Name: W32/BoBax.79936@mm
Virus type: Worm
Platform: Windows
Symptom summary: Spreads via e-mail and a network security vulnerability; modifies the registry; terminates processes
Risk level: Medium
Spread method: Network, security vulnerability, e-mail
Remediation:
Detected and removed by the TurboVaccine product line.

Users who have not installed the Microsoft MS05-039 security patch must download and install the patch for their operating system from the following link:
MS05-039 security patch page (Korean): http://www.microsoft.com/korea/technet/security/bulletin/MS05-039.mspx

[Note] Microsoft provides MBSA (Microsoft Baseline Security Analyzer), a program that scans for network security vulnerabilities; it is worth running it to check the system:
http://www.microsoft.com/korea/technet/security/tools/Tools/MBSAhome.asp
※ Detailed description

This worm spreads via e-mail and a network security vulnerability.

[Mail subject] Chosen from the following:
  • Accounts department
  • Ahtung!
  • Camila
  • Daily activity report
  • Ello!
  • Flayers among us
  • Freedom for everyone
  • From Hair-cutter
  • From me
  • Greet the day
  • Hardware devices price-list
  • Hello my friend
  • Hi!
  • Jenny
  • Jessica
  • Looking for the report
  • Maria
  • Melissa
  • Monthly incomings summary
  • New Price-list
  • Price
  • Price list
  • Price-list
  • Pricelist
  • Proclivity to servitude
  • Registration confirmation
  • The account
  • The employee
  • The summary
  • USA government abolishes the capital punishment
  • Weekly activity report
  • Well...
  • You are dismissed
  • You really love me? he he

[Mail body] One of the following:
  • +++ Attachment: No Virus found +++ F-Secure AntiVirus - You are protected +++ Norman AntiVirus - You are protected +++ Norton AntiVirus - You are protected +++ Panda AntiVirus - You are protected +++ www.f-secure.com +++ www.norman.com +++ www.pandasoftware.com +++ www.symantec.com
  • Account Information Are Attached!
  • Attached some pics that i found
  • Check this out :-)
  • Cya
  • Empty
  • Everything inside the attach
  • Follow the instructions in the attachment.
  • Hello, I was going through my album, and look what I found..
  • Long time! Check this out!
  • Look it through
  • Mail transaction failed. Partial message is available.
  • Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
  • Osama Bin Laden Captured.
  • Please read the attached document and follow it's instructions.
  • Remember this?
  • Request
  • Response
  • Saddam Hussein - Attempted Escape, Shot dead
  • Secret!
  • Subj
  • Testing
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The original message has been included as an attachment.
  • To safeguard your email account from possible termination, please see the attached file.
  • To unblock your email account acces, please see the attachment.
  • We attached some important information regarding your account.
  • We have suspended some of your email services, to resolve the problem you should read the attached document.
  • please look at attached document.
  • We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

[Attachment] The file name is chosen from the following list: INFO, accepted-password, account-details, account-info, account-password, account-report, account/-details, approved-password, attachment, body, bush, data, doc, document, document/_full, email-details, email-doc, email-info, email-password, email/-doc, email/-info, file, funny, important-details, info, info-text, info/-text, information, instruction, instructions, joke, letter, mail, message, new-password, password, pics, readme, secret, test, text, transcript, updated-password, your/-details.
The extension is chosen from the following: EXE, INFO, DOC, PIF, SCR, TMP.
A .zip attachment is an archive containing a single file with one of the above extensions.

[Characteristics] When the worm runs, it creates the files Msdefr.exe, Nb32ext2.exe, Csrss.exe, Services.exe, Smss.exe and Winlogon.exe in the Windows folder (Windows 2000/NT: c:\Winnt; Windows XP/9x: c:\windows). It also modifies the registry as follows so that it is executed at the next boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  (Windows 2000/NT) RPCserv32g = c:\winnt\(random file name).exe
  (Windows XP) RPCserv32g = c:\windows\(random file name).exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Helloworld = Nb32ext2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  (Windows 2000/NT) Userinit = c:\winnt\system32\userinit.exe,c:\winnt\services.exe
  (Windows XP) Userinit = c:\windows\system32\userinit.exe,c:\windows\services.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
  Start = "00000004" (the default is 00000003)

It also creates the following registry values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  Enable Firewall = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Enable Firewall = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
  Enable Firewall = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  Enable Firewall = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Enable Firewall = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
  IEPsdgxc = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
  Fdfg = "{value}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
  DisableRegistryTools = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
  DisableRegistryTools = "0"

When it finds the processes of a number of security products running (anti-virus updaters, personal firewalls and similar tools), it terminates them.

Finally, it modifies the hosts file to block access to the websites of anti-virus and security vendors, Microsoft's site included.
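As an added defender-side example (not part of the original page), the following Python functions check offline for the traces described above: an extra executable appended to the Winlogon Userinit value, the SharedAccess service set to Start=4 together with Enable Firewall=0, and hosts-file entries that map vendor sites to a loopback or null address. The inputs are plain values; the sample Userinit string and hosts lines are constructed from the description, and on a live Windows host they would be read from the registry and from %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Offline checks for the persistence and defence-evasion traces described above.
Values are passed in as plain strings/ints so the checks run on any OS; on a live
Windows host read them from the registry and %SystemRoot%\\System32\\drivers\\etc\\hosts."""


def check_userinit(value: str, system_dir: str = r"c:\windows\system32") -> list[str]:
    """Return every executable in Winlogon\\Userinit other than the legitimate
    <system_dir>\\userinit.exe (a clean value is that path followed by a comma)."""
    legit = f"{system_dir}\\userinit.exe".lower()
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != legit]


def check_sharedaccess(start: int, enable_firewall: dict[str, int]) -> list[str]:
    """SharedAccess (Windows Firewall/ICS) normally has Start=2 or 3; 4 means the
    service is disabled. Enable Firewall should be 1 under each FirewallPolicy profile."""
    findings = []
    if start == 4:
        findings.append("SharedAccess service disabled (Start=4)")
    for profile, val in enable_firewall.items():
        if val == 0:
            findings.append(f"Enable Firewall=0 under FirewallPolicy\\{profile}")
    return findings


def check_hosts(text: str) -> list[str]:
    """Return hostnames other than localhost that the hosts file maps to a loopback
    or null address, the technique used to block vendor update and support sites."""
    hijacked = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "0.0.0.0", "::1"):
            hijacked += [n for n in names if n.lower() not in ("localhost", "localhost.localdomain")]
    return hijacked


# Constructed sample data modelled on the description above (not a real capture).
SAMPLE_USERINIT = r"c:\windows\system32\userinit.exe,c:\windows\services.exe"
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
0.0.0.0 www.f-secure.com  # null-routed
"""

if __name__ == "__main__":
    print(check_userinit(SAMPLE_USERINIT))
    print(check_sharedaccess(4, {"StandardProfile": 0, "DomainProfile": 0}))
    print(check_hosts(SAMPLE_HOSTS))
```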
※ Prevention and manual remediation