12345

5/02/2011

[Warning] Malicious e-mail masqueraded as a resume written in Korean

1. Introduction

Recently, malicious e-mail is masqueraded as a resume written in Korean was found. 
Since this e-mail already contains executable malicious file in itself, executing that attachment will infect user's PC.
Therefore, user needs to be careful while downloading or executing attachments.

2. Spreading path and symptoms of infection

This e-mail looks like containing normal but is actually masqueraded as an ordinary one including resume file and personal profile and induces user to download and decompress.



"Resume.chm(101,511 bytes)" locates inside of "Resume.rar(98,006 bytes)".
Upon running "Resume.chm", malicious "svchost.exe" will also be run at the same time.

* What is CHM File?

Microsoft Compiled HTML Help is a Microsoft proprietary online help format. It was introduced as the successor to Microsoft WinHelp with the release of Windows 98, and is still supported in Windows 7.
Help is delivered as a binary file with the .chm. It contains a set of HTML files, a hyperlinked table of contents, and an index file.

To decompress .chm file, you can see these files as following:



When executing "Resume.chm", you can find resume and personal information such as following figure.



On executing chm file, THE malicious "svchost.exe" including Active Content will be executed according to "launch.htm".



When "svchost.exe" is executed, it will overwrite itself and each path of executing normal processes will be backed up without its extensions.
After the process, since infected malicious file will be associated with normal file, if an infected user tries to execute malicious file, actually overwritten of normal file, it will work as a normal file but behave malicious functions.

This following figure briefs infected method and symptoms.



* Infected symptoms of malicious "Svchost.exe"



Upon execution, it will generate another malicious file in this following path.

[Information of generated file]
C:\Windows\Downloaded Program Files\svchost.exe (307,200 bytes)

3. How to prevent

To use PC safely from security threats of these malicious attachments, we recommend following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function and runs responding system against various security threats.

No comments:

Post a Comment