Infected USB - havent.exe
I have always been careful with USB storage devices, and I often remind friends that when they open a USB stick from somewhere else they should avoid double-clicking the device directly in My Computer. But people are greedy for speed and convenience: last week, while fixing a friend's computer, I took the convenient route and got hit...... TvT
Today at work I plugged in my own external hard disk and found an autorun.inf file!!! (IT people are especially sensitive to this... hohooo)
Opening it, the contents were:
######################################################
[autorun]
USEAUTOPLAY=1
shellexecute=recthis/havent.exe
action=Open program to update using Windows Explorer
Shellbfshdvvngjewiofgw
shell\Explore\command=recthis/havent.exe
shellOpen\command=recthis/havent.exe
icon=recthis/havent.exe
open=recthis/havent.exe
######################################################
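To make the quoted autorun.inf concrete, here is an added Python triage helper (my example, not code from the original post): it parses the file, collects every key Windows would use to launch a program, and flags lines that are not key=value pairs, such as the junk line above. It assumes the standard autorun.inf key names (open, shellexecute, shell\<verb>\command) and treats the shellOpen\command spelling as a variant of shell\Open\command.

```python
import re

# The autorun.inf quoted in the post, embedded so this runs offline; the junk
# line "Shellbfshdvvngjewiofgw" is kept because the real file contained it.
SAMPLE_AUTORUN = r"""[autorun]
USEAUTOPLAY=1
shellexecute=recthis/havent.exe
action=Open program to update using Windows Explorer
Shellbfshdvvngjewiofgw
shell\Explore\command=recthis/havent.exe
shellOpen\command=recthis/havent.exe
icon=recthis/havent.exe
open=recthis/havent.exe
"""

LAUNCH_KEYS = {"open", "shellexecute"}  # run on insert / double-click
# shell\<verb>\command=... hooks a context-menu verb; the optional first
# backslash also matches the "shellOpen\command" spelling seen above.
SHELL_VERB = re.compile(r"^shell\\?([a-z0-9_]*)\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Return (targets, junk): targets maps each program-launching key to
    its value; junk lists [autorun] lines that are not key=value pairs."""
    targets, junk, in_autorun = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun:
            continue
        if "=" not in line:
            junk.append(line)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or SHELL_VERB.match(key):
            targets[key] = value
    return targets, junk


def triage(text):
    """Summarise what Explorer would launch and flag subfolder targets/junk."""
    targets, junk = parse_autorun(text)
    exes = sorted({v.replace("/", "\\") for v in targets.values()})
    return {"launch_keys": sorted(targets), "executables": exes,
            "in_subfolder": any("\\" in e for e in exes), "junk_lines": junk}
```

Run triage() on the autorun.inf of any suspect volume to see where it points before opening anything under that path; icon= is deliberately not treated as a launch key because Explorer only reads the icon resource from it.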
I immediately went into the hidden recthis folder to see what was there, and inside it was havent.exe. Then I Googled "recthis/havent.exe", "havent.exe", "recthis", "havent.exe virus"...... and found no virus information at all ^^"
............Don't celebrate yet. I uploaded that havent.exe to VirSCAN.org for a scan, and it hit the jackpot. The results are as follows:
#####################################################
VirSCAN.org Scanned Report :
Scanned time : 2012/03/27 10:05:32 (HKT)
Scanner results: 42%的防毒軟體(15/36)報告發現病毒
File Name : havent.exe
File Size : 83456 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 7bfdc1359cd185f7f88265eaa083fcfc
SHA1 : 5347117ea9f62fb3575721fe9731572a3d5d01d6
Online report : http://r.virscan.org/f5d51d7954d848151b9b14679664e572
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120327090133 2012-03-27 8.34 Trojan.Win32.Inject!IK
AhnLab V3 2012.03.26.00 2012.03.26 2012-03-26 9.38 Trojan/Win32.Inject
AntiVir 8.2.10.24 7.11.25.222 2012-03-22 0.18 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.28 -
Arcavir 2011 201203261318 2012-03-26 4.17 -
Authentium 5.1.1 201203262108 2012-03-26 1.57 -
AVAST! 4.7.4 120326-2 2012-03-26 0.22 Win32:Morphex-D [Cryp]
AVG 12.0.1782 2114/4896 2012-03-26 0.26 Win32/Cryptor
BitDefender 7.90123.6969119 7.41595 2012-03-25 3.78 Gen:Variant.Kazy.60719
ClamAV 0.97.3 14703 2012-03-26 0.22 -
Comodo 5.1 11914 2012-03-26 4.65 UnclassifiedMalware
CP Secure 1.3.0.5 2012.03.27 2012-03-27 0.16 -
Dr.Web 7.0.1.2210 2012.03.26 2012-03-26 12.62 Win32.HLLW.AutorunerENT.44048
F-Prot 4.6.2.117 20120326 2012-03-26 1.04 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 0.26 -
Fortinet 4.3.392 15.354 2012-03-25 0.28 W32/Kryptik.ANM!tr
GData 22.4431 20120327 2012-03-27 8.71 Gen:Variant.Kazy.60719 [Engine:A]
ViRobot 20120326 2012.03.26 2012-03-26 0.65 -
Ikarus T3.1.32.20.0 2012.03.26.80812 2012-03-26 5.28 Trojan.Win32.Inject
JiangMin 13.0.900 2012.03.26 2012-03-26 5.48 -
Kaspersky 5.5.10 2012.03.26 2012-03-26 0.26 Trojan.Win32.Inject.dfmo
KingSoft 2009.2.5.15 2012.3.27.9 2012-03-27 4.80 -
McAfee 5400.1158 6661 2012-03-26 9.20 W32/Worm-FBY!7BFDC1359CD1
Microsoft 1.8202 2012.03.27 2012-03-27 21.05 Trojan:Win32/Rimecud.A
NOD32 3.0.21 7001 2012-03-26 0.24 a variant of Win32/Kryptik.ACMS trojan
Panda 9.05.01 2012.03.25 2012-03-25 14.55 -
Trend Micro 9.500-1005 8.866.05 2012-03-26 0.56 -
Quick Heal 11.00 2012.03.26 2012-03-26 2.73 -
Rising 20.0 24.03.00.01 2012-03-26 4.59 -
Sophos 3.29.0 4.75 2012-03-27 10.65 -
Sunbelt 3.9.2530.2 11715 2012-03-26 7.58 -
Symantec 1.3.0.24 20120325.018 2012-03-25 0.33 -
nProtect 20120326.01 10984255 2012-03-26 12.87 -
The Hacker 6.7.0.1 v00433 2012-03-25 3.57 -
VBA32 3.12.16.4 20120326.1018 2012-03-26 3.18 BScope.Worm.Palevo.1531
VirusBuster 5.4.1.9 14.1.280.0/8229412 2012-03-26 0.18 -
####################################################
Neither Yahoo nor Google had any information on it. A new trojan?? How lucky.
Also, you might ask why I don't put a folder named autorun.inf on my own USB drive to prevent this kind of virus. I think that as a user this kind of prevention is worthwhile, but as system administrators we should get a measured amount of exposure to material that threatens system security, so as to strengthen our future security skills and knowledge.