
1/17/2011

Malicious files aimed at leaking personal information are evolving.

1. Introduction

Recently, malicious files aimed at leaking personal information have been spread in various ways.
Among them, unusual malicious files that tamper with Windows system files or bypass anti-virus software have been found, so users need to be careful when using the internet, and an urgent response strategy is needed.


2. Spreading path and symptoms of infection

Currently, this malicious file runs on PCs exposed to a Microsoft security vulnerability. The malicious file, a variant of the normal Comres.dll, can infect a victim's PC when the victim accesses a suspicious URL.

* Control flow of the malicious file's spread



This malicious file, known as the Nateon malicious file, adopts more sophisticated techniques for its spread and infection.
This infection will not spread further once the latest Microsoft security updates are applied.


The downloaded 01.exe and 3.exe create files in certain paths when executed. In addition, once a PC is infected, this malicious file tampers with the normal comres.dll and imm32.dll.

[Generated files]
(Windows System folder)\ComResA.dll
(Windows System folder)\imm32.dll(Random alphanumeric.tmp)
(Windows System folder)\nt32.dll.(Random alphanumeric.tmp)
(Windows System folder)\systemInfo.ini
(Windows System folder)\systemInfomations.ini

 - (Windows System folder) is usually C:\WINDOWS\system32.

If the normal Comres.dll is deleted, it can cause system abnormalities; therefore, the normal system file must be recovered.

* Size differences between the normal and malicious files

A. normal Comres.dll file
     C:\WINDOWS\system32\comres.dll (16,232 bytes)

B. malicious Comres.dll file
     C:\WINDOWS\system32\comres.dll (7,168 bytes)
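As an added triage check (not part of the original advisory), the following Python function looks for the artifacts listed above in a Windows System folder and compares comres.dll against the quoted sizes; the sample folder it builds is constructed for the demonstration, and the exact .tmp name pattern is an assumption drawn from the listed file names.

```python
import re
import tempfile
from pathlib import Path

# Sizes quoted in the advisory for C:\WINDOWS\system32\comres.dll (bytes).
NORMAL_COMRES_SIZE = 16_232
MALICIOUS_COMRES_SIZE = 7_168
# Exact-name artifacts the advisory lists in the Windows System folder.
DROPPED_NAMES = {"comresa.dll", "systeminfo.ini", "systeminfomations.ini"}
# imm32.dll / nt32.dll followed by a random alphanumeric part and ".tmp" (assumed form).
TMP_PATTERN = re.compile(r"^(imm32|nt32)\.dll\.?[a-z0-9]+\.tmp$")

def scan_system_folder(system_dir):
    """Return sorted triage findings for one Windows System folder.
    A size match is a hint, not proof: confirm with an AV scan or sfc."""
    findings = []
    for entry in Path(system_dir).iterdir():
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in DROPPED_NAMES:
            findings.append(f"dropped file present: {entry.name}")
        elif TMP_PATTERN.match(name):
            findings.append(f"generated .tmp variant of a system file: {entry.name}")
        elif name == "comres.dll":
            size = entry.stat().st_size
            if size == MALICIOUS_COMRES_SIZE:
                findings.append(f"comres.dll size {size} matches the tampered sample")
            elif size != NORMAL_COMRES_SIZE:
                findings.append(f"comres.dll size {size} differs from expected {NORMAL_COMRES_SIZE}")
    return sorted(findings)

def build_sample_folder(root):
    """Constructed stand-in for an infected System folder (zero-filled, not malware)."""
    root = Path(root)
    (root / "comres.dll").write_bytes(b"\x00" * MALICIOUS_COMRES_SIZE)
    (root / "ComResA.dll").write_bytes(b"\x00" * NORMAL_COMRES_SIZE)
    for name in ("imm32.dll", "imm32.dll.a1b2c3.tmp", "nt32.dll", "nt32.dll.x9y8.tmp", "kernel32.dll"):
        (root / name).write_bytes(b"\x00" * 64)  # kernel32.dll is an unrelated control file
    (root / "systemInfomations.ini").write_text("[constructed sample]\n")
    return root

def demo_scan():
    """Build the constructed folder in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_system_folder(build_sample_folder(tmp))

if __name__ == "__main__":
    for line in demo_scan():
        print(line)
```

On a real system, point scan_system_folder at the actual System folder; the unrelated control file in the sample shows that ordinary DLLs produce no finding.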

nt32.dll, generated by 3.exe, is designed to steal accounts for certain online games:
 
Pmang.com
Netmarble.net
Nexon.com
Lineage.plaync.co.kr
Hangame.com

* Comparison between the normal Comres.dll and Imm32.dll files and the tampered Comres.dll and Imm32.dll files

The left one is the normal file; the right one is the tampered form.

3. How to prevent

Many variants of comres.dll and imm32.dll are being spread these days.
To keep your PC safe from the security threats posed by these malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and use the real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for the malicious files described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

Diagnosis names

- Trojan-Downloader/W32.Small.7168.FG
- Trojan/W32.Agent.7168.LX
- Trojan/W32.Agent.23040.PA
- Trojan/W32.Agent.53248.AXC
- Virus/W32.Patched.P
