A malicious link has been injected into the HyTV 電視王 website; it appears to be the Panda Burning Incense (熊貓燒香, Fujacks) virus. After infection, CPU usage stays at 100%, and the files cannot be removed even in Safe Mode. Please be especially careful. (Thanks to MR)
**Please help notify them, thank you**
The malicious link is:
Part of the malicious program is:
After execution, it exhibits the following behaviour:
[Added process]
C:\WINDOWS\system32\drivers\nvscv32.exe
C:\WINDOWS\iexpl0re.exe
C:\WINDOWS\iexp1ore.exe
[Deleted process]
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\msiexec.exe
[DLL injection]
C:\WINDOWS\system32\drivers\clipsrv.dll (injected into Explorer)
C:\WINDOWS\system32\LgSyzr.dll (injected into several running processes, such as Explorer)
C:\WINDOWS\system32\windhcp.ocx (注入檔案總管)
[Added service]
NAME: WinDHCPsvc
DISPLAY: Windows DHCP Service
FILE: C:\WINDOWS\system32\rundll32.exe windhcp.ocx,input
[Modified service]
NAME: ALG
DISPLAY: Application Layer Gateway Service
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\alg.exe
NAME: ClipSrv
DISPLAY: ClipBook
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\system32\drivers\clipsrv.exe
NAME: IpNat
DISPLAY: IP Network Address Translator
STATUS: SERVICE_STOPPED
FILE: System32\DRIVERS\ipnat.sys
NAME: MSIServer
DISPLAY: Windows Installer
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\msiexec.exe /V
NAME: Schedule
DISPLAY: Task Scheduler
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\svchost.exe -k netsvcs
NAME: SharedAccess
DISPLAY: Windows Firewall/Internet Connection Sharing (ICS)
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\svchost.exe -k netsvcs
[Deleted service]
NAME: wscsvc
DISPLAY: Security Center
FILE: C:\WINDOWS\System32\svchost.exe -k netsvcs
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\ProcessExplorerNt\Desktop_.ini
C:\Program Files\Desktop_.ini
C:\Program Files\MSN Gaming Zone\Desktop_.ini
C:\Program Files\Online Services\Desktop_.ini
C:\Program Files\Uninstall Information\Desktop_.ini
C:\Program Files\xerox\Desktop_.ini
C:\Program Files\xerox\nwwia\Desktop_.ini
C:\WINDOWS\cs.exe
C:\WINDOWS\ie.exe
C:\WINDOWS\iexp1ore.exe
C:\WINDOWS\iexpl0re.exe
C:\WINDOWS\my.exe
C:\WINDOWS\system32\drivers\clipsrv.dll
C:\WINDOWS\system32\drivers\clipsrv.exe
C:\WINDOWS\system32\drivers\nvscv32.exe
C:\WINDOWS\system32\drivers\usbme.sys
C:\WINDOWS\system32\LgSym.dll
C:\WINDOWS\system32\LgSyzr.dll
C:\WINDOWS\system32\twunk32.exe
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\wl.exe
C:\WINDOWS\wm.exe
C:\WINDOWS\zt.exe
[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run||Value=nvscv32||Data=C:\WINDOWS\system32\drivers\nvscv32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run||Value=rb7bmm9||Data=C:\WINDOWS\iexpl0re.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run||Value=3m0qi9w9||Data=C:\WINDOWS\iexp1ore.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run||Value=nvscv32||Data=C:\WINDOWS\system32\drivers\nvscv32.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run||Value=rb7bmm9||Data=C:\WINDOWS\iexpl0re.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run||Value=3m0qi9w9||Data=C:\WINDOWS\iexp1ore.exe
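As an added example that is not part of the original post, the following PowerShell script audits a Windows host for the persistence indicators the report above lists: the Run-key value names, the dropped files, the Desktop_.ini markers under Program Files, the WinDHCPsvc service and its rundll32 host process, and the security services the sample stops or deletes. It only reports findings and removes nothing. It assumes the dropped files live under %SystemRoot% exactly as shown in the report, and it checks only the current user's HKCU Run key rather than every loaded user hive (the report shows the same values under the Administrator SID in HKU):

```powershell
# Added example, not from the original post. Indicator values below are
# copied from the behaviour report; this script reports and does not clean.

$runValues = @('nvscv32', 'rb7bmm9', '3m0qi9w9')        # Run-key value names from the report
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$droppedFiles = @(                                        # paths as listed under [Added file]
  "$env:SystemRoot\system32\drivers\nvscv32.exe",
  "$env:SystemRoot\iexpl0re.exe",
  "$env:SystemRoot\iexp1ore.exe",
  "$env:SystemRoot\system32\windhcp.ocx",
  "$env:SystemRoot\system32\LgSyzr.dll",
  "$env:SystemRoot\system32\LgSym.dll",
  "$env:SystemRoot\system32\drivers\clipsrv.dll",
  "$env:SystemRoot\system32\drivers\clipsrv.exe",
  "$env:SystemRoot\system32\drivers\usbme.sys"
)

# Services the report shows as deleted (wscsvc) or stopped (Windows Firewall,
# Task Scheduler). These normally run on XP SP2, so an absent or stopped state
# is a weak signal on its own but a strong one next to the other indicators.
$expectedRunning = @('wscsvc', 'SharedAccess', 'Schedule')

$findings = @()

# 1. Run-key persistence (HKCU only; repeat per loaded hive under HKU: for a full sweep)
foreach ($v in $runValues) {
  $hit = Get-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue
  if ($hit) { $findings += "Run value '$v' in $runKey -> $($hit.$v)" }
}

# 2. Dropped executables and DLLs
foreach ($f in $droppedFiles) {
  if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 3. Desktop_.ini markers (note the underscore; legitimate desktop.ini has none)
Get-ChildItem -Path $env:ProgramFiles -Filter 'Desktop_.ini' -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object { $findings += "Infection marker: $($_.FullName)" }

# 4. The added service and its rundll32 host (windhcp.ocx,input)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDHCPsvc'
if (Test-Path $svcKey) {
  $img = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
  $findings += "Service WinDHCPsvc registered, ImagePath: $img"
}
Get-WmiObject -Class Win32_Process -Filter "Name='rundll32.exe'" |
  Where-Object { $_.CommandLine -match 'windhcp\.ocx' } |
  ForEach-Object { $findings += "rundll32 hosting windhcp.ocx (PID $($_.ProcessId)): $($_.CommandLine)" }

# 5. Security services the sample stops or deletes
foreach ($name in $expectedRunning) {
  $s = Get-Service -Name $name -ErrorAction SilentlyContinue
  if (-not $s) { $findings += "Service $name is not registered (report lists wscsvc as deleted)" }
  elseif ($s.Status -ne 'Running') { $findings += "Service $name is $($s.Status)" }
}

if ($findings.Count -eq 0) { 'No indicators from the report were found.' }
else { $findings }
```

Run it from an elevated prompt so the service registry keys and Program Files tree are readable. Because the report says the sample kills processes and injects Explorer, treat a hit on any one indicator as reason to take the host offline and rebuild rather than to clean in place.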
So far, the following antivirus products detect these malicious files:
ie.exe:
[ Trend ], "TSPY_AGENT.JCJ"
iexp1ore.exe:
[ Trend ], "TSPY_LINEAGE.HAZ"
nvscv32.exe:
[ Trend ], "PE_FUJACKS.CA-O"
svchost.exe:
[ Trend ], "PE_FUJACKS.CA-O"
windhcp.ocx:
[ Trend ], "TROJ_AGENT.KFD"
wl.exe:
[ Trend ], "TSPY_LINEAGE.DRA"
clipsrv.exe:
[ Trend ], "TSPY_AGENT.JCJ"
cs.exe:
[ Trend ], "TSPY_LINEAGE.DRU"
worm.exe:
[ Trend ], "PE_FUJACKS.CA-O"
iexpl0re.exe:
[ Symantec ], "Bloodhound.NsAnti"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
LgSym.dll:
[ Symantec ], "Bloodhound.NsAnti"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "a variant of Win32/PSW.Agent.NBX trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
LgSyzr.dll:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:UPX"
[ Nod32 ], "probably a variant of Win32/PSW.Agent.NBX trojan"
[ HBEDV ], "TR/Dldr.Agent.OL.1"
my.exe:
[ Kaspersky ], "PAK:UPX"
[ McAfee ], "[GenUnp\0003a6c8.EXE]:Downloader-BAF.dll, [GenUnp\0002e0c8.EXE]:Downloader-BAF"
[ Nod32 ], "[UPX v12_m2]:unpack error"
[ HBEDV ], "HEUR/Crypted"
wm.exe:
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
zt.exe:
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"