Because this malicious file is delivered when a user clicks a URL link sent through an instant messenger, general users need to be careful not to become infected through such links.
2. Spreading path and symptoms of infection
As mentioned above, this malicious file infects the user's PC when the URL link is clicked, by exploiting a vulnerability in a web browser such as Internet Explorer.
The messages spread so far contain a URL of uncertain origin, as follows.
When the URL is accessed, the malicious script code downloads and installs an additional malicious file. This infection is caused by vulnerabilities such as "CVE-2010-0806, MS10-018".
After checking the PC's status, if it finds the vulnerability, the included malicious code tries to access "1.html" and downloads a normal image file so that the user does not notice the infection.
The download is shown in the following figure.
When we opened "1.html", we found that it had been encoded, as follows.
We decoded it to make it easier to read.
The decoded "1.html" contains a URL from which an executable .EXE file is downloaded.
The downloaded "adjku.exe" carries a "Fake Digital Signature" and "Version Information" so that it looks like a normal file.
When the download of "adjku.exe" is complete, it creates a malicious file in the following path.
* Control flow of the malicious file's infection and operation
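A network-side check for the sequence described in this section (an HTML page, a decoy image, then an executable from the same host), as an added example that is not part of the original advisory. The log format, host names, timestamps and the 30-second window are assumptions; only the file names "1.html" and "adjku.exe" come from the text above.

```python
import csv
import io
from datetime import datetime

# Constructed proxy log for illustration (time, client, host, path, content type).
# Hosts and times are placeholders; only "1.html" and "adjku.exe" come from the advisory.
SAMPLE_LOG = """\
2010-04-01T10:00:00,10.0.0.5,example-a.test,/1.html,text/html
2010-04-01T10:00:01,10.0.0.5,example-a.test,/banner.jpg,image/jpeg
2010-04-01T10:00:04,10.0.0.5,example-a.test,/adjku.exe,application/octet-stream
2010-04-01T10:05:00,10.0.0.9,example-b.test,/index.html,text/html
2010-04-01T10:30:00,10.0.0.9,example-b.test,/setup.exe,application/x-msdownload
2010-04-01T11:00:00,10.0.0.7,example-c.test,/tool.exe,application/octet-stream
"""

EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def is_executable(path, content_type):
    """Treat a response as an executable by extension or declared type."""
    return path.lower().endswith(".exe") or content_type.lower() in EXE_TYPES


def find_page_then_exe(log_text, window_seconds=30):
    """Return (client, host, page, exe, delay_seconds) for each executable fetched
    from the same host shortly after the same client loaded an HTML page."""
    rows = sorted(csv.reader(io.StringIO(log_text)), key=lambda r: r[0])
    last_page = {}  # (client, host) -> (time, path) of the most recent HTML page
    hits = []
    for stamp, client, host, path, ctype in rows:
        when = datetime.fromisoformat(stamp)
        key = (client, host)
        if ctype.lower().startswith("text/html"):
            last_page[key] = (when, path)
        elif is_executable(path, ctype) and key in last_page:
            page_time, page_path = last_page[key]
            delay = (when - page_time).total_seconds()
            if delay <= window_seconds:
                hits.append((client, host, page_path, path, delay))
    return hits


if __name__ == "__main__":
    for hit in find_page_then_exe(SAMPLE_LOG):
        print("page followed by executable download:", hit)
```

A download that the user starts long after viewing a page (the 25-minute gap in the sample) and a direct executable download with no preceding page are not reported.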
3. How to prevent
With this spreading technique, infection can occur on systems where the latest patches have not been applied, so users must apply patches, including MS Windows security patches and the latest patch for each application.
To use the PC safely against security threats such as these malicious attachments, we recommend the following "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions and runs a response system against various security threats.