Title : Filtering the MyDoom worm (MyDoom Worm) with procmail
Author : 좋은진호 (truefeel, http://coffeenix.net/ )
Date : 2004.01.31
The MyDoom worm (MyDoom Worm) is spreading fast. After MyDoom.A and MyDoom.B, further variants have followed, and four kinds of MyDoom worm have been found so far.
1. Filtering
Here is a simple way to block it with procmail.
Add the following to /etc/procmailrc; matching mail is then stored in a separate file or discarded. (9 lines including the blank line)
WORM_LOG = "/var/log/worm.log"

:0HB
* > 25000
* < 45000
* ^Subject: ($|error|status|server report|mail (transaction failed|delivery subsystem)|hello|hi|test)
* charset=.?Windows-1252.?
* (file)?name=.*\.(bat|cmd|com|exe|pif|scr|zip)
$WORM_LOG
All matching mail is stored in $WORM_LOG. If you do not need a copy, set it to /dev/null instead.
- message size between 25K and 45K (the whole message, header plus body),
- Subject either empty or, case-insensitively, beginning with Hi, Hello, Test, ... (procmail regexes are case-insensitive unless the D flag is set; note that the alternatives are anchored only at the start, so a Subject beginning with "History" also matches "hi"),
- charset="Windows-1252" somewhere in the message (the H and B flags make procmail search header and body), and
- an attachment named .bat, .cmd, .com, .exe, .pif, .scr or .zip.
A message that meets all of these conditions is treated as the MyDoom worm and filtered.
Two things to check before enabling it. When WORM_LOG is a real file, add a trailing colon (:0HB:) so procmail takes a local lockfile and concurrent deliveries do not interleave in the file, and make sure the user procmail delivers as can write to that path; leave the colon off when the target is /dev/null, or procmail will complain that it cannot create /dev/null.lock. And because an ordinary message with a short subject such as "hi" and a legitimate .zip attachment inside the size window will match too, keep the log rather than deleting outright until you have looked at the false-positive rate.
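As an added example that is not part of the original article, the recipe's five conditions are re-implemented below in Python so the matching logic can be checked offline against constructed messages before the recipe goes into /etc/procmailrc. procmail itself is not run; the message layout, the helper names (check_recipe, looks_like_mydoom, build_message) and the sample subjects and filenames are the example's own assumptions, not anything from the page or from MyDoom captures.

```python
import re

# Added example, not from the original page: the procmail recipe's conditions
# expressed in Python for offline testing. procmail regexes are case-insensitive
# by default and "$" there means end-of-line; re.IGNORECASE | re.MULTILINE
# reproduces that for these patterns.

MIN_SIZE = 25000  # procmail: * > 25000  (whole message, header + body)
MAX_SIZE = 45000  # procmail: * < 45000
SUBJECT_RE = re.compile(
    r"^Subject: ($|error|status|server report|"
    r"mail (transaction failed|delivery subsystem)|hello|hi|test)",
    re.IGNORECASE | re.MULTILINE,
)
CHARSET_RE = re.compile(r"charset=.?Windows-1252.?", re.IGNORECASE)
ATTACH_RE = re.compile(r"(file)?name=.*\.(bat|cmd|com|exe|pif|scr|zip)", re.IGNORECASE)


def check_recipe(raw: bytes) -> dict:
    """Evaluate each recipe condition on a raw message and return {condition: bool},
    so the reason a message did or did not match is visible."""
    # :0HB searches header and body alike, so match against the whole text.
    text = raw.decode("latin-1")
    return {
        "size": MIN_SIZE < len(raw) < MAX_SIZE,
        "subject": SUBJECT_RE.search(text) is not None,
        "charset": CHARSET_RE.search(text) is not None,
        "attachment": ATTACH_RE.search(text) is not None,
    }


def looks_like_mydoom(raw: bytes) -> bool:
    """True exactly when the recipe would deliver the message to $WORM_LOG."""
    return all(check_recipe(raw).values())


def build_message(subject: str, charset: str, filename: str, payload_bytes: int) -> bytes:
    """Construct a two-part MIME message (a constructed sample, not a captured worm).
    payload_bytes pads the base64 part (36 chars + newline per line) so the total
    size lands inside or outside the 25K..45K window."""
    boundary = "----=_Part_constructed"
    lines = [
        "From: someone@example.com",
        "To: you@example.com",
        f"Subject: {subject}",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        f'Content-Type: text/plain; charset="{charset}"',
        "Content-Transfer-Encoding: 7bit",
        "",
        "The message could not be displayed; see the attachment.",
        "",
        f"--{boundary}",
        f'Content-Type: application/octet-stream; name="{filename}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{filename}"',
        "",
    ]
    lines += ["QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="] * (payload_bytes // 37)
    lines += [f"--{boundary}--", ""]
    return "\n".join(lines).encode("latin-1")


if __name__ == "__main__":
    samples = {
        "worm-like": build_message("hi", "Windows-1252", "document.zip", 30000),
        "normal subject": build_message("Quarterly figures", "Windows-1252", "document.zip", 30000),
        "utf-8 body": build_message("hi", "utf-8", "document.zip", 30000),
        "txt attachment": build_message("hi", "Windows-1252", "notes.txt", 30000),
        "too small": build_message("hi", "Windows-1252", "document.zip", 10000),
        "prefix 'hi'": build_message("History lesson", "Windows-1252", "document.zip", 30000),
    }
    for name, raw in samples.items():
        print(f"{name:16s} size={len(raw):6d} -> {check_recipe(raw)}")
```

Running it shows the "prefix 'hi'" sample matching every condition, which is the Subject anchoring point: the recipe tests only the beginning of the Subject, so the size, charset and attachment conditions are what keep the false-positive rate down.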
2. References
* Filtering Worm/MyDoom.A with procmail
http://groups.google.co.kr/groups?selm=bv6920%24gdh%241%40FreeBSD.csie.NCTU.edu.tw&oe=UTF-8&output=gplain
* [Level C] Worm_MIMAIL.R (Worm_Mydoom.A) advisory
http://www.certcc.or.kr/cvirc/Alert/warning/2004/Worm_mimail_r.html
* Win32/MyDoom.worm.22528 (MyDoom.A)
http://info.ahnlab.com/smart2u/virus_detail_1298.html
* Win32/MyDoom.worm.29184 (MyDoom.B, variant)
http://info.ahnlab.com/smart2u/virus_detail_1299.html
* Win32/MyDoom.worm.32768 (variant)
http://info.ahnlab.com/smart2u/virus_detail_1302.html
* Win32/MyDoom.worm.40448 (variant)
http://info.ahnlab.com/smart2u/virus_detail_1303.html