今天在台灣論壇上,看見另一個網友 (傻气≠朱哥) 張貼了一個疑似即時通訊惡意程式,各位可以參考一下他們的對話 (如下圖所示)。還是老生常談的一句話
「不要亂執行來路不明的連結」。
惡意連結為:
惡意程式碼的一部分為:
執行之後,有下面的行為:
[Added process]
C:\Program Files\Internet Explorer\SVCHOST.EXE
C:\Program Files\Internet Explorer\SMSS.EXE
C:\Program Files\Internet Explorer\SERVICES.EXE
C:\Program Files\Internet Explorer\9Sy.exe
C:\Program Files\Internet Explorer\WINLOGON.EXE
C:\Program Files\Internet Explorer\LSASS.EXE
[DLL injection]
C:\Program Files\Internet Explorer\SVCHOST.EXE (注入 svchost.exe 的執行程序)
C:\Program Files\Internet Explorer\WINLOGON.EXE (注入 winlogon.exe 的執行程序)
C:\Program Files\Windows Media Player\svchost.exe (注入 svchost.exe 的執行程序)
C:\WINDOWS\system32\dllf.dll (注入某些執行程序如檔案總管等)
C:\WINDOWS\system32\dllran.dll (注入某些執行程序如檔案總管等)
C:\WINDOWS\system32\msndll.dll (注入某些執行程序如檔案總管等)
C:\WINDOWS\system32\PDLL.dll (注入某些執行程序如檔案總管等)
C:\WINDOWS\system32\qmdll.dll (注入某些執行程序如檔案總管等)
C:\WINDOWS\system32\xgdll.dll (注入某些執行程序如檔案總管等)
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\$$a1C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Ding.com
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\run[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\tt1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\z4[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\qm[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\fg[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\xg[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\mf[1].exe
C:\Program Files\Internet Explorer\9Sy.exe
C:\Program Files\Internet Explorer\LSASS.EXE
C:\Program Files\Internet Explorer\SERVICES.EXE
C:\Program Files\Internet Explorer\SMSS.EXE
C:\Program Files\Internet Explorer\SVCHOST.EXE
C:\Program Files\Internet Explorer\WINLOGON.EXE
C:\Program Files\Microsoft\svhost32.exe
C:\Program Files\svhost32.exe
C:\Program Files\Windows Media Player\svchost.exe
C:\WINDOWS\$hf_mig$\svhost32.exe
C:\WINDOWS\Config\svhost32.exe
C:\WINDOWS\Help\rundll32.exe
C:\WINDOWS\Logo1_.exe
C:\WINDOWS\RichDll.dll
C:\WINDOWS\system32\dllf.dll
C:\WINDOWS\system32\dllran.dll
C:\WINDOWS\system32\msndll.dll
C:\WINDOWS\system32\PDLL.dll
C:\WINDOWS\system32\qmdll.dll
C:\WINDOWS\system32\xgdll.dll
C:\WINDOWS\uninstall\rundl132.exe
C:\_desktop.ini
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=load,Data=C:\WINDOWS\uninstall\rundl132.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=qm,Data=C:\Program Files\Microsoft\svhost32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=fzg,Data=C:\WINDOWS\Config\svhost32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=xg,Data=C:\Program Files\svhost32.exe
到目前為止,下面的防毒軟體可以偵測到這些惡意檔案:
svhost32.exe:
[ Trend ], "PE_LOOKED.SI"
svhost32.exe:
[ Trend ], "PE_LOOKED.SI"
tt1[1].exe:
[ Trend ], "TSPY_LINEAGE.EKJ"
xg[1].exe:
[ Trend ], "TSPY_LINEAGE.DNH"
xgdll.dll:
[ Trend ], "TSPY_LINEAGE.ELM"
z4[1].exe:
[ Trend ], "PE_LOOKED.SI-O"
Ding.com:
[ Trend ], "PE_LOOKED.SI-O"
Logo1_.exe:
[ Trend ], "PE_LOOKED.SI-O"
msndll.dll:
[ Trend ], "TSPY_LINEAGE.EHS"
rundl132.exe:
[ Trend ], "PE_LOOKED.SI-O"
SMSS.exe:
[ Trend ], "TSPY_LINEAGE.EKJ"
svchost.exe:
[ Trend ], "TSPY_LINEAGE.EKJ"
svhost32.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
WINLOGON.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
9Sy.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
dllf.dll:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ McAfee ], "New Malware.w !!"
[ Nod32 ], "Win32/PSW.Lineage.NDI trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
dllran.dll:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
fg[1].exe:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Nod32 ], "Win32/PSW.Lineage.NDI trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
[ Grisoft ], "Trojan horse Generic3.VZ"
LSASS.exe:
[ Kaspersky ], "PAK:PE_Patch"
[ McAfee ], "New Malware.w !!"
[ Panda ], "Trj/Lineage.CFA"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Grisoft ], "Trojan horse PSW.Generic3.DQP"
mf[1].exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
PDLL.dll:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ McAfee ], "PWS-Gamania.dll"
[ Nod32 ], "Win32/PSW.Lineage.DN trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
qm[1].exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
qmdll.dll:
[ Alpha_Gen ], "Possible_Infostl"
[ Beta_Gen ], "Possible_Infostl"
[ McAfee ], "PWS-Lineage.dll"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
RichDll.dll:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Kaspersky ], "Worm.Win32.Viking.gb"
[ McAfee ], "New Malware.w !!"
[ Panda ], "W32/Viking.GZ.drp"
[ Nod32 ], "Win32/Viking.CN virus"
[ Fortinet ], "W32/Viking.GB"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
[ Grisoft ], "Virus identified Worm/Delf.ARI"
run[1].exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
rundll32.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
SERVICES.exe:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Nod32 ], "Win32/PSW.Lineage.NDI trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
[ Grisoft ], "Trojan horse Generic3.VZ"
SVCHOST.exe:
[ Alpha_Gen ], "Possible_MLWR.01"
[ Beta_Gen ], "Possible_MLWR-1"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
svhost32.exe:
[ Alpha_Gen ], "PAK_LookWow"
[ Beta_Gen ], "Possible_MLWR-3"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Nod32 ], "Win32/PSW.Lineage.NDI trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
[ Grisoft ], "Trojan horse Generic3.VZ"
