Malicious files for leaking personal information are evolving.

1. Introduction

Recently, malicious files aimed at leaking personal information are being spread in various ways.
Among them, unusual malicious files that tamper with Windows system files or bypass anti-virus software have been found, so users need to be careful when using the internet, and an urgent response strategy is needed.

2. Spreading path and symptoms of infection

Currently, this malicious file runs on PCs that are exposed to a Microsoft security vulnerability. The malicious file, a variant form of the normal Comres.dll, can infect a victim's PC when the victim accesses a suspicious URL.

* Control flow of the malicious file's spread

This malicious file, known as the Nateon malicious file, adopts a more sophisticated technique for spreading and infection.
This kind of infection will not spread further once the latest Microsoft security updates have been applied.

The downloaded 01.exe and 3.exe create files in certain paths when executed. In addition, once a PC is infected by this malicious file, it tampers with the normal comres.dll and imm32.dll.

[Generated files]
(Windows System folder)\ComResA.dll
(Windows System folder)\imm32.dll(Random alphanumeric.tmp)
(Windows System folder)\nt32.dll.(Random alphanumeric.tmp)
(Windows System folder)\systemInfo.ini
(Windows System folder)\systemInfomations.ini

 - (Windows System folder) is usually C:\WINDOWS\system32.

If the normal Comres.dll is deleted, it can cause system abnormalities; therefore, a process for recovering the normal system files is needed.

* Size differences of normal and malicious files

A. normal Comres.dll file
     C:\WINDOWS\system32\comres.dll (16,232 bytes)

B. malicious Comres.dll file
     C:\WINDOWS\system32\comres.dll  (7,168 bytes)

nt32.dll, generated by 3.exe, is designed to steal the account of a certain online game.
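As an added example (not code from the advisory or from INCA Internet), the Python script below turns the indicators listed above into a triage check: it inspects a folder for the dropped files, the renamed imm32.dll/nt32.dll copies, and a comres.dll whose size matches the tampered copy, and it builds a constructed sample folder to run against. The byte sizes are the advisory's figures and vary by Windows version, so a size mismatch alone is only a hint to verify the file's signature, not proof of infection.

```python
import tempfile
from pathlib import Path

# Indicators taken from the advisory above (file names and byte sizes).
NORMAL_COMRES_SIZE = 16232      # normal comres.dll, per the advisory
MALICIOUS_COMRES_SIZE = 7168    # tampered comres.dll, per the advisory
DROPPED_FILES = ["ComResA.dll", "systemInfo.ini", "systemInfomations.ini"]
TMP_PATTERNS = ["imm32.dll*.tmp", "nt32.dll*.tmp"]   # renamed originals


def scan_system_folder(folder):
    """Return a list of indicator strings found under `folder`.

    `folder` is the Windows system folder (C:\\WINDOWS\\system32 on a
    live host); here it may be any directory, e.g. a mounted disk image."""
    folder = Path(folder)
    findings = []
    comres = folder / "comres.dll"
    if comres.is_file():
        size = comres.stat().st_size
        if size == MALICIOUS_COMRES_SIZE:
            findings.append(f"comres.dll size {size} matches known tampered copy")
        elif size != NORMAL_COMRES_SIZE:
            findings.append(f"comres.dll size {size} differs from advisory's normal size")
    else:
        findings.append("comres.dll missing (deletion can cause system abnormalities)")
    for name in DROPPED_FILES:
        if (folder / name).exists():
            findings.append(f"dropped file present: {name}")
    for pattern in TMP_PATTERNS:
        for hit in sorted(folder.glob(pattern)):
            findings.append(f"renamed system DLL present: {hit.name}")
    return findings


def build_constructed_sample():
    """Create a temp directory mimicking the infected layout (constructed
    sample data, not a real capture) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="comres_sample_"))
    (root / "comres.dll").write_bytes(b"\x00" * MALICIOUS_COMRES_SIZE)
    (root / "ComResA.dll").write_bytes(b"\x00" * 16)
    (root / "imm32.dll").write_bytes(b"\x00" * 16)
    (root / "imm32.dllA1B2.tmp").write_bytes(b"\x00" * 16)  # renamed original
    (root / "systemInfo.ini").write_text("[constructed]\n")
    return root


if __name__ == "__main__":
    for line in scan_system_folder(build_constructed_sample()):
        print(line)
```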

* Comparison between the normal Comres.dll and Imm32.dll files and the tampered Comres.dll and Imm32.dll files

The left one is the normal file, the right one is the tampered form.

3. How to prevent

Many variants of comres.dll and imm32.dll are being spread these days.
To use a PC safely against the security threats posed by these malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and social networks (SNS).
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions in nProtect Anti-Virus/Spyware for detecting malicious files such as those described above, and operates a response system against various security threats.

Diagnosis name

- Trojan-Downloader/W32.Small.7168.FG
- Trojan/W32.Agent.7168.LX
- Trojan/W32.Agent.23040.PA
- Trojan/W32.Agent.53248.AXC
- Virus/W32.Patched.P
