Re: [問題] SLATKO\torta.exe

看板AntiVirus (防毒)作者decorum (Brave New World)時間16年前 (2010/01/29 22:08)推噓0(0推 0噓 0→)

留言0則, 0人參與討論串2/2 (看更多)

※ 引述《decorum (Brave New World)》之銘言： : 在隨身碟上發現的，應該是在圖書館看資料庫，存取資料時感染的， : 會在隨身碟上顯示出一個資源回收桶。google 了一下，發現討論的人很少， : 而且沒什麼結論： : http://forum.avast.com/index.php?action=printpage;topic=53297.0 : 不知道有什麼損害。早上用 xpe 開機，把 autorun.ini 和 SLATKO 目錄 : 砍了，不知道算了帳了嗎？ Symantec 有這個木馬的資訊了。會開後門，監視網路瀏覽活動，並盜取密碼。google 查到的資訊只有700多條，但是我跟學校圖書館說機器中標，已經過了幾個星期，他們也還沒處理！ http://www.symantec.com/security_response/writeup.jsp? docid=2010-011915-4635-99&tabid=2 Discovered: January 19, 2010 Updated: January 19, 2010 5:21:37 PM Type: Worm Infection Length: 142,848 bytes Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000 When the worm is executed, it creates the following files: %SystemDrive%\RECYCLER\[SID]\nissan.exe %SystemDrive%\RECYCLER\[SID]\Desktop.ini %DriveLetter%\RECYCLER\[SID]\csrxx.exe (W32.IRCBot) %DriveLetter%\SLATKO\torta.exe %DriveLetter%\SLATKO\Desktop.ini %DriveLetter%\autorun.inf It then creates the following registry entry, so that it starts when Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "C:\RECYCLER\[SID]\nissan.exe" The worm then opens a back door and connects to the following domains on UDP port 25000: sandra.prichaonica.com pica.banjalucke-ljepotice.ru l33t.brand-clothes.net The worm also copies itself to the shared folder of the following file-sharing programs: Ares BearShare iMesh Shareaza Kazaa DC++ eMule LimeWire It then monitors browsing activities, logging passwords stored in the browsers. The worm will send messages through Microsoft instant messaging programs, such as MSN Messenger and Windows Live Messenger, that include a link to download the worm. -- There are a lot things we don't want to know about the people we love. --- Chuck Palahniuk -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 203.67.147.36