惡意程式碼是被放置在 top.asp 檔案中:
而程式碼為:
執行之後,有下列行為:
[DLL Injection]
C:\WINDOWS\Help\A8644260.dll (注入某些執行程序如檔案總管等)
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I69Q72L4\gmsex[1].exe
C:\WINDOWS\Help\A8644260.dll
C:\WINDOWS\Help\A8644260.exe
[Added BHO]
{DD8BC00C-4CB1-43C3-BC48-4FBBB53A2618}-C:\WINDOWS\help\A8644260.dll
注意:大部分防毒軟體都偵測不到,除了下列:
A8644260.dll:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ Nod32 ], "probably a variant of Win32/PSW.Lineage.DN trojan"
[ HBEDV ], "HEUR/Malware"
A8644260.exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ HBEDV ], "HEUR/Malware"
gmsex[1].exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ HBEDV ], "HEUR/Malware"
update.exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact"
[ HBEDV ], "HEUR/Malware"