
4/15/2011

imm32.dll, its unforeseeable evolution (2)

1. Introduction

We have already posted about the patch-type malicious file related to imm32.dll.
However, we are posting again after finding another malicious file which creates a malicious svchost.exe.
Since this malicious file can leak personal information, users need to take special care when downloading and executing files from the Internet.

2. Spreading path and symptoms of infection

The malicious file found this time has new features: in addition to the usual imm32.dll patch, it creates another malicious svchost.exe in the Windows system folder.
Furthermore, once injected into certain online games, messengers and Internet Explorer, it tries to sniff login information and send it to a certain external site.

Currently, as we mentioned in the earlier post, this malicious file infects a system after being downloaded from a hacked web page or through a vulnerability in a certain web browser.

The following figure shows one of the spread malicious files.


Upon execution of the downloaded lala.exe, it creates a malicious svchost.exe in the Windows system folder. The generated svchost.exe file downloads a .TXT file which contains the server path for additional malicious files, and then downloads those files from that path.



* Information file containing malicious file distribution server


* Malicious file spreading Domain IP



The malicious svchost.exe and imm32.dll files generated by lala.exe are injected into certain processes, and they start working after being injected into certain online games, messengers and Internet Explorer.



Furthermore, the malicious svchost.exe can incapacitate some Korean anti-virus software. The following figure shows the process list.


* Before and after process status on being infected by malicious files



Upon execution, these malicious files create additional malicious files and register themselves to run again on reboot.

[Generated file information]

C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\imm32A.dll
C:\Documents and Settings\(user account folder)\Local Settings\Temp\(random 6 digits).tmp

* Preferences of normal and malicious imm32.dll file



* Preference of malicious svchost.exe



[Registry information]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▣ Value name : Rundll32.exe
▣ Value data : "C:\WINDOWS\system\svchost.exe"

* Registry registered information 
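The generated-file list and the Run key value above are the host-based indicators a responder would check first. The script below is an added example, not INCA Internet's code: it turns those indicators into a check that flags svchost.exe living in C:\WINDOWS\system instead of system32, the extra imm32A.dll, and a Run value named "Rundll32.exe" (or any Run value launching svchost.exe from a non-standard path). The sample snapshot is constructed to mirror the post; the live collector (Windows only) reads the real Run key with the standard winreg module and assumes the Windows folder is given by %SystemRoot%, defaulting to C:\WINDOWS as in the post.

```python
"""Check a host for the imm32.dll / rogue svchost.exe indicators described in the post.

Added example (not the original post's code). Indicator paths are taken from the
post's generated-file and registry information.
"""
import os
import sys
from typing import Dict, List, Tuple

# Assumption: Windows folder is %SystemRoot%, which is C:\WINDOWS in the post.
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\WINDOWS")
ROGUE_SVCHOST = os.path.join(SYSTEM_ROOT, "system", "svchost.exe")      # from the post
LEGIT_SVCHOST = os.path.join(SYSTEM_ROOT, "system32", "svchost.exe")    # normal location
ROGUE_IMM32A = os.path.join(SYSTEM_ROOT, "system32", "imm32A.dll")      # from the post
RUN_VALUE_NAME = "Rundll32.exe"                                          # from the post
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def normalize(path: str) -> str:
    """Strip quotes, unify separators and lower-case so paths compare on any platform."""
    return path.strip().strip('"').replace("\\", "/").lower()


def basename(path: str) -> str:
    """Last path component of an already-normalized path."""
    return path.rsplit("/", 1)[-1]


def evaluate_indicators(files_present: List[str], run_values: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a host snapshot.

    files_present: absolute paths that exist on the host
    run_values:    {value name: value data} read from HKLM\\...\\CurrentVersion\\Run
    """
    findings: List[str] = []
    present = {normalize(p) for p in files_present}

    if normalize(ROGUE_SVCHOST) in present:
        findings.append(f"svchost.exe found at {ROGUE_SVCHOST} (the legitimate copy lives in system32)")
    if normalize(ROGUE_IMM32A) in present:
        findings.append(f"imm32A.dll present at {ROGUE_IMM32A} (listed among the generated files)")

    for name, data in run_values.items():
        target = normalize(data)
        if name.lower() == RUN_VALUE_NAME.lower():
            # The post's sample registers the rogue svchost under the value name "Rundll32.exe".
            findings.append(f"Run value '{name}' -> {data}")
        elif basename(target) == "svchost.exe" and target != normalize(LEGIT_SVCHOST):
            findings.append(f"Run value '{name}' launches svchost.exe from a non-standard location: {data}")
    return findings


def collect_live_snapshot() -> Tuple[List[str], Dict[str, str]]:
    """Read the real file and Run-key state on a Windows host; returns empty data elsewhere."""
    if sys.platform != "win32":
        return [], {}
    import winreg  # standard library, Windows only
    files = [p for p in (ROGUE_SVCHOST, ROGUE_IMM32A, LEGIT_SVCHOST) if os.path.exists(p)]
    run_values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            run_values[name] = str(data)
            index += 1
    return files, run_values


# Constructed sample snapshot mirroring the post's generated-file and registry information.
SAMPLE_FILES = [
    r"C:\WINDOWS\system\svchost.exe",
    r"C:\WINDOWS\system32\imm32.dll",
    r"C:\WINDOWS\system32\imm32A.dll",
    r"C:\WINDOWS\system32\svchost.exe",
]
SAMPLE_RUN_VALUES = {
    "Rundll32.exe": r'"C:\WINDOWS\system\svchost.exe"',            # from the post
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe"',   # constructed benign entry
}

if __name__ == "__main__":
    if sys.platform == "win32":
        files, run_values = collect_live_snapshot()
    else:
        files, run_values = SAMPLE_FILES, SAMPLE_RUN_VALUES
    for finding in evaluate_indicators(files, run_values) or ["no indicators found"]:
        print(finding)
```

On a Windows host the script inspects the real system; elsewhere it runs against the constructed sample, which produces three findings (rogue svchost.exe, imm32A.dll, and the "Rundll32.exe" Run value). The legitimate system32\svchost.exe is deliberately not flagged, so the check does not fire on a clean machine.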



3. How to prevent

To use your PC safely against the security threats posed by these malicious applications, we recommend that general users follow the "Security management tips" below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and use the real-time detection function.
3. Do not open or download attachments from suspicious e-mails.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions for malicious files such as those described above, and runs a 24-hour response system against various security threats.
