Dropper-W32/Balge.36352.H
Virus type: Worm
Execution environment: Windows
Discovery date: August 11, 2005
Origin: Unknown
Risk level: Medium
Spread method: Network
Virus size: 36,352 bytes
Attachment file:
Mail subject:

Symptom summary
This worm carries a Notepad-style icon, forcibly terminates the processes of certain antivirus and firewall products, and downloads a Trojan from certain web sites.

Removal method

It can be detected and removed with the Turbo Vaccine product line.



  
 
Detailed description
When the worm runs, it creates the file WIWSHOST.EXE (9,216 bytes) in the Windows system folder
(Win 2000, NT: c:\winnt\system32; Win XP: c:\windows\system32).

The Turbo Vaccine product line detects and deletes this file as Trojan-W32/Bagle.9216.H.

It also writes the following registry entries so that it runs again at the next boot.

Under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

(on Win9x)
winshost.exe = c:\windows\system\winshost.exe

(on Win2000, NT)
winshost.exe = c:\winnt\system32\winshost.exe

(on WinXP)
winshost.exe = c:\windows\system32\winshost.exe

Under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

(on Win9x)
winshost.exe = c:\windows\system\winshost.exe

(on Win2000, NT)
winshost.exe = c:\winnt\system32\winshost.exe

(on WinXP)
winshost.exe = c:\windows\system32\winshost.exe

Under
HKEY_CURRENT_USER\Software\FirstRun

FirstRunRR = "dword:00000001"

On Windows XP it manipulates the registry so that the Service Pack 2 firewall is stopped.

Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess

Start = "4" (the firewall default value is "2")

Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv

Start = "dword:00000004" (the Windows Update default value is "00000002")

On Windows NT it manipulates the registry as follows.

Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Alerter

Start = "dword:00000004" (the default value is "00000002")
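As an added example (not Everyzone's code) of how a defender can check a host for the registry changes listed above, the following Python script audits the text of a `reg export` dump offline: it flags Run values that point at the dropped winshost.exe/wiwshost.exe or the downloaded _re_file.exe, the FirstRunRR marker, and Start=4 (SERVICE_DISABLED) on SharedAccess, wuauserv and Alerter. The embedded .reg text is a constructed sample; the key paths, value names and file names come from this write-up.

```python
import re

# Services the dropper sets to Start=4 (SERVICE_DISABLED); the page gives 2
# (SERVICE_AUTO_START) as the healthy default. Keys lower-cased for lookup.
TAMPERED_SERVICES = {"sharedaccess": 2, "wuauserv": 2, "alerter": 2}
DROPPED_NAMES = ("winshost.exe", "wiwshost.exe", "_re_file.exe")  # from the write-up
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
SERVICE_KEY_RE = re.compile(r"\\System\\CurrentControlSet\\Services\\([^\\]+)$", re.I)

# Constructed sample of `reg export` output for an infected-looking host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="c:\\windows\\system32\\winshost.exe"
[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRunRR"=dword:00000001
"""

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from .reg-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip().strip('"')] = raw.strip()
    return keys

def audit_reg_export(text):
    """Return human-readable findings for this dropper's indicators (empty = clean)."""
    findings = []
    for key, values in parse_reg_export(text).items():
        svc = SERVICE_KEY_RE.search(key)
        if svc and svc.group(1).lower() in TAMPERED_SERVICES:
            raw = values.get("Start", "")
            if raw.lower().startswith("dword:") and int(raw[6:], 16) == 4:
                default = TAMPERED_SERVICES[svc.group(1).lower()]
                findings.append(f"service {svc.group(1)} disabled: Start=4 (default {default})")
        if RUN_KEY_RE.search(key):
            for name, raw in values.items():
                if any(n in raw.lower() for n in DROPPED_NAMES):
                    findings.append(f"Run entry {name!r} -> {raw}")
        if key.lower().endswith("\\software\\firstrun") and "FirstRunRR" in values:
            findings.append("FirstRunRR infection marker present")
    return findings
```

Start=4 is SERVICE_DISABLED and 2 is SERVICE_AUTO_START, so restoring the firewall and Windows Update on a cleaned host means setting Start back to 2 before those services can be started again.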

If the following entries exist, it deletes them.

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"APVXDWIN"
"avg7_cc"
"avg7_emc"
"ccApp"
"KAV50"
"McAfee Guardian"
"NAV CfgWiz"
"SSC_UserPrompt"
"Symantec NetDriver Monitor"
"Zone Labs Client"

Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"McAfee.InstantUpdate.Monitor"

It also forcibly terminates the following programs when they are running.

ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
UPGRADER.EXE

It also deletes or modifies the registry service entries of some antivirus and security programs.

The list is as follows.

Ahnlab task Scheduler
alerter
AlertManger
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
avpcc
AVUPDService
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822
BlackICE
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
DefWatch
dvpapi
dvpinit
F-Secure Gatekeeper Handler Starter
fsbwsys
fsdfwd
FSMA
KAVMonitorService
kavsvc
KLBLMain
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
MonSvcNT
navapsvc
Network Associates Log Service
NISSERV
NISUM
NOD32ControlCenter
NOD32Service
Norman NJeeves
Norman ZANDA
Norton Antivirus Server
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVFNSVR
Pavkre
PavProt
PavPrSrv
PAVSRV
PCCPFW
PersFW
PREVSRV
PSIMSVC
ravmon8
SAVFMSE
SAVScan
SBService
schscnt
SharedAccess
SmcService
SNDSrvc
SPBBCSvc
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
Tmntsrv
V3MonNT
V3MonSvc
VexiraAntivirus
VisNetic AntiVirus Plug-in
vsmon
wuauserv
XCOMM

Finally, it modifies the Hosts file to include 127.0.0.1 localhost, and downloads the file osa4.gif from a long list of web sites, saving it in the Windows folder as _re_file.exe.

 
Prevention and manual remediation