The 手機王 website has had a malicious link injected again. This is the third time their pages have been injected with a malicious link.
This is a shopping site, which really should not happen, and on top of that it is the Lunar New Year holiday, so their web administrators are probably on leave as well; I'd guess quite a few visitors have been infected (can the victims claim compensation?).
Please do not browse this site for the time being, to avoid infection. Once I have confirmed that they have fixed it, I will update this post (this malware steals user accounts and passwords, very likely credit card numbers as well, and exhibits rootkit behaviour).
**Please help notify them, thank you**
The malicious link is placed in the file v7_index.js:
The link above points to the CTS (華視) website; the CTS website is far too easy to break into, which is very disappointing.
Part of the malicious code is shown below (it uses a malformed-ASCII bypass technique: it looks meaningless, but it can actually be executed):
After execution, it exhibits the following behaviour:
[Added hidden process] (hidden running process)
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe
[DLL injection]
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe (injected into svchost.exe)
C:\WINDOWS\Debug\UserMode\299E575.dll (injected into certain processes such as Windows Explorer)
[Added files]
C:\Documents and Settings\Administrator\Local Settings\Temp\CiKE.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\test[1].exe
C:\logex.txt
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eCompress.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eImgConverter.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eLIB.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\HideProc.dll
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\internet.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\krnln.fnr
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\Nhook.dll
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\shell.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe
C:\WINDOWS\Debug\UserMode\299E575.dll
C:\WINDOWS\Debug\UserMode\299E575.exe
[Added COM/BHO]
{77D9BC5E-7942-499F-9AA0-D1BA226D2788}-C:\WINDOWS\debug\userMode\299E575.dll
[Added registry value]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=svchost, Data=C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe
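The persistence artifacts listed above (a Run value named `svchost` that points into Common Files rather than System32, and a Browser Helper Object whose CLSID resolves to a DLL under C:\WINDOWS\Debug\UserMode) are easy to check for from a registry export. The script below is an added example for defenders, not code from the original post; it parses a `.reg`-style export and flags the indicators the post lists. The CLSID and file paths are taken from the post; the sample export and the function names are constructed for this example. The `svchost.exe` check generalizes beyond this incident: any Run entry that launches a binary named `svchost.exe` from outside `C:\WINDOWS\system32` is flagged, since the legitimate one only lives there.

```python
"""Check a .reg export for the persistence artifacts described in the post.

Added example (not from the original post). Indicators below come from
the post; the sample export is constructed for this example.
"""
import re

# Indicators from the post (compared case-insensitively).
BHO_CLSID = "{77D9BC5E-7942-499F-9AA0-D1BA226D2788}".lower()
KNOWN_BAD_PATHS = {
    r"c:\program files\common files\microsoft shared\web server extensions\40\bots\vinavbar\svchost.exe",
    r"c:\windows\debug\usermode\299e575.dll",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
SYSTEM32 = r"c:\windows\system32"

# Constructed sample export: one legitimate Run entry plus the artifacts from the post.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost"="C:\\Program Files\\Common Files\\Microsoft Shared\\web server extensions\\40\\bots\\vinavbar\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77D9BC5E-7942-499F-9AA0-D1BA226D2788}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{77D9BC5E-7942-499F-9AA0-D1BA226D2788}\InprocServer32]
@="C:\\WINDOWS\\debug\\userMode\\299E575.dll"
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"([^"]*)"|@)=(?:"(.*)"|(.*))$')


def parse_reg_export(text):
    """Parse a .reg export into {key (lowercased): {value name (lowercased): data}}.
    The default value is stored under the name "@"; doubled backslashes are unescaped."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group(1).lower() if m.group(1) is not None else "@"
            data = m.group(2) if m.group(2) is not None else m.group(3)
            reg[current][name] = data.replace("\\\\", "\\")
    return reg


def _normalize(path):
    return path.strip().strip('"').lower()


def find_suspicious_run_entries(reg):
    """Return (value name, path, reason) for Run entries that either match a path
    from the post or launch a 'svchost.exe' that does not live in System32."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        path = _normalize(data)
        basename = path.rsplit("\\", 1)[-1]
        if path in KNOWN_BAD_PATHS:
            findings.append((name, path, "path listed in the post"))
        elif basename == "svchost.exe" and not path.startswith(SYSTEM32 + "\\"):
            findings.append((name, path, "svchost.exe outside System32"))
    return findings


def find_bho_indicators(reg):
    """Resolve every registered BHO CLSID to its InprocServer32 DLL and return
    (clsid, dll path) for the CLSID or DLL the post lists."""
    findings = []
    prefix = BHO_KEY + "\\"
    for key in reg:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):].split("\\", 1)[0]
        inproc = reg.get(r"hkey_classes_root\clsid\%s\inprocserver32" % clsid, {})
        dll = _normalize(inproc.get("@", ""))
        if clsid == BHO_CLSID or dll in KNOWN_BAD_PATHS:
            findings.append((clsid, dll))
    return findings


def scan_export(text):
    """Convenience wrapper: run both checks over one export."""
    reg = parse_reg_export(text)
    return {"run": find_suspicious_run_entries(reg), "bho": find_bho_indicators(reg)}


if __name__ == "__main__":
    for kind, hits in scan_export(SAMPLE_REG_EXPORT).items():
        for hit in hits:
            print(kind, hit)
```

On a real machine the export would come from `reg export` of the two hives; the parser deliberately ignores the file's case so that `userMode` versus `UserMode` spelling differences, as seen in the post's own listing, do not hide a match.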
So far, the following antivirus products detect these malicious files:
CiKE.exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ HBEDV ], "HEUR/Malware"
eCompress.fne:
[ Kaspersky ], "PAK:NSPack"
[ Fortinet ], "PossibleThreat!024073"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Trojan W32/PWStealer.gen1"
eImgConverter.fne:
[ Kaspersky ], "PAK:NSPack"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Trojan W32/PWStealer.gen1"
eLIB.fne:
[ Kaspersky ], "PAK:NSPack, Trojan.Win32.Agent.agf"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Trojan W32/PWStealer.gen1"
HideProc.dll:
[ Kaspersky ], "Trojan.Win32.Agent.agf"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Trojan W32/PWStealer.gen1"
internet.fne:
[ Kaspersky ], "PAK:NSPack, Trojan-Clicker.Win32.Flyst.d"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Trojan W32/PWStealer.gen1"
[ Ewido ], "Trojan.Lineage.alo"
krnln.fnr:
[ Kaspersky ], "PAK:NSPack"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Drop.Lmir.16.B"
[ Norman ], "Trojan W32/PWStealer.gen1"
Nhook.dll:
[ Kaspersky ], "PAK:NSPack, Trojan.Win32.Agent.agf"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
[ Norman ], "Trojan W32/PWStealer.gen1"
shell.fne:
[ Kaspersky ], "PAK:NSPack"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Lmir.16"
[ Norman ], "Trojan W32/PWStealer.gen1"
svchost.exe:
[ Kaspersky ], "Trojan-Downloader.Win32.Agent.bgz"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Trojan W32/PWStealer.gen1"
taskmgr.exe:
[ Alpha_Gen ], "TEST_Downloader1"
[ Kaspersky ], "Trojan-Downloader.Win32.Agent.aqy"
[ Nod32 ], "a variant of Win32/Delf.AG worm"
[ Fortinet ], "W32/Agent.AQY!tr.dldr"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Trojan W32/PWStealer.gen1"
[ Ikarus ], "Backdoor.Win32.Hupigon.BV"
[ Grisoft ], "Trojan horse Generic3.AIS"
test[1].exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ HBEDV ], "HEUR/Malware"
299E575.dll:
[ Alpha_Gen ], "Possible_Lineage"
[ Beta_Gen ], "Possible_Lineage"
[ Symantec ], "Infostealer.Lineage"
[ Kaspersky ], "PAK:NSPack"
[ Nod32 ], "probably a variant of Win32/PSW.Lineage.DN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan W32/Hupigon.gen7"
[ Ikarus ], "Backdoor.Win32.PcClient.GV"
299E575.exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ HBEDV ], "HEUR/Malware"