¿¡ºê¸®Á¸¼Ò°³ | Á¦Ç°¼Ò°³ | °í°´¼¾ÅÍ | »çÀÌÆ®¸Ê | Home
°³ÀÎ°í°´ ¿©¼º°í°´ eº¸¾È¸¶ÄÏ À̺¥Æ®
°³ÀÎ°í°´±â¾÷°í°´
º¸¾ÈÁ¢¼Ó IDÀúÀå
AD ¹«·á·Î Ã¥¹Þ¾Æ°¡¼¼¿ä!


 ¸ñ·Ï |  À­±Û |  ¾Æ·§±Û  
Worm-W32/Welchia.12800.B
 ¹ÙÀÌ·¯½º Á¾·ù
Worm
 ½ÇÇàȯ°æ
Win9x, Win2000, NT
 ¹ß°ßÀÏ
2004³â02¿ù13ÀÏ
 Á¦ÀÛÁö
ºÒºÐ¸í
 À§Çèµî±Þ
 È®»ê¹æ¹ý
 ¹ÙÀÌ·¯½º Å©±â
12,800 Bytes
 Ã·ºÎÆÄÀÏ
 ¸ÞÀÏÁ¦¸ñ
  
 Áõ»ó¿ä¾à
  
 Ä¡·á¹æ¹ý

Åͺ¸¹é½Å Ai, Åͺ¸¹é½Å 2001 ¶Ç´Â Åͺ¸¹é½Å OnlineÀ¸·Î Ä¡·á
°¡´É ÇÕ´Ï´Ù.

Ä¡·á ÈÄ windows 2000 Server À̻󿡼­ IIS ¼­¹ö¸¦ »ç¿ëÇϽô À¯Àú´Â
±Ùº»ÀûÀÎ ÇØ°áÀ» À§ÇØ ´ÙÀ½ÀÇ À©µµ¿ìÁî º¸¾ÈÆÐÄ¡¸¦ ¼öÇà ÇϽñ⠹ٶø´Ï´Ù.

*WebDAV ÆÐÄ¡
http://www.microsoft.com/korea/technet/security/bulletin/MS03-013.asp

*RPC-DCOM º¸¾ÈÆÐÄ¡ ´Ù¿î·Îµå ¾È³»
http://www.microsoft.com/korea/technet/security/bulletin/MS03-039.asp

*¿öÅ©½ºÅ×ÀÌ¼Ç ¼­ºñ½ºÀÇ ¹öÆÛ ¿À¹ö·± º¸¾ÈÆÐÄ¡ ´Ù¿î·Îµå ¾È³»
http://www.microsoft.com/korea/technet/security/bulletin/MS03-049.asp


  
 
»ó¼¼¼³¸í
Worm-W32/Blaster ¿Í °°Àº NT °è¿­ÀÇ
DCOM RPC º¸¾ÈÀÇ Ãë¾àÁ¡À» ÀÌ¿ëÇÏ¿© °¨¿° ÀüÆĵȴÙ.

±×·¯³ª À©µµ¿ìÁî ¾÷µ¥ÀÌÆ® »çÀÌÆ®¿¡¼­ ÇØ´ç OS ¾ð¾îº° DCOM RPC ÆÐÄ¡¸¦
´Ù¿î¹Þ¾Æ ¼³Ä¡ÇÑ ÈÄ¿¡ ÀçºÎÆÃÈÄ W32/Mydoom@mmÀÌ »ý¼ºÇÑ ´ÙÀ½°ú °°Àº ÆÄÀÏÀÌ
Á¸ÀçÇÏ¸é »èÁ¦½Ãµµ¸¦ ÇÑ´Ù.

ctfmon.dll
Explorer.exe
shimgapi.dll
TaskMon.exe

HEKY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Ç׸ñ¿¡

windows xpÀÇ °æ¿ì : TaskMon = c:\windows\system32\taskmon.exe
window 2000ÀÇ °æ¿ì : TaskMon = c:\winnt\system32\taskmon.exe


¿úÀÌ ½ÇÇà µÇ¸é À©µµ¿ì ½Ã½ºÅÛ ÇÏÀ§ driversÆú´õ(win 2000, NT : c:\winnt\system32\drivers
Windows Xp : c:\windows\system32\drivers)¿¡
svchost.exe(12,800 byte)¸¦ »ý¼ºÇÑ´Ù.

svchost.exe ÆÄÀÏÀº ½Ã½ºÅÛ Æú´õ(c:\winnt\system32)ÀÇ svchost.exe¿Í ´Ù¸¥ ÆÄÀÏÀÌ´Ù.

