
2/17/2011

Malicious files using ARP Spoofing are spreading.

1. Introduction

ARP Spoofing malicious files are spreading rapidly these days, and an infection can accumulate additional damage, including the download of further malicious files and the theft of online game accounts.
On an infected PC, internet speed can drop, and malicious files can spread to other PCs through its network.
General users therefore need to be careful when using the internet.

Furthermore, this ARP Spoofing malicious file is spreading widely on PCs that use a certain management program.

2. Spreading path and symptoms of infection

The place of origin has not been identified so far; however, the spreading technique of this malicious file is unusual.

The biggest difference between previous malicious files and the recently found one is that the new file includes an iframe for downloading an additional malicious file. In other words, an infected PC can work as a spreading server.
Once infected by ARP Spoofing, it can generate the following files.

* Generated and downloaded files

C:\WINDOWS\system32\wbem\AdmDll.dll
C:\WINDOWS\system32\wbem\H1A1-DNA.dna
C:\WINDOWS\system32\wbem\H1A1.exe
C:\WINDOWS\system32\wbem\H1A1.html
C:\WINDOWS\system32\wbem\H1A1_NDA_8.exe
C:\WINDOWS\system32\wbem\PCBangMng.exe
C:\WINDOWS\system32\wbem\TIMEDNA.dna
C:\WINDOWS\system32\wbem\UpdateService.exe
C:\WINDOWS\system32\wbem\dllhost.exe
C:\WINDOWS\system32\wbem\mongoose.conf
C:\WINDOWS\system32\wbem\mongoose.exe
C:\WINDOWS\system32\wbem\sys.rna
C:\WINDOWS\system32\wbem\translator.dll

Besides, it can launch a certain file through ActiveX, using a script file injected into the iframe.

This file can then try to download a further file onto the infected PC.

Furthermore, it can set a certain folder as a shared folder.

This malicious file can kill certain anti-virus software using taskkill.exe, can add a Windows Firewall exception for a certain service by registering it in the registry, and can control the infected PC remotely using "UpdateService.exe" (a remote control module).
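As an added defensive illustration (not code from INCA Internet or from this advisory), the following Python script shows how the LAN-level symptom of this malware, a host answering ARP for the gateway or for its neighbours with its own MAC, can be flagged from a passive capture of ARP replies. The sample replies, IP addresses and MAC addresses below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on one subnet (not from the advisory).
# Each record is (sender_ip, sender_mac). The gateway 192.168.0.1 legitimately has
# 00:11:22:33:44:55; the third and fifth records are the kind of replies an
# ARP-spoofing host sends so that neighbours route traffic through it.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1", "00:11:22:33:44:55"),
    ("192.168.0.10", "00:AA:BB:CC:DD:10"),
    ("192.168.0.1", "00:aa:bb:cc:dd:10"),   # gateway IP claimed by host .10
    ("192.168.0.11", "00:aa:bb:cc:dd:11"),
    ("192.168.0.11", "00:aa:bb:cc:dd:10"),  # another IP claimed by host .10
]


def detect_arp_spoofing(replies, gateway_ip, max_ips_per_mac=2):
    """Return a list of alert strings describing IP/MAC conflicts in ARP replies.

    Two heuristics, both observable from a passive ARP capture:
      1. An IP address (especially the gateway) is announced by more than one MAC.
      2. One MAC address claims more IP addresses than max_ips_per_mac.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()  # normalise case so the same MAC is not counted twice
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            label = "GATEWAY" if ip == gateway_ip else "host"
            alerts.append(
                f"{label} {ip} now claimed by {mac}, previously {sorted(ip_to_macs[ip])}"
            )
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > max_ips_per_mac:
            alerts.append(f"{mac} claims {len(ips)} IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.0.1"):
        print("ALERT:", alert)
```

On a real network the reply records would come from a packet capture of ARP traffic on the segment; a conflict on the gateway address is the strongest signal and is a reason to check the affected host for the files listed above.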

3. How to prevent

If one PC is infected, PCs in the same IP range can be infected one after another.
To use a PC safely against the security threats of such malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as those described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

Diagnosis name
