[Notice]
Hello,
If you can't speak Korean, please read this notice.
Recently I realized a lot of foreigners read this posting.
Yes, you just received a worm file.
But don't panic!!
If you didn't execute it, please delete the photo album.zip file.
If you are already infected with this worm, please update your anti-virus program.
If you don't use any anti-virus program, you can try to install the AhnLab V3 Internet Security 2007 Platinum trial version to cure it.
(http://global.ahnlab.com/)
Sorry, my English is not perfect.
Thanks.
ps.
I'm an Anti-Virus Researcher at AhnLab, a Korean anti-virus vendor.
-------------------------------------------------------------
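A malicious IRC bot that spreads via MSN Messenger has been discovered.
[Discovery status]
* Discovered on the morning of March 26, 2007 (10 cases reported to AhnLab)
- File name : photo album.zip (contains photo+album2007.pif)
- File size : 18,944 bytes
- MD5 : 383FA8F31BC56113DBB9F5B7527A6D0D
- Dropped file name : rdshost.dll (14,848 bytes) : detected by V3 as Win-Trojan/ShadoBot.14848
- V3 detection name : Win32/ShadoBot.worm.18944 (2007.03.26.01)
* New discovery on the morning of March 27, 2007 (3 cases reported to AhnLab)
- File name : photo album.zip (contains photo album2007.pif)
- File size : 21,504 bytes
- MD5 : cd32ff331a2ea7d2a22fd11a952fb1c2
- Dropped file name : rdfhost.dll (20,992 bytes)
- V3 detection name : Win32/ShadoBot.worm.21504 (2007.03.27.00)
* Discovered on the afternoon of March 27, 2007
The main executable was not found; only the DLL file was found
rdihost.dll (20,992 bytes) : the length is the same, but the contents differ considerably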
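The indicators listed above (a ZIP lure carrying a .pif file, and the two MD5 values) can be turned into a triage check for archives received over a messenger. This is an added example, not code from the original post or from AhnLab; `triage_archive`, `build_zip`, the extension list and the size limit are assumptions made for illustration, and the test data is constructed.

```python
import hashlib
import io
import zipfile

# MD5 values as listed in this post (lower-cased for comparison).
KNOWN_MD5 = {
    "383fa8f31bc56113dbb9f5b7527a6d0d",  # sample reported 2007-03-26
    "cd32ff331a2ea7d2a22fd11a952fb1c2",  # sample reported 2007-03-27
}
# Assumption: extensions Windows runs directly; .pif is the one this post reports.
EXECUTABLE_EXTS = (".pif", ".scr", ".exe", ".com")
MAX_MEMBER_BYTES = 1 << 20  # assumption: listed samples are ~20 KB, skip huge members


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def triage_archive(data, known_md5=KNOWN_MD5):
    """Return a list of (reason, name) findings for a received ZIP given as bytes."""
    findings = []
    # The post does not say whether the MD5 covers the ZIP or the .pif: check both.
    if md5_hex(data) in known_md5:
        findings.append(("known-md5", "<archive>"))
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [("not-a-zip", "<archive>")]
    with zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                findings.append(("executable-member", info.filename))
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES or info.flag_bits & 0x1:
                continue  # directory, oversized or encrypted member: not hashed
            if md5_hex(zf.read(info)) in known_md5:
                findings.append(("known-md5", info.filename))
    return findings


def build_zip(members):
    """Build a constructed in-memory ZIP from {name: bytes}, used only for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

An empty result means none of these indicators matched; it does not mean the archive is clean, since the afternoon variant shows the contents change while names and sizes stay similar.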
[Messages displayed in Messenger]
* Screen showing Win32/ShadoBot.worm.18944 delivering the malware via MSN Messenger
ShadowBot sending a file via Messenger
- HEY lol i've done a new photo album !:) Second ill find file and send you it.
- Hey wanna see my new photo album?
- Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
- Hey just finished new photo album! :) might be a few nudes ;) lol...
- hey you got a photo album? anyways heres my new photo album :) accept k?
- hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..
* Messages sent via MSN Messenger by Win32/ShadoBot.worm.21504
- Hey i been doing photo album! Should see em loL! accept please mate :)
- HEY lol i've done a new photo album !:) Second ill find file and send you it.
- Hey wanna see my new photo album?
- OMG just accept please its only my photo album!!
- Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
- Hey just finished new photo album! :) might be a few nudes ;) lol...
- hey you got a photo album? anyways heres my new photo album :) accept k?
- hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..
* Messages displayed in MSN Messenger by the variant discovered on the afternoon of the 27th
- Lmfao hey im sending my new photo album, Some bare funny pictures!
- lol my sister wants me to send you this photo album
- loooooooooooool :D
- looooook :p
- Hey i been doing photo album! Should see em loL! accept please mate :)
- HEY lol i've done a new photo album !:) Second ill find file and send you it.
- Hey wanna see my new photo album?
- OMG just accept please its only my photo album!!
- Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
- Hey just finished new photo album! :) might be a few nudes ;) lol...
- hey you got a photo album? anyways heres my new photo album :) accept k?
- hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..
[Related sites]
- Warning about a worm spreading rapidly via messenger (2007-03-27)
http://kr.ahnlab.com/ahnlabReportview.ahn?num=50006422
- Win32/ShadoBot.worm.18944
http://kr.ahnlab.com/info/smart2u/virus_detail_7404.html
- Win32/ShadoBot.worm.21504 information