
4/14/2011

imm32.dll, its unforeseeable evolution (1)

1. Introduction

Recently, a malicious file that steals Korean online game account information has been spreading widely here.
This malicious file replaces the "imm32.dll" file located in the Windows folder with a new malicious file, or generates one itself.
Users who play online games should therefore be careful to avoid infection.


2. Spreading path and symptoms of infection

Malicious files that patch the normal imm32.dll are found frequently, and their techniques vary. One of their main purposes is to cause financial damage to infected users. One of the malicious files found recently exploits an Internet Explorer vulnerability and leads to the leakage of personal information.

Currently, this malicious file is delivered by a redirect from a certain web site, and the following image shows the download window that has been spread so far.


When the downloaded "aa.exe" is executed, it creates additional malicious files at the following paths.
It also renames the normal imm32.dll to another name and patches it.

The patched malicious imm32.dll then tries to leak the user's account information and forcibly terminates certain anti-virus software.

* Generated files

C:\WINDOWS\system32\imm32.dll (86,016 bytes, Malicious)
C:\WINDOWS\system32\imm32B.dll (86,016 bytes, Malicious)
C:\WINDOWS\system32\imm32A.dll (110,080 bytes, Normal)
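As an added example (not part of the original post or of INCA Internet's tools), the following Python check looks for the three indicators the file list above gives: a renamed original (imm32A.dll) or dropped helper (imm32B.dll) beside imm32.dll, an imm32.dll of the 86,016-byte size reported for the patched copy, and hash drift from a clean copy the operator has recorded. The clean hash and the directory contents are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the advisory: the patched imm32.dll and its helper
# imm32B.dll are 86,016 bytes; the renamed original imm32A.dll is 110,080.
MALICIOUS_SIZE = 86016
NORMAL_SIZE = 110080
SUSPICIOUS_SIBLINGS = ("imm32A.dll", "imm32B.dll")


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_imm32(system32, known_good_sha256=None):
    """Return findings for the imm32.dll patch pattern. known_good_sha256 is the
    hash of a trusted imm32.dll for this Windows build (assumed to have been
    recorded from a clean machine by the operator)."""
    findings = []
    # 1. Renamed original or dropped helper sitting next to imm32.dll
    for name in SUSPICIOUS_SIBLINGS:
        if (system32 / name).exists():
            findings.append(f"{name} present in system32 (renamed original or dropped helper)")
    target = system32 / "imm32.dll"
    if not target.exists():
        findings.append("imm32.dll missing")
        return findings
    # 2. Size matching the reported patched build
    size = target.stat().st_size
    if size == MALICIOUS_SIZE:
        findings.append(f"imm32.dll is {size} bytes, the size reported for the patched copy")
    # 3. Hash drift from the recorded clean copy
    if known_good_sha256 and sha256_of(target) != known_good_sha256:
        findings.append("imm32.dll SHA-256 differs from the recorded clean copy")
    return findings


def demo():
    """Constructed sample: a temporary directory laid out like an infected system32."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = Path(tmp)
        (s32 / "imm32.dll").write_bytes(b"\x00" * MALICIOUS_SIZE)   # patched copy
        (s32 / "imm32B.dll").write_bytes(b"\x00" * MALICIOUS_SIZE)  # dropped helper
        (s32 / "imm32A.dll").write_bytes(b"\x01" * NORMAL_SIZE)     # renamed original
        clean_hash = sha256_of(s32 / "imm32A.dll")  # stands in for the recorded clean hash
        return check_imm32(s32, clean_hash)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host, point check_imm32 at C:\WINDOWS\system32 and supply the hash recorded from a clean machine of the same Windows build.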


* Comparison information between normal and malicious imm32.dlls



* Control flow of malicious file and patching imm32.dll



3. How to prevent

To keep your PC safe from the security threats posed by such malicious programs, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and removal for malicious files such as the one described above, and operates a 24-hour response system against various security threats.
