
5/17/2011

[Warning] Malicious file that steals online game account information found disguised under the v3lite file name

1. Introduction

Recently, various types of malicious files created to steal online game account information have been spreading in Korea.
Among those files, variants of “lpk.dll” are quite prevalent. The file found this time is disguised under the name of the installation file of a well-known Korean anti-virus product. Users who try to install "v3 anti-virus" therefore need to pay special attention to this prevalent malicious file.

In this case it is hard to tell whether a PC has been infected, so repeated infections can occur.
Since malicious files that target online game accounts can cause financial damage, users need to be careful about this kind of malicious file.

2. Spreading path and symptoms of infection

This malicious file can spread in various ways. One prevalent method is to exploit a vulnerability to tamper with a website so that it carries a download link. It can of course also spread as an e-mail attachment, via instant messenger, shortened URLs, and so on.

The most common and prevalent kind of file for stealing online game account information is the malicious file that uses the name “lpk.dll”.

To get users to run and spread a malicious file, its developers usually try any method that might tempt the user.
The malicious file found this time took the file name of a well-known Korean anti-virus product to lure ordinary users.


In this case only the file name was changed to that of the well-known Korean anti-virus product, but the file name, icon and file properties can all be disguised. Users need to be careful when downloading from websites.

As soon as this malicious file is executed, the PC can be infected with malware that leaks online game account information, and the malicious file will have the same name as the normal file “lpk.dll”.

* Generated file

- C:\Program Files\%TOOYUAMER%\66621.exe (33,629,048 bytes)
- (Windows system folder)\lpk.dll (47,250 bytes)
- (Windows system folder)\lpk32.dll (22,016 bytes) -> normal “lpk.dll” file


* (Windows system folder) is generally C:\WINDOWS\SYSTEM in Windows 95, 98, and ME; C:\WINNT\SYSTEM32 in Windows 2000 and NT; and C:\WINDOWS\SYSTEM32 in Windows XP.

You can see that an lpk32.dll file has been created. This is a file whose name has been changed.

When a PC is infected, the malicious file renames the normal lpk.dll file to lpk32.dll and puts itself in the normal file's place. The following figure will help you to understand.



[Figure: <Normal lpk.dll file> and <Malicious lpk.dll file>]

3. How to prevent

Malicious files related to “lpk.dll” can create clones of themselves disguised as Usp10.dll and spread them to various folders. Finding and cleaning every folder that contains a cloned file is difficult given how fast it spreads.
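The two symptoms described above (an lpk32.dll appearing in the Windows system folder, and lpk.dll or Usp10.dll copies in other folders) can be checked with a short script. This is an added example, not part of the original advisory; the function names, the `trusted_dirs` parameter and the demo folder tree are assumptions, and every hit is a lead to review, since legitimate software can ship its own usp10.dll.

```python
import os
import tempfile

WATCHED = {"lpk.dll", "usp10.dll"}  # names the advisory reports as abused
DISPLACED = "lpk32.dll"             # name given to the original lpk.dll after infection


def _size(path):
    try:
        return os.path.getsize(path)
    except OSError:
        return None  # unreadable or removed while scanning


def scan(root, system_dir, trusted_dirs=()):
    """Return sorted (kind, path, size) leads for an analyst to review."""
    norm = lambda d: os.path.normcase(os.path.abspath(d))
    trusted = {norm(system_dir)} | {norm(d) for d in trusted_dirs}
    leads = []
    # Indicator 1: lpk32.dll sitting in the Windows system folder.
    if os.path.isdir(system_dir):
        for name in os.listdir(system_dir):
            if name.lower() == DISPLACED:
                path = os.path.join(system_dir, name)
                leads.append(("displaced-original", path, _size(path)))
    # Indicator 2: lpk.dll / usp10.dll copies outside the trusted folders.
    for dirpath, _dirs, files in os.walk(root):
        if norm(dirpath) in trusted:
            continue
        for name in files:
            if name.lower() in WATCHED:
                path = os.path.join(dirpath, name)
                leads.append(("stray-copy", path, _size(path)))
    return sorted(leads)


def build_demo_tree(base):
    """Constructed sample layout (zero-filled files, not real malware)."""
    system_dir = os.path.join(base, "WINDOWS", "SYSTEM32")
    game_dir = os.path.join(base, "Games", "Demo")
    for d in (system_dir, game_dir):
        os.makedirs(d)
    for folder, name, size in [(system_dir, "lpk.dll", 47250), (system_dir, "lpk32.dll", 22016),
                               (game_dir, "USP10.DLL", 10), (game_dir, "readme.txt", 5)]:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"\0" * size)
    return base, system_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for lead in scan(*build_demo_tree(tmp)):
            print(lead)
```

On a real machine, pass the other folders where Windows itself keeps copies of these DLLs as `trusted_dirs`, and compare the reported sizes with the ones listed under "Generated file".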

As described above, using social engineering to distribute malicious files easily is a major trend among malicious file developers these days, so we need to be careful when using a PC to avoid security threats.

Since malicious file developers are always trying to devise more sophisticated methods than generally expected, we recommend that general users follow the "Security management tips" below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions and runs a 24-hour response system against various security threats.
