佛教慈濟綜合醫院網站被植入惡意連結

更新資訊：已修復 (2007/4/10 @ 10:03) 佛教慈濟綜合醫院網站被植入惡意連結，此惡意程式為 Maran 和 Delf 變種，最近有瀏覽這個網頁的網友，應該要盡速檢查自己的電腦。請各位暫時不要瀏覽這個網站，以免中毒，等確認他們已經修復後，會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。(Credit: firebox ) **請幫忙通知他們，謝謝** 惡意連結是放置在首頁及中文首頁中的：惡意程式碼的一部分為： 執行之後，有下面的行為： [Added process] C:\WINDOWS\avp.exe [DLL injection] C:\WINDOWS\system32\hsvwer2.dll (注入 IE 的執行程序) [Added service] NAME: VGADown DISPLAY: Audio Adapter FILE: C:\WINDOWS\avp.exe NAME: WS2IFSL (這是正常的服務) DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment FILE: \SystemRoot\System32\drivers\ws2ifsl.sys [Added file] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\lin[1].exe C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\loginform[1].htm C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1[1].exe C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ajcount[1].htm C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\svch2321[1].exe C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\tw[1].htm C:\kao.reg C:\Program Files\Internet Explorer\loadie.EXE C:\WINDOWS\avp.exe C:\WINDOWS\system32\hsvwer2.dll C:\WINDOWS\~tmp2311.exe [Added LSP] ID: 1012 NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\hsvwer2.dll) ID: 1013 NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\hsvwer2.dll) [Added registry] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Value=AutoRun,Data=C:\Program Files\Internet Explorer\loadie.EXE 到目前為止 (2007/4/2 @ 22:47)，下面的防毒軟體可以偵測到這些惡意檔案： lin[1].exe: [ Trend ], "TROJ_DELF.FND" loadie.EXE: [ Trend ], "TROJ_DELF.FND" loginform[1].htm: [ Trend ], "VBS_PSYME.EZ" svch2321[1].exe: [ Trend ], "TROJ_MARAN.FT" ~tmp2311.exe: [ Trend ], "TROJ_DELF.FND" avp.exe: [ Kaspersky ], "Trojan-PSW.Win32.Maran.dj" [ Sophos ], "Troj/Maran-Gen" [ Nod32 ], "a variant of Win32/PSW.Maran trojan" [ HBEDV ], "TR/PSW.Maran.A.1" [ Norman ], "Trojan W32/Smalltroj.XXX" [ Rising ], "Trojan.Delf.njo" [ Ewido ], "Trojan.Maran.ag" [ Grisoft ], "Trojan horse PSW.Generic3.TDO" hsvwer2.dll: [ Kaspersky ], "Trojan-PSW.Win32.Maran.dj" [ Alwil ], "Win32:Maran-D [Trj]" [ Nod32 ], "a variant of Win32/PSW.Maran trojan" [ HBEDV ], "TR/Drop.Maran.C.3" [ Rising ], "Trojan.PSW.OnlineGames.yh" [ Ewido ], "Trojan.Maran.cx" [ Grisoft ], "Trojan horse PSW.Generic3.TDN" kao.reg: [ Panda ], "Trj/QQPass.MW" 1[1].exe: [ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.Maran.dj" [ McAfee ], "New Malware.n !!" [ Sophos ], "Troj/Maran-Gen" [ Nod32 ], "a variant of Win32/PSW.Maran trojan" [ Fortinet ], "suspicious" [ HBEDV ], "TR/PSW.Maran.A.1" [ Norman ], "Security Risk W32/Suspicious_U.gen" [ Ewido ], "Trojan.Maran.e" [ Grisoft ], "Trojan horse PSW.Generic3.TDM"