OKWAP 英華達網站被植入惡意連結,目前尚不知此惡意程式的名稱,稍後會更新資訊,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個 網站,以免中毒,等確認他們已經修復後,會在此更新訊息。另外,此惡意程式也有使用微軟所公佈 ANI 的安全漏洞 (Vulnerability in Windows Animated Cursor Handling)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝

請按我..繼續閱讀全文....

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
**高度危險網站:常常被植入惡意連結,列入網站黑名單,不建議瀏覽此網站**
台灣電子地圖服務網網站又被植入惡意連結,大部分的防毒軟體認不出此惡意程式,最近有瀏覽這個網頁的網友 (請各位使用其他的電子地圖,如果各位還是使用此電子地圖,那就是自尋死路),應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝

請按我..繼續閱讀全文....

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
永達技術學院網站被植入惡意連結,此惡意程式為 GrayBird 和 Lineage 的變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。(感謝網友通知)

請按我..繼續閱讀全文....

rogerspeaking 發表在 痞客邦 留言(3) 人氣()

▲top
從今天起,各位可以使用 www.rogerspeaking.com 連至大砲開講,這是大砲開講新的網址,舊的網址 (rogerspeaking.blogspot.com) 依然可以繼續使用,感謝各位的支持與愛護。

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
**高度危險網站:常常被植入惡意連結,列入網站黑名單,不建議瀏覽此網站**
財 團法人證券投資人及期貨交易人保護中心網站又植入惡意連結,此惡意程式可能為 Lineage 的變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。另外,此惡意程式是利用微軟所公佈ANI 的安全漏洞 (Vulnerability in Windows Animated Cursor Handling) (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。

請按我..繼續閱讀全文....

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
中華人事主管協會被植入惡意連結,此惡意程式為 Lineage 的變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。

請按我..繼續閱讀全文....

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
1111 創業加盟網被植入惡意連結,此惡意程式為 Lineage 的變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。

請按我..繼續閱讀全文....

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
**高度危險網站:常常被植入惡意連結,列入網站黑名單,不建議瀏覽此網站**
台灣電子地圖服務網網站又被植入惡意連結,此惡意程式為 Lineage 的變種,最近有瀏覽這個網頁的網友 (請各位使用其他的電子地圖,如果各位還是使用此電子地圖,那就是自尋死路),應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。




惡意連結是放置在首頁 (可能要仔細檢查一下囉) 中的:



惡意程式碼的一部份為:



當執行此惡意程式之後,會產生應用程式錯誤的訊息:



執行之後,有下面的行為 (會造成網路中斷,無法連上網):

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\test[1].js
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/5/2 @ 20:00),下面的防毒軟體可以偵測到這些惡意檔案:

od2media.dll:
[ Trend ], "TSPY_ONLINEG.BHX"
update[1].exe:
[ Trend ], "TROJ_NSANTI.CE"
avp.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Beta_Gen ], "Possible_MLWR-1"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "Virus:Win32/Detnat.F"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.kw"
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Trj/Lineage.DJC"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Norman ], "Trojan W32/OnLineGames.EAT"
[ Ewido ], "Trojan.OnLineGames.kw"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
test[1].js:
[ HBEDV ], "JS/Dldr.Ani.A"

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
亞太固網寬頻網站被植入惡意連結,此惡意程式為 Lineage 的變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。另外,也利用了 ANI 的安全漏洞。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。(Credit: Wang)




惡意連結是放置在首頁 (可能要仔細檢查一下囉) 中的:



惡意程式碼的一部份為:



執行之後,有下面的行為 (似乎會造成網路中斷):

[Added process]
C:\WINDOWS\avp.exe

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\9197p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\test[1].js
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/5/2 @ 20:00),下面的防毒軟體可以偵測到這些惡意檔案 (除了 ANI 檔案外):

od2media.dll:
[ Trend ], "TSPY_ONLINEG.BHX"
update[1].exe:
[ Trend ], "TROJ_NSANTI.CE"
avp.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Beta_Gen ], "Possible_MLWR-1"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "Virus:Win32/Detnat.F"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.kw"
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Trj/Lineage.DJC"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Norman ], "Trojan W32/OnLineGames.EAT"
[ Ewido ], "Trojan.OnLineGames.kw"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
test[1].js:
[ HBEDV ], "JS/Dldr.Ani.A"

