大砲開講

台灣小冠鸚鵡俱樂部網站被植入惡意連結，此惡意程式為 Lineage 和灰鴿子變種，最近有瀏覽這些網頁的網友 (受害者應該很多吧)，應該要盡速檢查自己的電腦。請各位暫時不要瀏覽這個網站，以免中毒，等確認他們已經修復後，會在此更新訊息 (此惡意程式應該會偷帳號與密碼)。另外，此惡意程式是利用微軟所公佈的安全漏洞 (Vulnerability in Windows Animated Cursor Handling) (此為零時差攻擊) **請幫忙通知他們，謝謝** 惡意連結是放置在首頁中的： 惡意程式碼的一部分為： ANI 零時差攻擊的部份： 執行之後，有下面的行為： [DLL injection] C:\WINDOWS\Debug\UserMode\32BB5B6.dll (注入某些執行程序如檔案總管、IE等) [Added service] NAME: winsedx.com.cn DISPLAY: winsedx.com.cn FILE: C:\WINDOWS\win.cn.exe [Added file] C:\Documents and Settings\Administrator\Local Settings\Temp\gz002.exe C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\index0707[1].exe C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gh02[1].exe C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gh1[1].htm C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gh[1].htm C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gz[1].htm C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\kabakao[1].exe C:\WINDOWS\Debug\UserMode\32BB5B6.dll C:\WINDOWS\Debug\UserMode\32BB5B6.exe C:\WINDOWS\win.cn.exe [ Added COM/BHO ] {F2319AD4-D519-45AC-86A7-02FE9B851F37}-C:\WINDOWS\debug\userMode\32BB5B6.dll 到目前為止 (2007/4/9 @ 17:38)，下面的防毒軟體可以偵測到這些惡意檔案： 32BB5B6.exe: [ Trend ], "Possible_Lineage" gh02[1].exe: [ Trend ], "Possible_Lineage" gh[1].htm: [ Trend ], "VBS_PSYME.AKW" gz[1].htm: [ Trend ], "HTML_AGENT.PQV" 32BB5B6.dll: [ Trend], "Possible_Lineage" gz002.exe: [ Kaspersky ], "PAK:PE-Armor, unknown format." [ Fortinet ], "suspicious" [ HBEDV ], "HEUR/Crypted" index0707[1].exe: [ Symantec ], "Backdoor.Graybird" [ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A" [ Kaspersky ], "PAK:PE-Armor, unknown format." [ McAfee ], "BackDoor-AWQ" [ Sophos ], "Mal/GrayBird" [ Alwil ], "Win32:Hupigon-OH [Trj]" [ Fortinet ], "suspicious" [ HBEDV ], "BDS/Hupigon.Gen" kabakao[1].exe: [ Kaspersky ], "PAK:PE-Armor, unknown format." [ Fortinet ], "suspicious" [ HBEDV ], "HEUR/Crypted" win.cn.exe: [ Symantec ], "Backdoor.Graybird" [ Microsoft ], "TrojanDropper:Win32/Hupigon.gen!A" [ Kaspersky ], "PAK:PE-Armor, unknown format." [ McAfee ], "BackDoor-AWQ" [ Sophos ], "Mal/GrayBird" [ Alwil ], "Win32:Hupigon-OH [Trj]" [ Fortinet ], "suspicious" [ HBEDV ], "BDS/Hupigon.Gen"