The 手機王 website has been injected with a malicious link again. This is the third time their pages have had a malicious link injected. It is a shopping site, which makes this inexcusable, and it is happening over the Lunar New Year holiday, so their network admins are probably on vacation as well; I would guess quite a few visitors have already been infected (can the victims claim compensation?). Please avoid browsing this site for now so you do not get infected; once I have confirmed they have fixed it, I will update this post. (This malware steals user account names and passwords, very likely credit card numbers as well, and exhibits rootkit behaviour.)
Once executed, it does the following:
[Added hidden process] (the process is hidden from process listings)
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe
[DLL injection]
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe (injected into svchost.exe)
C:\WINDOWS\Debug\UserMode\299E575.dll (injected into several processes, such as Windows Explorer)
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\CiKE.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\test[1].exe
C:\logex.txt
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eCompress.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eImgConverter.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eLIB.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\HideProc.dll
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\internet.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\krnln.fnr
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\Nhook.dll
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\shell.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe
C:\WINDOWS\Debug\UserMode\299E575.dll
C:\WINDOWS\Debug\UserMode\299E575.exe
[Added COM/BHO]
{77D9BC5E-7942-499F-9AA0-D1BA226D2788}-C:\WINDOWS\debug\userMode\299E575.dll
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=svchost, Data=C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe
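The indicator list above is enough for a quick host check. The PowerShell script below is an added example; it is not from the original post nor from 大砲開講部落格. It tests for the dropped files, the `svchost` value under the Run key, the BHO CLSID, and any svchost.exe running from outside %SystemRoot%\System32 (the real svchost.exe lives only there, so a Run value pointing at one under Program Files is a red flag by itself). The `Browser Helper Objects` registry location is the standard BHO registration key and is assumed here, since the post only gives the CLSID-to-DLL mapping. The .fne/.fnr files are Easy Language (易語言) runtime libraries, which suggests the dropper was built with that toolchain. Because the post says the process is hidden by a rootkit, the process check can miss it on a live infected host; the file and registry checks are more reliable, and scanning from a clean boot medium is better still.

```powershell
# Added example, not code from the original post. Indicators are copied from the
# post; the BHO registry location is the standard one and is an assumption here.
$base = "C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar"
$files = @(
    "$base\svchost.exe",
    "$base\HideProc.dll",
    "$base\Nhook.dll",
    "$base\krnln.fnr",
    "C:\WINDOWS\Debug\UserMode\299E575.dll",
    "C:\WINDOWS\Debug\UserMode\299E575.exe",
    "C:\logex.txt"
)
$clsid = "{77D9BC5E-7942-499F-9AA0-D1BA226D2788}"
$hits  = @()

# 1. Dropped files
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "file: $f" }
}

# 2. Persistence: a Run value named 'svchost'. Report it whatever it points at;
#    the real svchost.exe is started by the service control manager, not by Run.
$runKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svchost']) {
    $hits += "run value: svchost = $($run.svchost)"
}

# 3. BHO registration (assumed standard location) and the CLSID's server DLL
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
if (Test-Path -LiteralPath $bhoKey) { $hits += "BHO key: $bhoKey" }
$srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
if ($srv) { $hits += "CLSID server DLL: $($srv.'(default)')" }

# 4. Any svchost.exe whose image is not under System32. The rootkit may hide
#    the process, so an empty result here does not clear the host.
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path
    if ($p -and ($p -notlike "$env:SystemRoot\System32\*")) {
        $hits += "process: $p (PID $($_.Id))"
    }
}

if ($hits.Count -eq 0) { "no indicators found" } else { $hits }
```

Run it from an elevated PowerShell prompt so the HKLM reads and process path lookups succeed; on a hit, treat the host as compromised rather than just deleting the listed files, since the post notes credential theft and rootkit behaviour.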
For further details, see the 「大砲開講部落格」 blog.