A phishing site imitating the Mall shopping portal has appeared (hxxp://www.2uo.com.tw; it is surely not the real thing!). It looks almost identical to the original site (hxxp://www.mall.com.tw), and its pages carry malicious links, so please do not try them. The malware steals data, logs keystrokes, and exhibits rootkit behaviour, hiding certain processes. This article is related to "So-net personal web pages injected with malicious code!", because the malicious link on this page points to a page hosted on So-net. Please avoid browsing this site for the time being; once we have confirmed that it has been cleaned up, we will update this post. (Credit: 小蟲 of X-Solve)
**Please help notify them, thank you**
The original site:
The phishing site (a copy of the Mall shopping portal):
The malicious link placed on the home page:
Part of the malicious code:
After execution it behaves as follows (rootkit behaviour: it hides certain processes):
```text
[Hidden process]
c:\windows\system32\notepad.exe (many hidden notepad instances are opened)
c:\program files\internet explorer\iexplore.exe (many hidden IE instances are opened)
C:\WINDOWS\svclove\svclove.exe
c:\windows\system32\taskmgr.exe
c:\windows\system32\cmd.exe (many hidden cmd instances are opened)
[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe (injected into svchost.exe)
C:\WINDOWS\svclove\svclovehk.dll (injected into certain processes such as Explorer)
[Added service]
NAME: Sortable Sedi Merial Sumber Nervice
DISPLAY: sknetsvcs
FILE: C:\WINDOWS\system32\drivers\snporit.exe
[Added file]
C:\Documents and Settings\1.exe
C:\Documents and Settings\1.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\6[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\3[1].exe
C:\Documents and Settings\Search.ini
C:\Program Files\Common Files\System\IDrivers.pif
C:\Program Files\Common Files\System\temp[1].exe
C:\Program Files\Common Files\System\temp[2].exe
C:\Program Files\Common Files\System\temp[3].exe
C:\WINDOWS\svclove\bpk.dat
C:\WINDOWS\svclove\pk.bin
C:\WINDOWS\svclove\svclove.exe
C:\WINDOWS\svclove\svclovehk.dll
C:\WINDOWS\svclove\web.dat
C:\WINDOWS\system32\paramstr.txt
C:\WINDOWS\Temp\~TMP0.EXE
C:\WINDOWS\Temp\~TMP2.EXE
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run||Value=svclove||Data=C:\WINDOWS\svclove\svclove.exe
```
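The indicator list above is enough to build a host-side check. The Python script below is an added example, not code from the original post or from X-Solve: it takes the dropped file names, the `svclove` Run value, the `sknetsvcs` service display name and the `snporit.exe` image path listed above as indicators, matches them against a host inventory, and adds a cross-view comparison for the hidden-process behaviour (a PID present in a low-level process enumeration but missing from the ordinary task-list view is a candidate for rootkit hiding). The inventory data under `SAMPLE_*` is constructed so that the script runs offline; on a real host you would feed it the output of your own file, registry, service and process enumeration tools.

```python
"""IoC matcher for the svclove infection described in this post.

Added example, not code from the original post or from X-Solve. The indicator
values are copied from the post; everything under SAMPLE_* is constructed
inventory data so the script runs offline.
"""
import ntpath
from dataclasses import dataclass, field

# --- Indicators taken from the post ---------------------------------------
# Matched case-insensitively on the base name, because the profile and temp
# directories differ between hosts. svchost.exe and 1.exe are deliberately
# left out: those names are too generic to be useful on their own.
IOC_FILENAMES = {
    "svclove.exe", "svclovehk.dll", "bpk.dat", "pk.bin", "web.dat",
    "paramstr.txt", "idrivers.pif", "snporit.exe", "search.ini",
    "~tmp0.exe", "~tmp2.exe",
}
IOC_DIRNAMES = {r"c:\windows\svclove"}      # anything dropped in this directory
IOC_RUN_VALUES = {"svclove"}                 # value name under HKLM\...\CurrentVersion\Run
IOC_SERVICE_DISPLAY = {"sknetsvcs"}          # DISPLAY name of the added service


@dataclass
class Findings:
    files: list = field(default_factory=list)
    run_keys: list = field(default_factory=list)
    services: list = field(default_factory=list)
    hidden_processes: list = field(default_factory=list)

    def is_infected(self) -> bool:
        return any((self.files, self.run_keys,
                    self.services, self.hidden_processes))


def match_files(paths):
    """Return the paths whose base name or directory is a known indicator."""
    hits = []
    for path in paths:
        low = path.lower()
        if (ntpath.basename(low) in IOC_FILENAMES
                or ntpath.dirname(low) in IOC_DIRNAMES):
            hits.append(path)
    return hits


def match_run_keys(run_values):
    """run_values: {value_name: data} dumped from the Run key."""
    return [(name, data) for name, data in run_values.items()
            if name.lower() in IOC_RUN_VALUES
            or ntpath.basename(data.lower()) in IOC_FILENAMES]


def match_services(services):
    """services: iterable of (display_name, image_path)."""
    return [(disp, image) for disp, image in services
            if disp.lower() in IOC_SERVICE_DISPLAY
            or ntpath.basename(image.lower()) in IOC_FILENAMES]


def find_hidden_processes(user_view, kernel_view):
    """Cross-view check for the rootkit behaviour: a PID present in a low-level
    enumeration but missing from the ordinary API view is a hiding candidate.
    Both views are {pid: image_name}."""
    return sorted((pid, name) for pid, name in kernel_view.items()
                  if pid not in user_view)


def scan(paths, run_values, services, user_view, kernel_view) -> Findings:
    return Findings(
        files=match_files(paths),
        run_keys=match_run_keys(run_values),
        services=match_services(services),
        hidden_processes=find_hidden_processes(user_view, kernel_view),
    )


# --- Constructed sample inventory (not captured from a real host) ---------
SAMPLE_FILES = [
    r"C:\WINDOWS\svclove\svclove.exe",
    r"C:\WINDOWS\system32\paramstr.txt",
    r"C:\Program Files\Common Files\System\IDrivers.pif",
    r"C:\WINDOWS\system32\notepad.exe",                 # legitimate, must not match
]
SAMPLE_RUN = {
    "svclove": r"C:\WINDOWS\svclove\svclove.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",    # legitimate
}
SAMPLE_SERVICES = [
    ("sknetsvcs", r"C:\WINDOWS\system32\drivers\snporit.exe"),
    ("Dhcp", r"C:\WINDOWS\system32\svchost.exe"),       # legitimate
]
SAMPLE_USER_VIEW = {4: "System", 1200: "explorer.exe"}
SAMPLE_KERNEL_VIEW = {4: "System", 1200: "explorer.exe",
                      1532: "svclove.exe", 1640: "cmd.exe"}

if __name__ == "__main__":
    result = scan(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_SERVICES,
                  SAMPLE_USER_VIEW, SAMPLE_KERNEL_VIEW)
    for section, hits in vars(result).items():
        for hit in hits:
            print(f"[{section}] {hit}")
    print("infected" if result.is_infected() else "clean")
```

The file match is done on base names rather than full paths on purpose: the post's own listing shows the same dropper landing under several per-user temp directories, and the generic names (`svchost.exe`, `1.exe`) are excluded because a base-name match on them would fire on every host. The cross-view check is only as good as the low-level enumeration you feed it; the post's hidden `cmd.exe` and `notepad.exe` instances are exactly what such a diff is meant to surface.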
As of now, the following antivirus products detect these malicious files:

| File | Vendor | Detection name |
|---|---|---|
| `2[1].exe` | Trend | TROJ_DROPPER.BZW |
| `temp[2].exe` | Trend | TROJ_DROPPER.BZW |
| `svclove.exe` | Trend | SPYW_PERFLOG.AG |
| `svclovehk.dll` | Trend | SPYW_PERFLOG.AG |
| `temp[3].exe` | Kaspersky | ARC:RarSFX, ARC:[data.rar]:RAR |
| `temp[3].exe` | Fortinet | suspicious |
| `~TMP0.EXE` | Kaspersky | PAK:UPack |
| `~TMP0.EXE` | McAfee | New Malware.n !! |
| `~TMP0.EXE` | Sophos | [FILE:0000]:Mal/Packer, Mal/Behav-058 |
| `~TMP0.EXE` | Nod32 | probably a variant of Win32/Genetik trojan |
| `~TMP0.EXE` | Fortinet | suspicious |
| `~TMP0.EXE` | HBEDV | TR/Delphi.Downloader.Gen |
| `~TMP0.EXE` | Norman | Security Risk W32/Suspicious_U.gen |
| `1[1].exe` | HBEDV | TR/Delphi.Downloader.Gen |
| `1[1].exe` | Ahnlab | infected by Dropper/Xema.335314 |
| `svchost.exe` | HBEDV | TR/Delphi.Downloader.Gen |
| `svchost.exe` | Ahnlab | infected by Dropper/Xema.335314 |
| `temp[1].exe` | HBEDV | TR/Delphi.Downloader.Gen |
| `temp[1].exe` | Ahnlab | infected by Dropper/Xema.335314 |
| `IDrivers.pif` | Symantec | Downloader |
| `IDrivers.pif` | Kaspersky | PAK:PE_Patch, PAK:UPack |
| `IDrivers.pif` | Sophos | Mal/Packer |
| `IDrivers.pif` | Nod32 | probably a variant of Win32/Genetik trojan |
| `IDrivers.pif` | Norman | Security Risk W32/Suspicious_U.gen |
| `3[1].exe` | Kaspersky | ARC:RarSFX, ARC:[data.rar]:RAR |
| `1.html` | McAfee | [000001bf.vbs]:Exploit-MS06-014 |
| `1.html` | Grisoft | Trojan horse Downloader.Small.57.V |
For further information, see also「查天堂,找天堂,讓你電腦上天堂」(roughly: "Search for Lineage, find Lineage, and send your PC to heaven").
- Posted Sun, Feb 04 2007, 07:50
A phishing site imitating the Mall shopping portal has appeared!