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
Maxell 網站被植入惡意連結,此惡意程式為 Lineage 的變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。。另外,此惡意程式是利用微軟所公佈ANI 的安全漏洞 (Vulnerability in Windows Animated Cursor Handling) (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。(Credit: 匿名網友和~魂)




惡意連結是放置在首頁 (可能要仔細檢查一下囉) 中的:



惡意程式碼的一部份為:



執行之後,有下面的行為:

[DLL injection]
C:\WINDOWS\Debug\UserMode\2A8967.dll (注入某些執行程序如檔案總管、IE 等)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\714[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\help[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\laog[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\m[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index614[1].htm
C:\WINDOWS\Debug\UserMode\2A8967.dll
C:\WINDOWS\Debug\UserMode\2A8967.exe

[Added COM/BHO]
{BEE22F69-4E86-487E-A02E-19AF9AE6014F}-C:\WINDOWS\debug\userMode\2A8967.dll

到目前為止 (2007/5/4 @ 18:04),下面的防毒軟體可以偵測到這些惡意檔案 (除了 ANI 檔案外):

2A8967.exe:
[ Trend ], "Possible_Infostl"
m[1].exe:
[ Trend ], "Possible_Infostl"
2A8967.dll:
[ Trend ], "Possible_Infostl"
index614[1].htm:
[ McAfee ], "VBS/Psyme"
[ Sophos ], "Mal/Psyme-A"
[ Fortinet ], "VBS/Psyme.CH!tr.dldr"
[ Rising ], "Trojan.DL.VBS.Agent.cgk"

rogerspeaking 發表在 痞客邦 留言(1) 人氣()

▲top
台北市雜誌商業同業公會網站又被植入惡意連結 (很多頁面都有,蠻慘的),此惡意程式為 QQPass 變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦。請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息。另外,此惡意程式是利用微軟所公佈ANI 的安全漏洞 (Vulnerability in Windows Animated Cursor Handling) (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝




惡意連結是放置在首頁及其他頁面 (可能要仔細檢查一下囉) 中的:



惡意程式碼的一部份為:



當執行此惡意程式之後,會產生應用程式錯誤的訊息:



執行之後,有下面的行為:

[Added process]
C:\Documents and Settings\Administrator\Desktop\svchost.exe

[DLL injection]
C:\Documents and Settings\Administrator\Desktop\svchost.exe (注入 svchost.exe 的執行程序)
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll (注入某些執行程序如檔案總管、IE 等)
C:\WINDOWS\system32\mppds.dll (注入某些執行程序如檔案總管、IE 等)
C:\WINDOWS\system32\nwizmhxy.dll (注入檔案總管的執行程序)
C:\WINDOWS\system32\qjsj100.dll (注入檔案總管的執行程序)

[Added file]
C:\Documents and Settings\Administrator\Desktop\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ldup.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\8xz[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\97725[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ok1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ok[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\muxiao2[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\x454[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\0614[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1023960[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\kg[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\xjz2007[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\888[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\9772513[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\xjz2007[1].bmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\xjz2007[1].htm
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll
C:\WINDOWS\mppds.exe
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\nwizmhxy.dll
C:\WINDOWS\system32\nwizmhxy.exe
C:\WINDOWS\system32\nwizqjsj.exe
C:\WINDOWS\system32\qjsj100.dll
C:\WINDOWS\~tmp.tmp

[Added COM/BHO]
{91B1E846-2BEF-4345-8848-7699C7C9935F}-C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=mppds
Data=C:\WINDOWS\mppds.exe

到目前為止 (2007/5/3 @ 17:43),下面的防毒軟體可以偵測到這些惡意檔案 (除了 ANI 檔案外):

