W32/Mytob.83489@mm
Virus type: Worm
Execution environment: Windows
Discovery date: July 31, 2005
Origin: Unknown
Risk level: Medium
Propagation method: Email, network, security vulnerability
Virus size: 83,489 bytes
Attachment: information.zip and many others
Mail subject: Notice of account limitation and many others
Symptom summary: Registry modification, mail sending, opening a specific port (6667), file creation, connection to a specific server
Treatment:

Can be detected and cleaned with the Turbo Vaccine product line.

Users who have not applied the Microsoft MS04-011 and MS04-026 security patches must download and install the security patch that matches their operating system from the following links.
MS04-011 security patch page description (Korean)

MS03-039 security patch page description (Korean)

Detailed description
This worm spreads via email; it sends infected mail and opens TCP port 6667 to attempt a connection to an IRC server.


[Mail subject]

Chosen from the following.

*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons


[Mail body]

Dear {domain address} Member,

Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week.
If you could please take 5-10 minutes out of your online experience
and confirm the attached document so you will not run into
any future problems with the online service.

Virtually yours,
The {domain address} Support Team

-----------------------------------

Dear {domain} Member,

We have temporarily suspended your email account {email address}.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the attached details to reactivate your {domain} account.

Sincerely,The {domain} Support Team

----------------------------------------

Some information about your {domain} account is attached.

The {domain} Support Team

[Attachment]

The name is chosen from the following list.

account-details.zip
account-info.zip
account-report.zip
document.zip
email-details.zip
important-details.zip
information.zip
readme.zip

When the archive is extracted, the file inside carries the following two extensions, separated by a long run of spaces.

First extension

doc, htm, tmp, txt

Second file extension

bat, cmd, exe, pif, scr
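
A mail-gateway check for the padded double extension described above, added here as an example and not taken from the vendor's product. The minimum padding length and the member name in the constructed sample are assumptions; the two extension sets come from the lists above.

```python
import io
import re
import zipfile

# Extension sets as listed in the advisory above.
DECOY_EXT = {"doc", "htm", "tmp", "txt"}
EXEC_EXT = {"bat", "cmd", "exe", "pif", "scr"}
MIN_PADDING = 8  # assumption: the advisory only says the gap is "long"

# <name>.<first ext><run of whitespace>.<second ext>
PADDED_DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]+)(\s+)\.([A-Za-z0-9]+)$")


def suspicious_members(zip_bytes):
    """Return archive member names that use the padded double extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # unreadable archive: leave it to other gateway policy
    hits = []
    for name in names:
        m = PADDED_DOUBLE_EXT.search(name.rsplit("/", 1)[-1])
        if not m:
            continue
        first, padding, second = m.group(1).lower(), m.group(2), m.group(3).lower()
        if first in DECOY_EXT and second in EXEC_EXT and len(padding) >= MIN_PADDING:
            hits.append(name)
    return hits


def build_zip(member_names):
    """Build an in-memory zip with placeholder contents (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples: one padded name in the style described, two ordinary names.
PADDED_NAME = "information.txt" + " " * 60 + ".scr"
SAMPLE_ZIP = build_zip([PADDED_NAME, "notes.txt", "setup.exe"])

if __name__ == "__main__":
    for hit in suspicious_members(SAMPLE_ZIP):
        print("flag:", repr(hit))
```
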

[Characteristics]

When the worm runs, it creates the file wrmana32.exe in the Windows system folder (Windows 2000/NT: c:\Winnt\system32, Windows XP: c:\windows\system32).

It also modifies the registry so that it runs at the next boot, writing the values shown below under each of the following keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"Windows NetDDe" = "wrmana32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

"Windows NetDDe" = "wrmana32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

"Windows NetDDe" = "wrmana32.exe"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce

"Windows NetDDe" = "wrmana32.exe"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"Windows NetDDe" = "wrmana32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

"Windows NetDDe" = "wrmana32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

"Windows NetDDe" = "wrmana32.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT\0000\Control

"*NewlyCreated*" = "0x00000000"
"ActiveService" = "shit"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT\0000

"Service" = "shit"
"Legacy" = "0x00000001"
"ConfigFlags" = "0x00000000"
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "Windows NetDDe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT

"NextInstance" = "0x00000001"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit\Enum

"0" = "Root\LEGACY_SHIT\0000"
"Count" = "0x00000001"
"NextInstance" = "0x00000001"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit

"Type" = "0x00000020"
"Start" = "00000004"
"ErrorControl" = "0x00000001"
"ImagePath" = "C:\WINNT\System32\wrmana32.exe" -netsvcs"
"DisplayName" = "Windows NetDDe"
"ObjectName" = "LocalSystem"
"FailureActions" = "FF FF FF FF 00 00 00 00 00 00 00 00 01 00 00 00 00 07 09 00 01 00 00 00 01 00 00 00"
"DeleteFlag" = "0x00000001"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit\Security

"Security" = "01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 A5 4E 00 0C 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 29 6B 99 DE 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 29 6B 99 DE 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"

It also creates the following keys.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit

When it is registered as a service, it uses Shit as the service name and Windows NetDDe as the display name.
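
A triage pass over registry export text for the persistence entries listed above, added here as an example and not part of the vendor's tooling. It assumes the export has already been decoded to text in .reg syntax; the sample export is constructed, and the SoundMan entry in it is benign filler.

```python
import re

# Indicators from the advisory above.
DROPPED_FILE = "wrmana32.exe"
RUN_VALUE_NAME = "windows netdde"
WORM_KEYS = (r"\services\shit", r"\enum\root\legacy_shit")
AUTORUN_KEY = re.compile(r"\\currentversion\\(run|runonce|runservices)$", re.I)
KEY_LINE = re.compile(r"^\[([^\]]+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_persistence(reg_text):
    """Return (key, value_name, reason) for entries matching the advisory."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            if key.lower().endswith(WORM_KEYS):
                findings.append((key, None, "worm service key"))
            continue
        m = VALUE_LINE.match(line)
        if not (m and key):
            continue
        name = m.group(1)
        data = m.group(2).replace("\\\\", "\\").lower()  # undo .reg escaping
        if AUTORUN_KEY.search(key) and (
            name.lower() == RUN_VALUE_NAME or DROPPED_FILE in data
        ):
            findings.append((key, name, "autorun value"))
        elif name.lower() == "imagepath" and DROPPED_FILE in data:
            findings.append((key, name, "service image path"))
    return findings


# Constructed sample in .reg text form.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows NetDDe"="wrmana32.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit]
"DisplayName"="Windows NetDDe"
"ImagePath"="C:\\WINNT\\System32\\wrmana32.exe -netsvcs"
"""

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EXPORT):
        print(finding)
```

Only plain string values are inspected; an ImagePath exported as hex(2) data is not decoded here, so the key-name match is the check that still fires in that case.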

Email addresses are harvested from files with the following extensions.

ADB
ASP
CGI
DBX
HTM
HTML
JSP
PHP
SHT
TBB
XML

Infected mail is not sent to addresses that contain the following strings.

abuse
accoun
acketst
admin
anyone
arin
avp
berkeley
borlan
bugs
ca
certific
contact
example
feste
fido
foo
gold-certs
google
gov
gov
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mil
mozilla
msn
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spam
spm
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
you
your


Infected mail is not sent to addresses that contain the following characters.

abuse
accoun
acketst
admin
administrator
anyone
arin.
be_loyal:
berkeley
borlan
certific
contact
example
feste
gold-certs
google
hotmail
ibm.com
icrosof
icrosoft
inpris
isc.o
isi.e
kernel
linux
linux
listserv
mit.e
mozilla
mydomai
nobody
nodomai
noone
nothing
ntivi
panda
postmaster
privacy
rating
register
rfc-ed
ripe.
ruslis
samples
secur
secur
sendmail
service
service
somebody
someone
sopho
submit
support
system
tanford.e
the.bat
usenet
utgers.ed
virusalert
webmaster

Finally, it attempts to connect to a specific server over TCP port 6667.
 