The 苦勞網 website has had a malicious link injected into it. The malware involved is QQHelper and SuperUtilBar (spyware); anyone who has browsed this site recently should check their computer as soon as possible. Please avoid browsing the site for now so you do not get infected; once it is confirmed that they have fixed it, this post will be updated. In addition, this malware exploits the security vulnerability published by Microsoft (Vulnerability in Windows Animated Cursor Handling), as a zero-day attack. Anyone interested can test it in VMWare, report back on whether it has been fixed, and help notify them. Thanks. (Credit: joyusha)
The malicious link is placed in the home page (other pages may have it too):
After it executes, it behaves as follows (pretty bad):
[Added process]
C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE
C:\Program Files\Internet Explorer\iexplore.exe (spawns several hidden IE instances)
[DLL injection]
C:\Program Files\superutilbar\superutilbar.dll (injected into the IE process)
C:\WINDOWS\system32\3724DC06.DLL (injected into the winlogon and Explorer processes)
[Added service]
NAME: 3724DC06
DISPLAY: 3724DC06
FILE: C:\WINDOWS\system32\3724DC06.EXE -service
NAME: DiRVIn
DISPLAY: Intranet Messenger
FILE: C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE C:\WINDOWS\SYSTEM32\WBEM\USYAC.DLL,Export 1087
[Added file]
C:\Documents and Settings\Administrator\Favorites\嗣杻璃桴-郔假溫陑腔璃桴.url
C:\Documents and Settings\Administrator\Local Settings\Temp\bind_50202.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\caiyi8[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\css[1].css
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\css[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\main[1].css
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\stat[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\foot[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\searchbg[1].png
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\top[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\update[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\wm[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\yoqoo580[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\760all7[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\bind_50202[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\js[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\css[2].js
C:\Program Files\Common Files\System\Updaterun.exe
C:\Program Files\Ethereal\snmp\mibs\.index
C:\Program Files\superutilbar\superutilbar.dll
C:\Program Files\superutilbar\uninst.exe
C:\WINDOWS\bar.exe
C:\WINDOWS\system32\3724DC06.DLL
C:\WINDOWS\system32\3724DC06.EXE
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\iylsz.dll
C:\WINDOWS\system32\rundll2kxp.exe
C:\WINDOWS\system32\Score.txt
C:\WINDOWS\system32\wbem\ocmor.dll
C:\WINDOWS\system32\wbem\usyac.dll
[Added COM/BHO]
{03465FF5-00AE-411a-9C34-960ED566EC03}-C:\Program Files\superutilbar\superutilbar.dll
{425882B0-B0BF-11CE-B59F-00AA006CB37D}-C:\WINDOWS\system32\npp\ndisnpp.dll
{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}-C:\Program Files\superutilbar\superutilbar.dll
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=System
Data=C:\Program Files\Common Files\System\Updaterun.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\妗蚚刲坰馱撿沭
Value=DisplayName
Data=妗蚚刲坰馱撿沭
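As an added example (not part of the original post), the following Python script turns the behaviour summary above into structured indicators and checks a host inventory against them. The REPORT string copies the post's own lists (analyst remarks translated, the two mis-encoded file and registry entries omitted); HOST_INVENTORY is a constructed sample, and parse_report, match_host and the inventory layout are this example's own names. On a real host the inventory would be built from a directory listing, the service control manager, the Run key and the Browser Helper Objects registry key.

```python
"""Added example: parse the post's indicator lists and match them against a host inventory."""
import re

# Copy of the post's behaviour summary (remarks translated, mojibake entries omitted).
REPORT = r"""
[Added process]
C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE
C:\Program Files\Internet Explorer\iexplore.exe (spawns several hidden IE instances)
[DLL injection]
C:\Program Files\superutilbar\superutilbar.dll (injected into the IE process)
C:\WINDOWS\system32\3724DC06.DLL (injected into winlogon and Explorer)
[Added service]
NAME: 3724DC06
DISPLAY: 3724DC06
FILE: C:\WINDOWS\system32\3724DC06.EXE -service
NAME: DiRVIn
DISPLAY: Intranet Messenger
FILE: C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE C:\WINDOWS\SYSTEM32\WBEM\USYAC.DLL,Export 1087
[Added file]
C:\Program Files\Common Files\System\Updaterun.exe
C:\Program Files\superutilbar\superutilbar.dll
C:\WINDOWS\bar.exe
C:\WINDOWS\system32\3724DC06.DLL
C:\WINDOWS\system32\3724DC06.EXE
C:\WINDOWS\system32\rundll2kxp.exe
C:\WINDOWS\system32\wbem\usyac.dll
[Added COM/BHO]
{03465FF5-00AE-411a-9C34-960ED566EC03}-C:\Program Files\superutilbar\superutilbar.dll
{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}-C:\Program Files\superutilbar\superutilbar.dll
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=System
Data=C:\Program Files\Common Files\System\Updaterun.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")         # "[Added file]" style section headers
REMARK_RE = re.compile(r"\s*\([^)]*\)$")        # trailing "(...)" analyst remark on a line


def parse_report(text):
    """Parse the bracketed sections into a dict of indicators; paths are lower-cased
    because Windows path comparison is case-insensitive."""
    iocs = {"process": [], "dll": [], "service": [], "file": [], "bho": [], "registry": []}
    section, current = None, None   # current = service or registry record being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        line = REMARK_RE.sub("", line)
        if section == "Added process":
            iocs["process"].append(line.lower())
        elif section == "DLL injection":
            iocs["dll"].append(line.lower())
        elif section == "Added file":
            iocs["file"].append(line.lower())
        elif section == "Added service":          # NAME:/DISPLAY:/FILE: triples
            key, _, val = line.partition(":")
            if key == "NAME":
                current = {"name": val.strip()}
                iocs["service"].append(current)
            elif current is not None:
                current[key.lower()] = val.strip()
        elif section == "Added COM/BHO":          # {CLSID}-path; CLSIDs contain '-' themselves
            clsid, _, path = line.partition("}-")
            iocs["bho"].append({"clsid": (clsid + "}").lower(), "path": path.lower()})
        elif section == "Added registry":         # key line, then Value=/Data= lines
            if line.upper().startswith("HK"):
                current = {"key": line, "value": None, "data": None}
                iocs["registry"].append(current)
            elif current is not None:
                k, _, v = line.partition("=")
                current[k.lower()] = v
    return iocs


def match_host(iocs, host):
    """Return sorted (kind, indicator) pairs for every indicator present on the host.
    host = {"files": [...], "services": {name: binpath}, "run_values": {name: data}, "bhos": [clsid]}"""
    hits = []
    present = {p.lower() for p in host["files"]}
    for path in sorted(set(iocs["file"]) | set(iocs["dll"]) | set(iocs["process"])):
        if path in present:
            hits.append(("file", path))
    services = {n.lower() for n in host["services"]}
    for svc in iocs["service"]:
        if svc["name"].lower() in services:
            hits.append(("service", svc["name"]))
    installed_bhos = {c.lower() for c in host["bhos"]}
    for bho in iocs["bho"]:
        if bho["clsid"] in installed_bhos:
            hits.append(("bho", bho["clsid"]))
    for reg in iocs["registry"]:
        if reg["value"] and reg["key"].endswith(r"\Run"):
            if host["run_values"].get(reg["value"], "").lower() == (reg["data"] or "").lower():
                hits.append(("registry", reg["key"] + "\\" + reg["value"]))
    return sorted(hits)


HOST_INVENTORY = {  # constructed sample inventory, not taken from a real host
    "files": [r"C:\WINDOWS\system32\3724DC06.DLL", r"C:\WINDOWS\system32\rundll2kxp.exe",
              r"C:\WINDOWS\system32\kernel32.dll"],
    "services": {"DiRVIn": r"C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE", "Spooler": r"C:\WINDOWS\system32\spoolsv.exe"},
    "run_values": {"System": r"C:\Program Files\Common Files\System\Updaterun.exe"},
    "bhos": ["{6CFD436C-7AAD-4E50-992F-C0C87A94CAD2}"],
}

if __name__ == "__main__":
    for kind, indicator in match_host(parse_report(REPORT), HOST_INVENTORY):
        print(f"{kind:9s} {indicator}")
```

The matcher unions the process, DLL-injection and added-file paths, since a file that is present on disk is the same finding whichever section listed it; service names and CLSIDs are compared case-insensitively, as Windows treats them.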
As of now (2007/4/16 @ 23:17), the following antivirus products detect these malicious files:
bar.exe:
[ Trend ], "ADW_BAIDU.BJ"
[ Kaspersky ], "ARC:NSIS, [data0002]:Trojan-Clicker.Win32.Agent.io"
[ McAfee ], "Adware-Baidu"
[ Sophos ], "Troj/QQHelp-DX"
bind_50202.exe:
[ Trend ], "TROJ_QQHHELPE.I"
[ Sophos ], "Mal/TinyDL-D"
css[2].js:
[ Trend ], "EXPL_ANICMOO.GEN"
[ Symantec ], "Trojan.Anicmoo"
[ Kaspersky ], "Exploit.Win32.IMG-ANI.gen"
[ McAfee ], "Exploit-ANIfile.c"
[ Sophos ], "Troj/Animoo-M"
iylsz.dll:
[ Kaspersky ], "PAK:PE_Patch"
[ Alwil ], "Win32:Qqhelper-J [Trj]"
[ Nod32 ], "a variant of Win32/TrojanDownloader.QQHelper trojan"
[ HBEDV ], "TR/Drop.Multi.D.2"
ocmor.dll:
[ HBEDV ], "TR/Dldr.QQHe.FT.5.D"
[ Ewido ], "Downloader.QQHe.ft"
RUNDLL2KXP.EXE:
[ HBEDV ], "TR/Agent.10240.A"
[ Ewido ], "Trojan.Agent"
superutilbar.dll:
[ Microsoft ], "BrowserModifier:Win32/SuperUtilBar"
[ Kaspersky ], "Trojan-Clicker.Win32.Agent.io"
[ Panda ], "Application/SuperUtilBar"
[ Nod32 ], "Win32/Adware.Toolbar.Baidu application"
[ Fortinet ], "PossibleThreat"
[ HBEDV ], "TR/Click.Agent.IO.2"
[ Ewido ], "Hijacker.Agent.io"
temp.exe:
[ Nod32 ], "a variant of Win32/TrojanDownloader.QQHelper trojan"
[ HBEDV ], "TR/Dldr.QQhelper.DB"
uninst.exe:
[ Kaspersky ], "ARC:NSIS"
[ McAfee ], "Adware-Baidu"
[ Panda ], "Adware/BaiduBar"
[ Fortinet ], "Adware/Baidu"
[ HBEDV ], "ADSPY/BaiduBar.BR"
Updaterun.exe:
[ Nod32 ], "a variant of Win32/Adware.Toolbar.Baidu application"
usyac.dll:
[ Alpha_Gen ], "Suspicious_Rsrc"
[ Kaspersky ], "PAK:PE_Patch"
[ Nod32 ], "a variant of Win32/TrojanDownloader.QQHelper trojan"
[ HBEDV ], "HEUR/Malware"
wm[1].htm:
[ HBEDV ], "VBS/Dldr.Psyme.FV"
3724DC06.DLL:
[ Alpha_Gen ], "NSPM_Protected"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ Nod32 ], "a variant of Win32/Agent.NEO trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Rising ], "Trojan.IMMSG.TBMSG.dn"
[ Ewido ], "Backdoor.Agent.ahj"
3724DC06.EXE:
[ Alpha_Gen ], "NSPM_Protected"
[ Microsoft ], "VirTool:Win32/Obfuscator.A"
[ McAfee ], "New Malware.ce !!"
[ Panda ], "Suspicious file"
[ Nod32 ], "a variant of Win32/Agent.NEO trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Crypted"
Note: there is one ANI sample that none of the antivirus products can detect. Could there be a new variant?
- Apr 17 Tue 2007 12:04
苦勞網 website has had a malicious link injected