close
更新資訊:已修復 (2007/4/10 @ 10:03)
**高度危險網站:常常被植入惡意連結,列入網站黑名單,不建議瀏覽此網站**台灣 Nikon 網站又被植入惡意連結,此惡意程式為 Lineage 和 灰鴿子變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦。請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式會偷帳號與密碼)。另外,其中某些惡意檔案是利用微軟的安全漏洞 (Vulnerability in Windows Animated Cursor Handling)(此為零時差攻擊)。
**請幫忙通知他們,謝謝**
惡意連結是放置在首頁中的:
惡意程式碼的一部分為:
執行之後,有下面的行為:
[DLL injection]
C:\WINDOWS\Debug\UserMode\08835B.dll (注入某些執行程序如檔案總管、IE等)
[Added service]
NAME: winsedx.com.cn
DISPLAY: winsedx.com.cn
FILE: C:\WINDOWS\BBSr.com.cn.exe
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\gz002.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gh02[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gh1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gz[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\index0703[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\testtest[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\2[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\gh[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\kabakao[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\test[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\gh[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\gz001[1].exe
C:\WINDOWS\BBSr.com.cn.exe
C:\WINDOWS\Debug\UserMode\08835B.dll
C:\WINDOWS\Debug\UserMode\08835B.exe
[Added COM/BHO]
{AD11A17C-83C2-4121-89C8-D0660555685C}-C:\WINDOWS\debug\userMode\08835B.dll
到目前為止 (2007/3/30 @ 21:54),下面的防毒軟體可以偵測到這些惡意檔案:
08835B.dll:
[ Trend ], "TSPY_LINEAGE.EXA"
08835B.exe:
[ Trend ], "TSPY_LINEAGE.EWX"
gh02[1].exe:
[ Trend ], "TSPY_LINEAGE.EWX"
gz002.exe:
[ Trend ], "TROJ_AGENT.PPO"
kabakao[1].exe:
[ Trend ], "TROJ_AGENT.PPO"
1[1].jpg:
[ Microsoft ], "TrojanDownloader:Win32/Anicmoo.gen!D"
[ Kaspersky ], "Trojan-Downloader.Win32.Ani.g"
[ McAfee ], "Exploit-ANIfile.c"
[ Sophos ], "Troj/Animoo-U"
[ Rising ], "Hack.Exploit.RIFF.b"
2[1].jpg:
[ Microsoft ], "TrojanDownloader:Win32/Anicmoo.gen!D"
[ Kaspersky ], "Trojan-Downloader.Win32.Ani.g"
[ McAfee ], "Exploit-ANIfile.c"
[ Sophos ], "Troj/Animoo-U"
[ Rising ], "Hack.Exploit.RIFF.a"
BBSr.com.cn.exe:
[ Symantec ], "Backdoor.Graybird"
[ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A"
[ Kaspersky ], "PAK:PE-Armor, unknown format."
[ McAfee ], "BackDoor-AWQ"
[ Sophos ], "Mal/GrayBird"
[ Alwil ], "Win32:Hupigon-OH [Trj]"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
gh[1].htm:
[ HBEDV ], "VBS/Dldr.Agent.6171"
[ Grisoft ], "Virus identified VBS/Psyme.N"
gz001[1].exe:
[ Kaspersky ], "PAK:PE-Armor, unknown format."
[ McAfee ], "New Win32.g2 !!"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.XPACK.Gen"
gz[1].htm:
[ HBEDV ], "VBS/Dldr.Agent.6171"
[ Grisoft ], "Virus identified VBS/Psyme.N"
index0703[1].exe:
[ Symantec ], "Backdoor.Graybird"
[ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A"
[ Kaspersky ], "PAK:PE-Armor, unknown format."