¶ÇÇÑ ÀÚ½ÅÀ» ¼­ºñ½º·Î µî·Ï µÇ¾î ½ÇÇàÇÒ¼ö ÀÖ°Ô ¾Æ·¡ÀÇ ³»¿ëÀÌ ·¹Áö½ºÆ®¸®¿¡ Ãß°¡ µÈ´Ù.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WksPatch

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WksPatch

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch


±×¸®°í °¨¿° ´ë»ó ½Ã½ºÅÛÀ» ã±â À§ÇØ ICMP ¶Ç´Â, PING ½ÅÈ£¸¦ º¸³»°Ô µÇ¸ç,
ÀÌ °úÁ¤¿¡¼­ ³×Æ®¿÷ Æ®·¡ÇÈÀÌ Áõ°¡ÇÏ°Ô µÈ´Ù.

ÀÌ¿úÀº 3°¡Áö Ãë¾àÁ¡°ú ³×°¡Áö Æ÷Æ®¸¦ ÀÌ¿ëÇÏ¿© ½Ã½ºÅÛ ÀÌ»óÀ» ÀÏÀ¸Å°´Âµ¥, ´ÙÀ½°ú °°´Ù.

1. 135¹ø Æ÷Æ®¸¦ ÅëÇؼ­´Â DCOM RPC Ãë¾àÁ¡(http://www.microsoft.com/korea/technet/security/bulletin/MS03-039.asp)
2. 80¹ø Æ÷Æ®¸¦ ÅëÇؼ­´Â WebDav Ãë¾àÁ¡(http://www.microsoft.com/korea/technet/security/bulletin/MS03-007.asp)
3. TCP 139¹ø°ú 445 Æ÷Æ®¸¦ ÅëÇؼ­´Â Workstation service buffer overrun Ãë¾àÁ¡(http://www.microsoft.com/korea/technet/security/bulletin/MS03-049.asp

¿úÀº À̵é Ãë¾àÁ¡À» ÀÌ¿ëÇÏ¿© IIS 5.0 ½Ã½ºÅÛÀ» °ø°ÝÇÑ´Ù.

±×¸®°í À©µµ¿ìÁîÀÇ ÄÚµåÆäÀÌÁö¸¦ È®ÀÎ ÇÏ¿© ÀϺ»¾î ÆäÀÌÁö¶ó¸é

IIS Help ¿Í Virtual Roots Æú´õ¿¡ .shtml,.shtm,.stm,.cgi,.php,.html,.htm,.asp

ÆÄÀÏÀ» ´ÙÀ½ÀÇ HTML ÅؽºÆ®·Î °ãÃľ´´Ù.

LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15
Let history tell future !

¶ÇÇÑ ½Ã½ºÅÛ³¯Â¥¸¦ üũÇÏ¿© 2004³â 6¿ù1ÀÏ ÀÌÈÄ¿¡ ½ÇÇàµÇ¸é ÀÚ½ÅÀ» »èÁ¦ÇÑ´Ù.
 
¿¹¹æ ¹× ¼öµ¿Á¶Ä¡¹æ¹ý
¹«´ÜÀüÀç¤ý¹èÆ÷±ÝÁö
¿¡ºê¸®Á¸¿¡¼­ Á¦°øÇÏ´Â ¸ðµç ÄÁÅÙÃ÷ Á¤º¸¿¡ ´ëÇÑ ÀúÀÛ±ÇÀº ¿¡ºê¸®Á¸ÀÇ ¼ÒÀ¯ÀÌ¸ç °ü·Ã¹ýÀÇ º¸È£¸¦ ¹Þ½À´Ï´Ù.
¿¡ºê¸®Á¸ÀÇ »çÀü Çã°¡ ¾øÀÌ ¿¡ºê¸®Á¸ ÄÁÅÙÃ÷¸¦ ¹«´ÜÀ¸·Î ÀüÀç, ¹èÆ÷¸¦ ±ÝÁöµÇ¾î ÀÖ½À´Ï´Ù.
À̸¦ À§¹ÝÇÏ´Â °æ¿ì ¼ÕÇعè»óÀÇ ´ë»ó ¶Ç´Â ¹Î.Çü»ç»óÀÇ ¹ýÀû ¼Ò¼Û ´ë»óÀÌ µÉ ¼ö ÀÖ½À´Ï´Ù.
                                                                 * ¿¡ºê¸®Á¸ Á¤º¸ ÀÌ¿ë ¹®ÀÇ : greenking@everyzone.com
 ¸ñ·Ï