國立教育資料館全球資訊網被植入惡意連結。請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式會偷帳號與密碼)。(感謝 Jimau)
**請幫忙通知他們,謝謝**
新的網址應該在 hxxp://www.nioerar.edu.tw,真搞不到,難道是舊的網址嗎?
惡意連結是放置在首頁中:
惡意程式的一部份為:
執行之後,有下面的行為:
[Added process]
C:\Program Files\Windows Media Player\svchost.exe
[DLL injection]
C:\Program Files\Windows Media Player\svchost.exe (注入 svchost.exe 的執行程序)
C:\WINDOWS\system32\PDLL.dll (注入某些執行程序如瀏覽器等)
[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\lineage[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\lineage[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ttt1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ffg[1].exe
C:\pagefile.pif
C:\Program Files\ffg.exe
C:\Program Files\Windows Media Player\svchost.exe
C:\WINDOWS\kill.exe
C:\WINDOWS\system32\PDLL.dll
C:\WINDOWS\systemxz.dll
C:\WINDOWS\systemxz.exe
到目前為止,下面的防毒軟體可以偵測到這些惡意檔案:
systemxz.exe:
[ Trend ], "TSPY_ONLINEGA.ZQ"
systemxz.dll:
[ Trend ], "TSPY_ONLINEGA.ZQ"
pagefile.pif:
[ Trend ], "TSPY_ONLINEGA.ZQ"
lineage[1].exe:
[ Trend ], "TSPY_ONLINEGA.ZQ"
PDLL.dll:
[ Trend ], "Possible_Lineage"
kill.exe:
[ Beta_Gen ], "TROJ_Generic.CON"
[ McAfee ], "ProcKill-KnlKillP"
[ Panda ], "Application/Pskill.S"
[ HBEDV ], "APPL/Tool.PsKill.W"
[ Ewido ], "Backdoor.PcClient.qh"
lineage[1].htm:
[ Sophos ], "VBS/Psyme-Fam"
[ HBEDV ], "VBS/Psyme.Fam.K"
[ Norman ], "Trojan VBS/Psyme.AK"
[ Rising ], "Trojan.DL.VBS.Agent.chn"
ffg[1].exe:
[ Kaspersky ], "PAK:PE_Patch, ARC:Embedded EXE, Trojan-PSW.Win32.Nilage.ajm"
[ McAfee ], "[0000a7e4.EXE]:corrupted"
[ Fortinet ], "suspicious"
ffg.exe:
[ Kaspersky ], "PAK:PE_Patch, ARC:Embedded EXE, Trojan-PSW.Win32.Nilage.ajm"
[ McAfee ], "[0000a7e4.EXE]:corrupted"
[ Fortinet ], "suspicious"
ttt1[1].exe:
[ Symantec ], "Infostealer"
[ Microsoft ], "PWS:Win32/Wowsteal.gen!A"
[ McAfee ], "New Malware.u !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably a variant of Win32/PSW.Lineage.AJP trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "DR/PSW.Lineage.U"
[ Ewido ], "Trojan.Nilage.awo"
[ Grisoft ], "Trojan horse PSW.Generic3.ITW"
svchost.exe:
[ Symantec ], "Infostealer"
[ Microsoft ], "PWS:Win32/Wowsteal.gen!A"
[ McAfee ], "New Malware.u !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably a variant of Win32/PSW.Lineage.AJP trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "DR/PSW.Lineage.U"
[ Ewido ], "Trojan.Nilage.awo"
[ Grisoft ], "Trojan horse PSW.Generic3.ITW"
autorun.inf:
[ McAfee ], "Downloader.inf"-----
**請幫忙通知他們,謝謝**
新的網址應該在 hxxp://www.nioerar.edu.tw,真搞不到,難道是舊的網址嗎?
惡意連結是放置在首頁中:
惡意程式的一部份為:
執行之後,有下面的行為:
[Added process]
C:\Program Files\Windows Media Player\svchost.exe
[DLL injection]
C:\Program Files\Windows Media Player\svchost.exe (注入 svchost.exe 的執行程序)
C:\WINDOWS\system32\PDLL.dll (注入某些執行程序如瀏覽器等)
[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\lineage[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\lineage[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ttt1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ffg[1].exe
C:\pagefile.pif
C:\Program Files\ffg.exe
C:\Program Files\Windows Media Player\svchost.exe
C:\WINDOWS\kill.exe
C:\WINDOWS\system32\PDLL.dll
C:\WINDOWS\systemxz.dll
C:\WINDOWS\systemxz.exe
到目前為止,下面的防毒軟體可以偵測到這些惡意檔案:
systemxz.exe:
[ Trend ], "TSPY_ONLINEGA.ZQ"
systemxz.dll:
[ Trend ], "TSPY_ONLINEGA.ZQ"
pagefile.pif:
[ Trend ], "TSPY_ONLINEGA.ZQ"
lineage[1].exe:
[ Trend ], "TSPY_ONLINEGA.ZQ"
PDLL.dll:
[ Trend ], "Possible_Lineage"
kill.exe:
[ Beta_Gen ], "TROJ_Generic.CON"
[ McAfee ], "ProcKill-KnlKillP"
[ Panda ], "Application/Pskill.S"
[ HBEDV ], "APPL/Tool.PsKill.W"
[ Ewido ], "Backdoor.PcClient.qh"
lineage[1].htm:
[ Sophos ], "VBS/Psyme-Fam"
[ HBEDV ], "VBS/Psyme.Fam.K"
[ Norman ], "Trojan VBS/Psyme.AK"
[ Rising ], "Trojan.DL.VBS.Agent.chn"
ffg[1].exe:
[ Kaspersky ], "PAK:PE_Patch, ARC:Embedded EXE, Trojan-PSW.Win32.Nilage.ajm"
[ McAfee ], "[0000a7e4.EXE]:corrupted"
[ Fortinet ], "suspicious"
ffg.exe:
[ Kaspersky ], "PAK:PE_Patch, ARC:Embedded EXE, Trojan-PSW.Win32.Nilage.ajm"
[ McAfee ], "[0000a7e4.EXE]:corrupted"
[ Fortinet ], "suspicious"
ttt1[1].exe:
[ Symantec ], "Infostealer"
[ Microsoft ], "PWS:Win32/Wowsteal.gen!A"
[ McAfee ], "New Malware.u !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably a variant of Win32/PSW.Lineage.AJP trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "DR/PSW.Lineage.U"
[ Ewido ], "Trojan.Nilage.awo"
[ Grisoft ], "Trojan horse PSW.Generic3.ITW"
svchost.exe:
[ Symantec ], "Infostealer"
[ Microsoft ], "PWS:Win32/Wowsteal.gen!A"
[ McAfee ], "New Malware.u !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably a variant of Win32/PSW.Lineage.AJP trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "DR/PSW.Lineage.U"
[ Ewido ], "Trojan.Nilage.awo"
[ Grisoft ], "Trojan horse PSW.Generic3.ITW"
autorun.inf:
[ McAfee ], "Downloader.inf"-----
