Identified malicious file disguised as an Anti-virus SW for DDoS

1. Introduction

Recently, an erratic malicious file disguised as an Anti-Virus SW for DDoS has been found. This malicious file has been revealed that it doesn't have a function to DDoS attack, however, appearance of malicious file used social engineering technique can cause additional damage related DDoS.

2. Spreading path and symptoms of infection

First of all, recently found malicious file, known as spreading from Korean public web portal and forums, can also be spread as an attachment of e-mail or link in SNS.


General user can be seduced with its familiar icon. Furthermore, it was known of using "ALYAC"'s digital signature. Its various variants can be created and spread until now.

With the figure above, it pirated its icon and even set its company name as "Microsoft Corporation".
Upon infected, it will create additional malicious files.

* Generated files

- (Windows system folder)\inpleqlxa.exe (179,181 bytes)
- (User account folder)\Temp\(7~8digits number)_lang.dll (125,570 bytes)

Also, it registered registry value and makes generated files run on booting.

* Generated registry value

- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\its CLSID]
- Value name : "stubpath"
- Value data : (Window System folder)\inldtepix.exe

* (Window System folder) is C:\WINDOWS\SYSTEM on Windows95,98, and ME,

C:\WINNT\SYSTEM32 on Windows2000 and NT, C:\WINDOWS\SYSTEM32 on WindowsXP.

* (User account folder) is C:\Documents and Settings\(User account).

Based on our analysis, this malicious file is expected to steal account information with using keylogging. Detailed analysis is on progress.

3. How to prevent

The most important thing is that user must have a big eye to avoid from malwares.
To use PC safely from security threats of these malicious attachments, we recommend following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with “nProtect AVS” and runs responding system against various security threats. 

1 comment: