
1/05/2011

Be careful of malicious e-mail disguised as being sent by Microsoft.

1. Introduction

Malicious e-mail disguised as being sent by Microsoft was reported spreading on Jan 04, 2011.
The e-mail uses the subject "Update your Windows" and carries a malicious file.
Because the mail appears to come from Microsoft, it induces the user to download its attachment.


[Fake Microsoft security update spreads Autorun worm]
http://nakedsecurity.sophos.com/2011/01/04/fake-microsoft-update-spreads-worm/

2. Spreading path and symptoms of infection

Details are as follows.


Furthermore, the mail is disguised as Windows Update related content and induces the user to download the attachment in order to "update". Rumor has it that "Steve Lipner" is the name of a Microsoft employee.


On downloading the attachment, the victim sees a ZIP file and, inside it, an exe file with the same name as the ZIP file.
That name is the same as a normal Windows update file.

When the exe file is executed, it drops a copy of itself at a certain path and changes a registry value.

- Generated files

(Drive root)\SecurityUSB.2.8.exe (217,600 bytes)
(Drive root)\boot.inf (43 bytes)

- Modified registry value
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Value name : "Hidden"
Value data : 0
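A defender-side check for the indicators listed above, added here as an example and not part of INCA's advisory: it looks for the two dropped files at the root of every drive and reads the Explorer "Hidden" value. Only the file names, sizes and registry value come from the advisory; the function names and output format are this example's own, and it assumes PowerShell 3 or later.

```powershell
# Added example (not from the original advisory). Indicators below are the
# file names, sizes and registry value the advisory reports; nothing else.

function Test-SuspiciousDriveRoot {
    # Look at the root of every file-system drive for the two dropped files.
    $indicators = @{
        'SecurityUSB.2.8.exe' = 217600   # size in bytes, per the advisory
        'boot.inf'            = 43
    }
    $findings = @()
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in $indicators.Keys) {
            $path = Join-Path $drive.Root $name
            if (Test-Path -LiteralPath $path) {
                # -Force so hidden/system files are returned as well
                $item = Get-Item -LiteralPath $path -Force
                $findings += [pscustomobject]@{
                    Path        = $path
                    Size        = $item.Length
                    SizeMatches = ($item.Length -eq $indicators[$name])
                    LastWrite   = $item.LastWriteTime
                }
            }
        }
    }
    return $findings
}

function Test-HiddenValueIsZero {
    # The advisory reports the worm writes Hidden = 0 under Explorer\Advanced.
    # Explorer itself uses 1 (show hidden files) or 2 (do not show), so a value
    # of 0 is unusual on its own and worth flagging alongside the file check.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $value = (Get-ItemProperty -Path $key -Name Hidden -ErrorAction SilentlyContinue).Hidden
    return ($null -ne $value -and $value -eq 0)
}

$files = Test-SuspiciousDriveRoot
if ($files) { $files | Format-Table -AutoSize }
else        { 'No dropped files found at any drive root.' }
if (Test-HiddenValueIsZero) {
    'Explorer "Hidden" value is 0; review together with the file findings above.'
}
```

A size mismatch on a file with a matching name does not clear it; treat any hit as something to submit to your anti-virus vendor rather than delete by hand.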

3. How to prevent

To keep a PC safe from the security threats posed by such malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious of links received through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for malicious files such as the one described above through "nProtect Anti-Virus/Spyware", and operates a response system against various security threats.
