惡意連結是放置在首頁 (可能要仔細檢查一下囉) 中的:
惡意程式碼的一部份為:
執行之後,有下面的行為:
[Hidden process]
C:\Program Files\Internet Explorer\iexplore.exe (鎖住 C:\WINDOWS\Hacker.com.cn.exe)
[Added service]
NAME: GrayPigeon_Hacker.com.cn
DISPLAY: GrayPigeon_Hacker.com.cn
FILE: C:\WINDOWS\Hacker.com.cn.exe
NAME: SVKP
DISPLAY: SVKP
FILE: \??\C:\WINDOWS\system32\SVKP.sys
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\server1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\an[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\hker[1].htm
C:\WINDOWS\Hacker.com.cn.exe
C:\WINDOWS\system32\SVKP.sys
到目前為止 (2007/5/2 @ 10:45),下面的防毒軟體可以偵測到這些惡意檔案 (除了 ANI 檔案外):
12[1].exe:
[ Microsoft ], "[->(Upack)]:TrojanSpy:Win32/Maran.gen!A"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ Sophos ], "Troj/Maran-Gen"
[ Nod32 ], "a variant of Win32/PSW.Maran trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Drop.Maran.C.2"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
[ Ewido ], "Trojan.Pakes"
Hacker.com.cn.exe:
[ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A"
[ Kaspersky ], "PAK:SVKP, Backdoor.Win32.Hupigon.eko"
[ McAfee ], "BackDoor-ARR"
[ Sophos ], "Mal/GrayBird"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
[ Norman ], "Backdoor W32/Smalldoor.ANNN"
hker[1].htm:
[ Sophos ], "Mal/Psyme-A"
[ Fortinet ], "VBS/Small.CT!tr.dldr"
[ HBEDV ], "VBS/Dldr.Agent.6171"
[ Ewido ], "Downloader.Small.dk"
server1[1].exe:
[ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A"
[ Kaspersky ], "PAK:SVKP, Backdoor.Win32.Hupigon.eko"
[ McAfee ], "BackDoor-ARR"
[ Sophos ], "Mal/GrayBird"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
[ Norman ], "Backdoor W32/Smalldoor.ANNN"
SVKP.sys:
[ Fortinet ], "SPY/Joiner"