大砲開講

彩虹國際旅行社網站被植入惡意連結，此惡意程式為 Maran 變種，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦。請各位暫時不要瀏覽這個網站，以免中毒，等確認他們已經修復後，會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。 **請幫忙通知他們，謝謝** 惡意連結是放置在 major.asp 檔案中的： 惡意程式碼的一部份為： 當執行此惡意程式時，會產生一個應用程式錯誤： 執行之後，有下面的行為： [Added service] NAME: VGADown DISPLAY: Audio Adapter FILE: C:\WINDOWS\avp.exe NAME: WS2IFSL DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment FILE: \SystemRoot\System32\drivers\ws2ifsl.sys [Added file] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\inpa[1].htm C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\test[1].js C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\top[1].htm C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\update[4].htm C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\update[1].exe C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\major[1].htm C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\mystat[1].htm C:\WINDOWS\avp.exe C:\WINDOWS\system32\od2media.dll [Added LSP] ID: 1012 NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\od2media.dll) ID: 1013 NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\od2media.dll) 到目前為止，下面的防毒軟體可以偵測到這些惡意檔案： od2media.dll: [ Alpha_Gen ], "Possible_MLWR-1" [ Beta_Gen ], "Possible_MLWR-1" [ Microsoft ], "Virus:Win32/Detnat.F" [ Fortinet ], "suspicious" [ HBEDV ], "TR/Crypt.NSAnti.Gen" [ Ahnlab ], "infected by Win32/NSAnti.suspicious" update[1].exe: [ Alpha_Gen ], "Possible_MLWR-1" [ Beta_Gen ], "Possible_MLWR-1" [ Nod32 ], "a variant of Win32/PSW.Maran trojan" [ HBEDV ], "TR/Crypt.NSAnti.Gen" update[4].htm: [ Nod32 ], "VBS/TrojanDownloader.Small.BO trojan" [ Fortinet ], "VBS/Psyme.DP!tr.dldr" [ Rising ], "Trojan.DL.VBS.Agent.cii" [ Ewido ], "Downloader.Small.cu" avp.exe: [ Alpha_Gen ], "NSPM_Protected" [ Beta_Gen ], "Possible_MLWR-1" [ Microsoft ], "Virus:Win32/Detnat.F" [ Alwil ], "Win32:MianCrypt-gen [Trj]" [ Fortinet ], "suspicious" [ HBEDV ], "TR/Crypt.NSAnti.Gen" [ Ahnlab ], "infected by Win32/NSAnti.suspicious"