close
更新資訊:已修復 (2007/4/9 @ 11:10)
iThome 網站被植入惡意連結,最近有瀏覽這些網頁的網友,應該要盡速檢查自己的電腦。請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息。另外,此惡意程式是利用微軟所公佈的安全漏洞 (Vulnerability in Windows Animated Cursor Handling) (此為零時差攻擊)。(感謝網友瘋了告知)
**請幫忙通知他們,謝謝**
惡意連結是放置在首頁中的:
惡意程式碼的一部分為 (使用 malformed ascii bypassing 的技術,看起來像是毫無意義,實際上,它是可以被執行的):
當執行此惡意程式時,會產生一個應用程式錯誤訊息:
執行之後,有下面的行為:
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\qing.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\7888p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\test[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\9197p[1].jpg
到目前為止 (2007/4/9 @ 11:06),下面的防毒軟體可以偵測到這些惡意檔案:
qing.exe:
[ Trend ], "TROJ_NSANTI.CV"
[ Alpha_Gen ], “NSPM_Protected”
[ Beta_Gen ], “Possible_MLWR-1〃
[ Microsoft ], “Virus:Win32/Detnat.F”
[ McAfee ], “New Malware.bc !!”
[ Sophos ], “Mal/Packer”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSAnti.Gen”
[ Norman ], “Trojan Suspicious_N.gen”
[ Ahnlab ], “infected by Win32/NSAnti.suspicious”
update[1].exe:
[ Trend ], "TROJ_NSANTI.CV"
[ Alpha_Gen ], “NSPM_Protected”
[ Beta_Gen ], “Possible_MLWR-1〃
[ Microsoft ], “Virus:Win32/Detnat.F”
[ McAfee ], “New Malware.bc !!”
[ Sophos ], “Mal/Packer”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSAnti.Gen”
[ Norman ], “Trojan Suspicious_N.gen”
[ Ahnlab ], “infected by Win32/NSAnti.suspicious”
update[1].htm:
[ Kaspersky ], "Trojan-Downloader.HTML.Agent.ch"-----
iThome 網站被植入惡意連結,最近有瀏覽這些網頁的網友,應該要盡速檢查自己的電腦。請各位暫時不要瀏覽這個網站,以免中毒,等確認他們已經修復後,會在此更新訊息。另外,此惡意程式是利用微軟所公佈的安全漏洞 (Vulnerability in Windows Animated Cursor Handling) (此為零時差攻擊)。(感謝網友瘋了告知)
**請幫忙通知他們,謝謝**
惡意連結是放置在首頁中的:
惡意程式碼的一部分為 (使用 malformed ascii bypassing 的技術,看起來像是毫無意義,實際上,它是可以被執行的):
當執行此惡意程式時,會產生一個應用程式錯誤訊息:
執行之後,有下面的行為:
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\qing.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\7888p[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\test[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\mystat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\update[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\9197p[1].jpg
到目前為止 (2007/4/9 @ 11:06),下面的防毒軟體可以偵測到這些惡意檔案:
qing.exe:
[ Trend ], "TROJ_NSANTI.CV"
[ Alpha_Gen ], “NSPM_Protected”
[ Beta_Gen ], “Possible_MLWR-1〃
[ Microsoft ], “Virus:Win32/Detnat.F”
[ McAfee ], “New Malware.bc !!”
[ Sophos ], “Mal/Packer”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSAnti.Gen”
[ Norman ], “Trojan Suspicious_N.gen”
[ Ahnlab ], “infected by Win32/NSAnti.suspicious”
update[1].exe:
[ Trend ], "TROJ_NSANTI.CV"
[ Alpha_Gen ], “NSPM_Protected”
[ Beta_Gen ], “Possible_MLWR-1〃
[ Microsoft ], “Virus:Win32/Detnat.F”
[ McAfee ], “New Malware.bc !!”
[ Sophos ], “Mal/Packer”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Crypt.NSAnti.Gen”
[ Norman ], “Trojan Suspicious_N.gen”
[ Ahnlab ], “infected by Win32/NSAnti.suspicious”
update[1].htm:
[ Kaspersky ], "Trojan-Downloader.HTML.Agent.ch"-----
全站熱搜
留言列表