Spreading malicious file about Libyan revolution

1. Introduction

Recently, spreading malicious file related Libyan revolution, covering main page of newspaper these days, has been detected.
Big global issues, such as Japanese earthquake, are the easiest way to be used as a social engineering by cyber criminals and malicious file distributor.

[Online criminals bring the Libyan conflict to your computer]
http://blogs.paretologic.com/malwarediaries/index.php/2011/04/01/online-criminals-bring-the-libyan-conflict-to-your-computer/

2. Spreading path and symptoms of infection

This site and domain looks newly generated recently. You can get information about Libyan news on this web site.

This site provides most information through various links with reliable organizations.
Also, it can download additional malicious files through Java Applet on accessing.

* Downloaded file

- FreeLibya.jar (2,762 bytes)

Since its file name "FreeLibya.jar" is also related with Libya, users can be easily lured.
But downloading jar file depends on current installed Java JDK version.



* When JDK hasn't been installed



* When JDK has been installed







Upon executed download jar file, it will download additional malicious file, "javaclient.exe" through internal class file.



If downloaded malicious file "javaclient.exe" is executed, it will create its cloned file as following path and set preference to start itself on booting automatically.

* Generated file
- (User temporary folder)\svc21host.exe (1,130,496 bytes)

* Generated registry
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Name : svc21host
- Data : (User temporary folder)\svc21host.exe

* (User temporary folder) means "C:\Documents and Settings\(User account)\Local Settings\Temp" generally.

Furthermore, it will be still connecting to certain external site continuously such as following figure; as a result this PC can be a Botnet.



3. How to prevent

Global issues can take interest of publicity. Malicious file programmer and cyber criminals are distributing malicious files with using social engineering.
To use PC safely from security threats of these malicious attachments, we recommend following "Security management tips" for general users.

※ Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function such as malicious file stated above and runs responding system against various security threats.