Its spreading technique is becoming more and more sophisticated.
2. Spreading path and symptoms of infection
An infected user will send messages that include a malicious link.
If an uninfected user clicks that link, the outcome depends on whether the Microsoft security patches have been applied and on the web browser (Internet Explorer, Firefox).
The message contains a certain URL, which the user can access by clicking the link.
This forum consists of malicious HTML files.
Furthermore, this forum appears to have been exposed to a Zeroboard vulnerability.
The decoded script contains a malicious URL, as follows.
kr1.html downloads the malicious 38.jpg file by exploiting the MS10-018 vulnerability; kr2.html uses the MS09-002 vulnerability.
The following figure shows the decoded script of kr1.html and kr2.html, in which the malicious URL can be found.
The user can reach ff10.htm from in.js.
ff10.htm can perform malicious behavior by exploiting a vulnerability in a certain web browser.
On a certain web browser, it can download cosplay.swf.
The downloaded cosplay.swf appears to be a normal Flash file; however, it contains malicious code and can download the malicious 38.jpg file.
The 38.jpg file then performs the malicious behavior.
The downloaded 38.jpg creates files in the following path.
winweng.exe, generated by 38.jpg.exe, kills certain anti-virus programs. In addition, winweng.exe is run at every boot to kill the following anti-virus software.
In addition, this malicious file can inject winpingying.ime into iexplorer.exe to perform malicious behavior, including stealing online game accounts for the following games.
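The download chain described above can be hunted for in web proxy logs. The following is an added example, not code from INCA Internet: it flags clients that fetched one of the landing files named in this article and then a 38.jpg whose content is an executable. The log format, host names, time window and the assumption that the payload starts with the "MZ" executable header are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# File names come from the article; everything else below is an assumption.
LANDING = {"kr1.html", "kr2.html", "in.js", "ff10.htm", "cosplay.swf"}
PAYLOAD = "38.jpg"

# Constructed log format: <epoch> <client_ip> <url> <first response bytes, hex>
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+((?:[0-9a-fA-F]{2})*)$")

# Constructed sample data (hosts are placeholders, not indicators).
SAMPLE_LOG = """\
1000 10.0.0.5 http://forum.example/bbs/kr1.html 3c68746d
1002 10.0.0.5 http://forum.example/bbs/38.jpg 4d5a9000
2000 10.0.0.7 http://forum.example/bbs/in.js 76617220
2001 10.0.0.7 http://forum.example/bbs/ff10.htm 3c68746d
2003 10.0.0.7 http://forum.example/bbs/cosplay.swf 43575309
2010 10.0.0.7 http://forum.example/bbs/38.jpg 4d5a9000
2500 10.0.0.9 http://photos.example/38.jpg ffd8ffe0
"""

def parse(log_text):
    """Yield (timestamp, client, file name, leading response bytes)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the hunt
        ts, client, url, head = m.groups()
        name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        yield int(ts), client, name, bytes.fromhex(head)

def find_infections(log_text, window=600):
    """Return {client: [landing files]} for clients that fetched a landing
    file and, within `window` seconds, a 38.jpg that is really an executable."""
    seen = defaultdict(list)  # client -> [(timestamp, landing file)]
    hits = {}
    for ts, client, name, head in sorted(parse(log_text)):
        if name in LANDING:
            seen[client].append((ts, name))
        elif name == PAYLOAD and head.startswith(b"MZ"):
            recent = [n for t, n in seen[client] if ts - t <= window]
            if recent:  # payload alone is not enough; require the chain
                hits[client] = recent
    return hits

if __name__ == "__main__":
    for client, chain in find_infections(SAMPLE_LOG).items():
        print(client, "->", " > ".join(chain + [PAYLOAD]))
```

The client that fetched a genuine JPEG named 38.jpg is not flagged, because the check requires both the preceding landing file and the executable header.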
4. How to prevent
Since this kind of malicious file can operate over the Internet and cause financial damage, applying the latest patches, including those for MS Windows, is essential.
To use your PC safely against the security threats of these malicious attachments, we recommend following the "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions in nProtect Anti-Virus/Spyware for detecting malicious files such as the one described above, and runs a response system against various security threats.