【木馬】Yahoo新聞中木馬了

[天氣預報]

Yahoo新聞中木馬了
http://tw.news.yahoo.com/tech/3c/

現在確定有
我不知道晚點會不會移掉
不過這麼大的站居然也會中木馬

有毒連結
http://www.misofthelp.com/1.htm
http://www.misofthelp.com/11.htm

[Roger]

avpclub有人抓到2隻了
http://www.avpclub.ddns.info/discuz/...xtra=#pid35360

hxxp://www.misofthelp.com/update.exe
hxxp://www.misofthelp.com/update1.exe

[Roger]

運行update.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-23 06:51:03 创建文件 操作:允许
进程路径:D:\桌面\virus\update\update.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\WINDOWS\system32\od3mdi.dll
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:51:03 创建文件 操作:允许
进程路径:D:\桌面\virus\update\update.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\WINDOWS\avp.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-23 06:51:05 底层磁盘操作 操作:阻止
进程路径:D:\桌面\virus\update\update.exe

触发规则:所有程序规则->*

2007-07-23 06:51:05 创建文件 操作:允许
进程路径:D:\桌面\virus\update\update.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\WINDOWS\system32\delplme.bat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:51:06 运行应用程序 操作:阻止
进程路径:D:\桌面\virus\update\update.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c delplme.bat
触发规则:所有程序规则->系統程序->%windir%\system32\cmd.exe

1.它會在C\WINDOWS\system32\生成
od3mdi.dll
2.它會在C\WINDOWS\生成
avp.exe
3.它會運行底层磁盘操作
4.它會在C\WINDOWS\system32\生成
delplme.bat
5.它會運行C:\windows\system32\cmd.exe
/c delplme.bat

delplme.bat的結構

@echo off
:loop
del "D:\桌面\virus\update\update.exe"
if exist "D:\桌面\virus\update\update.exe" goto loop
C:\windows\system32\update.exe
del delplme.bat

[Roger]

運行update1.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-23 06:56:59 创建文件 操作:允许
进程路径:D:\桌面\virus\update1\update1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\4mz.dll
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:57:00 创建文件 操作:允许
进程路径:D:\桌面\virus\update1\update1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\t.sys
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:57:03 加载驱动程序 操作:允许
进程路径:D:\桌面\virus\update1\update1.exe
驱动名称:t.sys
触发规则:所有程序规则->*


2007-07-23 06:57:05 修改其它进程内存 操作:允许
进程路径:D:\桌面\virus\update1\update1.exe
目标进程:C:\Program Files\Internet Explorer\iexplore.exe
触发规则:所有程序规则->系統程序->%ProgramFiles%\Internet Explorer\IEXPLORE.EXE

2007-07-23 06:57:11 创建文件 操作:允许
进程路径:D:\桌面\virus\update1\update1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Program Files\Windows NT\SERVICES.EXE
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:57:11 创建注册表值 操作:阻止
进程路径:D:\桌面\virus\update1\update1.exe
注册表路径:HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\winlogon
注册表名称:Userinit
注册表数据:C:\WINDOWS\system32\userinit.exe,C:\Program Files\Windows NT\SERVICES.EXE,
触发规则:所有程序规则->WinLogon->*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon*

2007-07-23 06:57:11 创建文件 操作:允许
进程路径:D:\桌面\virus\update1\update1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\$$c31.tmp
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:57:11 创建文件 操作:允许
进程路径:D:\桌面\virus\update1\update1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\$$c31.tmp.bat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:57:11 运行应用程序 操作:阻止
进程路径:D:\桌面\virus\update1\update1.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c C:\DOCUME~1\HungAndy\LOCALS~1\Temp\$$c31.tmp.bat
触发规则:所有程序规则->系統程序->%windir%\system32\cmd.exe

2007-07-23 06:57:14 创建文件 操作:允许
进程路径:C:\Program Files\Internet Explorer\iexplore.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\wincab.sys
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:57:14 运行应用程序 操作:允许
进程路径:D:\桌面\virus\update1\update1.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Program Files\Windows NT\SERVICES.EXE
触发规则:所有程序规则->*

2007-07-23 06:57:15 修改文件 操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Program Files\Windows NT\SERVICES.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\4mz.dll
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:57:15 创建文件 操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Program Files\Windows NT\SERVICES.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\hykii4i.sys
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:57:17 加载驱动程序 操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Program Files\Windows NT\SERVICES.EXE
驱动名称:hykii4i.sys
触发规则:所有程序规则->*


2007-07-23 06:57:19 修改其它进程内存 操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Program Files\Windows NT\SERVICES.EXE
目标进程:C:\Program Files\Internet Explorer\iexplore.exe
触发规则:所有程序规则->系統程序->%ProgramFiles%\Internet Explorer\IEXPLORE.EXE

2007-07-23 06:57:22 创建文件 操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Program Files\Windows NT\SERVICES.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\ACE.dll
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*


2007-07-23 06:57:22 创建文件 操作:允许
进程路径:C:\Program Files\Internet Explorer\iexplore.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\wincab.sys
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

1.它會在C:\Documents and Settings\HungAndy\Local Settings\Temp\生成
4mz.dll
t.sys
2.它會加载驱动程序
t.sys
3.它會修改iexplore.exe的进程内存
4.它會在C\Program Files\Windows NT\生成
SERVICES.EXE
5.它會创建注册表值
HKEY_CURRENT_USER\machine\software\microsoft\windows nt\currentversion\winlogon
Userinit
C:\WINDOWS\system32\userinit.exe,C:\Program Files\Windows NT\SERVICES.EXE,
6.它會在C:\Documents and Settings\HungAndy\Local Settings\Temp\生成
$$c31.tmp
$$c31.tmp.bat
7.它會運行C:\windows\system32\cmd.exe
/c C:\DOCUME~1\HungAndy\LOCALS~1\Temp\$$c31.tmp.bat
8.iexplore.exe會在C\windows\system32\生成
wincab.sys
9.它會運行C\Program Files\Windows NT\SERVICES.EXE
10.SERVICES.EXE會在C:\Documents and Settings\HungAndy\Local Settings\Temp\生成
4mz.dll
hykii4i.sys
11.SERVICES.EXE會加载驱动程序
hykii4i.sys
12.SERVICES.EXE會修改iexplore.exe的进程内存
13.SERVICES.EXE會在C\windows\system32\生成
ACE.dll
14.iexplore.exe會在C\windows\system32\生成
wincab.sys

$$c31.tmp.bat的結構

:try
del "D:\桌面\virus\update1\update1.exe"
if exist "D:\桌面\virus\update1\update1.exe" goto try
del "C:\DOCUME~1\HungAndy\LOCALS~1\Temp\$$c31.tmp.bat"

[BitDefender]

BitDefender Antivirus v10

update.exe Infected: DeepScan:Generic.PWS.Maran.5442D6AF
update1.exe Infected: Packer.Malware.NSAnti.H

[ㄚ一]

BitDefender Antivirus v10

update.exe Infected: DeepScan:Generic.PWS.Maran.5442D6AF
update1.exe Infected: Packer.Malware.NSAnti.H

update.exe 報啟發建議上報
update1.exe 報殼一樣也需要上報