
7/15/2011

[Warning] Malicious file disguised as the “ALYAC” product is spreading.

1. Introduction 
 
A malicious program, built to advertise its sponsors and disguised as the domestic security product "ALYAC", is spreading through public web portals, blogs and forums.
Users therefore need to pay special attention to this widespread malicious file.

2. Spreading path and symptoms of infection

This malicious program is downloaded and installed through shortened URLs posted across the internet. Shortened URLs are everywhere, and it is easy to click one without knowing where it leads.
Users who click such links without thinking therefore need to be especially careful about these malicious files.
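One practical check for the shortened-URL vector above is to reveal where a link ends up before anyone clicks it. The following PowerShell function is an added example, not part of the original INCA advisory: it follows redirects one hop at a time with HEAD requests and never fetches the final page. The function name and the hop limit are this example's own choices; the URL you pass in is whatever link you are inspecting.

```powershell
# Added example (not from the advisory): walk a shortened URL's redirect chain
# with HEAD requests, one hop at a time, without downloading the destination.
function Resolve-ShortUrl {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [int]$MaxHops = 5   # hop limit is an arbitrary choice for this example
    )
    $hops = @($Url)
    for ($i = 0; $i -lt $MaxHops; $i++) {
        $req = [System.Net.WebRequest]::Create($hops[-1])
        $req.Method = 'HEAD'
        $req.AllowAutoRedirect = $false   # a 3xx is returned to us instead of being followed
        $req.Timeout = 10000
        try {
            $resp = $req.GetResponse()
        } catch [System.Net.WebException] {
            # 4xx/5xx raise, but the response (and any Location header) is still attached
            $resp = $_.Exception.Response
        }
        if (-not $resp) { break }          # DNS or connection failure: stop here
        $location = $resp.Headers['Location']
        $resp.Close()
        if (-not $location) { break }      # no redirect: this hop is the real destination
        # Location may be relative; resolve it against the hop that sent it
        $next = New-Object -TypeName System.Uri -ArgumentList ([Uri]$hops[-1]), $location
        $hops += $next.AbsoluteUri
    }
    # First element is the link you were given, last is where it really ends up
    $hops
}

# Usage: Resolve-ShortUrl 'http://short.example/abc' prints each hop down to the final URL
```

If the last hop points at an executable or an archive download rather than a page, that alone is reason not to click; the chain also stops at `$MaxHops` so a redirect loop cannot hang the check.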

In particular, this malicious program masquerades as a Korean anti-virus product.


The downloaded malicious file is an SFX (self-extracting executable) archive and displays a brief notice about the bundled adware.


As shown in the figure above, it connects to a specific domain server and attempts the installation.


After extraction, two files exist at the following paths, and several shortcuts to affiliate marketing sites are created on the Desktop.

* Generated file information

C:\Documents and Settings\(user account)\Desktop\temp.zip
C:\Documents and Settings\(user account)\My Documents\alyac2.0\alyac2.0.jpg

The downloaded temp.zip contains the "alyac2.0.jpg" file together with a description and download link for "ALYAC V2.0 beta".

Figure: 알약2.0.jpg (the alyac2.0.jpg image described above)
* Registry information (auto-start on boot)

1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : SmartToolUDF
- Value data : C:\Documents and Settings\(user account)\Local Settings\Application Data\Microsoft\SmartTool\SmartToolUDF.exe
2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : AntiDefendMain
- Value data : C:\Program Files\AntiDefend\AntiDefend.exe /Boot
3. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : PrivacyView
- Value data : C:\Program Files\PrivacyView\PrivacyView.exe /run1
4. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : sevenlink
- Value data : C:\Program Files\Sevenlink\sevenlink.exe
5. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : SmartTool
- Value data : C:\Program Files\SmartTool\SmartTool.exe
6. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : SearchNQ
- Value data : C:\Program Files\SearchNQ\SearchNQ.exe
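The dropped files and the six Run-key entries above are the indicators a responder would check on a host. The script below is an added example, not part of the original INCA advisory and not nProtect's detection logic: it reports any of the listed Run values, the dropped files and every Desktop shortcut with its target, and only removes the Run values when -Remove is given. The value names, executable names and file paths come from the advisory; the function names, the additional HKCU check and the shortcut listing are this example's own assumptions, and it assumes Windows PowerShell 3 or later.

```powershell
<#
  Added example (not part of the original INCA advisory): triage a Windows host for the
  Run-key persistence and dropped files listed above. Value names, EXE names and paths come
  from the advisory; the function names, the HKCU check and the Desktop shortcut listing are
  this example's own additions (assumptions). Reports only, unless -Remove is passed.
#>

# Run value name -> executable the advisory says its data points at
$KnownRunValues = @{
    'SmartToolUDF'   = 'SmartToolUDF.exe'
    'AntiDefendMain' = 'AntiDefend.exe'
    'PrivacyView'    = 'PrivacyView.exe'
    'sevenlink'      = 'sevenlink.exe'
    'SmartTool'      = 'SmartTool.exe'
    'SearchNQ'       = 'SearchNQ.exe'
}

function Find-SuspiciousRunValues {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # HKLM\...\Run is where the advisory lists the entries; HKCU is an extra check (assumption)
        [string[]]$RunKeys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        ),
        [switch]$Remove
    )
    # Properties Get-ItemProperty adds to every result; these are not registry values
    $metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $expectedExe = $KnownRunValues[$prop.Name]   # hashtable keys are case-insensitive
            if (-not $expectedExe) { continue }
            $data = [string]$prop.Value
            # Same value name but a different EXE still deserves a look, so report both cases
            $exeMatches = $data -match [regex]::Escape($expectedExe)
            [pscustomobject]@{
                Key       = $key
                ValueName = $prop.Name
                ValueData = $data
                Match     = $(if ($exeMatches) { 'name+exe' } else { 'name only' })
            }
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\$($prop.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $prop.Name
            }
        }
    }
}

function Find-DroppedFiles {
    # Advisory paths resolved for the current profile, so they work on XP
    # ("Documents and Settings\<user>") and on later Windows ("Users\<user>")
    $candidates = @(
        (Join-Path ([Environment]::GetFolderPath('Desktop')) 'temp.zip'),
        (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'alyac2.0\alyac2.0.jpg'),
        (Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'Microsoft\SmartTool\SmartToolUDF.exe'),
        'C:\Program Files\AntiDefend\AntiDefend.exe',
        'C:\Program Files\PrivacyView\PrivacyView.exe',
        'C:\Program Files\Sevenlink\sevenlink.exe',
        'C:\Program Files\SmartTool\SmartTool.exe',
        'C:\Program Files\SearchNQ\SearchNQ.exe'
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Get-DesktopShortcutTargets {
    # Lists where every .lnk and .url on the Desktop points, to spot the affiliate shortcuts
    $desktop = [Environment]::GetFolderPath('Desktop')
    $shell = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -LiteralPath $desktop -Filter '*.lnk' -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        [pscustomobject]@{ Shortcut = $lnk.Name; Target = $sc.TargetPath; Arguments = $sc.Arguments }
    }
    foreach ($url in Get-ChildItem -LiteralPath $desktop -Filter '*.url' -ErrorAction SilentlyContinue) {
        # Internet shortcuts are INI text; the URL= line holds the destination
        $line = Get-Content -LiteralPath $url.FullName | Where-Object { $_ -like 'URL=*' } | Select-Object -First 1
        [pscustomobject]@{ Shortcut = $url.Name; Target = $(if ($line) { $line.Substring(4) } else { '' }); Arguments = '' }
    }
}

Find-SuspiciousRunValues   | Format-Table -AutoSize
Find-DroppedFiles          | Format-Table -AutoSize
Get-DesktopShortcutTargets | Format-Table -AutoSize
# After reviewing the report, remove the Run values (dry run first):
#   Find-SuspiciousRunValues -Remove -WhatIf
#   Find-SuspiciousRunValues -Remove
```

Run it from an elevated prompt, since the HKLM Run key needs administrator rights to modify. A value that matches by name but points at a different executable is reported as "name only" rather than ignored, because the same persistence name can be reused by a later variant; the shortcut listing is deliberately report-only so a legitimate .lnk is never deleted by script.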

3. How to prevent

Because this kind of malicious program is created for advertising and for the profit of the company behind it, it can harm the user or cost them money.
To stay safe from this kind of malicious file, we recommend that users follow these safety precautions:
 
* Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and enable real-time detection.
3. Be careful when clicking shortened URLs.
4. Download applications directly from their official sites.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for the malicious files described above and operates a response system against various security threats.
 
* nProtect Anti-Virus/Spyware 3.0 diagnosis screen

- Trojan-Clicker/W32.Agent.802816.E