[ McAfee ], "BackDoor-AWQ"
[ Sophos ], "Mal/GrayBird"
[ Alwil ], "Win32:Hupigon-OH [Trj]"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
**高度危險網站:常常被植入惡意連結,列入網站黑名單,不建議瀏覽此網站**台灣 Nikon 網站又被植入惡意連結,此惡意程式為 Lineage 和 灰鴿子變種,最近有瀏覽這個網頁的網友,應該要盡速檢查自己的電腦。請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息 (此惡意程式會偷帳號與密碼)。另外,其中某些惡意檔案是利用微軟的安全漏洞 (Vulnerability in Windows Animated Cursor Handling)(此為零時差攻擊)。
**請幫忙通知他們,謝謝**
惡意連結是放置在首頁中的:
惡意程式碼的一部分為:
執行之後,有下面的行為:
[DLL injection]
C:\WINDOWS\Debug\UserMode\08835B.dll (注入某些執行程序如檔案總管、IE等)
[Added service]
NAME: winsedx.com.cn
DISPLAY: winsedx.com.cn
FILE: C:\WINDOWS\BBSr.com.cn.exe
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\gz002.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gh02[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gh1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\gz[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\index0703[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\testtest[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\2[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\gh[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\kabakao[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\test[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\gh[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\gz001[1].exe
C:\WINDOWS\BBSr.com.cn.exe
C:\WINDOWS\Debug\UserMode\08835B.dll
C:\WINDOWS\Debug\UserMode\08835B.exe
[Added COM/BHO]
{AD11A17C-83C2-4121-89C8-D0660555685C}-C:\WINDOWS\debug\userMode\08835B.dll
到目前為止 (2007/3/30 @ 21:54),下面的防毒軟體可以偵測到這些惡意檔案:
08835B.dll:
[ Trend ], "TSPY_LINEAGE.EXA"
08835B.exe:
[ Trend ], "TSPY_LINEAGE.EWX"
gh02[1].exe:
[ Trend ], "TSPY_LINEAGE.EWX"
gz002.exe:
[ Trend ], "TROJ_AGENT.PPO"
kabakao[1].exe:
[ Trend ], "TROJ_AGENT.PPO"
1[1].jpg:
[ Microsoft ], "TrojanDownloader:Win32/Anicmoo.gen!D"
[ Kaspersky ], "Trojan-Downloader.Win32.Ani.g"
[ McAfee ], "Exploit-ANIfile.c"
[ Sophos ], "Troj/Animoo-U"
[ Rising ], "Hack.Exploit.RIFF.b"
2[1].jpg:
[ Microsoft ], "TrojanDownloader:Win32/Anicmoo.gen!D"
[ Kaspersky ], "Trojan-Downloader.Win32.Ani.g"
[ McAfee ], "Exploit-ANIfile.c"
[ Sophos ], "Troj/Animoo-U"
[ Rising ], "Hack.Exploit.RIFF.a"
BBSr.com.cn.exe:
[ Symantec ], "Backdoor.Graybird"
[ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A"
[ Kaspersky ], "PAK:PE-Armor, unknown format."
[ McAfee ], "BackDoor-AWQ"
[ Sophos ], "Mal/GrayBird"
[ Alwil ], "Win32:Hupigon-OH [Trj]"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
gh[1].htm:
[ HBEDV ], "VBS/Dldr.Agent.6171"
[ Grisoft ], "Virus identified VBS/Psyme.N"
gz001[1].exe:
[ Kaspersky ], "PAK:PE-Armor, unknown format."
[ McAfee ], "New Win32.g2 !!"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/Crypt.XPACK.Gen"
gz[1].htm:
[ HBEDV ], "VBS/Dldr.Agent.6171"
[ Grisoft ], "Virus identified VBS/Psyme.N"
index0703[1].exe:
[ Symantec ], "Backdoor.Graybird"
[ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A"
[ Kaspersky ], "PAK:PE-Armor, unknown format."
[ McAfee ], "BackDoor-AWQ"
[ Sophos ], "Mal/GrayBird"
[ Alwil ], "Win32:Hupigon-OH [Trj]"
[ Fortinet ], "suspicious"
[ HBEDV ], "BDS/Hupigon.Gen"
全站熱搜
留言列表
