Trend Micro detailed description:
http://www.trendmicro.com/vinfo/zh-t...5FANICMOO%2EAX
--------------------------------------------------------------------------------
The following information is excerpted from the "趨勢科技網路安全百科 (台灣)" (Trend Micro Threat Encyclopedia, Taiwan)
Malware type: Trojan
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows XP
Encrypted: No
Overall risk rating: Low
--------------------------------------------------------------------------------
Reported infections: Low
Damage potential: Medium
Distribution potential: Low
--------------------------------------------------------------------------------
Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This Trojan may arrive on a system as a specially crafted animated cursor (.ANI) file downloaded from the Internet by unsuspecting users. It may also be delivered to a system via a specially crafted HTML email message.
It takes advantage of a vulnerability in the way Windows handles animated cursor files (.ANI). More information regarding this flaw can be found on the following Microsoft Web page:
Security Advisory 935423
It uses the said vulnerability to download and execute files from several URLs. One of the downloaded files is detected by Trend Micro as TROJ_SMALL.DRF. As a result, routines of the downloaded Trojan may also be exhibited on the affected system.
Minimum scan engine version: 8.000
Pattern file needed: 4.375.00
Pattern release date: Mar 28, 2007
--------------------------------------------------------------------------------
Solution:
Important Windows XP Cleaning Instructions
Users running Windows XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Running Trend Micro Antivirus
If you are currently running in safe mode, please restart your computer normally before performing the following solution.
Scan your computer with Trend Micro antivirus and delete files detected as TROJ_ANICMOO.AX and TROJ_SMALL.DRF. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
Note: As of this writing, there is no available patch for the Windows vulnerability that this malware exploits. Trend Micro recommends checking the Microsoft Web site for the latest patches and updates.
Memory resident: No
File size: 794 bytes
Initial samples received: Mar 28, 2007
Related: TROJ_SMALL.DRF
--------------------------------------------------------------------------------
Payload 1: Downloads files
--------------------------------------------------------------------------------
Details:
This Trojan may arrive on a system as a specially crafted animated cursor (.ANI) file downloaded from the Internet by unsuspecting users. It may also be delivered to a system via a specially crafted HTML email message.
It takes advantage of a vulnerability in the way Windows handles animated cursor files (.ANI). More information regarding this flaw can be found on the following Microsoft Web page:
Security Advisory 935423
It uses the said vulnerability to download and execute files from the following URLs (the downloaded file wincf.exe is detected as TROJ_SMALL.DRF):
As a result, routines of the downloaded files may also be exhibited on the affected system.
This Trojan runs on Windows XP.