
7/05/2011

[Warning] An infection that tampers with system files causes an error on booting.

1. Introduction
 

Malicious files designed to steal online game accounts have been spreading for a long time.
Recently we received an unusual and troublesome malicious file (a tampered ws2help.dll) that causes the system to fail to boot normally. This is not a common case, and general users need to be very careful.
The malicious file spreads mainly through file hosting web sites and has been planted on various compromised web sites, so it spreads rapidly and over a wide range.

The nProtect family supports "Generic Detection / Repair" features that diagnose and cure new and variant malicious files similar to this one without an additional pattern update, so nProtect users can prevent this malicious file. The related diagnosis name is as follows:

* Trojan/W32.Forwarded.Gen

2. Spreading path and symptoms of infection

These malicious files usually spread through file hosting web sites, well-known social commerce sites and internet news sites. In addition, the range of infection has been widened by using vulnerabilities in Adobe Flash Player and Microsoft OS.

First, the attacker hacks an ordinary web site and secretly injects a malicious script. The injected script uses various vulnerabilities and finally makes the user download and execute various malicious files that steal famous online game users' accounts.

When infected by the malicious file, abnormal operation can cause the following side effects.

a. Forcibly kills Internet Explorer
b. Slows down the computer
c. Causes a Blue Screen of Death (BSOD)
d. Causes endless rebooting
e. Prevents booting into safe mode.

The following images show the malicious script code and the SWF file code of the malicious files.

* The symptoms are the same!!


* Malicious SWF file and code in Script




We can see that it uses the CVE-2011-2110 vulnerability and leads to downloading the following malicious file (0122.exe).

After the malicious file mentioned above has been downloaded and executed, it creates another malicious file (8906506370856890.exe), which in turn creates further malicious files (ws2help.dll, 33,611,784 bytes) to steal specific online game accounts.

 
* Generated file

- (Windows\system32)\ws2help.dll (33,611,784 bytes, Malicious file)
- (Windows\system32)\ws3help.dll (19,968 bytes, Normal file)
- (Windows\system32)\(yyyymdhhmmss).dll (19,968 bytes, Normal file)

* The path "Windows\system32" may differ depending on the OS type.

The picture below makes it easy to understand how the files described above are generated.


ws2help.dll is a normal Windows system file. As you can see in the picture above, the malicious file renames the original ws2help.dll to ws3help.dll and then takes the name ws2help.dll itself to masquerade as the system file.

* BSOD occurs, repeating the symptoms of an infinite reboot

As described above, after the infection process you are left with a malicious file that steals specific online game account information.

However, the biggest problem with this variant is that it shows the user a blue screen on rebooting.


Moreover, once the blue screen has been shown, it can reboot infinitely while loading into memory and show the blue screen endlessly.

3. How to prevent

This malicious file has already caused infections several times over a wide range (we mentioned it several times before in our Korean blog, although those posts were not translated), and various cases of damage occurred, such as hijacking online gaming account information and occasionally shutting down the Internet browser while using Internet banking.

However, with this variant it was found that if the user's PC is infected, it can cause fatal damage and lead to disk formatting.

Fortunately, the nProtect family supports "Generic Detection / Repair" features that diagnose and cure new and variant malicious files similar to this one without additional pattern updates (as of the "2011-06-23.01" pattern version). nProtect users can prevent this malicious file.
 

Currently, paid users of the nProtect family can prevent infection by this malicious file simply by updating to the latest engine and pattern (2011-07-05.01), so be sure to keep the engine and pattern up to date.
We also have good news for general users: we will explain a procedure to recover instead of formatting the disk. The following images will help you recover.

* How to recover from infected PC.

1. Prepare a Windows installation CD. Insert it in the CD tray and reboot. Press any key while the message "Press any key to boot from CD..." is shown.
 


2. Press <R> to recover on this screen.
 


3. You will see this image on the recovery console.
 



First, select the Windows installation to recover (in my case, drive D: was infected); press "2" and then Enter.
It may ask for the administrator password or yours; type your password if one is set, or just press Enter if not.

4. Enter the following command sequence.

* Enter the following commands

- "del ws2help.dll" (delete the malicious file)
- "ren ws3help.dll ws2help.dll" (rename the normal file back to its original name)
- "exit" (exit the recovery console)

5. Try rebooting after entering the commands.
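As an added example (not from the original post), here is a small Python triage script that applies the indicators listed above (the 33,611,784-byte ws2help.dll, the renamed 19,968-byte ws3help.dll and the timestamp-named DLL) to a system32 listing and, only when the renamed original is intact, emits the same Recovery Console command sequence as step 4. The digit pattern for the "(yyyymdhhmmss).dll" file name and the sample listings are assumptions.

```python
import os
import re
from typing import Dict, List, Tuple

# Indicators taken from the post: the dropped ws2help.dll is 33,611,784 bytes and the
# genuine ws2help.dll, renamed to ws3help.dll by the dropper, is 19,968 bytes.
MALICIOUS_WS2HELP_SIZE = 33_611_784
GENUINE_WS2HELP_SIZE = 19_968
# Assumed pattern for the third dropped file, "(yyyymdhhmmss).dll": 12 to 14 digits.
TIMESTAMP_DLL = re.compile(r"^\d{12,14}\.dll$", re.IGNORECASE)


def assess_system32(listing: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """Take a {filename: size_in_bytes} map of the system32 directory and return
    (indicators, recovery_commands).  The commands mirror the Recovery Console
    steps in the post and are only proposed when the renamed original is present
    with its genuine size, so a blind rename cannot put another bad file in place."""
    files = {name.lower(): size for name, size in listing.items()}
    indicators: List[str] = []
    ws2_bad = files.get("ws2help.dll") == MALICIOUS_WS2HELP_SIZE
    ws3_ok = files.get("ws3help.dll") == GENUINE_WS2HELP_SIZE
    if ws2_bad:
        indicators.append("ws2help.dll has the malicious size 33,611,784 bytes")
    if "ws3help.dll" in files:
        indicators.append("ws3help.dll present (the original ws2help.dll renamed by the dropper)")
        if not ws3_ok:
            indicators.append("ws3help.dll size differs from the genuine 19,968 bytes")
    for name in sorted(files):
        if TIMESTAMP_DLL.match(name):
            indicators.append(f"timestamp-named DLL {name} present")
    commands = ["del ws2help.dll", "ren ws3help.dll ws2help.dll", "exit"] if ws2_bad and ws3_ok else []
    return indicators, commands


def listing_from_directory(path: str) -> Dict[str, int]:
    """Build the size map from a real directory, e.g. an offline-mounted system32."""
    return {e.name: e.stat().st_size for e in os.scandir(path) if e.is_file()}


# Constructed sample listings (not taken from a real host).
INFECTED_SAMPLE = {"ws2help.dll": 33_611_784, "ws3help.dll": 19_968,
                   "20110705120000.dll": 19_968, "kernel32.dll": 989_696}
CLEAN_SAMPLE = {"ws2help.dll": 19_968, "kernel32.dll": 989_696}

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        found, plan = assess_system32(sample)
        print(label, found, plan)
```

Run it against a real directory with `assess_system32(listing_from_directory(r"D:\Windows\system32"))` from a clean environment; a size match on ws2help.dll alone is a strong signal, but the rename plan is only offered when the backup copy looks genuine.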

To avoid unwanted damage, it is important to follow the "Security management tips" below; the user's own interest and effort matter most.

Not only this file, but many malicious files similar to it can emerge. Therefore, we recommend keeping to the "Security management tips" to avoid such risky behaviour.

Security management tips

1. Keep the OS and applications up to date with the latest security updates
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version and use the real-time detection function
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious about links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions for malicious files such as the one described above and runs a 24-hour response system against various security threats.