
The website of Ligang Elementary School, Pingtung County (屏東縣里港國小) has had a malicious link injected into it. This malware installs a very large number of components on the system, so please do not browse that site for the time being, to avoid getting infected. Once it is confirmed that they have fixed it, this post will be updated (the malware steals account names and passwords). (Thanks to Jimau)

**Please help notify them, thank you**

[Image: lgps_ptc_edu_photo_20070212.png]

The malicious links are placed on the front page of the "My Photo Album" section (there are many of them):

[Image: lgps_ptc_edu_url_20070212.png]

Part of the malicious code is:

[Image: lgps_ptc_edu_code_20070212.png]

After execution, it exhibits the following behaviour:

[Added process]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\伀縐勘.EXE
C:\WINDOWS\svch0st.exe
C:\Documents and Settings\Temp.exe
C:\WINDOWS\system32\bot7.exe
c:\bot2.exe

[DLL injection]
C:\WINDOWS\system32\Kav26.dll (injected into certain running processes, such as Windows Explorer)

[Added service]
NAME: qrffsdfsdf
DISPLAY: qrffsdfsdf
FILE: C:\WINDOWS\Hacker.com.cn.ini

NAME: svcname
DISPLAY: 督昢靡
FILE: C:\WINDOWS\system32\bot7.exe

[Added file]

C:\bot2.exe
C:\bot5.exe
C:\bot6.exe
C:\bot7.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\bt5400.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\haotian.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Server.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\伀縐勘.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\yt.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\6[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\mimi[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\yg[1].vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\admin_book[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\network[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\恀毞2堎5蔬綬惘鎮[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1[2].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\4[1].exe
C:\Documents and Settings\Temp.exe
C:\WINDOWS\Hacker.com.cn.ini
C:\WINDOWS\svch0st.exe
C:\WINDOWS\system32\bot7.exe
C:\WINDOWS\system32\ctfnom.exe
C:\WINDOWS\system32\drivers\usbue.sys
C:\WINDOWS\system32\Kav26.dll
C:\WINDOWS\yg.exe

[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,
Value=z7d10vf8dyg8m8q,Data=C:\WINDOWS\svch0st.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=MYIE2,Data=c:\bot2.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,
Value=wextract_cleanup0,Data=rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\"

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run,
Value=z7d10vf8dyg8m8q,Data=C:\WINDOWS\svch0st.exe

So far, the following antivirus products detect these malicious files:

