Recently we came across a unique and troublesome malicious file (a tampered ws2help.dll) that prevents Windows from booting normally. This is an unusual case and general users should take great care.
The malicious file is distributed mainly through file hosting web sites and through various ordinary web sites that have been tampered with to serve it, so it spreads rapidly and over a wide range.
nProtect family products support a "Generic Detection / Repair" feature that detects and cures new and variant malicious files similar to this one without an additional pattern update, so nProtect users are protected from this malicious file. The related detection names are as follows:
2. Spreading path and symptoms of infection
These malicious files usually spread through file hosting web sites, popular social commerce sites, and internet news sites. In addition, the infection has been spreading by exploiting vulnerabilities in Adobe Flash Player and Microsoft operating systems.
First, the attacker compromises an ordinary web site and secretly injects a malicious script. The injected script exploits various vulnerabilities and finally makes the user's browser download and execute malicious files that steal the accounts of popular online game users.
When a PC is infected, the malicious file's abnormal operation causes the following side effects.
The following images show the malicious script code and the SWF file code of the malicious files.
* Symptoms are same!!
* Malicious SWF file and code in Script
We can see that it exploits the CVE-2011-2110 vulnerability and leads to the download of the following malicious file (0122.exe).
The picture below shows what the malicious file generated as described above does, to make it easier to understand.
ws2help.dll is a normal Windows system file. As the picture above shows, the malicious file renames the original ws2help.dll to ws3help.dll and then takes the name ws2help.dll itself, masquerading as the legitimate file.
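The rename described above leaves two indicators on disk: a ws3help.dll that Windows never ships, and a ws2help.dll whose hash no longer matches the genuine file. The following script is an added example (not code from the original post or from nProtect) that checks a system directory for both indicators. It assumes the caller supplies the SHA-256 of the legitimate ws2help.dll for the installed Windows build, taken from a clean reference machine; the sample directories and their file contents are constructed placeholders, not real DLL bytes.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the original ws2help.dll is renamed to
# ws3help.dll and the malicious file is dropped under the original name.
ORIGINAL_NAME = "ws2help.dll"
RENAMED_NAME = "ws3help.dll"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large DLL does not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_ws2help(system_dir, known_good_sha256=None):
    """Return a list of findings for a system directory (e.g. C:\\Windows\\System32).

    known_good_sha256 is the SHA-256 of the legitimate ws2help.dll for the
    installed Windows build, obtained from a clean reference machine. It is an
    assumed input for this example, not a value from the original post.
    """
    system_dir = Path(system_dir)
    findings = []
    original = system_dir / ORIGINAL_NAME
    renamed = system_dir / RENAMED_NAME

    # Indicator 1: the renamed copy of the genuine DLL exists.
    if renamed.exists():
        findings.append(f"{RENAMED_NAME} present: original DLL appears to have been renamed")

    # Indicator 2: ws2help.dll is missing or no longer matches the reference hash.
    if not original.exists():
        findings.append(f"{ORIGINAL_NAME} missing")
    elif known_good_sha256 is not None:
        actual = sha256_of(original)
        if actual.lower() != known_good_sha256.lower():
            findings.append(f"{ORIGINAL_NAME} hash {actual} does not match reference")
    return findings


# Constructed placeholder content standing in for the genuine DLL bytes.
CLEAN_PLACEHOLDER = b"CONSTRUCTED clean ws2help.dll placeholder"
CLEAN_REFERENCE_SHA256 = hashlib.sha256(CLEAN_PLACEHOLDER).hexdigest()


def build_sample_dir(infected: bool) -> str:
    """Construct a throwaway directory mimicking a clean or a tampered System32."""
    d = Path(tempfile.mkdtemp())
    if infected:
        # Reproduce the swap from the write-up: genuine file renamed, impostor dropped.
        (d / RENAMED_NAME).write_bytes(CLEAN_PLACEHOLDER)
        (d / ORIGINAL_NAME).write_bytes(b"CONSTRUCTED malicious replacement")
    else:
        (d / ORIGINAL_NAME).write_bytes(CLEAN_PLACEHOLDER)
    return str(d)


if __name__ == "__main__":
    for label, infected in (("clean", False), ("tampered", True)):
        result = check_ws2help(build_sample_dir(infected), CLEAN_REFERENCE_SHA256)
        print(label, "->", result or ["no indicators"])
```

On a real machine, point `check_ws2help` at the actual system directory and pass a reference hash collected from a known-clean installation of the same Windows build; the presence of ws3help.dll alone is already worth investigating, since no legitimate component creates that file.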
* BSOD occurs, with the symptom repeating in an infinite reboot
After the infection process described above, the PC is infected with a malicious file that steals specific online game account information.
However, the biggest problem with this variant is that it shows the user a blue screen on reboot.
Moreover, once the blue screen has appeared, the PC can enter an infinite reboot loop, showing the blue screen every time it loads into memory.
3. How to prevent
These malicious files have already caused infections over a wide range several times; we have mentioned them several times before on our Korean blog (not translated), and various cases of damage have occurred, such as hijacking of online game account information and occasional shutdown of the internet browser while using internet banking.
However, this variant was found to cause fatal damage if the user's PC is infected, leading to disk formatting.
Fortunately, the nProtect family supports a "Generic Detection / Repair" feature that detects and cures new and variant malicious files similar to this one with pattern version "2011-06-23.01" and without additional pattern updates. nProtect users can prevent this malicious file.
Currently, our paid users of the nProtect family can prevent infection by this malicious file simply by updating to the latest engine and pattern (2011-07-05.01). So be sure to keep the engine and pattern up to date.
But we also have good news for general users: we will describe a procedure to recover instead of formatting the disk. The following images will help you recover.
* How to recover from infected PC.
1. Prepare a Windows installation CD, insert it in the CD tray and reboot. Press any key while the message "Press any key to boot from CD..." is shown.
2. Press <R> to enter recovery on this screen.
3. You will see this screen in the Recovery Console.
First, select the Windows installation to recover (in my case, drive D: was infected). I pressed "2" and then Enter.
The console may ask for the administrator password; type your password if one is set, or just press Enter if not.
4. Enter the following command sequence.
5. Reboot after entering the commands.
To avoid unwanted damage, it is more important than anything that users follow the "Security Management Tips" below in their own interest and through their own efforts.
Not only this file but many other malicious files resembling it may emerge. Therefore, we recommend following the "Security management tips" to avoid the behaviors that lead to infection.
INCA Internet (Security Response Center / Emergency Response Team) provides detection and treatment of malicious files such as the one described above and operates a 24-hour response system against various security threats.