Unusual malicious files that tamper with Windows system files or bypass anti-virus software have been found spreading, so users need to be careful when using the internet, and an urgent response strategy is needed.
2. Spreading path and symptoms of infection
Currently, this malicious file runs on PCs that are exposed to a Microsoft security vulnerability. The malicious file, a variant of the normal Comres.dll, can infect a victim's PC when the victim accesses a suspicious URL.
* Flow of the malicious file's spread
This malicious file, known as a Nateon malicious file, has adopted more sophisticated techniques for spreading and infection.
This kind of infection will not spread once the latest Microsoft security updates are applied.
When executed, the downloaded 01.exe and 3.exe create files in certain paths. In addition, once a PC is infected, the malware tampers with the normal comres.dll and imm32.dll.
If the normal Comres.dll is deleted, it can cause system abnormalities; therefore, the normal system files need to be recovered.
* Size differences between normal and malicious files
nt32.dll, generated by 3.exe, is designed to steal certain online game accounts.
* Comparison between the normal Comres.dll and Imm32.dll files and the tampered Comres.dll and Imm32.dll files
The left one is normal; the right one is the tampered form.
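A defender-side check for the tampering described above, as an added example that is not part of the original advisory: it reports the size, signature status and SHA-256 of comres.dll and imm32.dll so they can be compared with a known-clean machine. The default System32 location and the Microsoft signer match are assumptions.

```powershell
# Added example (not from the advisory): triage check for the two system DLLs
# the advisory says are tampered with. Assumes the default System32 location.
$targets = 'comres.dll', 'imm32.dll'
$sys32   = Join-Path $env:SystemRoot 'System32'

$report = foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) {
        # A missing file is a finding too: the advisory notes that a deleted
        # comres.dll causes system abnormalities.
        [pscustomobject]@{
            File = $name; Present = $false; SizeBytes = $null; LastWrite = $null
            Signature = $null; Signer = $null; SHA256 = $null; Suspicious = $true
        }
    }
    else {
        $item   = Get-Item -LiteralPath $path -Force
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Heuristic (assumption): a genuine copy is validly signed and the signer
        # subject names Microsoft Corporation. Anything else is flagged for review.
        $bad = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')

        [pscustomobject]@{
            File       = $name
            Present    = $true
            SizeBytes  = $item.Length          # compare with a known-clean machine
            LastWrite  = $item.LastWriteTime
            Signature  = $sig.Status
            Signer     = $signer
            SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Suspicious = $bad
        }
    }
}

$report | Format-List

if ($report.Suspicious -contains $true) {
    Write-Warning 'At least one system DLL is missing or failed the signature check.'
}
```

On older PowerShell versions that do not resolve catalog signatures, a clean system file can report NotSigned, so treat a flag as a triage signal and confirm by comparing the size and hash against the same file on a known-clean system of the same Windows build.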
3. How to prevent
Many variants of comres.dll and imm32.dll are spreading these days.
To keep PCs safe from the security threats posed by these malicious attachments, we recommend that general users follow the "Security management tips".
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions in nProtect Anti-Virus/Spyware for malicious files such as the one described above, and runs a response system against various security threats.