1[1].exe:
[ Trend ], "TROJ_Generic"
bot7.exe:
[ Trend ], "TROJ_PANDDOS.B"
bot7.exe:
[ Trend ], "TROJ_PANDDOS.B"
ctfnom.exe:
[ Trend ], "TROJ_Generic"
mimi[1].exe:
[ Trend ], "TROJ_PANDDOS.B"
usbue.sys:
[ Trend ], "TROJ_SMALL.DQM"
1[2].exe:
[ Symantec ], "Backdoor.Hupigeon"
[ Kaspersky ], "PAK:Expressor, Backdoor.Win32.Hupigon.drc"
[ McAfee ], "BackDoor-ARR"
[ Sophos ], "Troj/GrayBr-Gen"
[ Panda ], "Suspicious file"
[ Nod32 ], "a variant of Win32/Hupigon trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
[ Rising ], "[>>eXPressor1.2]:Backdoor.Gpigeon.gen"
[ Ewido ], "Backdoor.Hupigon.128"
[ Ahnlab ], "infected by Win-Trojan/Hupigon.353148.B"
[ Grisoft ], "Trojan horse BackDoor.Generic3.TEB"
2[1].exe:
[ Kaspersky ], "PAK:NSPack, PAK:PE_Patch.MaskPE, Backdoor.Win32.Hupigon.dzq"
[ McAfee ], "New Malware.u !!"
[ Sophos ], "Troj/GrayBr-Gen"
[ Nod32 ], "a variant of Win32/Hupigon trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
[ Norman ], "Trojan W32/Klone.J"
2[1].exe:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.Delf.ub"
[ McAfee ], "Generic Downloader.y"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "a variant of Win32/PSW.Delf.NEV trojan"
[ Fortinet ], "Dloader.Y!tr"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "Trojan W32/DLoader.BYPF"
[ Ewido ], "Downloader.Murlo.ez"
[ Grisoft ], "Trojan horse Downloader.Generic3.NVY"
4[1].exe:
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "Trojan-PSW.Win32.Nilage.bft"
[ Fortinet ], "W32/Nilage.BFT!tr.pws"
[ HBEDV ], "TR/PSW.Nilage.bft.29"
[ Ewido ], "Trojan.Nilage.bft"
[ Grisoft ], "Trojan horse PSW.Generic3.DRT"
6[1].exe:
[ Fortinet ], "PossibleThreat!022954"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Grisoft ], "Trojan horse PSW.Generic3.DUB"
admin_book[1].exe:
[ Kaspersky ], "ARC:DotFix NiceProtect, ARC:[data0000.cab]:CAB, ARC:[data0000.cab/?.EXE]:QuickBatch, PAK:[data0000.cab/Server.exe]:NSPack, PAK:[data0000.cab/Server.exe]:ASPack, PAK:[data0000.cab/Server.exe]:PE_Patch.UPX, PAK:[data0000.cab/Server.exe]:UPX, [data0000.cab/Server.exe]:unknown format."
[ Sophos ], "[SfxArchiveData\Server.exe]:Troj/GrayBr-Gen"
[ Fortinet ], "BDoor.AWQ!tr.bdr"
[ Ewido ], "[/Server.exe]:Backdoor.Hupigon.awp, [/Server.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\Server.exe]:Trojan horse BackDoor.Generic4.PQO, Trojan horse BackDoor.Generic4.PQO"
bot2.exe:
[ Symantec ], "Infostealer.Gampass"
[ McAfee ], "Generic Downloader.y"
[ Sophos ], "Mal/Packer"
[ Nod32 ], "a variant of Win32/PSW.Delf.NEV trojan"
[ Fortinet ], "Dloader.Y!tr"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "Trojan W32/DLoader.BYPF"
[ Ewido ], "Downloader.Murlo.ez"
[ Grisoft ], "Trojan horse Downloader.Generic3.NVY"
bot5.exe:
[ Fortinet ], "PossibleThreat!022954"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Grisoft ], "Trojan horse PSW.Generic3.DUB"
bot6.exe:
[ Fortinet ], "PossibleThreat!022965"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
filename_change1.exe:
[ Fortinet ], "PossibleThreat!022965"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
Kav26.dll:
[ Symantec ], "Infostealer.Gampass"
[ McAfee ], "PWS-Zhengtu"
[ Fortinet ], "W32/Nilage.BFT!tr.pws"
[ HBEDV ], "TR/Dldr.Agent.OL.1"
[ Ewido ], "Trojan.Nilage.bft"
[ Grisoft ], "Trojan horse PSW.Generic3.CJH"
network[1].exe:
[ Microsoft ], "[->(UPX)]:TrojanDropper:Win32/Small.gen"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Downloader"
[ Grisoft ], "Trojan horse Generic3.OA"
Server.exe:
[ Symantec ], "Backdoor.Graybird"
[ McAfee ], "BackDoor-AWQ"
[ Sophos ], "Troj/GrayBr-Gen"
[ Alwil ], "Win32:Hupigon-OH [Trj]"
[ Nod32 ], "a variant of Win32/Hupigon trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
[ Ewido ], "Backdoor.Hupigon.awp"
[ Grisoft ], "Trojan horse BackDoor.Generic4.PQO"
Temp.exe:
[ Sophos ], "[SfxArchiveData\Server.exe]:Troj/GrayBr-Gen"
[ Fortinet ], "BDoor.AWQ!tr.bdr"
[ Ewido ], "[/Server.exe]:Backdoor.Hupigon.awp, [/Server.exe]:Backdoor.Hupigon.awp"
[ Grisoft ], "[\Server.exe]:Trojan horse BackDoor.Generic4.PQO, Trojan horse BackDoor.Generic4.PQO"
yg.exe:
[ Microsoft ], "[->(UPX)]:TrojanDropper:Win32/Small.gen"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
[ Norman ], "[Heuristic Sandbox detection]:Virus W32/Downloader"
[ Grisoft ], "Trojan horse Generic3.OA"