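The 收藏家 (台灣防潮科技) website has been injected with a malicious link. The malware is a variant of Lineage and 灰鴿子 (Gray Pigeon). Anyone who has browsed these pages recently should check their computer as soon as possible. Please do not visit this site for the time being, to avoid infection; once it is confirmed that they have fixed it, I will update this post (this malware most likely steals accounts and passwords). In addition, the malware exploits a security vulnerability announced by Microsoft (Vulnerability in Windows Animated Cursor Handling) (this is a zero-day attack) (Credit: Bigfish)

**Please help notify them, thank you**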

drytech_home_20070410.jpg

The malicious link is placed in the home page:

drytech_url_20070410.png

Part of the malicious code:

drytech_code_20070410.png

The ANI zero-day exploit portion:

drytech_ani_code_20070410.png

After execution, it exhibits the following behavior:

[DLL injection]
C:\WINDOWS\Debug\UserMode\32BB5B6.dll (injected into certain processes such as Windows Explorer and IE)

[Added service]
NAME: winsedx.com.cn
DISPLAY: winsedx.com.cn
FILE: C:\WINDOWS\win.cn.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\gz002.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\index0707[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gh02[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gh1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gh[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gz[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\kabakao[1].exe
C:\WINDOWS\Debug\UserMode\32BB5B6.dll
C:\WINDOWS\Debug\UserMode\32BB5B6.exe
C:\WINDOWS\win.cn.exe

[ Added COM/BHO ]
{F2319AD4-D519-45AC-86A7-02FE9B851F37}-C:\WINDOWS\debug\userMode\32BB5B6.dll
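
The following is an added example, not part of the original post: a triage helper that matches the "[Added file]" paths above against a file listing from another host. It assumes XP-style profile paths as in the post; the `OBSERVED` listing is constructed, and the function names are hypothetical.

```python
import re

# Paths copied from the "[Added file]" list in the post.
PROFILE = r"C:\Documents and Settings\Administrator\Local Settings"
CACHE = PROFILE + r"\Temporary Internet Files\Content.IE5"
POST_PATHS = [
    PROFILE + r"\Temp\gz002.exe",
    CACHE + r"\456J8TAJ\index0707[1].exe",
    CACHE + r"\GDI3K1MF\gh02[1].exe",
    CACHE + r"\GDI3K1MF\gh1[1].htm",
    CACHE + r"\GDI3K1MF\gh[1].htm",
    CACHE + r"\GDI3K1MF\gz[1].htm",
    CACHE + r"\OD2ZGLMN\kabakao[1].exe",
    r"C:\WINDOWS\Debug\UserMode\32BB5B6.dll",
    r"C:\WINDOWS\Debug\UserMode\32BB5B6.exe",
    r"C:\WINDOWS\win.cn.exe",
]

def normalize(path):
    """Reduce a Windows path to a host-independent, case-insensitive form."""
    p = path.strip().lower().replace("/", "\\")
    # The profile folder name differs per user account.
    p = re.sub(r"\\documents and settings\\[^\\]+\\",
               r"\\documents and settings\\*\\", p)
    # IE gives its Content.IE5 subfolders random names on each machine.
    p = re.sub(r"\\content\.ie5\\[^\\]+\\", r"\\content.ie5\\*\\", p)
    # IE appends [n] to cached copies; n depends on earlier downloads.
    p = re.sub(r"\[\d+\](?=\.[^\\.]+$)", "[*]", p)
    return p

IOC_SET = {normalize(p) for p in POST_PATHS}

def triage(listing):
    """Return the listed paths that match an indicator after normalization."""
    return [line for line in listing if normalize(line) in IOC_SET]

# Constructed sample listing from a different host and user (not real data).
OBSERVED = [
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\K7QX2ABC\gh02[2].exe",
    r"c:\windows\debug\usermode\32bb5b6.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\setup.exe",
    r"C:\WINDOWS\notepad.exe",
    r"C:\Documents and Settings\alice\My Documents\gz[1].htm",
]

if __name__ == "__main__":
    for hit in triage(OBSERVED):
        print("MATCH:", hit)
```

Matching on the directory class plus file name, rather than the bare file name, keeps short names such as `gz[1].htm` from matching outside the IE cache.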

As of now (2007/4/9 @ 23:00), the following antivirus products detect these malicious files:

32BB5B6.exe:
[ Trend ], “Possible_Lineage”
gh02[1].exe:
[ Trend ], “Possible_Lineage”
gh[1].htm:
[ Trend ], “VBS_PSYME.AKW”
gz[1].htm:
[ Trend ], “HTML_AGENT.PQV”
32BB5B6.dll:
[ Trend ], “Possible_Lineage”
gz002.exe:
[ Kaspersky ], “PAK:PE-Armor, unknown format.”
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Crypted”
index0707[1].exe:
[ Symantec ], “Backdoor.Graybird”
[ Microsoft ], “TrojanDropper:Win32/Hupigon.gen!A”
[ Kaspersky ], “PAK:PE-Armor, unknown format.”
[ McAfee ], “BackDoor-AWQ”
[ Sophos ], “Mal/GrayBird”
[ Alwil ], “Win32:Hupigon-OH [Trj]”
[ Fortinet ], “suspicious”
[ HBEDV ], “BDS/Hupigon.Gen”
kabakao[1].exe:
[ Kaspersky ], “PAK:PE-Armor, unknown format.”
[ Fortinet ], “suspicious”
[ HBEDV ], “HEUR/Crypted”
win.cn.exe:
[ Symantec ], “Backdoor.Graybird”
[ Microsoft ], “TrojanDropper:Win32/Hupigon.gen!A”
[ Kaspersky ], “PAK:PE-Armor, unknown format.”
[ McAfee ], “BackDoor-AWQ”
[ Sophos ], “Mal/GrayBird”
[ Alwil ], “Win32:Hupigon-OH [Trj]”
[ Fortinet ], “suspicious”
[ HBEDV ], “BDS/Hupigon.Gen”