12345

5/31/2011

[Warning] Identified malicious file masqueraded as an e-mail attachment file.

1. Introduction

It is prevalent technique spreading malicious file masqueraded as an e-mail file.
Because general user receives various kinds of mails every day, they do not usually hesitate to download and execute attached file from e-mail.
We are going to introduce this case, masqueraded as an email sent by DHL, one of international mail express company.


2. Spreading path and symptoms of infection

As its name is, spreading technique of these malicious files is that it masqueraded as a normal attached file. And lead receiver to download for getting informed details.



You can see a “ZIP file” at the attached area, a fool hacker wrote the year as 2010’s though.
Because this mail has been sent at May 17, 2011.

Based on content, this mail said that it was sent due to wrong recipients’ address and this mail tries to induce user to download and install attached file.
After extracting compressed file, you can see the executable icon such as following image.


Its file name also has been disguised as DHL and related stuffs, “DHL-Notification-print-copy-Delivery”.
It will generate file this following path and modify certain registry value.

* Generated file
- (User account folder)\Application Data\(Random alphabets)\(4 random alphabets).exe

* Generate and modify registry
- Name : [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Data : (User account folder)\Application Data\(Random alphabets)\(4 random alphabets).exe

* (User account folder) usually means C:\Documents and Settings\(User account). 

Furthermore, it will try to access external site and can download additional malicious file or perform Bot function through “explorer.exe”.



3. How to prevent

In this case of malicious file disguised as a normal e-mail can be downloaded and executed easily. We can say this kind of security threat as a Social Engineering. And the range of exposure is getting wider.
To use your PC safely from security threats of these malicious applications, we recommend following tips "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function such as malicious file stated above and runs responding system 24 hours against various security threats.

Diagnosis name

- Trojan/W32.Agent.171008.GM


tips

2 comments: