Virus name | Worm-W32/Zotob.15386 |
Virus type | Worm |
Execution environment | Windows |
Origin | Unknown |
Discovery date | 20050815 |
Virus size | 15,386 Byte |
Mail subject | |
Attachment | |
Virus symptoms |
This worm is a variant of Worm-W32/Zotob.22528. It spreads by exploiting a Windows security vulnerability,
changes registry values, causes a Services.exe error that reboots the system,
and opens a specific port to attempt a connection to an IRC server.
[Characteristics]
When the worm runs, it creates the file Botzor.exe (22,528 bytes) in the Windows system folder
(Win 2000, NT: c:\Winnt\system32, Win XP: c:\windows\system32).
It also modifies the registry as follows so that it runs at the next boot.
Under the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
it writes
csm Win Updates = "csm.exe"
and under the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
it writes
csm Win Updates = "csm.exe"
On Windows XP, it modifies the following registry value related to the firewall settings.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess
Start = "4"
It then uses TCP port 445 to download haha.exe, which contains the remote shell script 2PAC.txt,
and attempts to connect to a specific IRC server.
(The resulting excessive traffic puts load on the network, so other PCs on the
surrounding network may also be unable to perform network operations.)
The following actions can be performed on a connected system.
1. Connect to specific sites
2. Transmit system information
3. Forcibly terminate processes
4. Collect e-mail addresses
5. Execute and delete files
Finally, in the same way as W32/Mytob.33485@mm, which exploits the vulnerabilities
addressed by the MS04-011 security patch and MS04-026, it modifies the Hosts file
to block access to specific addresses.
The contents are as follows.
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
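
An added example (not part of the original advisory or of any vendor tool): a Python check for the host indicators described above, namely the two `csm Win Updates` autorun values, the SharedAccess `Start = "4"` value, and Hosts entries that point names at 127.0.0.1. The registry snapshot format, the function names, and the `.example` hostnames are constructed assumptions.

```python
import ipaddress

# Registry indicators listed in the write-up above: (key, value name, data).
HKLM = "HKEY_LOCAL_MACHINE\\"
REG_INDICATORS = [
    (HKLM + r"Software\Microsoft\Windows\CurrentVersion\Run", "csm Win Updates", "csm.exe"),
    (HKLM + r"Software\Microsoft\Windows\CurrentVersion\RunServices", "csm Win Updates", "csm.exe"),
    (HKLM + r"System\CurrentControlSet\Services\SharedAccess", "Start", "4"),
]
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

def loopback_redirects(hosts_text):
    """Hostnames that a hosts file pins to a loopback or unspecified address."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        if addr.is_loopback or addr.is_unspecified:
            hits += [n.lower() for n in fields[1:] if n.lower() not in BENIGN_NAMES]
    return hits

def registry_hits(snapshot):
    """snapshot maps (key, value name) -> data; names compare case-insensitively."""
    norm = {(k.lower(), v.lower()): str(d).strip().strip('"').lower()
            for (k, v), d in snapshot.items()}
    return [(k, v) for k, v, d in REG_INDICATORS if norm.get((k.lower(), v.lower())) == d]

# Constructed sample data (placeholder names, not taken from an infected host).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   www.av-vendor.example    # update site
127.0.0.1   Shop.example pay.example
10.0.0.5    intranet.example
not-an-ip   broken.example
"""
SAMPLE_REG = {
    (HKLM + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "csm Win Updates"): '"csm.exe"',
    (HKLM + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon"): "ctfmon.exe",
    (HKLM + r"SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"): 4,
}

if __name__ == "__main__":
    print("hosts redirects:", loopback_redirects(SAMPLE_HOSTS))
    print("registry hits:", registry_hits(SAMPLE_REG))
```

A SharedAccess `Start` value of 4 marks the service as disabled, so a hit there is worth reviewing even when the autorun values are absent.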
|
Treatment |
It can be detected and cleaned with the TurboVaccine product line.
Users who have not applied the Microsoft MS05-039 security patch
must download and install the patch that matches their operating system from the following link.
MS05-039 security patch page description (Korean)
Users who have not applied the Microsoft MS04-011 and MS04-026 security patches
must download and install the patch that matches their operating system from the following link.
MS04-011 security patch page description (Korean)
MS03-039 security patch page description (Korean)
View Microsoft's critical security patches for August
If you use TurboVaccine Ai and Outlook, be sure to run the e-mail monitor.
|
Manual removal |