[Warning] Malicious files exploiting an HWP file vulnerability detected

1. Introduction

Users should pay special attention to malicious files, recently prevalent, that exploit a vulnerability in Hangul Word Processor files.
Such a malicious file looks almost the same as a normal file, so it is hard for a general user to tell them apart.
In addition, the most notable feature of this malicious file is that it can print documents and behave as a normal document would.

[About HWP]

Hangul Word Processor (also known as HWP) is a proprietary word processing application published by the South Korean company Hancom Inc.
It is used extensively in South Korea, especially by the government.
HWP's support for the special needs of the Korean written language has gained it widespread use in South Korea. Microsoft Word and Hangul are used alongside each other in many South Korean companies.

[Get more details of HWP]

[HWP Code Execution Vulnerability Security Update Advisory]

2. Spreading path and symptoms of infection.

A malicious file exploiting the HWP vulnerability can be spread via SMS, instant messenger, or e-mail attachment, and is likely to masquerade as a purported internal document or as information on a topic of social interest.
The malicious files collected by the INCA Internet Response Team include "2011.hwp", and a number of variants have been found.

Depending on the variant, some use the HWP 2.x/3.x binary format, and others use the HWP 2010 compatible document format.

* Resources
Haansoft made the HWP document format publicly available to everyone on June 29, 2010.


The HWP 2.x/3.x format was used from "Hangul 97" to "Hangul 2.1".
HWP 5.x has been used from "Hangul 2002" up to the present.

When a malicious file exploiting the HWP document vulnerability is opened and the infection proceeds normally, it installs and executes an additional malicious file that is embedded inside it.

* Generated files

 - (Temporary folder)\svchost.exe (17,920 bytes; malicious File)
 - (Temporary folder)\2.hwp (14,336 bytes; normal File)
 - (Windows System Folder)\ieprotect.dll (9,728 bytes; malicious File)

* (Temporary folder) is the user's temporary folder, generally C:\Documents and Settings\(User Account)\Local Settings\Temp
* (Windows System Folder) is typically C:\WINDOWS\SYSTEM on Windows 95, 98 and ME, and C:\WINNT\SYSTEM32 on Windows 2000 and NT.
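A host triage check for the generated files listed above, as an added example that is not part of the original post. It reports a file whose name and size both match the list separately from one that matches by name only, because the post says variants exist; the function names and the environment lookups in default_locations() are assumptions of this example.

```python
import os
import tempfile

# Dropped files listed in the advisory: (location, file name, size in bytes).
# "2.hwp" is the benign decoy; its presence shows that the dropper ran.
INDICATORS = [
    ("temp", "svchost.exe", 17920),
    ("temp", "2.hwp", 14336),
    ("system", "ieprotect.dll", 9728),
]

def default_locations():
    """Resolve both folders on the local machine (assumed lookups, adjust per OS)."""
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return {"temp": tempfile.gettempdir(),
            "system": os.path.join(windir, "System32")}

def check_dropped_files(locations, indicators=INDICATORS):
    """Return (path, verdict) for every listed file found in its folder.

    verdict is "name+size" when the size equals the advisory's value and
    "name-only" otherwise, since variants may differ in size.
    """
    findings = []
    for where, name, size in indicators:
        folder = locations.get(where)
        if not folder or not os.path.isdir(folder):
            continue
        # Compare names case-insensitively, as Windows file systems do.
        for entry in os.listdir(folder):
            if entry.lower() != name.lower():
                continue
            path = os.path.join(folder, entry)
            if not os.path.isfile(path):
                continue
            same = os.path.getsize(path) == size
            findings.append((path, "name+size" if same else "name-only"))
    return findings

if __name__ == "__main__":
    for path, verdict in check_dropped_files(default_locations()):
        print(f"{verdict:10} {path}")
```

A "name-only" hit on svchost.exe in a temporary folder still deserves a look, since the genuine Windows file of that name lives in the system folder.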

While the infection is under way, a normal document, "2.hwp", is opened as shown below. Because the normal Hangul program displays it and even lets the user print it, the user mistakes it for an ordinary document.

The content is written in Korean and is about "Worries about Stuxnet, zero-day vulnerability, booming mobile environment and its effects". What an ironic situation! In fact, the file carries out malicious behavior.

In addition, the generated DLL file, as shown in the figure below, is injected into a normal process and works clandestinely. Precise analysis of the malicious file is in progress.

3. How to prevent
Currently, Haansoft provides security patches that block this malicious file, and HWP users must apply the latest security patches to keep their PCs safe from similar malicious files.

* How to apply the latest security patches (in HWP 2007)

1. After running Hangul, select "Help" -> "Haansoft Automatic Update (U)" (red box), as shown below.

2. After the first step, the security update window appears, as shown below. Click the "Update (U)" button to proceed.

3. Once the latest security patches have been installed, the screen shown below appears when a malicious file is opened, and normal execution of the malicious file is denied.

To stay safe from this kind of malicious file, the most important thing is to apply and maintain the latest security patches, and we recommend that users follow the safety precautions below:
Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and use its real-time detection function.
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security response center / response team) provides diagnosis and treatment functions for malicious files such as those described above, and runs a response system against various security threats.

The following image is a scan result; there are many files and other variants.

- Trojan/W32.Hwp-Exploit.52116

- Trojan/W32.Hwp-Exploit.40960
- Trojan/W32.Agent.393160.ADX and so on

Because HWP is used in Korea, strongly supports Korean, and is not of main interest to foreigners, we hesitated to upload this post. But the domestic market is also a big portion for each company. We hope this post is beneficial in broadening your view in a way you had not expected.

