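Malicious code has been planted in the web pages of the 中國E網 site, so please be careful.
The malicious link is placed in the menu.js file:
After decoding, it is hxxp://www.cf9388.com/enlish/map.htm
The malicious code is:
Once executed, it shows the following behavior: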
[Added process]
C:\Documents and Settings\Administrator\Local Settings\Temp\SVCHOST.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\SVCH0ST.exe
[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\SVCHOST.EXE (injected into certain running processes such as svchost.exe)
[Added service]
NAME: microsoft basicnet service
DISPLAY: microsoft network service
FILE: C:\WINDOWS\msnet.exe
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\g0ld.com
C:\Documents and Settings\Administrator\Local Settings\Temp\SVCH0ST.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\SVCHOST.EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\a[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\network[2].exe
C:\SVCHOST.exe
C:\WINDOWS\msnet.exe
[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run||Value=system||Data=c:\SVCHOST.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run||Value=system||Data=c:\SVCHOST.exe
Note that the following antivirus products can detect these malicious files:
msnet.exe:
[ Trend ], "BKDR_HUPIGON.UH"
SVCH0ST.exe:
[ Kaspersky ], "PAK:FSG"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk Suspicious_F.gen"
[ Rising ], "[>>FSG2.0]:Trojan.DL.Agent.cjq"
- Jan 05 Fri 2007 08:22
Malicious code planted in the 中國E網 web pages!