반응형
자신의 개인 계정을 복구하기 위하여 첨부 파일을 실행하도록 유도하는 스팸 이메일을 확인하였습니다.
[이메일 내용]
Greating, Dotori
There are the keys to recover your personal account. In order to use them later, please, preserve them in a sure place.
Best regards, Robert Mack
Greating, Dotori
There are the keys to recover your personal account. In order to use them later, please, preserve them in a sure place.
Best regards, Robert Mack
해당 첨부 파일(the_Keys.zip)에는 The_Keys.doc.exe 파일을 압축하고 있습니다.
[The_Keys.doc.exe]
| Antivirus | Version | Last Update | Result |
| AhnLab-V3 | 2008.11.4.3 | 2008.11.05 | - |
| AntiVir | 7.9.0.10 | 2008.11.04 | - |
| Authentium | 5.1.0.4 | 2008.11.04 | W32/Trojan3.HI |
| Avast | 4.8.1248.0 | 2008.11.04 | - |
| AVG | 8.0.0.161 | 2008.11.05 | Pakes.ALL |
| BitDefender | 7.2 | 2008.11.05 | - |
| CAT-QuickHeal | 9.50 | 2008.11.04 | - |
| ClamAV | 0.94.1 | 2008.11.04 | Trojan.Agent-59561 |
| DrWeb | 4.44.0.09170 | 2008.11.05 | - |
| eSafe | 7.0.17.0 | 2008.11.04 | - |
| eTrust-Vet | 31.6.6189 | 2008.11.04 | - |
| Ewido | 4.0 | 2008.11.04 | - |
| F-Prot | 4.4.4.56 | 2008.11.04 | - |
| F-Secure | 8.0.14332.0 | 2008.11.04 | Trojan.Win32.Agent.alur |
| Fortinet | 3.117.0.0 | 2008.11.04 | - |
| GData | 19 | 2008.11.05 | - |
| Ikarus | T3.1.1.45.0 | 2008.11.05 | Win32.SuspectCrc |
| K7AntiVirus | 7.10.516 | 2008.11.04 | - |
| Kaspersky | 7.0.0.125 | 2008.11.05 | Trojan.Win32.Agent.alur |
| McAfee | 5424 | 2008.11.04 | - |
| Microsoft | 1.4005 | 2008.11.05 | - |
| NOD32 | 3583 | 2008.11.04 | - |
| Norman | 5.80.02 | 2008.11.04 | - |
| Panda | 9.0.0.4 | 2008.11.05 | - |
| PCTools | 4.4.2.0 | 2008.11.04 | - |
| Prevx1 | V2 | 2008.11.05 | Malicious Software |
| Rising | 21.02.12.00 | 2008.11.04 | - |
| SecureWeb-Gateway | 6.7.6 | 2008.11.04 | - |
| Sophos | 4.35.0 | 2008.11.05 | Mal/EncPk-CZ |
| Sunbelt | 3.1.1783.2 | 2008.11.05 | - |
| Symantec | 10 | 2008.11.05 | W32.SillyFDC |
| TheHacker | 6.3.1.1.138 | 2008.11.04 | - |
| TrendMicro | 8.700.0.1004 | 2008.11.04 | - |
| VBA32 | 3.12.8.9 | 2008.11.03 | - |
| ViRobot | 2008.11.4.1451 | 2008.11.04 | - |
| VirusBuster | 4.5.11.0 | 2008.11.04 | - |
| Additional information | |||
| File size: 43008 bytes | |||
| MD5...: 2efc88afc9d653155a2a3b3632cc29b8 | |||
| SHA1..: a2718360073762b95f98b0692434f764586e5569 | |||
해당 악성코드 정보는 다음과 같습니다.
