The Taiwan web directory site 台灣網址導航 has had a malicious link planted in its pages. The malware is a variant of PE_LOOKED and OnLineGames (a nasty one), and it also exploits the ANI vulnerability. Anyone who has browsed this site recently should check their computer as soon as possible. Please stay away from the site for now so you do not get infected; once their fix has been confirmed, an update will be posted here. Readers who are interested can test it in VMWare, report back on whether it has been fixed, and help notify them. Thanks. (Credit: 路人)

The malicious link is placed on the home page (the other pages may need a careful check as well):

Part of the malicious code is:

After execution, the following behavior is observed:

[Added process]
C:\WINDOWS\System32\alg32.exe
C:\WINDOWS\system32\upnpsvc.exe
C:\WINDOWS\thhshy.exe
C:\WINDOWS\system32\systemm.exe

[DLL injection]
C:\Documents and Settings\Administrator\Desktop\svchost.exe (injected into the svchost.exe process)
C:\Documents and Settings\Administrator\Local Settings\Temp\upxdnd.dll (injected into certain processes such as Explorer)
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll (injected into certain processes such as Explorer)
C:\Program Files\Internet Explorer\LSASS.EXE (injected into the lsass.exe process)
C:\WINDOWS\system32\cmdbcs.dll (injected into certain processes such as Explorer)
C:\WINDOWS\system32\mppds.dll (injected into the Explorer process)
C:\WINDOWS\system32\msccrt.dll (injected into certain processes such as Explorer)
C:\WINDOWS\system32\RAVWM419.dll (injected into the Explorer process)
C:\WINDOWS\system32\winform.dll (injected into certain processes such as Explorer)
C:\WINDOWS\system32\Winhttps.dll (injected into the IE process)

[Added service]
NAME: Asynchronous UPnP Support Services
DISPLAY: Asynchronous UPnP Support Services
FILE: C:\WINDOWS\system32\upnpsvc.exe

NAME: WS2IFSL (this is a legitimate service)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys

NAME: WinWMServiceNow
DISPLAY: WinWMServiceNow
FILE: C:\Documents and Settings\Administrator\Local Settings\Temp\RAVWM.EXE

[Added file]
C:\Documents and Settings\Administrator\Desktop\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\RAVWM.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\upxdnd.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\upxdnd.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\0614[2].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9772513[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9772513[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9772513[3].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\9772513[4].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\97725[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma10[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma12[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma2[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma3[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma5[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma6[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma7[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\downma8[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\mm[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\mm[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\mm[3].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\ok[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\xjz2007[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\0614[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\888[4].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\9772513[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\comeoncool[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\downma1[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\downma8[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\kg[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\stat[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\xjz2007[3].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\0614[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\click[4].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\xjz2007[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\06014[4].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\0614[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\8xz[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\9772513[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma11[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma12[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma1[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma2[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma4[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma7[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\downma9[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\muxiao2[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\sa[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\top[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\vbb[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\xjz2007[1].bmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OD2ZGLMN\xjz2007[1].htm
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll
C:\Program Files\Internet Explorer\10Sy.exe
C:\Program Files\Internet Explorer\LSASS.EXE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\Logo1_.exe
C:\WINDOWS\MirSet.ini
C:\WINDOWS\mppds.exe
C:\WINDOWS\msccrt.exe
C:\WINDOWS\RichDll.dll
C:\WINDOWS\system32\alg32.dat
C:\WINDOWS\system32\alg32.exe
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\msccrt.dll
C:\WINDOWS\system32\RAVWM419.dll
C:\WINDOWS\system32\systemm.exe
C:\WINDOWS\system32\thhshy.dll
C:\WINDOWS\system32\UPnPSvc.dll
C:\WINDOWS\system32\upnpsvc.exe
C:\WINDOWS\system32\winform.dll
C:\WINDOWS\system32\Winhttps.dat
C:\WINDOWS\system32\Winhttps.dll
C:\WINDOWS\thhshy.exe
C:\WINDOWS\uninstall\rundl132.exe
C:\WINDOWS\winform.exe
C:\WINDOWS\~tmp.tmp
C:\_desktop.ini

[Modified file]
Infects all PE executables
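
The post reports that PE_LOOKED infects every PE executable on the machine. As an added example (not from the original post), the Python PE32 header walker below applies the classic appending-infector heuristics, an entry point that lands in the last section or in a writable and executable section, to constructed sample images; the section layouts and the `.vir` section name are invented for the demonstration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(pe):
    """Return (AddressOfEntryPoint, [(name, rva, vsize, characteristics), ...]) of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsec):                    # 40-byte section headers follow the optional header
        off = opt + opt_size + 40 * i
        name, vsize, rva = struct.unpack_from("<8sII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, chars))
    return entry, sections

def infection_signs(pe):
    """Appending-infector heuristics: entry point outside every section, in the last
    section, or in a section that is both writable and executable."""
    entry, sections = parse_pe(pe)
    holder = [i for i, (_, rva, vsize, _) in enumerate(sections) if rva <= entry < rva + vsize]
    if not holder:
        return ["entry point is not inside any section"]
    name, _, _, chars = sections[holder[0]]
    signs = []
    if len(sections) > 1 and holder[0] == len(sections) - 1:
        signs.append(f"entry point in last section {name!r}")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        signs.append(f"entry section {name!r} is writable and executable")
    return signs

def build_pe(entry_rva, sections):
    """Constructed, non-loadable PE32 image (headers and section table only) for testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, rva, vs, 0, 0, 0, 0, 0, ch)
                     for n, rva, vs, ch in sections)
    return dos + coff + opt + table

TEXT, DATA = (".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040)
CLEAN = build_pe(0x1000, [TEXT, DATA])                                   # entry in .text
INFECTED = build_pe(0x4000, [TEXT, DATA, (".vir", 0x4000, 0x800, 0xE0000020)])  # entry in appended RWX section
```

Run `infection_signs(open(path, "rb").read())` over the executables on a suspect host to shortlist files for a proper scan; the heuristic is a triage aid, not a verdict, since some packers trip it as well.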

[Added LSP]
ID: 1012
NAME: MT-TcpFilter

ID: 1013
NAME: MSAFD Tcpip [TCP/IP]
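
As an added example (not from the original post), a small Python triage script that reads saved `netsh winsock show catalog` output and flags catalog entries, such as the MT-TcpFilter entry at ID 1012 above, whose provider DLL is not one of Microsoft's own; the sample catalog text is constructed and the LSP's DLL path is a placeholder, since the post does not say which DLL backs it.

```python
import ntpath
import re
# Microsoft's own Winsock providers on Windows XP; anything else backing a catalog
# entry deserves a look. Extend this set to match your own clean-host baseline.
KNOWN_MS_PROVIDERS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "wshtcpip.dll"}

def parse_catalog(text):
    """Split saved `netsh winsock show catalog` output into one dict per provider entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = re.match(r"^([A-Za-z ]+?):\s+(.*\S)\s*$", line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2)
    return entries

def suspicious_entries(text, known=KNOWN_MS_PROVIDERS):
    """(id, description, path) of every entry, base or chain, whose provider DLL is not a known Microsoft one."""
    flagged = []
    for e in parse_catalog(text):
        path = e.get("Provider Path", "")
        if ntpath.basename(path).lower() not in known:
            flagged.append((int(e.get("Catalog Entry ID", "0")), e.get("Description", ""), path))
    return flagged

# Constructed sample in the shape of XP's `netsh winsock show catalog` output; entries
# 1012/1013 reuse the IDs and names from the post, the DLL path is a PLACEHOLDER.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        MT-TcpFilter
Provider Path:                      C:\\WINDOWS\\system32\\PLACEHOLDER_lsp.dll
Catalog Entry ID:                   1012
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      C:\\WINDOWS\\system32\\PLACEHOLDER_lsp.dll
Catalog Entry ID:                   1013
"""
```

Save the live catalog with `netsh winsock show catalog > catalog.txt` and pass the file's text to `suspicious_entries()`; once the offending DLL has been removed, `netsh winsock reset` (XP SP2 and later) rebuilds a clean catalog.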

As of now (2007/4/23 @ 20:37), the following antivirus products detect these malicious files:

SysWFGQQ.dll:
[ Trend ], "Possible_Infostl"
winform.dll:
[ Trend ], "TSPY_ONLINEG.BCK"
winform.exe:
[ Trend ], "TSPY_LEGMIR.BCH"
xjz2007[1].htm:
[ Trend ], "TROJ_DLOADER.JXD"
~tmp.tmp:
[ Trend ], "PE_LOOKED.XL-O"
8xz[1].exe:
[ Trend ], "TROJ_MIANCRYP.AI"
0614[1].js:
[ Trend ], "JS_PSYME.AMQ"
06014[4].htm:
[ Trend ], "EXPL_AGENT.AADR"
97725[1].exe:
[ Trend ], "PE_LOOKED.XL-O"
downma3[1].exe:
[ Trend ], "TSPY_ONLINEG.IA"
downma7[1].exe:
[ Trend ], "TROJ_DELF.GGR"
downma8[1].exe:
[ Trend ], "TROJ_MULTDROP.FU"
kg[1].exe:
[ Trend ], "WORM_DELF.GGU"
Logo1_.exe:
[ Trend ], "PE_LOOKED.XL-O"
LSASS.EXE:
[ Trend ], "TROJ_MULTDROP.FU"
mppds.exe:
[ Trend ], "TSPY_ONLINEG.IA"
RAVWM.EXE:
[ Trend ], "TROJ_DELF.GGR"
RichDll.dll:
[ Trend ], "TROJ_LOOKED.XL"
svchost.exe:
[ Trend ], "TROJ_MIANCRYP.AI"
systemm.exe:
[ Trend ], "HKTL_ARPSNIFFE.F"
SysWFGQQ2.dll:
[ Trend ], "Possible_Infostl"
thhshy.dll:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Symantec ], "Infostealer.Gampass"
[ McAfee ], "PWS-Zhengtu"
[ Sophos ], "Troj/PSW-Gen"
[ Nod32 ], "a variant of Win32/Agent.NHN trojan"
[ HBEDV ], "HEUR/Malware"
thhshy.exe:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.es"
[ Sophos ], "Mal/Behav-106"
[ Nod32 ], "probably unknown NewHeur_PE virus [7]"
[ Fortinet ], "W32/OnLineGames.ES!tr.pws"
[ HBEDV ], "HEUR/Malware"
[ Ewido ], "Trojan.OnLineGames.es"
UPnPSvc.dll:
[ McAfee ], "New DLL-b !!"
upnpsvc.exe:
[ Kaspersky ], "Trojan-PSW.Win32.Lmir.amj"
[ McAfee ], "[00004734.EXE]:New DLL-b !!"
[ HBEDV ], "HEUR/Crypted"
[ Ewido ], "Trojan.Lmir.amj"
upxdnd.dll:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Microsoft ], "PWS:Win32/Frethog.A!dll"
[ Nod32 ], "a variant of Win32/PSW.Agent.NDF trojan"
[ HBEDV ], "HEUR/Malware"
upxdnd.exe:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Microsoft ], "PWS:Win32/Frethog.A"
[ McAfee ], "PWS-LegMir.gen.b"
[ Nod32 ], "a variant of Win32/PSW.Agent.NDF trojan"
[ Fortinet ], "LegMir.B!tr.pws"
[ HBEDV ], "HEUR/Malware"
Winhttps.dat:
[ Symantec ], "Infostealer.Lemir"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.nw"
[ Sophos ], "Troj/LegMir-ATL"
[ Fortinet ], "W32/LSP"
[ HBEDV ], "TR/PSW.OnLineGames.NW.6"
[ Norman ], "Trojan W32/OnLineGames.DYR"
[ Ewido ], "Trojan.OnLineGames.nw"
Winhttps.dll:
[ Symantec ], "Infostealer.Lemir"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.nw"
[ Sophos ], "Troj/LegMir-ATL"
[ Fortinet ], "W32/LSP"
[ HBEDV ], "TR/PSW.OnLineGames.NW.6"
[ Norman ], "Trojan W32/OnLineGames.DYR"
[ Ewido ], "Trojan.OnLineGames.nw"
xjz2007[3].js:
[ Alpha_Gen ], "Heur_Infrm-2"
[ Symantec ], "Trojan Horse"
10Sy.exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Microsoft ], "VirTool:Win32/Obfuscator.B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.os"
[ Sophos ], "Mal/EncPk-F"
[ Nod32 ], "Win32/Pacex.Gen virus"
[ Fortinet ], "W32/OnLineGames.OS!tr.pws"
[ HBEDV ], "TR/PSW.OnLineGames.OS"
[ Ewido ], "Trojan.OnLineGames.os"
alg32.dat:
[ Kaspersky ], "PAK:FSG, Trojan-PSW.Win32.OnLineGames.nw"
[ Sophos ], "Mal/Packer"
[ Alwil ], "Win32:Zlob-S [Trj]"
[ Fortinet ], "Misc/LSP"
[ HBEDV ], "TR/PSW.OnLineGames.NW.6"
[ Norman ], "Security Risk Suspicious_F.gen"
[ Ewido ], "Trojan.OnLineGames.nw"
alg32.exe:
[ Kaspersky ], "PAK:FSG, Trojan-PSW.Win32.OnLineGames.nw"
[ Sophos ], "Mal/Packer"
[ Alwil ], "Win32:Zlob-S [Trj]"
[ Fortinet ], "Misc/LSP"
[ HBEDV ], "TR/PSW.OnLineGames.NW.6"
[ Norman ], "Security Risk Suspicious_F.gen"
[ Ewido ], "Trojan.OnLineGames.nw"
cmdbcs.dll:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Symantec ], "Infostealer.Gampass"
[ Sophos ], "Troj/PSW-Gen"
[ Nod32 ], "a variant of Win32/PSW.Agent.NCC trojan"
[ HBEDV ], "HEUR/Malware"
cmdbcs.exe:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Microsoft ], "PWS:Win32/Lmir.gen"
[ Sophos ], "Mal/Behav-106"
[ Nod32 ], "a variant of Win32/PSW.Agent.NCC trojan"
[ HBEDV ], "HEUR/Malware"
downma1[1].exe:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Microsoft ], "PWS:Win32/Frethog.A"
[ McAfee ], "PWS-LegMir.gen.b"
[ Nod32 ], "a variant of Win32/PSW.Agent.NDF trojan"
[ Fortinet ], "LegMir.B!tr.pws"
[ HBEDV ], "HEUR/Malware"
downma2[1].exe:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Microsoft ], "PWS:Win32/Lmir.gen"
[ Sophos ], "Mal/Behav-106"
[ Nod32 ], "a variant of Win32/PSW.Agent.NCC trojan"
[ HBEDV ], "HEUR/Malware"
downma9[1].exe:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Microsoft ], "PWS:Win32/Lmir.gen"
[ McAfee ], "PWS-LegMir.gen.b"
[ Sophos ], "Mal/Behav-106"
[ Nod32 ], "a variant of Win32/PSW.Agent.NCC trojan"
[ HBEDV ], "HEUR/Malware"
downma10[1].exe:
[ Kaspersky ], "PAK:FSG, Trojan-PSW.Win32.OnLineGames.nw"
[ Sophos ], "Mal/Packer"
[ Alwil ], "Win32:Zlob-S [Trj]"
[ Fortinet ], "Misc/LSP"
[ HBEDV ], "TR/PSW.OnLineGames.NW.6"
[ Norman ], "Security Risk Suspicious_F.gen"
[ Ewido ], "Trojan.OnLineGames.nw"
downma11[1].exe:
[ Alpha_Gen ], "Possible_MLWR-5"
[ Microsoft ], "VirTool:Win32/Obfuscator.B"
[ Kaspersky ], "Trojan-PSW.Win32.OnLineGames.os"
[ Sophos ], "Mal/EncPk-F"
[ Nod32 ], "Win32/Pacex.Gen virus"
[ Fortinet ], "W32/OnLineGames.OS!tr.pws"
[ HBEDV ], "TR/PSW.OnLineGames.OS"
[ Ewido ], "Trojan.OnLineGames.os"
downma12[1].exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack"
[ McAfee ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Fortinet ], "suspicious"
[ HBEDV ], "HEUR/Malware"
[ Norman ], "Security Risk W32/Suspicious_U.gen"
mppds.dll:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Symantec ], "Infostealer.Gampass"
[ Sophos ], "Troj/PSW-Gen"
[ HBEDV ], "HEUR/Malware"
msccrt.dll:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Symantec ], "Infostealer.Gampass"
[ Sophos ], "Troj/PSW-Gen"
[ HBEDV ], "HEUR/Malware"
msccrt.exe:
[ Alpha_Gen ], "Possible_OLGM-4"
[ Microsoft ], "PWS:Win32/Lmir.gen"
[ McAfee ], "PWS-LegMir.gen.b"
[ Sophos ], "Mal/Behav-106"
[ Nod32 ], "a variant of Win32/PSW.Agent.NCC trojan"
[ HBEDV ], "HEUR/Malware"
RAVWM419.dll:
[ Kaspersky ], "PAK:UPX"
[ Sophos ], "Mal/Behav-010"
[ HBEDV ], "TR/Delphi.Downloader.Gen"
大砲開講

Posted by rogerspeaking on PIXNET (痞客邦) | Comments (0) | Views (3,224)