SysWFGQQ2.dll:
[ Trend ], "Possible_Infostl"
xjz2007[1].htm:
[ Trend ], "TROJ_DLOADER.JXD"
0614[1].js:
[ Trend ], "JS_PSYME.AMQ"
06014[1].htm:
[ Trend ], "EXPL_AGENT.AADR"
nwizmhxy.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.ql"
[ McAfee ], "Downloader-BCB"
[ Panda ], "Trj/QQPass.AAO"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Trojan W32/OnLineGames.ELY"
nwizmhxy.exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ Sophos ], "Mal/Behav-027"
[ Panda ], "Suspicious file"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
nwizqjsj.exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ Sophos ], "Mal/Behav-027"
[ Panda ], "Suspicious file"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
qjsj100.dll:
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.rc"
[ McAfee ], "Downloader-BCB"
[ Panda ], "Trj/QQPass.AAO"
[ HBEDV ], "HEUR/Malware"
svchost.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Beta_Gen ], "Possible_MLWR-1"
[ Microsoft ], "Virus:Win32/Detnat.F"
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
xjz2007[1].js:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Symantec ], "Trojan Horse"
~tmp.tmp:
[ Alpha_Gen ], "Possible_MLWR-5"
[ McAfee ], "New Malware.bl !!"
[ Sophos ], "Mal/EncPk-F"
[ Nod32 ], "Win32/Pacex.Gen virus"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Drop.Ag.344576.B"
8xz[1].exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Beta_Gen ], "Possible_MLWR-1"
[ Microsoft ], "Virus:Win32/Detnat.F"
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
97725[1].exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ McAfee ], "New Malware.bl !!"
[ Sophos ], "Mal/EncPk-F"
[ Nod32 ], "Win32/Pacex.Gen virus"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Drop.Ag.344576.B"
kg[1].exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Beta_Gen ], "Possible_MLWR-1"
[ Microsoft ], "Virus:Win32/Detnat.F"
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
ldup.bat:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Beta_Gen ], "Possible_MLWR-1"
[ Microsoft ], "Virus:Win32/Detnat.F"
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
mppds.dll:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Symantec ], "Infostealer.Gampass"
[ Sophos ], "Troj/PSW-Gen"
[ Panda ], "Trj/QQPass.AAO"
[ HBEDV ], "HEUR/Malware"
mppds.exe:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Microsoft ], "[->(Upack)]:PWS:Win32/Lmir.gen"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, PAK:PE_Patch"
[ McAfee ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "a variant of Win32/PSW.Agent.NCC trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ewido ], "Trojan.OnLineGames.es"

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
台灣國際青年文化交流協會被植入惡意連結,此惡意程式為 GrayBird 和 Lineage 的變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。(感謝網友通知)




惡意連結是放置在首頁 (可能要仔細檢查一下囉) 中的:



惡意程式碼的一部份為:



執行之後,有下面的行為:

[Hidden process]
C:\Program Files\Internet Explorer\iexplore.exe (鎖住 C:\WINDOWS\Hacker.com.cn.exe)

[Added process]
C:\WINDOWS\avp.exe

[DLL injection]
C:\WINDOWS\system32\tf2sound.dll (注入某些執行程序如檔案總管、IE等)

[Added service]
NAME: GrayPigeon_Hacker.com.cn
DISPLAY: GrayPigeon_Hacker.com.cn
FILE: C:\WINDOWS\Hacker.com.cn.exe

NAME: SVKP
DISPLAY: SVKP
FILE: \??\C:\WINDOWS\system32\SVKP.sys

NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys


[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\hello[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\hker[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\moon[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\server1[1].exe
C:\WINDOWS\avp.exe
C:\WINDOWS\Hacker.com.cn.exe
C:\WINDOWS\system32\SVKP.sys
C:\WINDOWS\system32\tf2sound.dll

到目前為止 (2007/5/3 @ 19:00),下面的防毒軟體可以偵測到這些惡意檔案 (除了 ANI 檔案外):

12[1].exe:
[ Microsoft ], "[->(Upack)]:TrojanSpy:Win32/Maran.gen!A"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ Sophos ], "Troj/Maran-Gen"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Drop.Maran.C.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ewido ], "Trojan.Pakes"
[ Trend ], "TROJ_MARAN.IY"
Hacker.com.cn.exe:
[ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A"
[ Kaspersky ], "PAK:SVKP, Backdoor.Win32.Hupigon.eko"
[ McAfee ], "BackDoor-ARR"
[ Sophos ], "Mal/GrayBird"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
[ Norman ], "Backdoor W32/Smalldoor.ANNN"
[ Trend ], "BKDR_HUPIGON.DTP"
hker[1].htm:
[ Sophos ], "Mal/Psyme-A"
[ Fortinet ], "VBS/Small.CT!tr.dldr"
[ HBEDV ], "VBS/Dldr.Agent.6171"
[ Ewido ], "Downloader.Small.dk"
[ Trend ], "TROJ_DLOADER.KKD"
server1[1].exe:
[ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A"
[ Kaspersky ], "PAK:SVKP, Backdoor.Win32.Hupigon.eko"
[ McAfee ], "BackDoor-ARR"
[ Sophos ], "Mal/GrayBird"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
[ Norman ], "Backdoor W32/Smalldoor.ANNN"
[ Trend ], "BKDR_HUPIGON.DTP"
SVKP.sys:
[ Fortinet ], "SPY/Joiner"
avp.exe:
[ Symantec ], "Infostealer.Gampass"
[ Alwil ], "Win32:Lineage-320 [Trj]"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ HBEDV ], "TR/Drop.Maran.C.2"
[ Ewido ], "Trojan.Lineage.ajf"
hello[1].htm:
[ Sophos ], "Mal/Psyme-A"
[ Fortinet ], "VBS/Small.CT!tr.dldr"
[ HBEDV ], "VBS/Dldr.Agent.6171"
[ Ewido ], "Downloader.Small.dk"
tf2sound.dll:
[ Symantec ], "Infostealer.Lineage"
[ Alwil ], "Win32:Maran-D [Trj]"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ HBEDV ], "TR/Drop.Maran.C.3"

