sai7sai
2007-03-29, 12:30 AM
ESPNSTAR 體育台網站被植入惡意連結,此惡意程式為 Maran 的變種 (此惡意程式會偷帳號與密碼)。
執行之後,有下面的行為:
[Added process]
C:\WINDOWS\avp.exe (偽裝卡巴司基防毒軟體的執行程序)
[DLL injecti]
C:\WINDOWS\lsass.exe (注入 lsass.exe 的執行程序)
C:\WINDOWS\system32\md5media.dll (注入某些執行程序如檔案總管、IE 等)
[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe
NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\getflashplayer[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\AVList[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\flash[1].exe
C:\WINDOWS\avp.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\ldmedia3.dll
C:\WINDOWS\system32\md5media.dll
C:\WINDOWS\system32\wnvdsf.ax
[Added LSP]
ID: 1014
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\ldmedia3.dll)
ID: 1015
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\ldmedia3.dll)
詳細的資訊,請參考「ESPNSTAR 體育台網站被植入惡意連結 (http://malware-test.com/blog/archives/2007/03/28/894)」。:cry:
贊助商連結
執行之後,有下面的行為:
[Added process]
C:\WINDOWS\avp.exe (偽裝卡巴司基防毒軟體的執行程序)
[DLL injecti]
C:\WINDOWS\lsass.exe (注入 lsass.exe 的執行程序)
C:\WINDOWS\system32\md5media.dll (注入某些執行程序如檔案總管、IE 等)
[Added service]
NAME: VGADown
DISPLAY: Audio Adapter
FILE: C:\WINDOWS\avp.exe
NAME: WS2IFSL (這是正常的服務)
DISPLAY: Windows Socket 2.0 Non-IFS Service Provider Support Environment
FILE: \SystemRoot\System32\drivers\ws2ifsl.sys
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\getflashplayer[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\AVList[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\flash[1].exe
C:\WINDOWS\avp.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\ldmedia3.dll
C:\WINDOWS\system32\md5media.dll
C:\WINDOWS\system32\wnvdsf.ax
[Added LSP]
ID: 1014
NAME: MSAFD Tcpip [RAW/IP] (連結至 C:\WINDOWS\system32\ldmedia3.dll)
ID: 1015
NAME: MSAFD Tcpip [TCP/IP] (連結至 C:\WINDOWS\system32\ldmedia3.dll)
詳細的資訊,請參考「ESPNSTAR 體育台網站被植入惡意連結 (http://malware-test.com/blog/archives/2007/03/28/894)」。:cry:
贊助商連結