2008-03-17, 23:04
#1
Forum administrator
Join date: 2003-04
Location: Taipei
Posts: 16,393
Thanks: 12
Thanked 16 times in 11 posts
[Repost] Infostealer.Geemarc, a Trojan that steals Gmail credentials
Quote:
2008-03-10 Infostealer.Geemarc, a Trojan that steals Gmail credentials
Type:
Trojan
Affected platforms:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Summary:
Infostealer.Geemarc is a Trojan that steals Gmail account credentials.
Description:
When Infostealer.Geemarc is executed, it performs the following actions:
1. Creates the following files:
%UserProfile%\Desktop\G-Archiver 1.0.lnk
%UserProfile%\Start Menu\Programs\MateMedia\G-Archiver\G-Archiver 1.0.lnk
%ProgramFiles%\MateMedia\G-Archiver 1.0\G-Archive\Banner.gif
%ProgramFiles%\MateMedia\G-Archiver 1.0\G-Archiver 1.0.exe
%ProgramFiles%\MateMedia\G-Archiver 1.0\G-ArchiverIcon.ico
%ProgramFiles%\MateMedia\G-Archiver 1.0\License.rtf
%ProgramFiles%\MateMedia\G-Archiver 1.0\Mail.dll
%ProgramFiles%\MateMedia\G-Archiver 1.0\SM.dll
%Windir%\Installer\{CE5F519C-E1E6-4DBC-9466-233F156244C7}\_6FEFF9B68218417F98F549.exe
%Windir%\Installer\{CE5F519C-E1E6-4DBC-9466-233F156244C7}\_72F4B9A3636570A0827CE3.exe
%Windir%\Installer\{CE5F519C-E1E6-4DBC-9466-233F156244C7}\_A01885BE201430C921BA79.exe
2. Creates the following folder:
%Windir%\Installer
3. In the folder above, creates the following .msi files:
%Windir%\Installer\[RANDOM 5 DIGIT HEXADECIMAL FILE NAME].msi
%Windir%\Installer\[RANDOM 6 DIGIT HEXADECIMAL FILE NAME].msi
Note: similar to the following files:
%Windir%\Installer\4ed355.msi
%Windir%\Installer\4ed35.msi
4. Creates the following temporary files:
%UserProfile%\Local Settings\Temp
5. Creates the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE5F519C-E1E6-4DBC-9466-233F156244C7}
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Assemblies
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\C915F5EC6E1ECBD4496632F35126447C
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\DC62B62C2A90373449E4936579767009
6. Creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\"MateMedia" = " "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\MateMedia\"G-Archiver 1.0" = " "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\MateMedia\G-Archiver 1.0\"G-Archive" = " "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Documents and Settings\All Users\Start Menu\Programs\"MateMedia " = " "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Documents and Settings\All Users\Start Menu\Programs\MateMedia\"G-Archiver " = " "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Windows\Installer\"{CE5F519C-E1E6-4DBC-9466-233F156244C7}" = " "
7. Steals the Gmail account name and password and, after logging in, sends e-mail to the attacker.
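The file and registry indicators above, turned into a read-only host check (an added example, not part of the original post or of the writeup it quotes). The `scan_host` and `expand` names, the environment-variable values and the host snapshot in the test are assumptions; registry lookup is left to a callable the caller supplies.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Indicators copied from the writeup above. Only the distinctive paths are used; the
# random-named %Windir%\Installer\*.msi packages are treated as a weak indicator.
GEEMARC_GUID = "{CE5F519C-E1E6-4DBC-9466-233F156244C7}"
GEEMARC_FILES = [
    "%UserProfile%\\Desktop\\G-Archiver 1.0.lnk",
    "%ProgramFiles%\\MateMedia\\G-Archiver 1.0\\G-Archiver 1.0.exe",
    "%ProgramFiles%\\MateMedia\\G-Archiver 1.0\\Mail.dll",
    "%ProgramFiles%\\MateMedia\\G-Archiver 1.0\\SM.dll",
    "%Windir%\\Installer\\" + GEEMARC_GUID,
]
GEEMARC_KEYS = [
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + GEEMARC_GUID,
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Products\\C915F5EC6E1ECBD4496632F35126447C",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\UpgradeCodes\\DC62B62C2A90373449E4936579767009",
]
# "[RANDOM 5 DIGIT HEXADECIMAL FILE NAME].msi" and the 6-digit variant (4ed35.msi, 4ed355.msi)
MSI_NAME_RE = re.compile(r"^[0-9a-f]{5,6}\.msi$", re.IGNORECASE)


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %Var% placeholders as the writeup uses them; variable lookup is case-insensitive."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower.get(m.group(1).lower(), m.group(0)), path)


def scan_host(env: Dict[str, str], path_exists: Callable[[str], bool],
              key_exists: Callable[[str], bool], installer_listing: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs present on the host. The callables abstract the host, so
    the same logic runs against a live system (os.path.exists, a winreg lookup) or a snapshot."""
    hits = [("file", p) for p in (expand(f, env) for f in GEEMARC_FILES) if path_exists(p)]
    hits += [("regkey", k) for k in GEEMARC_KEYS if key_exists(k)]
    # Random-named MSI packages exist for any installed product, so they are only
    # reported once a strong indicator has already matched.
    if hits:
        prefix = expand("%Windir%\\Installer\\", env)
        hits += [("weak-msi", prefix + n) for n in installer_listing if MSI_NAME_RE.match(n)]
    return hits


if __name__ == "__main__":
    import os  # read-only live check; registry lookup is stubbed so this also runs off-Windows
    env = {k: os.environ.get(k, "") for k in ("UserProfile", "ProgramFiles", "Windir")}
    inst = env["Windir"] + "\\Installer"
    listing = os.listdir(inst) if os.path.isdir(inst) else []
    for kind, ind in scan_host(env, os.path.exists, lambda k: False, listing):
        print(f"[{kind}] {ind}")
```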
Full text:
http://www.icst.org.tw/content/appli...%2C3255%2Cplan
__________________
[Novel] TWFTP can hand out "nice guy" cards too!
[Nonsense] Calling IRC a "chat room" rather understates what it can do (  ̄ c ̄)y▂ξ
[On point] How a stable server ought to behave