
ShadoBot sends a photo album.zip file via MSN Messenger

쿨캣7 2007. 3. 26. 17:45

[Notice]

Hello,

If you can't speak Korean, please read this notice.
Recently I realized a lot of foreigners read this posting.
Yes, you just received a worm file.

But don't panic!!
If you didn't execute it, please delete the photo album.zip file.

If you were already infected with this worm,
please update your anti-virus program.

If you don't use any anti-virus program, you can try installing the AhnLab V3 Internet Security 2007 Platinum trial version to cure it.
(http://global.ahnlab.com/)

Sorry, my English is not perfect.

Thanks.

ps.

I'm an anti-virus researcher at AhnLab, a Korean anti-virus vendor.


-------------------------------------------------------------

A malicious IRC bot that spreads via MSN Messenger has been discovered.

[Discovery status]

* Discovered on the morning of March 26, 2007 (10 cases reported to AhnLab)

- File name: photo album.zip (contains photo+album2007.pif)
- File size: 18,944 bytes
- MD5: 383FA8F31BC56113DBB9F5B7527A6D0D
- Dropped file name: rdshost.dll (14,848 bytes): detected by V3 as Win-Trojan/ShadoBot.14848
- V3 detection name: Win32/ShadoBot.worm.18944 (2007.03.26.01)

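* New discovery on the morning of March 27, 2007 (3 cases reported to AhnLab)

- File name: photo album.zip (contains photo album2007.pif)
- File size: 21,504 bytes
- MD5: cd32ff331a2ea7d2a22fd11a952fb1c2
- Dropped file name: rdfhost.dll (20,992 bytes)
- V3 detection name: Win32/ShadoBot.worm.21504 (2007.03.27.00)

* Discovered on the afternoon of March 27, 2007

The main executable was not found; only the DLL file was found.
rdihost.dll (20,992 bytes): the length is the same, but the content is quite different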
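
A triage check for a received archive, built from the indicators listed above (a .pif program inside a .zip, and the two MD5 values). This is an added example, not code from the original post or from AhnLab; the function names, the extra extensions and the size limit are assumptions, and the sample archive is constructed and harmless.

```python
import hashlib
import io
import zipfile

# MD5 values listed in this post. The post does not say whether they describe
# the .zip or the .pif inside it, so both are checked (assumption).
PAGE_MD5 = {
    "383fa8f31bc56113dbb9f5b7527a6d0d",  # Win32/ShadoBot.worm.18944
    "cd32ff331a2ea7d2a22fd11a952fb1c2",  # Win32/ShadoBot.worm.21504
}
# .pif is from this post; the other extensions are assumptions of this example.
EXEC_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd")
MAX_MEMBER = 10 * 1024 * 1024  # do not unpack members declared larger than this


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage_zip(data: bytes, known_md5=PAGE_MD5) -> list:
    """Return (name, reason) findings for one received archive given as bytes."""
    known = {h.lower() for h in known_md5}  # the post prints one hash in upper case
    findings = []
    if md5_hex(data) in known:
        findings.append(("archive", "md5-match"))
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [("archive", "not-a-valid-zip")]
    with archive:
        for info in archive.infolist():
            name = info.filename
            # Windows ignores trailing dots and spaces in file names.
            if name.lower().rstrip(". ").endswith(EXEC_EXT):
                findings.append((name, "executable-extension"))
            # Skip directories, encrypted members and oversized members.
            if info.is_dir() or info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                continue
            if md5_hex(archive.read(info)) in known:
                findings.append((name, "md5-match"))
    return findings


def make_sample(name: str, body: bytes) -> bytes:
    """Build a constructed, harmless zip in memory for testing the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, body)
    return buf.getvalue()
```

The extension check is the more durable of the two: the three variants above change size and content within two days, so a hash list alone misses the newer ones.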



[Messages displayed in Messenger]

* Screenshot of Win32/ShadoBot.worm.18944 delivering the malware via MSN Messenger


ShadoBot sending a file via Messenger

- HEY lol i've done a new photo album !:) Second ill find file and send you it.
- Hey wanna see my new photo album?
- Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
- Hey just finished new photo album! :) might be a few nudes ;) lol...
- hey you got a photo album? anyways heres my new photo album :) accept k?
- hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..



* Messages sent via MSN Messenger by Win32/ShadoBot.worm.21504

- Hey i been doing photo album! Should see em loL! accept please mate :)
- HEY lol i've done a new photo album !:) Second ill find file and send you it.
- Hey wanna see my new photo album?
- OMG just accept please its only my photo album!!
- Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
- Hey just finished new photo album! :) might be a few nudes ;) lol...
- hey you got a photo album? anyways heres my new photo album :) accept k?
- hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..

* Messages displayed in MSN Messenger by the variant discovered on the afternoon of the 27th

- Lmfao hey im sending my new photo album, Some bare funny pictures!
- lol my sister wants me to send you this photo album
- loooooooooooool :D
- looooook :p
- Hey i been doing photo album! Should see em loL! accept please mate :)
- HEY lol i've done a new photo album !:) Second ill find file and send you it.
- Hey wanna see my new photo album?
- OMG just accept please its only my photo album!!
- Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
- Hey just finished new photo album! :) might be a few nudes ;) lol...
- hey you got a photo album? anyways heres my new photo album :) accept k?
- hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..



[Related sites]

- Warning: worm spreading rapidly via messenger (2007-03-27)

http://kr.ahnlab.com/ahnlabReportview.ahn?num=50006422

- Win32/ShadoBot.worm.18944

http://kr.ahnlab.com/info/smart2u/virus_detail_7404.html

- Win32/ShadoBot.worm.21504 information

http://kr.ahnlab.com/info/smart2u/virus_detail_7405.html
