
C:\ccb.hta
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\alxea[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\o[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ps[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cjb[1].hta
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\click[1].htm
C:\WINDOWS\system32\ctfman.exe
C:\WINDOWS\system32\ieum.exe
C:\WINDOWS\system32\mscc.dll
C:\WINDOWS\system32\msdb.dll
C:\WINDOWS\system32\vsdat.sys
[Added COM/BHO]
{4860E4F8-BE58-4f73-96E4-98B2FCB21583}-C:\WINDOWS\system32\msdb.dll
{A529C586-6D68-4681-9107-AFE144A23755}
{267B1ED2-2C9E-4A3F-BE15-7AFC79403073}
{46A219CD-45C7-4E10-B408-216BE827DC01}
{80CC88FE-2567-42ED-A3AE-E397D2A12C52}
{21932AFA-3AD3-4C28-8D93-2AAE2BD043CB}
{5AB0D266-DD2B-4006-B9D6-A9145291BDD6}
{90143179-611B-4016-818E-676EAC6B3E2F}
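The indicators above are path, service and CLSID based; the post gives no file hashes, so an offline check has to match on exactly those strings. The script below is an added example, not code from the original post or from the malware, that turns the listed indicators into a matcher a responder can run against output collected from a suspect host. All "snapshots" in it are constructed inline to stand in for a directory listing, service entries (as read with `sc qc` or from the registry), `reg query` output for the Browser Helper Objects key, and `tasklist /m` output; the cache folder name `ZZ9AB1CD` and the CLSID `{11111111-...}` are made-up benign values. Two details matter in practice: the `Content.IE5\XXXXXXXX` cache folder names are random per machine, so cached downloads are matched on basename only, and the driver entry's `\??\` prefix is the NT object-namespace form of the path and is stripped before comparison. The service name "Event Logger" is chosen to look like the legitimate Windows XP "Eventlog" service (display name "Event Log", hosted by services.exe), so a name-only hit is reported as weak and the image path is what should be trusted.

```python
"""Offline matcher for the host indicators listed in this post.
Added example, not from the original post or the malware; snapshots are constructed."""
import re
from pathlib import PureWindowsPath

# --- indicators taken from the post -------------------------------------------
# Dropped files with fixed paths. IE cache folders (Content.IE5\XXXXXXXX) are random
# per machine, so the cached downloads are matched on basename only.
IOC_FILES_EXACT = {
    r"C:\boot.bsr", r"C:\ccb.hta",
    r"C:\WINDOWS\system32\ctfman.exe", r"C:\WINDOWS\system32\ieum.exe",
    r"C:\WINDOWS\system32\mscc.dll", r"C:\WINDOWS\system32\msdb.dll",
    r"C:\WINDOWS\system32\vsdat.sys",
}
IOC_FILES_BASENAME = {"click[1].htm", "alxea[1].htm", "cjb[1].hta", "o[1].exe", "ps[1].exe"}
# Service name -> image path. "\??\" is the NT object-namespace prefix on the driver
# entry; it is stripped before comparison.
IOC_SERVICES = {"event logger": r"C:\WINDOWS\system32\ieum.exe",
                "vsdat": r"C:\WINDOWS\system32\vsdat.sys"}
IOC_CLSIDS = {
    "{4860E4F8-BE58-4f73-96E4-98B2FCB21583}", "{A529C586-6D68-4681-9107-AFE144A23755}",
    "{267B1ED2-2C9E-4A3F-BE15-7AFC79403073}", "{46A219CD-45C7-4E10-B408-216BE827DC01}",
    "{80CC88FE-2567-42ED-A3AE-E397D2A12C52}", "{21932AFA-3AD3-4C28-8D93-2AAE2BD043CB}",
    "{5AB0D266-DD2B-4006-B9D6-A9145291BDD6}", "{90143179-611B-4016-818E-676EAC6B3E2F}",
}
INJECTED = {("winlogon.exe", "mscc.dll")}  # (host process, injected DLL)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def norm_path(p):
    p = p.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()

_EXACT = {norm_path(p) for p in IOC_FILES_EXACT}
_BASENAMES = {b.lower() for b in IOC_FILES_BASENAME}
_SVC_PATHS = {norm_path(p) for p in IOC_SERVICES.values()}


def match_files(paths):
    """Return the entries of `paths` that match a dropped-file indicator."""
    return [p.strip() for p in paths
            if norm_path(p) in _EXACT or PureWindowsPath(norm_path(p)).name in _BASENAMES]


def match_services(services):
    """`services`: (name, image path) pairs. A path hit is strong; a name-only hit is
    weak, since 'Event Logger' is picked to resemble the real 'Eventlog' service."""
    hits = []
    for name, path in services:
        if norm_path(path) in _SVC_PATHS:
            hits.append((name.strip(), "image path matches"))
        elif name.strip().lower() in IOC_SERVICES:
            hits.append((name.strip(), "name only, verify image path"))
    return hits


def match_bhos(reg_query_output):
    """Pull CLSIDs out of `reg query ...\Browser Helper Objects` output (case-insensitive)."""
    found = {c.upper() for c in CLSID_RE.findall(reg_query_output)}
    return sorted(found & {c.upper() for c in IOC_CLSIDS})


def parse_tasklist_modules(text):
    """Parse `tasklist /m` output: fixed-width columns, module lists wrap onto
    indented continuation lines. Column widths come from the '====' underline."""
    mods, current, widths = {}, None, None
    for line in text.splitlines():
        if line.startswith("="):
            widths = [len(c) for c in line.split()]
            continue
        if widths is None or not line.strip():
            continue
        w0, w1 = widths[0], widths[1]
        name, pid, rest = line[:w0].strip(), line[w0 + 1:w0 + 1 + w1].strip(), line[w0 + w1 + 2:]
        if name and pid.isdigit():
            current = name.lower()
            mods.setdefault(current, set())
        elif name or current is None:  # malformed line, or continuation with no owner
            continue
        mods[current].update(m.strip().lower() for m in rest.split(",") if m.strip())
    return mods


def match_injection(tasklist_text):
    mods = parse_tasklist_modules(tasklist_text)
    return sorted((proc, dll) for proc, dll in INJECTED if dll in mods.get(proc, ()))


# --- constructed host snapshot (not real captures) ---------------------------------
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\mscc.dll",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZZ9AB1CD\o[1].exe",
    r"\??\C:\WINDOWS\system32\vsdat.sys",
]
SAMPLE_SERVICES = [
    ("Eventlog", r"C:\WINDOWS\system32\services.exe"),  # the legitimate Event Log service
    ("Event Logger", r"C:\WINDOWS\system32\ieum.exe"),
    ("vsdat", r"\??\C:\WINDOWS\system32\vsdat.sys"),
]
_BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SAMPLE_REG = "\n".join(_BHO_KEY + "\\" + c for c in (
    "{11111111-2222-3333-4444-555555555555}",  # made-up benign BHO
    "{4860E4F8-BE58-4f73-96E4-98B2FCB21583}",
    "{a529c586-6d68-4681-9107-afe144a23755}",  # registry may show lower case
))
SAMPLE_TASKLIST = "\n".join([
    f"{'Image Name':<25} {'PID':>8} Modules",
    "=" * 25 + " " + "=" * 8 + " " + "=" * 44,
    f"{'winlogon.exe':<25} {600:>8} ntdll.dll, kernel32.dll, mscc.dll,",
    " " * 35 + "user32.dll",
    f"{'explorer.exe':<25} {1234:>8} ntdll.dll, shell32.dll, msdb.dll",
])


def scan(files=SAMPLE_FILES, services=SAMPLE_SERVICES, reg=SAMPLE_REG, tasklist=SAMPLE_TASKLIST):
    return {"files": match_files(files), "services": match_services(services),
            "bhos": match_bhos(reg), "injection": match_injection(tasklist)}
```

Feed `scan()` the real listings from a suspect machine (read the files and pass their contents in place of the constructed samples) and treat any path or injection hit as confirmation; a name-only service hit should be followed up by checking the image path, since a service called "Event Logger" that points at the real services.exe is not this malware.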
So far, the following antivirus products detect these malicious files:
mscc.dll:
[ HBEDV ], "HEUR/Malware"
ieum.exe:
[ HBEDV ], "HEUR/Malware"
[ Fprot ], "Infection: Possibly a new variant of W32/Downloader-WebExe-based!Maximus"
ctfman.exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPX"
o[1].exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPX"
[ Sophos ], "[FILE:0000]:Mal/Packer"
[ HBEDV ], "TR/HideRun.A.7"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Startpage.EGF.dropper"
click[1].htm:
[ Sophos ], "Mal/Psyme-A"
[ Norman ], "Trojan VBS/Psyme.AK"
ps[1].exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPX, Trojan-Downloader.Win32.Agent.bes"
[ HBEDV ], "HEUR/Malware"
[ Grisoft ], "Trojan horse Downloader.Agent.IQH"
[ Fprot ], "[->(UPX)]:Infection: Possibly a new variant of W32/Downloader-WebExe-based!Maximus"
alxea[1].htm:
[ Alpha_Gen ], "Heur_Infrm-1"
msdb.dll:
[ Kaspersky ], "PAK:NSPack, PAK:UPX"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"