
2/25/2011

Be careful of malicious files disguised as MS Office DOCX files

1. Introduction

On Feb 24, 2011, a malicious file disguised as a DOCX file (an MS Office document) was found on an overseas web site.
The document contains an EXE file with a PE structure, which infects the user's PC when it is executed.
General users therefore need to be careful when executing files found inside downloaded DOCX files.



2. Spreading path and symptoms of infection

The downloaded DOCX file is named "satna.docx"; however, the file name can be changed and the file spread using various techniques.
The following figure shows the downloadable malicious DOCX file.


The message shown is written in English and Arabic.



Furthermore, it induces the user to click a Notepad icon.
Double-clicking the icon executes the embedded EXE file (PE structure) after showing this warning page.


We extracted this EXE file by drag and drop and inspected its internal structure.
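A DOCX file is a ZIP container, and an object embedded the way described above is stored as a separate entry (normally under word/embeddings/). The following script, an added example that is not part of the original INCA Internet post, opens a DOCX without rendering it, lists embedded-object entries, and looks for an MZ/PE header pair anywhere inside each entry. The sample document and the PE-like payload are constructed inline; the entry names and the OLE magic prefix follow the Office Open XML / OLE compound file formats, and no real malware is used.

```python
import io
import struct
import zipfile
from typing import Dict, List, Optional

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound file header signature


def build_fake_pe() -> bytes:
    """Constructed stand-in for an EXE: DOS header 'MZ', e_lfanew at 0x3C, 'PE\\0\\0'."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


def build_sample_docx(embedded_payload: Optional[bytes]) -> bytes:
    """Constructed minimal DOCX; if a payload is given it is wrapped in an
    OLE-like blob under word/embeddings/, as Office does for packaged objects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        if embedded_payload is not None:
            # Real packages keep the EXE in an Ole10Native stream; 0x200 bytes of
            # padding stand in for the compound-file directory structures.
            zf.writestr("word/embeddings/oleObject1.bin",
                        OLE_MAGIC + b"\x00" * 0x200 + embedded_payload)
    return buf.getvalue()


def find_pe_headers(data: bytes) -> List[int]:
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature.
    The whole buffer is scanned because an embedded EXE sits inside an OLE
    stream, not at offset 0 of the ZIP entry."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_docx(docx_bytes: bytes) -> List[Dict]:
    """Report each entry that is an embedded object and/or carries a PE image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            payload = zf.read(info.filename)
            embedded = info.filename.startswith("word/embeddings/")
            offsets = find_pe_headers(payload)
            if embedded or offsets:
                findings.append({"entry": info.filename,
                                 "embedded_object": embedded,
                                 "pe_offsets": offsets})
    return findings


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx(build_fake_pe())):
        print(finding)
```

To check a real download, replace the constructed document with `open("file.docx", "rb").read()`; an entry under word/embeddings/ that contains a PE header is exactly the pattern described in this post, and the file should be scanned with anti-virus software rather than opened.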



When the user clicks the execute button, a malicious file disguised as a TXT file is created on the following path.



The generated svchosts.exe file is registered in a certain registry value and re-infects the PC on each boot.

[Register registry value for running on boot]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Value name : "HKCU Key"
- Value data : "C:\Documents and Settings\Administrator\Application Data\svchosts.exe"
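The Run value above can be checked without any extra tools: export the key with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and review the result. The script below is an added example, not part of the original post, that parses such an export and flags the two traits this sample shows: an auto-start executable living in a user-writable profile directory, and a file name imitating a Windows system process (svchosts.exe versus the real svchost.exe, which is not started from the Run key). The export text is constructed; the "HKCU Key" entry reproduces the value documented in this post, and the OneDrive entry is a made-up benign comparison.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` dump (not a capture from the infected PC).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"HKCU Key"="C:\\Documents and Settings\\Administrator\\Application Data\\svchosts.exe"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Directories an ordinary user can write to; system services are not started from here.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Stems of core Windows processes whose names malware commonly imitates.
SYSTEM_STEMS = ("svchost", "csrss", "lsass", "winlogon")


def unescape(value: str) -> str:
    """.reg files escape backslashes and quotes with a backslash."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value name: value data} for the HKCU Run key only."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values


def suspicious_reasons(command: str) -> List[str]:
    """Explain why an auto-start command looks like persistence, or return []."""
    path = command.strip('"').lower()
    m = re.search(r"^(.*?\.exe)", path)          # drop arguments after the executable
    exe = m.group(1) if m else path
    base = exe.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    reasons = []
    if any(seg in exe for seg in USER_WRITABLE):
        reasons.append("executable is in a user-writable profile directory")
    if any(stem.startswith(s) for s in SYSTEM_STEMS) and "\\windows\\system32\\" not in exe:
        reasons.append("name imitates a Windows system process but is not in System32")
    return reasons


def audit_run_key(reg_text: str) -> Dict[str, List[str]]:
    """Map each flagged value name to its reasons; clean entries are omitted."""
    return {name: suspicious_reasons(data)
            for name, data in parse_run_values(reg_text).items()
            if suspicious_reasons(data)}


if __name__ == "__main__":
    for name, reasons in audit_run_key(SAMPLE_REG).items():
        print(name, "->", "; ".join(reasons))
```

A hit is a starting point for a look at the referenced file, not a verdict; removing the value alone does not clean the machine, since the dropped executable stays on disk until it is deleted or quarantined by anti-virus software.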

3. How to prevent

To keep your PC safe from the security threats posed by such malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep its real-time detection function enabled.
3. Do not view or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and treatment for malicious files such as the one described above through nProtect Anti-Virus/Spyware, and runs a response system against various security threats.

1 comment:

  1. Thankful for the warning. I have heard a lot about how the virus gets into the mail in the message, and clicking on the link in the document is its unpacking and unloading into the buffer. I'm pretty careful with the docs actually, and I'll not open a slightly wishy-washy mail.
    For me, to work quickly and easily and open docx files, https://wikiext.com/docx is a universal solution for Windows.
    And as for security issues, I'm encouraged to constantly update the antivirus on the PC and be careful enough. It seems to me that it's a possible way to prevent the threat of an attack on the PC.
