
벌새::Analysis

Spam email - Recovery KEYS for your account


We have confirmed a spam email that lures the recipient into running an attached file under the pretext of recovering their personal account.

[Email content]

Greating, Dotori
There are the keys to recover your personal account. In order to use them later, please, preserve them in a sure place.
Best regards, Robert Mack

The attachment (the_Keys.zip) contains the file The_Keys.doc.exe, an executable disguised with a document-like double extension.
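The attachment name above is the whole trick: a `.doc.exe` file whose executable suffix is hidden when Windows suppresses known extensions. The following script is an added example (not code from the original post) of how a mail gateway or incident responder can screen a ZIP attachment before it reaches a user: it flags executable extensions, document-then-executable double extensions, and members whose content starts with the PE `MZ` header regardless of name. The archive it builds is constructed here to mirror the_Keys.zip; the `MZ` stub inside it is a dummy header, not the real sample.

```python
"""Screen a ZIP attachment for disguised executables.

Added example, not from the original post. The archive built in
build_sample_zip() is constructed to mirror the_Keys.zip / The_Keys.doc.exe;
its "MZ" member is a dummy stub, not the real malware.
"""
import io
import zipfile

# Extensions Windows runs directly when double-clicked (assumed list; extend as needed).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta"}
# Extensions a recipient expects to be harmless documents.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "txt", "jpg", "png"}


def classify_name(name):
    """Return findings derived from the file name alone."""
    parts = name.lower().split("/")[-1].split(".")
    findings = []
    if len(parts) < 2:
        return findings
    if parts[-1] in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        # "report.doc.exe": a document extension immediately before the executable one.
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings.append("double-extension")
    return findings


def scan_zip_bytes(data):
    """Map each suspicious archive member to its list of findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = classify_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            # Content check catches executables renamed to an innocent extension.
            if head == b"MZ":
                findings.append("pe-header")
            if findings:
                results[info.filename] = findings
    return results


def verdict(results):
    """Gateway decision: any finding blocks the attachment."""
    return "block" if results else "allow"


def build_sample_zip():
    """Constructed sample archive: one disguised executable, one plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("The_Keys.doc.exe", b"MZ" + b"\x00" * 62 + b"constructed stub, not a real PE")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    found = scan_zip_bytes(build_sample_zip())
    for member, findings in found.items():
        print(member, findings)
    print(verdict(found))
```

Checking the first two bytes of every member is what makes the name rules robust: a sample renamed to `The_Keys.doc` would still be caught by the `MZ` check, while a genuine document named oddly would not be flagged on content.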

[The_Keys.doc.exe]

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.11.4.3 | 2008.11.05 | - |
| AntiVir | 7.9.0.10 | 2008.11.04 | - |
| Authentium | 5.1.0.4 | 2008.11.04 | W32/Trojan3.HI |
| Avast | 4.8.1248.0 | 2008.11.04 | - |
| AVG | 8.0.0.161 | 2008.11.05 | Pakes.ALL |
| BitDefender | 7.2 | 2008.11.05 | - |
| CAT-QuickHeal | 9.50 | 2008.11.04 | - |
| ClamAV | 0.94.1 | 2008.11.04 | Trojan.Agent-59561 |
| DrWeb | 4.44.0.09170 | 2008.11.05 | - |
| eSafe | 7.0.17.0 | 2008.11.04 | - |
| eTrust-Vet | 31.6.6189 | 2008.11.04 | - |
| Ewido | 4.0 | 2008.11.04 | - |
| F-Prot | 4.4.4.56 | 2008.11.04 | - |
| F-Secure | 8.0.14332.0 | 2008.11.04 | Trojan.Win32.Agent.alur |
| Fortinet | 3.117.0.0 | 2008.11.04 | - |
| GData | 19 | 2008.11.05 | - |
| Ikarus | T3.1.1.45.0 | 2008.11.05 | Win32.SuspectCrc |
| K7AntiVirus | 7.10.516 | 2008.11.04 | - |
| Kaspersky | 7.0.0.125 | 2008.11.05 | Trojan.Win32.Agent.alur |
| McAfee | 5424 | 2008.11.04 | - |
| Microsoft | 1.4005 | 2008.11.05 | - |
| NOD32 | 3583 | 2008.11.04 | - |
| Norman | 5.80.02 | 2008.11.04 | - |
| Panda | 9.0.0.4 | 2008.11.05 | - |
| PCTools | 4.4.2.0 | 2008.11.04 | - |
| Prevx1 | V2 | 2008.11.05 | Malicious Software |
| Rising | 21.02.12.00 | 2008.11.04 | - |
| SecureWeb-Gateway | 6.7.6 | 2008.11.04 | - |
| Sophos | 4.35.0 | 2008.11.05 | Mal/EncPk-CZ |
| Sunbelt | 3.1.1783.2 | 2008.11.05 | - |
| Symantec | 10 | 2008.11.05 | W32.SillyFDC |
| TheHacker | 6.3.1.1.138 | 2008.11.04 | - |
| TrendMicro | 8.700.0.1004 | 2008.11.04 | - |
| VBA32 | 3.12.8.9 | 2008.11.03 | - |
| ViRobot | 2008.11.4.1451 | 2008.11.04 | - |
| VirusBuster | 4.5.11.0 | 2008.11.04 | - |

Additional information
File size: 43008 bytes
MD5: 2efc88afc9d653155a2a3b3632cc29b8
SHA1: a2718360073762b95f98b0692434f764586e5569


The behaviour of this malware is as follows.

1. File creation

%ProgramFiles%\Microsoft Common\wuauclt.exe

2. Registry creation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
 - Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
 - ProxyEnable = 0x00000000

3. Registry modification

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
 - Cookies = "%System%\config\systemprofile\Cookies"
 - Cache = "%System%\config\systemprofile\Local Settings\Temporary Internet Files"
 - History = "%System%\config\systemprofile\Local Settings\History"

4. Connects to a Russian server and downloads additional malware (moreshiki.exe)
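Items 1 and 2 above describe the persistence mechanism: a copy of the malware named after a Windows component (wuauclt.exe, whose genuine copy lives in %SystemRoot%\System32) is dropped under a made-up "Microsoft Common" folder, and an Image File Execution Options (IFEO) `Debugger` value for explorer.exe makes Windows launch that file whenever the shell starts. The script below is an added example (not code from the original post) of auditing an IFEO export for such hijacks. The `.reg` text it parses is constructed from the keys the post lists, with a benign vsjitdebugger.exe entry added for contrast; the debugger allowlist and the list of System32 binary names are assumptions to be extended per environment, and feeding it the output of `reg export` from a suspect host is an assumed workflow.

```python
"""Audit Image File Execution Options (IFEO) Debugger values from a .reg export.

Added example, not from the original post. SAMPLE_REG is constructed from the
registry keys the post lists (plus one benign entry for contrast); the
KNOWN_DEBUGGERS allowlist and SYSTEM32_BINARIES set are assumptions.
"""
import re

IFEO_PREFIX = (
    "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
    "\\image file execution options\\"
)
# Debuggers that legitimately appear as IFEO Debugger values (assumed allowlist).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}
# Windows components whose real binary lives in %SystemRoot%\System32 (assumed set).
SYSTEM32_BINARIES = {"wuauclt.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed .reg export mirroring the post's keys (the real export would come from `reg export`).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="%ProgramFiles%\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="vsjitdebugger.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
'''


def parse_reg(text):
    """Parse the subset of .reg syntax `reg export` writes: keys, quoted strings, dwords."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data.
                value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data  # hex(...) and other types kept raw
            entries[current][name] = value
    return entries


def _debugger_path(value):
    """Strip a quoted path's quotes; arguments after a quoted path are dropped."""
    if value.startswith('"') and '"' in value[1:]:
        return value[1:value.index('"', 1)]
    return value


def audit_ifeo(text):
    """Return one finding per IFEO Debugger value that fails the checks."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(IFEO_PREFIX):
            continue
        debugger = values.get("Debugger")
        if not debugger:
            continue
        image = key.rsplit("\\", 1)[-1]
        path = _debugger_path(debugger)
        basename = path.rsplit("\\", 1)[-1].lower()
        directory = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
        reasons = []
        if basename not in KNOWN_DEBUGGERS:
            reasons.append("debugger is not a known debugger")
        if basename in SYSTEM32_BINARIES and not directory.endswith("\\system32"):
            reasons.append("system binary name outside System32")
        if reasons:
            findings.append({"image": image, "debugger": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG):
        print(f"{f['image']} -> {f['debugger']}: {', '.join(f['reasons'])}")
```

Because any IFEO `Debugger` value silently redirects process launches, every value not on the allowlist deserves a look; the System32 name check only adds a second reason where the debugger is also masquerading as a Windows component, as in this sample.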

Let us look at the detection status of the additionally downloaded moreshiki.exe file.

[moreshiki.exe]

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.11.4.3 | 2008.11.05 | Win-Trojan/Ultimatedefender.42496.J |
| AntiVir | 7.9.0.10 | 2008.11.04 | Worm/Autorun.nuz |
| Authentium | 5.1.0.4 | 2008.11.04 | W32/FakeAV.FH |
| Avast | 4.8.1248.0 | 2008.11.04 | Win32:FakeAlert-AJ |
| AVG | 8.0.0.161 | 2008.11.05 | SHeur2.HY |
| BitDefender | 7.2 | 2008.11.05 | Trojan.Fakealert.ALU |
| CAT-QuickHeal | 9.50 | 2008.11.04 | - |
| ClamAV | 0.94.1 | 2008.11.04 | - |
| DrWeb | 4.44.0.09170 | 2008.11.05 | - |
| eSafe | 7.0.17.0 | 2008.11.04 | - |
| eTrust-Vet | 31.6.6189 | 2008.11.04 | - |
| Ewido | 4.0 | 2008.11.04 | - |
| F-Prot | 4.4.4.56 | 2008.11.04 | W32/FakeAV.FH |
| F-Secure | 8.0.14332.0 | 2008.11.04 | Backdoor.Win32.UltimateDefender.gkw |
| Fortinet | 3.117.0.0 | 2008.11.04 | - |
| GData | 19 | 2008.11.05 | Trojan.Fakealert.ALU |
| Ikarus | T3.1.1.45.0 | 2008.11.05 | Virus.Win32.FakeAlert.AJ |
| K7AntiVirus | 7.10.516 | 2008.11.04 | - |
| Kaspersky | 7.0.0.125 | 2008.11.05 | Backdoor.Win32.UltimateDefender.gkw |
| McAfee | 5424 | 2008.11.04 | Generic BackDoor |
| Microsoft | 1.4005 | 2008.11.05 | TrojanDropper:Win32/Renos |
| NOD32 | 3583 | 2008.11.04 | Win32/TrojanDownloader.FakeAlert.PL.Gen |
| Norman | 5.80.02 | 2008.11.04 | W32/UltimateCleaner.DH |
| Panda | 9.0.0.4 | 2008.11.05 | - |
| PCTools | 4.4.2.0 | 2008.11.04 | - |
| Prevx1 | V2 | 2008.11.05 | Malicious Software |
| Rising | 21.02.12.00 | 2008.11.04 | - |
| SecureWeb-Gateway | 6.7.6 | 2008.11.04 | Worm.Autorun.nuz |
| Sophos | 4.35.0 | 2008.11.05 | Mal/EncPk-EQ |
| Sunbelt | 3.1.1783.2 | 2008.11.05 | - |
| Symantec | 10 | 2008.11.05 | Trojan.Virantix.C |
| TheHacker | 6.3.1.1.138 | 2008.11.04 | - |
| TrendMicro | 8.700.0.1004 | 2008.11.04 | - |
| VBA32 | 3.12.8.9 | 2008.11.03 | - |
| ViRobot | 2008.11.4.1451 | 2008.11.04 | Trojan.Win32.Clicker.230912.D |
| VirusBuster | 4.5.11.0 | 2008.11.04 | - |

Additional information
File size: 42496 bytes
MD5: 45d5534682aeb775864521a1a21a278c
SHA1: 26cce1b00b010b9d93dad0a4b9ecf1dafa49b108


This malware appears to be a foreign rogue security product that uses fake detection results to pressure the user into paying.

[Analysis of the installed foreign rogue security product, Antivirus Pro 2009]

AhnLab SpyZero - Win-Downloader/RogueAnti.125883

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.11.4.3 | 2008.11.05 | Win-Trojan/Fakeav.125883 |
| AntiVir | 7.9.0.10 | 2008.11.04 | TR/Fakealert.ald.4 |
| Authentium | 5.1.0.4 | 2008.11.04 | W32/Trojan3.GX |
| Avast | 4.8.1248.0 | 2008.11.04 | Win32:FakeAlert-AJ |
| AVG | 8.0.0.161 | 2008.11.05 | Fake_AntiSpyware.AIX |
| BitDefender | 7.2 | 2008.11.05 | Trojan.FakeAlert.ALD |
| CAT-QuickHeal | 9.50 | 2008.11.04 | - |
| ClamAV | 0.94.1 | 2008.11.04 | - |
| DrWeb | 4.44.0.09170 | 2008.11.05 | Trojan.Packed.1214 |
| eSafe | 7.0.17.0 | 2008.11.04 | Suspicious File |
| eTrust-Vet | 31.6.6188 | 2008.11.03 | - |
| Ewido | 4.0 | 2008.11.04 | - |
| F-Prot | 4.4.4.56 | 2008.11.04 | W32/Trojan3.GX |
| F-Secure | 8.0.14332.0 | 2008.11.04 | Trojan.Win32.Pakes.lnh |
| Fortinet | 3.117.0.0 | 2008.11.04 | - |
| GData | 19 | 2008.11.05 | Trojan.FakeAlert.ALD |
| Ikarus | T3.1.1.45.0 | 2008.11.05 | Virus.Win32.Virut.au |
| K7AntiVirus | 7.10.516 | 2008.11.04 | - |
| Kaspersky | 7.0.0.125 | 2008.11.05 | Trojan.Win32.Pakes.lnh |
| McAfee | 5424 | 2008.11.04 | - |
| Microsoft | 1.4005 | 2008.11.05 | TrojanDownloader:Win32/FakeRean |
| NOD32 | 3583 | 2008.11.04 | Win32/TrojanDownloader.FakeAlert.PL.Gen |
| Norman | 5.80.02 | 2008.11.04 | W32/Smalldoor.CTWY |
| Panda | 9.0.0.4 | 2008.11.05 | - |
| PCTools | 4.4.2.0 | 2008.11.04 | - |
| Prevx1 | V2 | 2008.11.05 | Malicious Software |
| Rising | 21.02.12.00 | 2008.11.04 | - |
| SecureWeb-Gateway | 6.7.6 | 2008.11.04 | Trojan.Fakealert.ald.4 |
| Sophos | 4.35.0 | 2008.11.05 | Mal/EncPk-EQ |
| Sunbelt | 3.1.1783.2 | 2008.11.05 | - |
| Symantec | 10 | 2008.11.05 | AntiVirus2009 |
| TheHacker | 6.3.1.1.138 | 2008.11.04 | - |
| TrendMicro | 8.700.0.1004 | 2008.11.04 | - |
| VBA32 | 3.12.8.9 | 2008.11.03 | - |
| ViRobot | 2008.11.4.1451 | 2008.11.04 | - |
| VirusBuster | 4.5.11.0 | 2008.11.04 | - |

Additional information
File size: 125883 bytes
MD5: 544e073ad476bc186bf1f0787049b80f
SHA1: e95860e24afc467c89d35d49c9442f292133b8ee


As this case shows, a single piece of malware can pull in further malware and infect the computer in a chain. Files attached to suspicious emails should be reported to a security vendor and deleted, not opened out of curiosity.