The 巧軒水草網 website has had malicious code planted on it. I have not yet found which page the malicious code was placed in, but when you connect to their forum a very strange "Help" window pops up, which is the same thing that happens when this malicious code is executed. Maybe it simply could not run on my test machine, but I downloaded it and ran it anyway, and there really is a problem, so please be careful.

Update: the malicious code was placed in the default.asp file (hxxp://www.g-h.idv.tw/web/ghforum/default.asp).

[Image: homepage3.png]

[Image: executed.png]

After execution, the following behaviour is observed:

[DLL Injection]
C:\WINDOWS\KZAEAD.DAT (injected into the browser process)
C:\WINDOWS\XWDVXS.DAT (injected into certain processes such as Explorer)

[Added service]
NAME: Workstation Service
DISPLAY: Workstation Service
FILE: C:\WINDOWS\svchostr.exe (this file could not be found)

[Modified service]
NAME: ALG
DISPLAY: Application Layer Gateway Service
FILE: C:\WINDOWS\System32\alg.exe

NAME: IpNat
DISPLAY: IP Network Address Translator
FILE: System32\DRIVERS\ipnat.sys

NAME: SharedAccess
DISPLAY: Windows Firewall/Internet Connection Sharing (ICS)
FILE: C:\WINDOWS\System32\svchost.exe -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1[1].exe
C:\Temp\xiexie.exe
C:\WINDOWS\KZAEAD.DAT
C:\WINDOWS\svchostr.exe
C:\WINDOWS\system32\PluginENLOG.DLL
C:\WINDOWS\XWDVXS.DAT
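As an added example (not code from the original post), the Python below turns the two indicators listed above into defender-side checks: a service whose binary is a one-character lookalike of a real Windows binary or runs from the wrong directory (svchostr.exe in C:\WINDOWS rather than svchost.exe in System32), and a PE file hiding behind a non-executable extension like the .DAT loaders. The Service records and file headers are constructed to mirror the entries above; the known-binary table is an assumption that covers only the binaries this post mentions.

```python
import ntpath
from dataclasses import dataclass

# Assumed expected directory (lower-case) for the Windows service binaries named in the post.
KNOWN_BINARIES = {"svchost.exe": r"c:\windows\system32", "alg.exe": r"c:\windows\system32"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr"}

@dataclass
class Service:
    name: str
    display: str
    image_path: str  # registry ImagePath value, may carry arguments such as -k netsvcs

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def binary_of(image_path: str) -> str:
    """Strip surrounding quotes and service arguments, keeping only the binary path."""
    p = image_path.strip()
    return p[1:p.index('"', 1)] if p.startswith('"') else p.split()[0]

def service_findings(svc: Service) -> list:
    """Reasons this service resembles the svchostr.exe case above (empty list if none)."""
    directory, base = ntpath.split(binary_of(svc.image_path).lower())
    findings = []
    for known, expected_dir in KNOWN_BINARIES.items():
        if base == known and directory != expected_dir:
            findings.append(f"{known} running from {directory} instead of {expected_dir}")
        elif base != known and edit_distance(base, known) == 1:
            findings.append(f"{base} is a one-character lookalike of {known}")
    return findings

def masquerading_pe(filename: str, header: bytes) -> bool:
    """True when a non-executable extension (e.g. .DAT) hides a PE file ('MZ' stub)."""
    return ntpath.splitext(filename)[1].lower() not in EXECUTABLE_EXTS and header[:2] == b"MZ"

if __name__ == "__main__":
    # Constructed records mirroring the post's [Added service] and [Modified service] entries.
    for s in (Service("Workstation Service", "Workstation Service", r"C:\WINDOWS\svchostr.exe"),
              Service("SharedAccess", "Windows Firewall/ICS", r"C:\WINDOWS\System32\svchost.exe -k netsvcs")):
        print(s.name, service_findings(s))
    print(masquerading_pe(r"C:\WINDOWS\KZAEAD.DAT", b"MZ\x90\x00"))  # True
```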
Note: the anti-virus products listed below detect these malicious files.

xiexie.exe:
[ Trend ], "WORM_DELF.DXF"
KZAEAD.DAT:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, Backdoor.Win32.Hupigon.avh"
[ McAfee ], "BackDoor-AWQ.b"
[ Alwil ], "Win32:Hupigon-GL [Trj]"
[ Nod32 ], "probably a variant of Win32/Hupigon trojan"
[ Fortinet ], "suspicious"
[ Rising ], "[>>PECompact2.x>>PECompact2.x]:Trojan.Spy.Keylogger.acx"
[ Grisoft ], "Trojan horse BackDoor.Generic3.RGV"
XWDVXS.DAT:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, Backdoor.Win32.Hupigon.avg"
[ McAfee ], "BackDoor-AWQ.b"
[ Nod32 ], "Win32/Hupigon trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.jm.1.B"
[ Rising ], "[>>PECompact2.x]:Trojan.Spy.Keylogger.acy"
[ Grisoft ], "Trojan horse BackDoor.Delf.18.AS"
1[1].exe:
[ Kaspersky ], "PAK:PE_Patch.PECompact, PAK:PecBundle, PAK:PECompact, PAK:PEPatch, Backdoor.Win32.Hupigon.gs"
[ McAfee ], "[000c7200.EXE]:BackDoor-AWQ.b, [000b8400.EXE]:BackDoor-AWQ.b"
[ Sophos ], "Troj/GrayBr-Gen"
[ Alwil ], "Win32:Hupigon-BX [Trj]"
[ Nod32 ], "a variant of Win32/Hupigon trojan"
[ Fortinet ], "W32/Hupigon.GS!tr.bdr"
[ HBEDV ], "BDS/Hupigon.GS.268"
[ Norman ], "Trojan W32/Hupigon.THT"
[ Rising ], "[>>PECompact2.x>>PE_PATCH(07)]:Backdoor.Gpigeon.gen"
[ Ewido ], "Backdoor.Hupigon.gs"
[ Grisoft ], "Trojan horse BackDoor.Generic3.RJJ"