1. 파일 생성
%ProgramFiles%\Microsoft Common\wuauclt.exe
2. 레지스트리 생성
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
- Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- ProxyEnable = 0x00000000
3. 레지스트리 수정
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- Cookies = "%System%\config\systemprofile\Cookies"
- Cache = "%System%\config\systemprofile\Local Settings\Temporary Internet Files"
- History = "%System%\config\systemprofile\Local Settings\History"
4. 러시아 서버 연결 및 추가 악성코드 다운로드 (moreshiki.exe)
%ProgramFiles%\Microsoft Common\wuauclt.exe
2. 레지스트리 생성
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
- Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- ProxyEnable = 0x00000000
3. 레지스트리 수정
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- Cookies = "%System%\config\systemprofile\Cookies"
- Cache = "%System%\config\systemprofile\Local Settings\Temporary Internet Files"
- History = "%System%\config\systemprofile\Local Settings\History"
4. 러시아 서버 연결 및 추가 악성코드 다운로드 (moreshiki.exe)
추가 다운로드되는 moreshiki.exe 파일에 대한 진단상태를 살펴보겠습니다.
[moreshiki.exe]
| Antivirus | Version | Last Update | Result |
| AhnLab-V3 | 2008.11.4.3 | 2008.11.05 | Win-Trojan/Ultimatedefender.42496.J |
| AntiVir | 7.9.0.10 | 2008.11.04 | Worm/Autorun.nuz |
| Authentium | 5.1.0.4 | 2008.11.04 | W32/FakeAV.FH |
| Avast | 4.8.1248.0 | 2008.11.04 | Win32:FakeAlert-AJ |
| AVG | 8.0.0.161 | 2008.11.05 | SHeur2.HY |
| BitDefender | 7.2 | 2008.11.05 | Trojan.Fakealert.ALU |
| CAT-QuickHeal | 9.50 | 2008.11.04 | - |
| ClamAV | 0.94.1 | 2008.11.04 | - |
| DrWeb | 4.44.0.09170 | 2008.11.05 | - |
| eSafe | 7.0.17.0 | 2008.11.04 | - |
| eTrust-Vet | 31.6.6189 | 2008.11.04 | - |
| Ewido | 4.0 | 2008.11.04 | - |
| F-Prot | 4.4.4.56 | 2008.11.04 | W32/FakeAV.FH |
| F-Secure | 8.0.14332.0 | 2008.11.04 | Backdoor.Win32.UltimateDefender.gkw |
| Fortinet | 3.117.0.0 | 2008.11.04 | - |
| GData | 19 | 2008.11.05 | Trojan.Fakealert.ALU |
| Ikarus | T3.1.1.45.0 | 2008.11.05 | Virus.Win32.FakeAlert.AJ |
| K7AntiVirus | 7.10.516 | 2008.11.04 | - |
| Kaspersky | 7.0.0.125 | 2008.11.05 | Backdoor.Win32.UltimateDefender.gkw |
| McAfee | 5424 | 2008.11.04 | Generic BackDoor |
| Microsoft | 1.4005 | 2008.11.05 | TrojanDropper:Win32/Renos |
| NOD32 | 3583 | 2008.11.04 | Win32/TrojanDownloader.FakeAlert.PL.Gen |
| Norman | 5.80.02 | 2008.11.04 | W32/UltimateCleaner.DH |
| Panda | 9.0.0.4 | 2008.11.05 | - |
| PCTools | 4.4.2.0 | 2008.11.04 | - |
| Prevx1 | V2 | 2008.11.05 | Malicious Software |
| Rising | 21.02.12.00 | 2008.11.04 | - |
| SecureWeb-Gateway | 6.7.6 | 2008.11.04 | Worm.Autorun.nuz |
| Sophos | 4.35.0 | 2008.11.05 | Mal/EncPk-EQ |
| Sunbelt | 3.1.1783.2 | 2008.11.05 | - |
| Symantec | 10 | 2008.11.05 | Trojan.Virantix.C |
| TheHacker | 6.3.1.1.138 | 2008.11.04 | - |
| TrendMicro | 8.700.0.1004 | 2008.11.04 | - |
| VBA32 | 3.12.8.9 | 2008.11.03 | - |
| ViRobot | 2008.11.4.1451 | 2008.11.04 | Trojan.Win32.Clicker.230912.D |
| VirusBuster | 4.5.11.0 | 2008.11.04 | - |
| Additional information | |||
| File size: 42496 bytes | |||
| MD5...: 45d5534682aeb775864521a1a21a278c | |||
| SHA1..: 26cce1b00b010b9d93dad0a4b9ecf1dafa49b108 | |||
해당 악성코드는 해외 허위 보안 제품으로 허위 진단 정보를 이용하여 금전 결제를 유도하는 것으로 보입니다.
