Net-Worm.Win32.Kolabc.gza
1. Summary: Windows-based network worm with IRC backdoor functionality
- Code name: Net-Worm.Win32.Kolabc.gza (named by Kaspersky, 2009-07-22, GMT+1)
- Other names: Exploit:Win32/MS08067.gen!A, Mal/TinyDL-T
- Infection routes: MS08-067, MS04-012, MS04-011, plus network shared folders protected by weak passwords
- Size: 171,955 bytes (MD5: deffdf68e848d5e5c0e2019b16bc05e2)
- Ports: 69 (UDP), 1051 (TCP), 1176 (TCP), 17038 (TCP)
2. Created files
- Under the [Font] folder of the %Windows% folder: unwise_.exe (2,695,168 bytes)
3. Infection prevention and related information
- Install the security patches for the MS08-067, MS04-012 and MS04-011 vulnerabilities
- Manage administrative shares and other shared folders to block malware
- Risks of open ports and how to check for them
4. Main symptoms: creates an IRC backdoor, then executes malicious commands
- Disables specific Windows services: wscsvc, the Remote Registry service, etc.
- Blocks access to security and AV-related sites
5. Registry additions/changes
- HKLM -> SYSTEM -> ControlSet001 -> Services -> Windows Hosts Controller
- HKLM -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> Shell Extensions
intime = infection date and time, reup = 0x0000007A
- HKLM -> SOFTWARE -> Policies -> Microsoft -> Windows -> WindowsUpdate DonotAllowXPSP2 = 1
- HKLM -> SOFTWARE -> Policies -> Microsoft -> MRT, DontReportInfectionInformation = 1
- HKLM -> SOFTWARE -> Policies -> Microsoft -> Windows NT -> Windows File Protection SFCDisable = 0xFFFFFF9D, SFCScan = 0
- HKLM -> SYSTEM -> ControlSet001 -> Control, WaitToKillServiceT = 5000
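Added here as a defender's check and not part of the original advisory: a read-only PowerShell triage script that looks for the indicators listed above (dropped file, registry values, service, ports) on a single host. It assumes an elevated session and that %Windows% is $env:windir.

```powershell
# Added example, not part of the original advisory: read-only triage of one host
# for the indicators listed in sections 1, 2, 4 and 5. Assumes an elevated
# PowerShell session and that %Windows% is $env:windir.
$findings = @()

# Section 2: dropped file under the Windows Fonts folder
$dropped = Join-Path $env:windir 'Fonts\unwise_.exe'
if (Test-Path $dropped) {
    $len = (Get-Item $dropped).Length
    $findings += "File: $dropped ($len bytes; advisory lists 2,695,168)"
}

# Section 5: REG_DWORD values the worm sets, compared as 8-digit hex so that
# 0xFFFFFF9D is not misread as the negative Int32 that PowerShell returns
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DonotAllowXPSP2'; Hex = '00000001' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'; Name = 'DontReportInfectionInformation'; Hex = '00000001' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection'; Name = 'SFCDisable'; Hex = 'FFFFFF9D' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection'; Name = 'SFCScan'; Hex = '00000000' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'; Name = 'reup'; Hex = '0000007A' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and ('{0:X8}' -f [int32]$item.($c.Name)) -eq $c.Hex) {
        $findings += "Registry: $($c.Path)\$($c.Name) = 0x$($c.Hex)"
    }
}
# intime stores the infection timestamp, so report it whenever it is present
$shell = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions' -ErrorAction SilentlyContinue
if ($shell -and $shell.intime) { $findings += "Registry: intime = $($shell.intime)" }

# Sections 4 and 5: the worm's own service, and the services it disables
$svc = Get-CimInstance Win32_Service -Filter "Name='Windows Hosts Controller'"
if ($svc) { $findings += "Service: Windows Hosts Controller ($($svc.PathName))" }
Get-CimInstance Win32_Service -Filter "Name='wscsvc' OR Name='RemoteRegistry'" |
    Where-Object StartMode -eq 'Disabled' |
    ForEach-Object { $findings += "Service disabled: $($_.Name)" }

# Section 1: listening ports (69/UDP; 1051, 1176, 17038 TCP)
$portPattern = '^\s*(TCP\s+\S+:(1051|1176|17038)\s.*LISTENING|UDP\s+\S+:69\s)'
netstat -ano | Where-Object { $_ -match $portPattern } |
    ForEach-Object { $findings += "Port: $($_.Trim())" }

if ($findings.Count -eq 0) { 'No Kolabc.gza indicators found.' } else { $findings }
```

A hit on any single item is a reason to isolate the host and run the removal tools from section 6, since the registry values also disable the host's own protections (Windows File Protection, MRT reporting).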
6. Diagnosis / removal (partially disclosed)
- Download the dedicated IRCbot worm removal tool and block the infection routes
- Dedicated removal tools for frequently encountered malware (80 kinds)
- Collection of free online/offline malware scanning and removal tools
- Collection of free online scanning tools (6 domestic products)