Be careful when using file hosting web sites.

1. Introduction

The malicious files of the 3.3 DDoS caused trouble by being distributed through tampered update modules of Korean file hosting web sites.
This time, such web sites were attacked again and used to spread malicious files to users who had not applied the latest security patches.
Sharebox, one of the well-known Korean file hosting web sites, was spreading a malicious file to visiting users. Site operators therefore need to inspect and manage their sites thoroughly.

INCA Internet Security Center's Emergency Response Team identified that more than 8 Korean file hosting web sites had been spreading malicious files, and an emergency update has been completed.

Based on our analysis, the large number of visitors seems to be one of the biggest reasons these sites were targeted.

2. Spreading path and symptoms of infection

Accessing Sharebox web site

The malicious code injected into JavaScript is activated merely by visiting the web site.


On other web sites, similar malicious code is injected as follows.

(Other file hosting web site)

The decoded form of the code injected into Sharebox is as follows.


The decoded code from another file hosting web site is as follows.

(Other file hosting web site)

It was coded to connect to a certain domain through an iframe.
When main.htm is executed, exploit code for CVE-2010-0806/MS10-018, an Internet Explorer vulnerability, and the script referenced by the tag <script src="K.Js"></script> are activated.

When the exploit code runs, a malicious file from Taiwan, "biz.exe", is installed and performs malicious behavior.


Because this malicious biz.exe is stored on the web XOR-encrypted, it does not have a PE header and cannot be executed as soon as it is downloaded. It is then installed as a normal EXE file.

The following figure compares the hex values of biz.exe as hosted on the web with those of a.exe on the user's PC.
biz.exe is converted into the normal executable a.exe with the XOR key 0xA2.
Based on our analysis, the encrypted file appears to be hosted on the web in order to bypass the real-time scanning of anti-virus software.
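The following is an added example, not part of the original analysis: a scanner-side check that recognizes a download as a PE file hidden behind a single-byte XOR key, as biz.exe was with 0xA2. The function names and the sample bytes are constructed for illustration; the key is derived from where the "MZ" magic must be and then confirmed against the PE signature.

```python
import struct

MZ = b"MZ"               # DOS header magic at offset 0
PE_SIG = b"PE\x00\x00"   # signature at the offset stored in e_lfanew (0x3C)

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with MZ and e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIG

def find_xor_key(blob: bytes):
    """Return the single-byte XOR key hiding a PE in blob.

    Returns 0 for a plain PE and None when no single-byte key yields a PE.
    """
    if len(blob) < 0x40:
        return None
    # If blob is an XOR-encoded PE, byte 0 must decode to 'M' and byte 1 to 'Z'
    # under the same key, so the key is fixed by the first byte.
    key = blob[0] ^ MZ[0]
    if blob[1] ^ MZ[1] != key:
        return None
    return key if looks_like_pe(xor_bytes(blob, key)) else None

def build_sample_pe() -> bytes:
    """Constructed minimal PE-like header (not a real executable)."""
    dos = bytearray(0x80)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x80)       # e_lfanew -> 0x80
    return bytes(dos) + PE_SIG + b"\x4c\x01" + bytes(18)

# Constructed sample data: the same header in plain form and as it would
# look when stored on the web with the 0xA2 key described above.
SAMPLE_PLAIN = build_sample_pe()
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, 0xA2)

if __name__ == "__main__":
    key = find_xor_key(SAMPLE_ENCODED)
    print("plain PE check on encoded sample:", looks_like_pe(SAMPLE_ENCODED))
    print("recovered key:", hex(key) if key is not None else None)
```

A gateway or proxy that applies this check to downloaded content can flag XOR-wrapped executables that a header-based file type check would pass as opaque data.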

Once the malicious file has been downloaded and the PC is infected, it creates a.exe in the Application Data path and then executes it.

C:\Documents and Settings\(user account)\Application Data

It then replaces imm32.dll in the System folder with a malicious file and creates a malicious nt32.dll as a hidden file.
The tampering technique can vary depending on each PC's anti-virus software and configuration.

The installed malicious file steals online game users' information under certain conditions.

Besides the sites described above, many other file hosting web sites were tampered with, and our nProtect Anti-Virus can detect those malicious files.

[Our diagnosis name]
ad.jpg -> Script-JS/W32.Agent.VN
expomody.exe -> Trojan/W32.Klone.265728
images.jpg -> Script-JS/W32.Agent.VM
ain.htm -> Script-JS/W32.Agent.BNE
nt32.dll -> Trojan/W32.Agent.69632.AVN
reutkc.htm -> Script-JS/W32.Agent.BNI
revtkl.htm -> Script-JS/W32.Agent.BNF
yveqer.htm -> Script-JS/W32.Agent.BNG