[설치되는 해외 허위 보안 제품 Antivirus Pro 2009 분석]
AhnLab SpyZero - Win-Downloader/RogueAnti.125883
AhnLab SpyZero - Win-Downloader/RogueAnti.125883
| Antivirus | Version | Last Update | Result |
| AhnLab-V3 | 2008.11.4.3 | 2008.11.05 | Win-Trojan/Fakeav.125883 |
| AntiVir | 7.9.0.10 | 2008.11.04 | TR/Fakealert.ald.4 |
| Authentium | 5.1.0.4 | 2008.11.04 | W32/Trojan3.GX |
| Avast | 4.8.1248.0 | 2008.11.04 | Win32:FakeAlert-AJ |
| AVG | 8.0.0.161 | 2008.11.05 | Fake_AntiSpyware.AIX |
| BitDefender | 7.2 | 2008.11.05 | Trojan.FakeAlert.ALD |
| CAT-QuickHeal | 9.50 | 2008.11.04 | - |
| ClamAV | 0.94.1 | 2008.11.04 | - |
| DrWeb | 4.44.0.09170 | 2008.11.05 | Trojan.Packed.1214 |
| eSafe | 7.0.17.0 | 2008.11.04 | Suspicious File |
| eTrust-Vet | 31.6.6188 | 2008.11.03 | - |
| Ewido | 4.0 | 2008.11.04 | - |
| F-Prot | 4.4.4.56 | 2008.11.04 | W32/Trojan3.GX |
| F-Secure | 8.0.14332.0 | 2008.11.04 | Trojan.Win32.Pakes.lnh |
| Fortinet | 3.117.0.0 | 2008.11.04 | - |
| GData | 19 | 2008.11.05 | Trojan.FakeAlert.ALD |
| Ikarus | T3.1.1.45.0 | 2008.11.05 | Virus.Win32.Virut.au |
| K7AntiVirus | 7.10.516 | 2008.11.04 | - |
| Kaspersky | 7.0.0.125 | 2008.11.05 | Trojan.Win32.Pakes.lnh |
| McAfee | 5424 | 2008.11.04 | - |
| Microsoft | 1.4005 | 2008.11.05 | TrojanDownloader:Win32/FakeRean |
| NOD32 | 3583 | 2008.11.04 | Win32/TrojanDownloader.FakeAlert.PL.Gen |
| Norman | 5.80.02 | 2008.11.04 | W32/Smalldoor.CTWY |
| Panda | 9.0.0.4 | 2008.11.05 | - |
| PCTools | 4.4.2.0 | 2008.11.04 | - |
| Prevx1 | V2 | 2008.11.05 | Malicious Software |
| Rising | 21.02.12.00 | 2008.11.04 | - |
| SecureWeb-Gateway | 6.7.6 | 2008.11.04 | Trojan.Fakealert.ald.4 |
| Sophos | 4.35.0 | 2008.11.05 | Mal/EncPk-EQ |
| Sunbelt | 3.1.1783.2 | 2008.11.05 | - |
| Symantec | 10 | 2008.11.05 | AntiVirus2009 |
| TheHacker | 6.3.1.1.138 | 2008.11.04 | - |
| TrendMicro | 8.700.0.1004 | 2008.11.04 | - |
| VBA32 | 3.12.8.9 | 2008.11.03 | - |
| ViRobot | 2008.11.4.1451 | 2008.11.04 | - |
| VirusBuster | 4.5.11.0 | 2008.11.04 | - |
| Additional information | |||
| File size: 125883 bytes | |||
| MD5...: 544e073ad476bc186bf1f0787049b80f | |||
| SHA1..: e95860e24afc467c89d35d49c9442f292133b8ee | |||
이처럼 하나의 악성코드가 추가적으로 이어지면서 컴퓨터를 감염시킬 수 있으므로 수상한 이메일에 첨부된 파일은 보안업체에 신고하는 태도를 가지며, 호기심에 열지 말고 삭제하시길 바랍니다.
728x90
반응형