Malicious files are spreading through MSN messenger.

1. Introduction

A malicious file has been found in South Korea through MSN(Live) messenger on Feb 21, 2011.
Accessing certain URL will infect user's PC.
General users who use MSN frequently need to be careful on clicking URL.



2. Spreading path and symptoms of infection

This malicious file can infect on clicking URL.

On clicking link, (DSC002502011.JPG.scr), a malicious file disguised as a image file, will be downloaded.

http://www.*****academy.**/image.php?img=DSC002502011.JPG

Downloaded DSC002502011.JPG.src is masqueraded as a image file.

Furthermore, upon executed this malicious file, it will download additional malicious file.

http://bistrode*****.com/kbn.exe

Downloaded malicious kbn.exe will be saved as a winrsvn.exe on following path and will register in registry for running on boot.

[Generated File]

User account\Microsoft-Driver-[Random numbers]\winrsvn.exe

[Registry Information]

HKEY_CURRENT_USER\Sofrware\Microsoft\Windows\CurrentVersion\Run
"Microsoft(R) Service Update="%User account&Microsoft-Driver-[Random numbers]\winrsvn.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\List
"%User account%\Microsoft-Driver-[Random numbers]\winrsvn.exe"

 This malicious file will deliver following message and malicious file link to certain user.

[Message]


hab ich dir das foto schon gezeigt?
wie findest du das foto?
das foto solltest du wirklich sehen
so will ich nicht aussehen wenn ich alt bin
kennst du die person aufm foto?
kennst du das foto schon?
schau mal das foto an
unglaublich welche fotos leute von sich machen schau mal
die sieht aus wie angela merkel
tell me what you think of this picture i edited
i cant believe i still have this picture of you from last winter
should i make this my default picture?
this is the funniest photo ever!
tell me what you think of this photo
i don't think i will ever sleep again after seeing this photo
my parents are going to kill me if they find this picture

3. How to prevent
To use PC safely from security threats of these malicious attachments, we recommend following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.
5. Execute downloaded file after scan with anti-virus SW.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with nProtect Anti-Virus/Spyware for detecting such as malicious file stated above and runs responding system against various security threats.

* Diagnosis name

 - Trojan-Downloader/W32.Agent.18944.FE
 - Trojan-Downloader/W32.Agent.38912.CM