The ZIDDU file-hosting space has been trojaned, and it's the same adware virus I caught last time??? Hardly any antivirus products detect it....


I was just looking for a KIS 7.0 key...
h**p://www.ziddu.com/download.php?uid=caydlJqobaqelOKnaaqhkZSrZqyfmZmm9
I found that no matter which one you go into...
of the things other people have uploaded to ziddu...
once you are on that page...
a pile of ads pops up...
and it downloads something called ~ninstall.exe...
to C:\WINDOWS\temp\
C:\WINDOWS\System32\drivers\svchost.exe
and creates a registry entry...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
<SVCHOST.EXE><D:\WINDOWS\System32\drivers\svchost.exe>

Then....
D:\WINDOWS\System32\drivers\svchost.exe
downloads winupdate.exe
to...
D:\WINDOWS\system32\winupdate.exe
and creates a registry entry...
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
<run><"D:\WINDOWS\system32\winupdate.exe">
and then downloads a large number of trojans and viruses...
Exactly the same situation as when I visited Funny Flash Games last time...
This virus seems to be popular in the US...
Below are the VT scan results...
http://www.virustotal.com/zh-tw/ ... 91b181ffb997b73815d
My God... only two vendors detect it...


Below is the help request I posted a few weeks ago...
Exactly the same symptoms...
http://www.avpclub.ddns.info/dis ... ;highlight=%BCs%A7i

[ This post was last edited by krichard2007 on 2008-7-3 13:30 ]

~ninstall.rar
(2008-07-03 13:30:06, Size: 19.9 kB, Downloads: 35)
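The post describes two persistence tricks worth checking for on any machine that visited such a page: a binary named svchost.exe planted outside System32 and started from the HKCU Run key, and the legacy `run` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows` (the old win.ini-style autorun, which is almost never set legitimately). The following audit script is an added example, not code from the original post. It runs offline against constructed entries modelled on the registry values quoted above (drive letter normalised to C:, following the author's later correction that the system sits on D:); the `ctfmon` entry, the `SYSTEM_BINARIES` set and the `WINDIR` value are assumptions, and `live_entries()` is an optional reader for a real Windows host.

```python
"""Audit Windows autorun entries for masquerading system binaries and the
legacy win.ini-style "run"/"load" values.  Added example; the sample
entries are constructed from the registry values quoted in the post."""
import ntpath
from typing import List, Tuple

WINDIR = r"C:\WINDOWS"  # assumed system root for the sample entries

# Constructed sample: the two entries the post reports, plus two benign ones
# (the ctfmon entry is hypothetical; an empty "load" value is the default).
SAMPLE_AUTORUNS: List[Tuple[str, str, str]] = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "SVCHOST.EXE", r"C:\WINDOWS\System32\drivers\svchost.exe"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "run", r'"C:\WINDOWS\system32\winupdate.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "load", ""),
]

# Core Windows binaries that legitimately live only in System32/SysWOW64;
# a copy anywhere else (e.g. System32\drivers) is a classic masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe"}

LEGACY_WINDOWS_KEY = r"software\microsoft\windows nt\currentversion\windows"


def image_path(data: str) -> str:
    """Return the executable path from a Run-style command string,
    honouring a leading double-quoted path and dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def audit_entry(key: str, name: str, data: str, windir: str = WINDIR) -> List[str]:
    """Return human-readable findings for one (key, value name, data) entry."""
    findings: List[str] = []
    path = image_path(data)
    if not path:                      # unset value, nothing to start
        return findings
    base = ntpath.basename(path).lower()
    parent = ntpath.normpath(ntpath.dirname(path)).lower()
    legit_dirs = {ntpath.join(windir, d).lower() for d in ("System32", "SysWOW64")}
    if base in SYSTEM_BINARIES and parent not in legit_dirs:
        findings.append(f"{key}\\{name}: system binary name '{base}' "
                        f"outside System32 ({path})")
    if key.lower().endswith(LEGACY_WINDOWS_KEY) and name.lower() in ("run", "load"):
        findings.append(f"{key}\\{name}: legacy win.ini-style autorun set to {path}")
    if parent.startswith(ntpath.join(windir, "temp").lower()):
        findings.append(f"{key}\\{name}: autorun image in the temp directory ({path})")
    return findings


def audit(entries) -> List[str]:
    """Audit every entry and collect the findings in order."""
    out: List[str] = []
    for key, name, data in entries:
        out.extend(audit_entry(key, name, data))
    return out


def live_entries() -> List[Tuple[str, str, str]]:
    """Read the same three keys from a live Windows host; empty elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    targets = [
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run", "HKCU"),
        (winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run", "HKLM"),
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "HKCU"),
    ]
    entries = []
    for hive, sub, label in targets:
        try:
            with winreg.OpenKey(hive, sub) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:      # no more values
                        break
                    if isinstance(data, str):
                        entries.append((f"{label}\\{sub}", name, data))
                    i += 1
        except OSError:                  # key absent or access denied
            continue
    return entries


if __name__ == "__main__":
    for line in audit(live_entries() or SAMPLE_AUTORUNS):
        print("SUSPICIOUS:", line)
```

Run on the constructed sample it reports exactly the two entries from the post; on a Windows host it reads the live keys instead. Matching on the binary's directory rather than its name alone is what catches the `System32\drivers\svchost.exe` copy, and the empty `load` value shows why a non-empty `run`/`load` is the signal, not the mere presence of the key.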



  • alex222 (2008-7-03 13:36:44)

    Is that hosting site really that scary??
    I just recently saw someone sharing stuff there
    and was thinking of downloading it = ="...
  • krichard2007 (2008-7-03 13:44:17)

    Sorry, the paths above say the D: drive because my system is on D:...
    I forgot to change them to C:...
    Everyone just read them as C:..

    [ This post was last edited by krichard2007 on 2008-7-3 13:53 ]
  • 14167 (2008-7-03 13:45:40)

    Reported to Avira
  • barbara (2008-7-03 14:32:12)

    The ziddu hosting space really is fast.... probably because its user base is growing by the day, it has been targeted by criminals

    Looking at the VT scan results... this thing really was well prepared. Doesn't the OP's machine have any HIPS-type software on it?
  • m1224542 (2008-7-03 19:33:49)

    Is it like this everywhere??
  • m1224542 (2008-7-03 20:01:14)

    Checked with Google
    http://www.google.com/safebrowsi ... KnaaqhkZSrZqyfmZmm9

    What is the current listing status for www.ziddu.com/?

        This site is not listed as suspicious.

    What happened when Google visited this site?

        Of the 280 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 07/02/2008, and the last time suspicious content was found on this site was on 05/28/2008.

        Malicious software includes 16 trojan(s). Successful infection resulted in an average of 4 new processes on the target machine.

        Malicious software is hosted on 2 domain(s), including adxanet.net, picksday.com.

        8 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including adecn.com, adrefer.net, adjuggler.com.

    Has this site acted as an intermediary resulting in further distribution of malware?

        Over the past 90 days, www.ziddu.com/ appeared to function as an intermediary for the infection of 4 site(s) including axill.com, wrestlenewz.com, bulanpurnama.blogdrive.com.

    Has this site hosted malware?

        No, this site has not hosted malicious software over the past 90 days.
  • wopti (2008-7-03 20:51:11)

    驱逐舰 found no virus present
  • wsc47621 (2008-7-03 21:33:38)

    ESET didn't detect it
  • krichard2007 (2008-7-03 21:42:26)

    Kaspersky has replied...
    Hello,

    ~ninstall.exe_ - Trojan-Proxy.Win32.Agent.arf

    New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

    Please quote all when answering.

    --
    Best regards, Evgeny Aseev
    Virus analyst, Kaspersky Lab.
    e-mail: newvirus@kaspersky.com
    http://www.kaspersky.com/

    http://www.kaspersky.com/virusscanner - free online virus scanner.
    http://www.kaspersky.com/helpdesk.html - technical support.

    > Attachment: ~ninstall.rar

    >    mtx
  • sun88990 (2008-7-03 22:28:32)

    Already reported to McAfee; it will be added to the detection database within the next day or two~
  • m1224542 (2008-7-04 17:01:55)

    Avira's reply is as follows

    We received the following archive files:
    File ID          Filename         Size (Byte)         Result
    25064810          ~ninstall.rar         19.94 KB         OK

    A listing of files contained inside archives alongside their results can be found below:
    File ID          Filename         Size (Byte)         Result
    25064811          ~ninstall.exe          27 KB          MALWARE


    Please find a detailed report concerning each individual sample below:
    Filename         Result
    ~ninstall.exe          MALWARE

    The file '~ninstall.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Proxy.Agent.arf. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.00.05.46.

    Source: http://analysis.avira.com/sample ... p;incidentid=169751
  • kkavp (2008-7-04 19:03:28)

    Access to the data has been denied!
    Warning: A virus or unwanted program has been found in the HTTP Data.

    Requested URL:         http://www.avpclub.ddns.info/discuz/attachment.php?aid=6435
    Information:         Is the Trojan horse TR/Proxy.Agent.arf

    Generated by AntiVir WebGuard 8.0.13.0, AVE 8.1.0.64, VDF 7.0.5.48
    ==================================================
    It won't even let me download it
    Avira puts my mind at ease
  • 郭政勳 (2008-7-05 04:21:06)

    費爾 can't find it
  • 14167 (2008-7-06 23:08:01)

    Kaspersky
    Internet Security 2009
    Access denied
    The requested URL could not be retrieved

    While trying to retrieve the URL:

    http://www.avpclub.ddns.info/discuz/
    attachment.php?aid=6435

    The following error was encountered:

    The requested object is INFECTED with the following viruses: Trojan-Proxy.Win32.Agent.arf
  • said411f (2008-7-07 09:42:18)

    h**p://www.ziddu.com/download.php?uid=caydlJqobaqelOKnaaqhkZSrZqyfmZmm9
    LinkScanner Pro ignores it

    Kaspersky v3.5 Swiss edition intercepted the download
    1 trojan

  • 挪威的冬天 (2008-7-07 12:09:08)

    信息        2008-07-07  12:08:41        您此次查毒隔离了1个文件
    信息        2008-07-07  12:08:41        您此次查毒共查出1个病毒以及危险代码
    信息        2008-07-07  12:08:41        您此次查毒共查了内存模块0个,磁盘引导扇区0个,文件2个
    信息        2008-07-07  12:08:41        金山毒霸主程序查毒过程结束,查毒方式:命令行查毒
    病毒        2008-07-07  12:08:41        D:\Desktop\~ninstall.rar\~ninstall.exe        Win32.Troj.Agent.27648        隔离成功