[Warning] Malicious file found targeting Korean online banking users

1. Introduction

With the source code of "Zeus", a trojan aimed at overseas internet banking sites, now spreading widely, the need to strengthen the security of internet financial services is broadly accepted.
To reduce the chance of financial information being leaked, and to counter the various emerging threats to users of internet financial services, these critical threats need closer attention.

In particular, the malicious file found recently is the first officially confirmed case made to target Korean online banking users: its default language is set to Korean and it covers 27 domestic internet banking sites, which is regarded as a shocking incident.

We, who mainly provide security components for the financial sector, have been monitoring the date this malicious file first appeared and collecting samples of its many variants.
Furthermore, our own "Malicious file integrated management automation system" shows that various variants had already been spreading, with some infections dating back to September 2010. We are inspecting those samples.

* Anti-virus for Trojan-Spy/W32.KRBanker (For Korean Financial Supervisory Service)


* Code in the malicious file related to online banking

* Target list of the Trojan-Spy/W32.KRBanker malicious file

01. Kookmin Bank (bank.kbstar.com)
02. Woori Bank (http://www.wooribank.com/)
03. Korea Exchange Bank (http://www.keb.co.kr/)
04. Korea Industrial Bank (http://www.ibk.co.kr/)
05. Hana Bank (http://www.hanabank.com/)
06. Shinhan Bank (http://www.shinhan.com/)
07. Citibank (http://www.citibank.co.kr/)
08. Standard Chartered (http://www.scfirstbank.com/)
09. Daegu Bank (http://www.dgb.co.kr/)
10. Kyungnam Bank (http://www.knbank.co.kr/)
11. Jeonbuk Bank (http://www.jbbank.co.kr/)
12. Kwangju Bank (http://www.kjbank.com/)
13. Busan Bank (http://www.busanbank.co.kr/)
14. Jeju Bank (banking.e-jejubank.com)
15. HK Saving Bank (http://www.hksb.co.kr/)
16. Nonghyup (banking.nonghyup.com)
17. Suhyup (http://www.suhyup-bank.com/)
18. Hyundai Swiss Saving Bank (http://www.hsb.co.kr/)
19. Jeil Saving Bank (http://www.jeilbank.co.kr/)
20. Community Credit (http://www.kfcc.co.kr/)
21. Credit Union (http://www.cu.co.kr/)
22. Korea Industry Bank (http://www.kdb.co.kr/)
23. Post Office Bank (http://www.epostbank.go.kr/)
24. Solomon Saving Bank (http://www.solomonbank.com/)
25. Seoul Saving Bank (http://www.seoulbanking.co.kr/)
26. Tomato Saving Bank (http://www.tomatobank.co.kr/)
27. Pureun Bank (http://www.pureunbank.co.kr/)

We found that this malicious file tries to steal or tamper with the user's certificates, passwords, account passwords, security card numbers and OTP (one-time password) values.
The collected information may be used for malicious actions such as withdrawing the balance without the real owner noticing.

In addition, it contains functions to kill some well-known Korean anti-virus software and appears to be well customized for the Korean environment.

2. Malicious code activation scenario

The INCA Internet security response team tested the whole information leakage process in a real environment.

* Activation process of this malicious file

When activated, the malicious file detects, once certain conditions are met, an Internet Explorer window open on a Korean online banking site.
It was also designed to perform different malicious behaviour for each bank, meaning the developer coded as many variants of the routine as there are banking systems on the list.

%ProgramFiles%\Common Files\CommonDirs\runmode.dll
%ProgramFiles%\Common Files\CommonDirs\winnet.exe

When the malicious file runs, it creates a hidden folder under the Windows system folder and monitors usage history.


The folder name "np" seems to be an abbreviation of NPKI (National Public Key Infrastructure). The file creates another folder and tries to steal certificates stored on the local disk or on removable disks.

The .NLS file is a screen capture of the user, taken from time to time; it is sometimes saved as a .DAT file instead.
The malicious file seems to perform further malicious actions with these captured files.
The following figure shows one of the .NLS files, containing the screen and the mouse position.

<The user chooses a certificate and must enter the password to prove their identity at Kookmin Bank>

<At Korea Exchange Bank (KEB)>

The .XCD file is a plain text file containing the names of the drives on the local PC, which helps the malware copy the folder where the NPKI certificates are saved.

The NPKI files were copied into a folder named f2nk14677.1171875.
The folder name varies with the user's environment.

When the infected user signs in to the online banking service, the certificate selection screen is captured and saved to C:\Windows\Help\iishelp\common\dllimage.bmp.

The saved dllimage.bmp is then used as a background image during the certificate sign-in.

The next time, it displays a script page or a fake error and tries to trick the user into re-entering the certificate and password.

The following image is identical to Shinhan Bank's error page.

Note the artificial blue box added to the input form to snatch the password.

<An additional form is overlaid on the current form>

In certain cases it also shows a form requesting the password, OTP and security card numbers.

The entered information is saved to C:\Windows\inf\d3dx9_94_x.inf along with the date and time.

The malicious file also has other functions, such as sending e-mail, using FTP, checking the IP address, collecting system information, P2P, changing Windows firewall settings, hiding the browser, masquerading as an nProtect security module and interfering with anti-virus software.
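As an added defender-side example (not code from INCA's write-up), the following Python script checks a host for the artifacts named above: the two files dropped under Program Files, the captured certificate image and the credential log under the Windows folder, and an "np" folder holding .NLS/.DAT/.XCD harvest files. The exact location of the "np" folder is not given on the page, so the script walks the whole Windows tree for it (an assumption); demo() builds a constructed sample tree in a temporary directory rather than touching a real system.

```python
import os
import tempfile
from pathlib import Path

# Files the write-up names as dropped or written by the trojan, relative to
# the Program Files root and the Windows root.
DROPPED = {
    "program_files": ["Common Files/CommonDirs/runmode.dll",
                      "Common Files/CommonDirs/winnet.exe"],
    "windows": ["Help/iishelp/common/dllimage.bmp",  # captured certificate screen
                "inf/d3dx9_94_x.inf"],               # harvested credential log
}
# Harvest artifacts kept in the "np" folder: .NLS/.DAT captures, .XCD drive list.
HARVEST_SUFFIXES = {".nls", ".dat", ".xcd"}


def scan_host(windows_root, program_files_root):
    """Return (kind, path) findings: 'dropped' for a named file that exists,
    'harvest' for an 'np' folder under the Windows tree holding harvest files."""
    findings = []
    roots = {"program_files": Path(program_files_root), "windows": Path(windows_root)}
    for key, rels in DROPPED.items():
        for rel in rels:
            if (roots[key] / rel).is_file():
                findings.append(("dropped", str(roots[key] / rel)))
    # Assumption: the page only says "np" sits under the Windows system folder,
    # so the whole Windows tree is walked instead of one fixed path.
    for dirpath, _dirs, files in os.walk(windows_root):
        if Path(dirpath).name.lower() == "np":
            hits = sorted(f for f in files if Path(f).suffix.lower() in HARVEST_SUFFIXES)
            if hits:
                findings.append(("harvest", f"{dirpath}: {hits}"))
    return findings


def demo(infected=True):
    """Scan a constructed sample tree (not real data) built in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        win, pf = Path(tmp) / "Windows", Path(tmp) / "Program Files"
        (win / "system32").mkdir(parents=True)
        pf.mkdir()
        if infected:
            for key, root in (("program_files", pf), ("windows", win)):
                for rel in DROPPED[key]:
                    (root / rel).parent.mkdir(parents=True, exist_ok=True)
                    (root / rel).write_bytes(b"constructed sample")
            np_dir = win / "system32" / "np"
            np_dir.mkdir()
            for name in ("cap1.NLS", "drives.xcd", "readme.txt"):
                (np_dir / name).write_text("constructed")
        return scan_host(win, pf)
```

On a real Windows host, call scan_host with the actual %SystemRoot% and %ProgramFiles% paths; a "dropped" finding is a strong indicator, while a "harvest" finding should be reviewed since any folder named "np" would match.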

Since we identified that our nProtect Netizen was being blocked, we released an update for this variant on May 25, 2011.
The following image shows the test result of nProtect Netizen against the malicious file.
Netizen detects and removes the malicious file without problems.

3. How to prevent

These financial security threats must be blocked. One of the methods we recommend is to change the sign-in form regularly.
To use online banking safely despite these malicious behaviours, we recommend the following "Online banking security management tips" for general users.

※ Online banking security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use security components (keyboard protection, anti-virus and so on) when using online banking.
3. Use anti-virus software from a trusted security company, keep its engine updated and keep real-time detection enabled.
4. Be careful when clicking shortened URLs.
5. Store NPKI certificates on a removable disk.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions and runs a response system against various security threats.


  1. That is indeed malicious code. On closer inspection, this is a small script that can be exploited for more malware.
