3/02/2011

Lpk.dll and Usp10.dll are emerging

1. Introduction

Malicious files that steal online game accounts have recently been spreading in South Korea.
These files and their variants are generated with a simple toolkit and then distributed.
Among the various malicious files, this post explains how to protect a PC from being infected by this worm.


2. Spreading path and symptoms of infection

Like most malicious files that steal online game accounts, this one appears to have been generated in China.
It uses the names of the normal system files "Lpk.dll" and "Usp10.dll". The host files can be downloaded from a tampered web site, an e-mail attachment, SNS, or a messenger.
Host files can be given various file names and can create additional malicious files after infection.

* Generated files
- (Windows system folder)\(6 random letters).exe (copy of the host file; it is registered as a service)
- (Windows system folder)\hra33.dll (creates Lpk.dll, Usp10.dll)
- (all folders)\Lpk.dll
- (all folders)\Usp10.dll

* The Windows system folder is C:\WINDOWS\SYSTEM on Windows 95, 98, and ME, C:\WINNT\SYSTEM32 on Windows 2000, and C:\WINDOWS\SYSTEM32 on Windows XP.

After infection, hra33.dll, one of the additionally generated malicious files, acts as a host file and continuously generates "Lpk.dll" and "Usp10.dll". The generated files steal online game accounts. In addition, the malware can spread as a worm within the same IP range or through shared folders.

Furthermore, (6 random letters).exe is a copy of the host file and, because it is registered as a service, runs at boot.



The "Lpk.dll" and "Usp10.dll" files that steal online game accounts and act as a network worm are not easy to spot.



* Difference between normal and malicious "Lpk.dll" and "Usp10.dll"


1. The normal files are located in the "Windows system folder" and "Windows system folder\dllcache".
- Usp10.dll may be located in other folders, depending on the installed program.


2. About the sizes.
- Normal Lpk.dll (about 22KB, 22,016 bytes)
- Malicious Lpk.dll (about 88KB, 89,600 bytes)
- Normal Usp10.dll (about 397KB, 406,016 bytes)
- Malicious Usp10.dll (about 88KB, 89,600 bytes)

* The malicious Lpk.dll and Usp10.dll are the same file.

* The Windows system folder is C:\WINDOWS\SYSTEM on Windows 95, 98, and ME, C:\WINNT\SYSTEM32 on Windows 2000, and C:\WINDOWS\SYSTEM32 on Windows XP.

The files can also be found from the command prompt.

* Input on cmd.exe
- dir lpk.dll usp10.dll /a /s


This searches all HDDs one after another; if the search returns fewer than 4 results, the system is normal.
If the malicious file is present on the PC and no anti-virus SW is installed, you can use the following process.

* Input on cmd.exe
- del lpk.dll usp10.dll /a /s


The malicious files will be removed.
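
The location and size checks described above can be automated. The following Python script is an added example, not code from INCA Internet or from the original post; the verdict labels, function names and the caller-supplied list of trusted folders are assumptions of this example, while the file names, the 89,600-byte size and the "fewer than 4 results" rule come from the article.

```python
import os

TARGETS = {"lpk.dll", "usp10.dll"}   # file names from the article
MALICIOUS_SIZE = 89_600              # size the article gives for both malicious DLLs

def _norm(path):
    return os.path.normcase(os.path.abspath(path))

def classify(path, size, trusted_dirs):
    """Verdict for one hit (labels are this example's own, not the vendor's)."""
    name = os.path.basename(path).lower()
    in_trusted = _norm(os.path.dirname(path)) in {_norm(d) for d in trusted_dirs}
    if size == MALICIOUS_SIZE:
        return "malicious-size"       # exact match on the reported size, any folder
    if in_trusted:
        return "expected"             # system folder or dllcache
    if name == "usp10.dll":
        return "app-copy"             # article: may sit with an installed program
    return "unexpected-location"      # lpk.dll outside the folders the article lists

def scan(root, trusted_dirs):
    """Walk root and return [(path, size, verdict)] for every lpk/usp10 copy."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() not in TARGETS:
                continue
            path = os.path.join(folder, fname)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue              # unreadable entry: skip rather than abort
            hits.append((path, size, classify(path, size, trusted_dirs)))
    return hits

def too_many_copies(hits):
    """The article's rule of thumb: fewer than 4 results is normal."""
    return len(hits) >= 4

if __name__ == "__main__":
    sysdir = r"C:\WINDOWS\SYSTEM32"   # XP path from the article; adjust per OS
    found = scan("C:\\", [sysdir, os.path.join(sysdir, "dllcache")])
    for path, size, verdict in found:
        print(f"{verdict:20} {size:>8}  {path}")
    print("more copies than expected:", too_many_copies(found))
```

Entries reported as "app-copy" or "unexpected-location" are candidates for manual review, not confirmed detections.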

3. How to prevent

A general user can hardly notice that something has happened on their PC.
To use a PC safely despite the security threats from these malicious files, we recommend that general users follow the "Security management tips" below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions in nProtect Anti-Virus/Spyware for detecting malicious files such as the ones described above, and runs a response system against various security threats.

1 comment:

  1. I read about this issue on Fix4dll because I like to play video games sometimes. It's easy to lose your account, there are a lot of scammers. Follow these tips to protect yourself.
