[Warning] Detected malicious file using HWP file’s vulnerability

1. Introduction

Recently, user needs special attention about prevalent malicious file using vulnerability of Hangul Word Processer file.
This malicious file looks almost same to a normal file, so it seems hard to distinguish with a view of general user.
In addition, the biggest feature of this malicious file is that it can print documents and behave as usual.

[About HWP]

Hangul Word Processor (also known as HWP) is a proprietary word processing application published by the South Korean company Hancom Inc..
 It is used extensively in South Korea, especially by the government.
HWP's support for the special needs of the Korean written language has gained it widespread use in South Korea. Microsoft Word and Hangul are used alongside each other in many South Korean companies.

[Get more details of HWP]

[HWP Code Execution Vulnerability Security Update Advisory]

2. Spreading path and symptoms of infection.

The malicious file using HWP’s vulnerability can be spread via SMS, instant messenger, attachment in mail, which is the contents of a purported internal document, or information contained in the social interest is likely to be masqueraded.
Some malicious files collected by INCA Internet Response Team as follows: "2011.hwp". And a number of variants have been found.

Depending on the variant, some of those use HWP 2.x, 3.x binary format, and HWP 2010 documents compatible format also.

* Resources
Haansoft opened to public HWP’s document type to be easily available to everyone on on June 29, 2010..


HWP 2.x/3.x version had been used from the "Hangul 97" to "Hangul 2.1".
HWP 5.x has been used from “Hangul 2002” to so far.

When it runs as normal after infected with malicious file using HWP Document vulnerability, it will install additional malicious file, included internally, and execute.

* Generated files

 - (Temporary folder)\svchost.exe (17,920 bytes; malicious File)
 - (Temporary folder)\2.hwp (14,336 bytes; normal File)
 - (Windows System Folder)\ieprotect.dll (9,728 bytes; malicious File)

* (user's temporary folder) generally refers to C:\Documents and Settings\(User Account)\Local Settings\Temp
* (Windows System Folder) typically 95, 98, ME in the C:\WINDOWS\SYSTEM,
And, 2000, NT in C:\WINNT\SYSTEM32,

When these infections are underway, a normal document "2.hwp" File as shown below is executed, the normal Hangul allows users to print a document to be mistaken as to create normal.

Content is written Korean and contains about "Worries about stuxnet, Zeroday vulnerability, Booming mobile environment and its effects" What a ironical situdation!! Actually it spreads malicious behavior though.

In addition, the generated dll file, as shown in the figure below, was injected the normal process and working clandestinely. And the precise analysis of the malicious file is in progress now.

3. How to prevent
Currently, Haansoft provides security patches for preventing the malicious file, and the latest security patches must be performed under a similar secure PC from malicious files for HWP users.

* How to patch the latest security patches (in HWP 2007)

1. Hangul as shown below after running ->"Help" -> "Haansoft Automatic Update (U)" (red box)

2. After the first process, as shown below, security configuration update window will be printed. Click "Update (U)" Button to proceed.

3. If the latest security patches installation has been done, the output screen while executing malicious file will be shown like below, and Normal execution of malicious file will be denied.

To keep safe from this kind of malicious file, the most important thing is updating and maintaining latest security patch, and we recommend user obey the safety precautions as following :
Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security response center / response team) provides diagnosis/treatment function such as malicious file stated above and runs responding system against various security threats.

This following image is a result of scanning; there are many files and other variants.

- Trojan/W32.Hwp-Exploit.52116

- Trojan/W32.Hwp-Exploit.40960
- Trojan/W32.Agent.393160.ADX and so on

Because HWP uses in Korea, supports Korean strongly and is not of main interest for foreigner, we have hesitated to upload this post. But domestic market is also a big portion to each company. Hope you beneficial for enhancing your sight you've never expected.


  1. I think that information on how to write great research paper article you can find here. You should check it out

  2. This comment has been removed by the author.

  3. Thanks for sharing.I found a lot of interesting information here. A really good post, very thankful and hopeful that you will write many more posts like this one.