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
彰化縣政府旅遊資訊網網站被植入惡意連結,此惡意程式為 Lineage 的變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。另外,也利用了 ANI 的安全漏洞。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。(Credit: Jimau)




惡意連結是放置在首頁 (可能要仔細檢查一下囉) 中的:



惡意程式碼的一部份為:



執行之後,有下面的行為 (似乎會造成網路中斷):

[Added process]
C:\WINDOWS\avp.exe

[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe

NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\9197p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\test[1].js
C:\WINDOWS\avp.exe
C:\WINDOWS\system32\od2media.dll

[Added LSP]
ID: 1012
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

ID: 1013
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll)

到目前為止 (2007/5/2 @ 20:00),下面的防毒軟體可以偵測到這些惡意檔案 (除了 ANI 檔案外):

od2media.dll:
[ Trend ], "TSPY_ONLINEG.BHX"
update[1].exe:
[ Trend ], "TROJ_NSANTI.CE"
avp.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Beta_Gen ], "Possible_MLWR-1"
[ Symantec ], "Infostealer.Gampass"
[ Microsoft ], "Virus:Win32/Detnat.F"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.kw"
[ McAfee ], "New Malware.w !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Trj/Lineage.DJC"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSAnti.Gen"
[ Norman ], "Trojan W32/OnLineGames.EAT"
[ Ewido ], "Trojan.OnLineGames.kw"
[ Ahnlab ], "infected by Win32/NSAnti.suspicious"
test[1].js:
[ HBEDV ], "JS/Dldr.Ani.A"

rogerspeaking 發表在 痞客邦 留言(2) 人氣()

▲top
理想旅遊網站被植入惡意連結,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦,請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息。對此有興趣的網友,可以在 VMWare 上測試一下,然後,回報修復的情形,而且,幫忙通知他們,謝謝。(Credit: Jimau)




惡意連結是放置在首頁 (可能要仔細檢查一下囉) 中的:



惡意程式碼的一部份為:



當執行此惡意程式之後,會產生應用程式錯誤的訊息:



執行之後,有下面的行為:

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\music[1].png
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\music[1].htm
C:\WINDOWS\Help\69GH0BNS.dll
C:\WINDOWS\Help\69GH0BNS.exe

[ Added COM/BHO ]
{79921D3F-7537-463E-9E38-CD503A8FA485}-C:\WINDOWS\help\69GH0BNS.dll

到目前為止 (2007/5/2 @ 16:11),下面的防毒軟體可以偵測到這些惡意檔案:

69GH0BNS.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Trend ], "TROJ_NSPM.TM"
69GH0BNS.dll:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
music.png:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Sophos ], "Mal/EncPk-F"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Trend ], "TROJ_NSPM.TM"

rogerspeaking 發表在 痞客邦 留言(0) 人氣()

▲top
藍色小舖網站被植入惡意檔案,此惡意程式可能為 Downloader 的變種,雖然,目前沒有發現他們的網站被植入惡意連結,不過,儲存在他們的伺服器上的惡意檔案已經被當成跳板,已知的案件有「世新廣播電台網站被值入惡意連結」。另外,希望他們的網管好好檢查系統或軟體是不是有安全漏洞,否則,怎麼可能被植入惡意檔案呢?

藍色小舖網站首頁:



藍色小舖加值會員 ASP 網頁空間首頁:



此惡意檔案是放置在:

rogerspeaking 發表在 痞客邦 留言(2) 人氣()

▲top
«1...567 89...32