Because this e-mail carries the malicious executable itself, running the attachment will infect the user's PC.
Users therefore need to be careful when downloading or executing attachments.
2. Spreading path and symptoms of infection
This e-mail is disguised as an ordinary message containing a resume file and a personal profile, and it induces the user to download and decompress the attachment.
"Resume.chm" (101,511 bytes) is located inside "Resume.rar" (98,006 bytes).
When "Resume.chm" is run, the malicious "svchost.exe" is run at the same time.
Decompressing the .chm file shows the following files:
When "Resume.chm" is executed, it displays a resume and personal information, as in the following figure.
On executing the .chm file, the malicious "svchost.exe" including Active Content will be executed according to "launch.htm".
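A triage check for the structure described above, added here as an example and not taken from the original report: once the .chm has been extracted into a directory, it lists embedded PE files and the HTML pages that carry active content or reference those files. The files written by `build_sample` are constructed stand-ins; only the names "svchost.exe" and "launch.htm" come from this page, and the markup inside "launch.htm" is an assumption.

```python
import re
import tempfile
from pathlib import Path

HTML_EXT = {".htm", ".html"}
ACTIVE = re.compile(rb"<\s*(object|script|applet|embed)\b", re.I)

def is_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew field (offset 0x3C) points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"

def triage_chm_dir(root):
    """Return (embedded PE names, {html name: [reasons]}) for an extracted CHM."""
    blobs = {p: p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    pes = sorted(p.name for p, d in blobs.items() if is_pe(d))
    findings = {}
    for p, data in blobs.items():
        if p.suffix.lower() not in HTML_EXT:
            continue
        reasons = []
        tags = sorted({m.group(1).decode().lower() for m in ACTIVE.finditer(data)})
        if tags:
            reasons.append("active content: " + ",".join(tags))
        refs = [n for n in pes if n.lower().encode() in data.lower()]
        if refs:
            reasons.append("references embedded PE: " + ",".join(refs))
        if reasons:
            findings[p.name] = reasons
    return pes, findings

def build_sample(root):
    """Constructed stand-in for the extracted archive, not the real sample."""
    root = Path(root)
    stub = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    (root / "svchost.exe").write_bytes(stub)          # name from the page
    (root / "resume.htm").write_bytes(b"<html><body>Resume</body></html>")
    (root / "launch.htm").write_bytes(                 # content is an assumption
        b'<html><object data="svchost.exe"></object></html>')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        pes, findings = triage_chm_dir(build_sample(d))
        print("embedded PE files:", pes)
        for name, reasons in sorted(findings.items()):
            print(name, "->", "; ".join(reasons))
```

A help file that ships any PE at all, whatever its extension, is already worth escalating; the HTML findings show which page to read first.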
When "svchost.exe" is executed, it overwrites the files of running normal processes with itself, and the original at each path is backed up without its extension.
After this, because the malicious file is associated with the normal file, when an infected user runs a file that has actually been overwritten, it works like the normal file but also performs malicious functions.
The following figure summarizes the infection method and symptoms.
* Infection symptoms of the malicious "Svchost.exe"
Upon execution, it generates another malicious file in the following path.
3. How to prevent
To keep a PC safe from the security threats posed by such malicious attachments, we recommend the following "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions and operates a response system against various security threats.