5/10/2011

[Warning] Malicious file identified in e-mail disguised as sent from the FBI

1. Introduction

Since early May 2011, malicious e-mails masquerading as messages from the FBI (Federal Bureau of Investigation) have been circulating, so users need to pay special attention to these prevalent malicious e-mails.
The main features of this e-mail are that the sender name is "FBI" and the sender's e-mail address is forged to appear as "fbi.gov".
If the recipient downloads the attached compressed file and executes its contents, the user's PC can be infected by the malicious file.

* Main features of the malicious e-mail

E-mails that spread malware through an attached file usually rely on various tricks to be believed by the user, such as appearing to be sent from a government organization or a particular official department.
Be especially careful when opening an e-mail that uses social engineering, contains a link in the message body, or carries an attached file.
The following e-mail content was found recently. Recognizing this kind of malicious e-mail will help you avoid similar ones.

2. Spreading path and symptoms of infection

The "*****" in the sender's address consists of random digits and changes with each message.

Sender :
FBI (info*****@fbi.gov)
Subject :
You visit illegal websites

Body :
Sir/Madam, we have logged your IP-address on more than 40 illegal Websites. Important: Please
answer our questions! The list of questions are attached.

Attachments :
document.zip


The e-mail attachment "document.zip" contains "document.exe" when decompressed.

"document.exe" is disguised as a document file, using a PDF file's icon to deceive the user.
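A defender can turn the indicators described above (display name "FBI" with an fbi.gov address of the form info*****@fbi.gov, the subject line, and a zip attachment that hides an executable) into a simple mail-gateway triage check. The script below is an added example written for this page, not code from INCA Internet or from the advisory; the sample message, the fake "MZ" payload bytes and the tag names are constructed for the demonstration.

```python
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory: the sender pattern info*****@fbi.gov (random digits),
# the subject line, and a zip attachment named document.zip carrying document.exe.
SENDER_RE = re.compile(r"^info\d+@fbi\.gov$", re.IGNORECASE)
KNOWN_SUBJECT = "you visit illegal websites"
KNOWN_ARCHIVE = "document.zip"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_message() -> bytes:
    """Construct a sample e-mail modelled on the advisory (constructed data, not a real capture)."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        # Stand-in payload: a PE-style "MZ" header followed by padding, not a real program.
        zf.writestr("document.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "FBI <info48213@fbi.gov>"   # digits are random per message, per the advisory
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "You visit illegal websites"
    msg.set_content(
        "Sir/Madam, we have logged your IP-address on more than 40 illegal Websites. "
        "Important: Please answer our questions! The list of questions are attached."
    )
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename=KNOWN_ARCHIVE)
    return msg.as_bytes()


def executables_in_zip(data: bytes) -> list[str]:
    """Names of archive members with an executable extension; empty list if not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> list[str]:
    """Return the indicator tags found in a raw RFC 822 message (empty list: nothing matched)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    # The advisory's lure: display name "FBI" with an address claiming the fbi.gov domain.
    if display_name.strip().upper() == "FBI" and addr.lower().endswith("@fbi.gov"):
        findings.append("sender-claims-fbi")
    if SENDER_RE.match(addr):
        findings.append("sender-matches-info-digits-pattern")
    if str(msg.get("Subject", "")).strip().lower() == KNOWN_SUBJECT:
        findings.append("known-lure-subject")

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if filename == KNOWN_ARCHIVE:
            findings.append("known-attachment-name")
        # An executable hidden inside an archive is the actual infection vector here.
        for member in executables_in_zip(payload):
            findings.append(f"zip-contains-executable:{member}")
    return findings


if __name__ == "__main__":
    for tag in triage(build_sample_message()):
        print(tag)
```

The archive check is the part worth keeping even after this campaign fades: the sender pattern and subject change from wave to wave, but a zip that unpacks to an .exe wearing a document icon is the constant that a gateway can quarantine regardless of who the message claims to be from.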

After "document.exe" is executed the user's PC is infected; the malicious file then connects to a certain web site and attempts to download and install pusk.exe, which in turn induces the user to pay.

* Download of additional malicious file
http://(~)ntov.com/pusk.exe
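The download URL above is the network-level indicator of this infection chain, so the same campaign can be spotted in web-proxy logs after the fact. The following scanner is an added example for this page, not INCA Internet's tooling; the log layout ("timestamp client method url status bytes") and every log line are constructed, and because the advisory elides the host prefix with "(~)", any host ending in "ntov.com" is treated as matching.

```python
import re
from urllib.parse import urlsplit

# Indicators from the advisory: the second-stage file pusk.exe fetched from a host under ntov.com
# (the advisory elides the host prefix, so any host ending in "ntov.com" is matched here).
IOC_HOST_SUFFIX = "ntov.com"
IOC_FILENAME = "pusk.exe"

# Constructed sample proxy log lines in an assumed "timestamp client method url status bytes"
# layout; neither the format nor the entries come from the advisory.
SAMPLE_LOG = """\
2011-05-10T09:14:02 10.0.0.15 GET http://www.example.com/index.html 200 5120
2011-05-10T09:15:40 10.0.0.15 GET http://dl.ntov.com/pusk.exe 200 512000
2011-05-10T09:16:01 10.0.0.22 GET http://cdn.example.org/pusk.exe 200 512000
2011-05-10T09:17:13 10.0.0.31 GET http://files.ntov.com/readme.txt 404 310
2011-05-10T09:18:55 10.0.0.15 GET http://www.example.com/logo.png 200 2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def classify_url(url: str) -> list[str]:
    """Return the indicator tags a URL matches: host IoC, filename IoC, or both."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    tags = []
    if host == IOC_HOST_SUFFIX or host.endswith("." + IOC_HOST_SUFFIX):
        tags.append("ioc-host")
    if filename == IOC_FILENAME:
        tags.append("ioc-filename")
    return tags


def scan_log(text: str) -> list[dict]:
    """Parse each log line and return the records that hit at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        tags = classify_url(m["url"])
        if not tags:
            continue
        rec = m.groupdict()
        rec["tags"] = tags
        # A successful fetch of the named payload from the named host is the strongest signal;
        # a lone host or filename match is worth a look but may be coincidental.
        full_match = set(tags) == {"ioc-host", "ioc-filename"} and m["status"] == "200"
        rec["severity"] = "high" if full_match else "medium"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["url"], hit["tags"])
```

Splitting the host and filename into separate tags lets the same scan surface a renamed payload served from the known host, or the known filename served from a new host, while still ranking the exact URL from the advisory highest.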

The installed malicious program masquerades as a Windows recovery program: it displays fake error-detection results and a screen demanding payment for "repair". Its final goal is to induce the user to pay.

Fake anti-virus programs are another well-known form of these malicious programs. They typically induce the user to pay for "treatment" by displaying fake notices that Windows is infected with malicious files. More recently they also display fake fatal-error screens on the user's PC, so users need to be careful when using the internet.

3. How to prevent

To use your PC safely against the security threats posed by these malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and enable real-time detection.
3. Be careful when clicking shortened URLs.
4. Download applications directly from their official sites.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for the malicious files described above and operates a response system against various security threats.

document.exe : Trojan-Downloader/W32.FraudLoad.18432.AY
pusk.exe : Trojan/W32.Agent.510976.AB
