Update: Fixed (2007/4/12 @ 22:40)
The 廣福旅行社 website (and also 廣德日本網) has had a malicious link injected into it. The malware is a QQPass variant, and anyone who has browsed this site recently should check their computer as soon as possible. Please do not visit this site for the time being, to avoid infection; once it is confirmed that they have fixed it, this post will be updated. In addition, the malware exploits the security vulnerability published by Microsoft (Vulnerability in Windows Animated Cursor Handling) (this is a zero-day attack) (the malware most likely steals accounts and passwords).
**Please help notify them, thank you**
The malicious link is placed in each of the home pages:
Part of the malicious code is:
After execution, it exhibits the following behaviour:
[Added process]
C:\WINDOWS\Kernel32.exe
[DLL injection]
C:\Documents and Settings\Administrator\Local Settings\Temp\~Tm8.tmp.rom (injected into certain running processes such as Explorer, IE, etc.)
C:\Program Files\Common Files\Microsoft Shared\MSInfo\NewInfo.dll (injected into certain running processes such as Explorer, IE, etc.)
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys (injected into certain running processes such as Explorer, IE, etc.)
C:\WINDOWS\system32\5.dll (injected into certain running processes such as Explorer, IE, etc.)
C:\WINDOWS\system32\winform.dll (injected into certain running processes such as Explorer, etc.)
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\3.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\4.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\6.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\moi.com
C:\Documents and Settings\Administrator\Local Settings\Temp\~Tm8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~Tm8.tmp.rom
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\11282[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\html[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\qq[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ss[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\tj[1].htm
C:\Program Files\Common Files\Microsoft Shared\MSInfo\NewInfo.bak
C:\Program Files\Common Files\Microsoft Shared\MSInfo\NewInfo.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\system.2dt
C:\Program Files\Internet Explorer\PLUGINS\system2.jmp
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys
C:\WINDOWS\Kernel32.exe
C:\WINDOWS\system32\5.dll
C:\WINDOWS\system32\winform.dll
C:\WINDOWS\winform.exe
[Added COM/BHO]
{754FB7D8-B8FE-4810-B363-A788CD060F1F}-C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys
{A6011F8F-A7F8-49AA-9ADA-49127D43138F}-C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.dll
{C883F785-2E24-2157-7ADD-5B002D13D084}-C:\WINDOWS\system32\5.dll
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Value=winform, Data=C:\WINDOWS\winform.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Value=kernel32, Data=C:\WINDOWS\Kernel32.exe
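A report-only host triage check built from the indicators listed above (Run values, dropped files, COM/BHO CLSIDs). This is an added example, not code from the original post; it assumes an elevated PowerShell session on the affected Windows machine and substitutes the current user's Temp folder for the sandbox's Administrator profile.

```powershell
# Added example (not from the original post): report-only triage for the indicators above.
# Assumes an elevated PowerShell session; the sandbox ran as Administrator, so the
# Temp paths are taken from the current user's profile instead.
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValues = @{ winform = 'C:\WINDOWS\winform.exe'; kernel32 = 'C:\WINDOWS\Kernel32.exe' }
$Clsids    = @(
  '{754FB7D8-B8FE-4810-B363-A788CD060F1F}',
  '{A6011F8F-A7F8-49AA-9ADA-49127D43138F}',
  '{C883F785-2E24-2157-7ADD-5B002D13D084}'
)
$Temp  = $env:TEMP
$Files = @(
  'C:\WINDOWS\Kernel32.exe', 'C:\WINDOWS\winform.exe',
  'C:\WINDOWS\system32\5.dll', 'C:\WINDOWS\system32\winform.dll',
  'C:\Program Files\Common Files\Microsoft Shared\MSInfo\NewInfo.dll',
  'C:\Program Files\Common Files\Microsoft Shared\MSInfo\NewInfo.bak',
  'C:\Program Files\Common Files\Microsoft Shared\MSInfo\system.2dt',
  'C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys',
  'C:\Program Files\Internet Explorer\PLUGINS\system2.jmp',
  "$Temp\3.exe", "$Temp\4.exe", "$Temp\6.exe", "$Temp\7.exe",
  "$Temp\moi.com", "$Temp\~Tm8.tmp", "$Temp\~Tm8.tmp.rom"
)
$Findings = @()

# 1. Persistence: the two Run values the sandbox recorded.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($name in $RunValues.Keys) {
  $data = $run.$name
  if ($data) { $Findings += "Run value '$name' = $data (malicious data seen: $($RunValues[$name]))" }
}

# 2. Dropped files (LiteralPath so '~' and brackets are not interpreted).
foreach ($f in $Files) {
  if (Test-Path -LiteralPath $f) { $Findings += "File present: $f" }
}

# 3. COM/BHO registrations: CLSID InprocServer32 and the IE Browser Helper Objects list.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($c in $Clsids) {
  $inproc = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$c\InprocServer32" -ErrorAction SilentlyContinue
  if ($inproc) { $Findings += "CLSID $c registered -> $($inproc.'(default)')" }
  if (Test-Path -LiteralPath "$BhoKey\$c") { $Findings += "BHO registered: $c" }
}

if ($Findings.Count -eq 0) { 'No indicators from this post found.' }
else { "Indicators found ($($Findings.Count)):"; $Findings | ForEach-Object { " - $_" } }
```

Because the DLLs are injected into Explorer and IE, a positive result here should be followed by an offline scan of the machine rather than deleting the files from the running system.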
As of 2007/4/4 @ 11:10, the following antivirus products detect these malicious files:
3.exe:
[ Trend ], “TSPY_QQPASS.BUY”
6.exe:
[ Trend ], “TSPY_ONLINEG.BZ”
system2.jmp:
[ Trend ], “TSPY_QQPASS.BUY”
SystemKb.sys:
[ Trend ], “TSPY_QQPASS.BUY”
4.exe:
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ Sophos ], “Mal/Packer”
[ Panda ], “Trj/Wow.LQ”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Agent.18757.B”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Ewido ], “Trojan.Wow”
5.dll:
[ Sophos ], “Mal/Gampass-A”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Delphi.Downloader.Gen”
7.exe:
[ Kaspersky ], “PAK:FSG”
[ Sophos ], “Mal/Packer”
[ Alwil ], “Win32:Delf-BCN [Wrm]”
[ Fortinet ], “suspicious”
[ HBEDV ], “DR/Delphi.Gen”
[ Norman ], “Security Risk Suspicious_F.gen”
11282[1].exe:
[ Symantec ], “Infostealer”
[ Microsoft ], “[->(UPX)]:Trojan:Win32/Dowque.A”
[ Kaspersky ], “PAK:UPX, Trojan-PSW.Win32.Delf.qc”
[ Sophos ], “[FILE:0000]:Mal/QQPass-B”
[ HBEDV ], “DR/Delphi.Gen”
[ Grisoft ], “Trojan horse Generic3.TDK”
Kernel32.exe:
[ Kaspersky ], “PAK:PE_Patch, PAK:UPack”
[ McAfee ], “New Malware.aj !!”
[ Sophos ], “Mal/Packer”
[ Panda ], “Trj/Wow.LQ”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Agent.18757.B”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Ewido ], “Trojan.Wow”
moi.com:
[ Symantec ], “Infostealer”
[ Microsoft ], “[->(UPX)]:Trojan:Win32/Dowque.A”
[ Kaspersky ], “PAK:UPX, Trojan-PSW.Win32.Delf.qc”
[ Sophos ], “[FILE:0000]:Mal/QQPass-B”
[ HBEDV ], “DR/Delphi.Gen”
[ Grisoft ], “Trojan horse Generic3.TDK”
NewInfo.bak:
[ Microsoft ], “Trojan:Win32/Dowque.A”
[ Kaspersky ], “Trojan-PSW.Win32.Delf.qc”
[ Sophos ], “Mal/QQPass-B”
[ HBEDV ], “HEUR/Malware”
[ Ewido ], “Trojan.Delf.qc”
[ Grisoft ], “Trojan horse Generic3.TDL”
NewInfo.dll:
[ Microsoft ], “Trojan:Win32/Dowque.A”
[ Kaspersky ], “Trojan-PSW.Win32.Delf.qc”
[ Sophos ], “Mal/QQPass-B”
[ HBEDV ], “HEUR/Malware”
[ Ewido ], “Trojan.Delf.qc”
[ Grisoft ], “Trojan horse Generic3.TDL”
system.2dt:
[ Symantec ], “Infostealer”
[ Microsoft ], “[->(UPX)]:Trojan:Win32/Dowque.A”
[ Kaspersky ], “PAK:UPX, Trojan-PSW.Win32.Delf.qc”
[ Sophos ], “[FILE:0000]:Mal/QQPass-B”
[ HBEDV ], “DR/Delphi.Gen”
[ Grisoft ], “Trojan horse Generic3.TDK”
tj[1].htm:
[ Ewido ], “Downloader.Agent.v”
winform.dll:
[ Alpha_Gen ], “Possible_OLGM-4”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.mq”
[ McAfee ], “PWS-Lineage.dll”
[ HBEDV ], “HEUR/Malware”
[ Grisoft ], “Trojan horse PSW.Generic3.UHA”
winform.exe:
[ Alpha_Gen ], “Possible_OLGM”
[ Microsoft ], “PWS:Win32/Lmir.gen”
[ Kaspersky ], “Trojan-PSW.Win32.OnLineGames.mq”
[ McAfee ], “[00001c60.EXE]:PWS-Lineage.dll”
[ Sophos ], “Mal/Behav-106”
[ Nod32 ], “probably a variant of Win32/PSW.Agent.NCC trojan”
[ HBEDV ], “HEUR/Malware”
[ Grisoft ], “Trojan horse PSW.Generic3.UHB”
~Tm8.tmp.rom:
[ Kaspersky ], “PAK:UPack”
[ Sophos ], “Mal/Packer”
[ Fortinet ], “suspicious”
[ HBEDV ], “TR/Agent.12671”
[ Norman ], “Security Risk W32/Suspicious_U.gen”
[ Ewido ], “Trojan.Wow”
COMMENT: Thanks for the heads-up. Our company's website has already been checked by engineers and found to be fine, and we have asked the server hosting provider to tighten its controls. However, we would like to clarify that we and 廣德日本網 are different companies.