A malicious link has been planted on the website of the National Institute of Educational Resources and Research (國立教育資料館). Please do not browse this site for the time being, to avoid infection; once it is confirmed that they have fixed it, an update will be posted here. (This malware steals account names and passwords.) (Thanks to Jimau)

**Please help notify them, thank you.**

nioerar_edu_home_20070306.jpg

The new address should be hxxp://www.nioerar.edu.tw; I really can't work it out, could this be the old address?

The malicious link is placed on the home page:

nioerar_edu_url_20070306.png

Part of the malicious program:

nioerar_edu_code_20070306.png

After execution it behaves as follows:

[Added process]
C:\Program Files\Windows Media Player\svchost.exe

[DLL injection]
C:\Program Files\Windows Media Player\svchost.exe (injected into the svchost.exe process)
C:\WINDOWS\system32\PDLL.dll (injected into certain processes such as browsers)

[Added file]
C:\autorun.inf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\lineage[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\lineage[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ttt1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ffg[1].exe
C:\pagefile.pif
C:\Program Files\ffg.exe
C:\Program Files\Windows Media Player\svchost.exe
C:\WINDOWS\kill.exe
C:\WINDOWS\system32\PDLL.dll
C:\WINDOWS\systemxz.dll
C:\WINDOWS\systemxz.exe

So far, the following anti-virus products detect these malicious files:

systemxz.exe: [ Trend ] "TSPY_ONLINEGA.ZQ"
systemxz.dll: [ Trend ] "TSPY_ONLINEGA.ZQ"
pagefile.pif: [ Trend ] "TSPY_ONLINEGA.ZQ"
lineage[1].exe: [ Trend ] "TSPY_ONLINEGA.ZQ"
PDLL.dll: [ Trend ] "Possible_Lineage"
kill.exe: [ Beta_Gen ] "TROJ_Generic.CON"; [ McAfee ] "ProcKill-KnlKillP"; [ Panda ] "Application/Pskill.S"; [ HBEDV ] "APPL/Tool.PsKill.W"; [ Ewido ] "Backdoor.PcClient.qh"
lineage[1].htm: [ Sophos ] "VBS/Psyme-Fam"; [ HBEDV ] "VBS/Psyme.Fam.K"; [ Norman ] "Trojan VBS/Psyme.AK"; [ Rising ] "Trojan.DL.VBS.Agent.chn"
ffg[1].exe: [ Kaspersky ] "PAK:PE_Patch, ARC:Embedded EXE, Trojan-PSW.Win32.Nilage.ajm"; [ McAfee ] "[0000a7e4.EXE]:corrupted"; [ Fortinet ] "suspicious"
ffg.exe: [ Kaspersky ] "PAK:PE_Patch, ARC:Embedded EXE, Trojan-PSW.Win32.Nilage.ajm"; [ McAfee ] "[0000a7e4.EXE]:corrupted"; [ Fortinet ] "suspicious"
ttt1[1].exe: [ Symantec ] "Infostealer"; [ Microsoft ] "PWS:Win32/Wowsteal.gen!A"; [ McAfee ] "New Malware.u !!"; [ Sophos ] "Mal/Packer"; [ Nod32 ] "probably a variant of Win32/PSW.Lineage.AJP trojan"; [ Fortinet ] "suspicious"; [ HBEDV ] "DR/PSW.Lineage.U"; [ Ewido ] "Trojan.Nilage.awo"; [ Grisoft ] "Trojan horse PSW.Generic3.ITW"
svchost.exe: [ Symantec ] "Infostealer"; [ Microsoft ] "PWS:Win32/Wowsteal.gen!A"; [ McAfee ] "New Malware.u !!"; [ Sophos ] "Mal/Packer"; [ Nod32 ] "probably a variant of Win32/PSW.Lineage.AJP trojan"; [ Fortinet ] "suspicious"; [ HBEDV ] "DR/PSW.Lineage.U"; [ Ewido ] "Trojan.Nilage.awo"; [ Grisoft ] "Trojan horse PSW.Generic3.ITW"
autorun.inf: [ McAfee ] "Downloader.inf"
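As an added example (not part of the original post), a small Python triage helper that turns the behaviour above into host checks: an svchost.exe image running from anywhere other than the system32 folder of the Windows directory, the dropped paths and file names listed, and an autorun.inf at any drive root (a generalization of the C:\autorun.inf the post observed). The system root default of C:\WINDOWS and any sample paths not taken from the post are assumptions.

```python
from pathlib import PureWindowsPath

# Fixed-location drops listed in the post (system root C:\WINDOWS as observed).
DROPPED_PATHS = {
    r"C:\pagefile.pif",
    r"C:\Program Files\ffg.exe",
    r"C:\Program Files\Windows Media Player\svchost.exe",
    r"C:\WINDOWS\kill.exe",
    r"C:\WINDOWS\system32\PDLL.dll",
    r"C:\WINDOWS\systemxz.dll",
    r"C:\WINDOWS\systemxz.exe",
}
# Browser-cache drops: the Content.IE5 subfolder name is random, so match by name.
DROPPED_NAMES = {"lineage[1].exe", "lineage[1].htm", "ttt1[1].exe", "ffg[1].exe"}


def _norm(path: str) -> str:
    """Canonical lower-case form for case-insensitive Windows path comparison."""
    return str(PureWindowsPath(path)).lower()


def flag_process(image_path: str, system_root: str = r"C:\WINDOWS"):
    """Reason string if a process image masquerades as svchost.exe, else None.

    The legitimate svchost.exe lives in system32 under the Windows directory;
    the sample runs its copy from the Windows Media Player folder.
    """
    image = PureWindowsPath(image_path)
    if image.name.lower() != "svchost.exe":
        return None
    legit_dir = _norm(str(PureWindowsPath(system_root) / "system32"))
    if _norm(str(image.parent)) == legit_dir:
        return None
    return f"svchost.exe outside {legit_dir}: {image_path}"


def flag_file(path: str):
    """Reason string if a file matches a dropped-file indicator, else None."""
    p = PureWindowsPath(path)
    if _norm(path) in {_norm(d) for d in DROPPED_PATHS}:
        return f"known dropped file: {path}"
    if p.name.lower() in DROPPED_NAMES:
        return f"cached dropper name: {path}"
    # The sample writes autorun.inf to the drive root; flag that on any drive.
    if p.name.lower() == "autorun.inf" and str(p.parent) == p.anchor:
        return f"autorun.inf at drive root: {path}"
    return None


def triage(process_images, files_present):
    """Collect findings for running image paths and files found on disk."""
    findings = [r for r in map(flag_process, process_images) if r]
    findings += [r for r in map(flag_file, files_present) if r]
    return findings
```

Feed `triage()` the image paths from a process listing and the paths from a file-system walk; an empty result means none of the post's indicators were seen.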