Beware of malicious files disguised as MS Office DOCX documents

1. Introduction

On Feb 24, 2011, a malicious file disguised as a DOCX (MS Office document) file was found on an overseas web site.
The document carries an embedded EXE file (a PE image) that infects the user's PC when it is executed.
General users therefore need to be careful about running anything embedded in a downloaded DOCX file.

2. Spreading path and symptoms of infection

The downloaded DOCX file is named "satna.docx", although the file name can easily be changed and the file spread by various other techniques.
The following figure shows the downloadable malicious DOCX file.

The document displays a message written in English and Arabic.

It also lures the reader into clicking a Notepad icon embedded in the document.
Double-clicking the icon brings up the warning dialog shown below and executes the embedded EXE file (PE image) if the user confirms.

We extracted the embedded EXE file by dragging and dropping it out of the document and inspected its internal structure.
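The drag-and-drop extraction works because the EXE travels inside the DOCX as an embedded object. A .docx is a ZIP archive, and embedded objects are stored under word/embeddings/, so an analyst can check a suspicious document without opening it in Word. The following script is an added example, not code from the original post or from INCA Internet: it scans every ZIP entry for a PE image ("MZ" DOS header whose e_lfanew field points at "PE\0\0"), searching the whole entry rather than only offset 0 because an OLE-embedded executable is usually wrapped in a compound-file container (an assumption about the sample, which we have not inspected). The sample document built by build_sample_docx is constructed here for the demonstration and is not the satna.docx file.

```python
"""
Added example (not from the original post): detect an executable embedded in a
DOCX file. A .docx is a ZIP archive; OLE-embedded objects live under
word/embeddings/ (typically oleObjectN.bin). Every entry is scanned for a PE
image: an "MZ" DOS header whose e_lfanew pointer (DWORD at offset 0x3C) lands
on the "PE\0\0" signature. Requiring the e_lfanew check avoids false positives
on the letters "MZ" appearing in ordinary XML or text.
"""
import io
import struct
import zipfile

PE_SIGNATURE = b"PE\0\0"


def find_pe_offsets(data: bytes) -> list[int]:
    """Return the offset of every MZ header in data whose e_lfanew points at PE\0\0."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # The DOS header is 0x40 bytes; e_lfanew is the little-endian DWORD at +0x3C.
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe_off = pos + e_lfanew
            # Real PE files never place the NT headers inside the DOS header.
            if e_lfanew >= 0x40 and data[pe_off:pe_off + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_docx(docx_bytes: bytes) -> list[dict]:
    """Open a DOCX (ZIP) held in memory and report entries that contain a PE image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            offsets = find_pe_offsets(data)
            if offsets:
                findings.append({
                    "entry": info.filename,
                    "is_ole_embedding": info.filename.startswith("word/embeddings/"),
                    "pe_offsets": offsets,
                    "size": len(data),
                })
    return findings


# --- Constructed sample input for the demonstration (not the real satna.docx) ---

def build_fake_pe() -> bytes:
    """Stand-in for an EXE: a DOS header whose e_lfanew = 0x80 points at 'PE\0\0'."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\0" * (0x80 - 0x40) + PE_SIGNATURE + b"\0" * 20


def build_sample_docx(embed_exe: bool) -> bytes:
    """Build a minimal DOCX; with embed_exe=True it carries a fake EXE under word/embeddings/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if embed_exe:
            # Assumed OLE compound-file wrapper: the PE image does not start at offset 0.
            ole_prefix = b"\xd0\xcf\x11\xe0" + b"\0" * 500
            zf.writestr("word/embeddings/oleObject1.bin", ole_prefix + build_fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_docx(build_sample_docx(embed_exe=True)):
        print(f"{hit['entry']}: PE image at offsets {hit['pe_offsets']} "
              f"(embedding={hit['is_ole_embedding']}, {hit['size']} bytes)")
```

To check a real download, replace the constructed sample with `scan_docx(open("satna.docx", "rb").read())`. Any entry under word/embeddings/ that contains a PE image deserves the same treatment as an unsolicited EXE attachment; a document-to-document embedding (another DOCX, a spreadsheet) will not trigger the check, which is the intended distinction.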

Clicking the Run button in the warning dialog creates a malicious file disguised as a TXT file at the following path.

The generated svchosts.exe file (note the extra "s", mimicking the legitimate Windows svchost.exe) is registered under a registry value so that it runs again at every boot and re-infects the PC.

[Registry value registered for running at boot]

- Value name : "HKCU Key"
- Value data : "C:\Documents and Settings\Administrator\Application Data\svchosts.exe"
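Two things about this entry give it away regardless of the value name: the image lives in the user's Application Data folder, where no Windows system binary runs from, and its name is one letter off from svchost.exe. The script below is an added example, not code from the original post or from INCA Internet, that checks per-user autorun values for exactly those two properties. The post does not name the key the value sits under; the use of HKCU\Software\Microsoft\Windows\CurrentVersion\Run, the list of impersonated system binaries and the folder markers are assumptions made for the example, and the sample entries in SAMPLE_RUN_VALUES are constructed, with the one from the post included.

```python
"""
Added example (not from the original post): flag suspicious per-user autorun
entries of the kind described above, i.e. values whose executable runs from a
user-writable profile folder and/or whose file name mimics a Windows system
binary (svchosts.exe vs the real svchost.exe). On Windows the live Run key is
read with winreg; elsewhere the constructed sample is used so the logic can be
exercised offline.
"""
import difflib
import ntpath
import sys
from typing import Optional

# Binaries whose names malware commonly imitates; list is an assumption for this example.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "rundll32.exe"}

# Folders a legitimate system binary never runs from (lower-cased substrings); assumption.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\appdata\\", "\\temp\\", "\\local settings\\")

# Constructed sample; the first entry is the one reported in the post.
SAMPLE_RUN_VALUES = {
    "HKCU Key": r"C:\Documents and Settings\Administrator\Application Data\svchosts.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" --quiet',
}


def image_path(value_data: str) -> str:
    """Heuristically strip quotes and trailing arguments from a Run value to get the .exe path."""
    data = value_data.strip().strip('"')
    idx = data.lower().find(".exe")
    return data[:idx + 4] if idx != -1 else data


def lookalike_of(name: str) -> Optional[str]:
    """Return the system binary this file name mimics, or None (exact matches are not lookalikes)."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    matches = difflib.get_close_matches(name, SYSTEM_BINARIES, n=1, cutoff=0.85)
    return matches[0] if matches else None


def suspicious_run_entries(run_values: dict) -> list[dict]:
    """Return the entries that run from a profile folder or impersonate a system binary, with reasons."""
    findings = []
    for value_name, value_data in run_values.items():
        path = image_path(value_data)
        reasons = []
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from a user-writable profile folder")
        target = lookalike_of(ntpath.basename(path))
        if target:
            reasons.append(f"file name mimics {target}")
        if reasons:
            findings.append({"value_name": value_name, "path": path, "reasons": reasons})
    return findings


def read_hkcu_run() -> dict:
    """On Windows read the per-user Run key (assumed location); elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_RUN_VALUES
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    for hit in suspicious_run_entries(read_hkcu_run()):
        print(f"{hit['value_name']!r} -> {hit['path']}: {'; '.join(hit['reasons'])}")
```

The name check is deliberately fuzzy (a similarity cutoff of 0.85 via difflib) so that single-character padding such as svchosts.exe is caught while unrelated names are not; on a real machine, treat the output as a list of values to inspect, not as a verdict, and pair it with a hash or anti-virus scan of each flagged file.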

3. How to prevent

To keep your PC safe from the security threats posed by such malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and social network services (SNS).
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of malicious files such as the one described above through nProtect Anti-Virus/Spyware and operates a response system against various security threats.
