
9/19/2011

[Caution] Tricky malicious file that tampers with the MBR (Master Boot Record)

1. Introduction

Among the many malicious files spread through file hosting web sites to steal online game accounts, a variant that tampers with the MBR has been discovered, so general users need to be careful when using the internet.
The most notable feature of this malicious file is that it can re-infect the victim's PC repeatedly even after the file has been removed by anti-virus software.
  
2. Spreading path and symptoms of infection

This malicious file is spread through the same channels as other malicious files that steal online game account information: file hosting web sites, e-mail attachments, and SNS.
It shows the same symptoms as those files, including replacing normal system files such as imm32.dll and lpk.dll with malicious versions.
The difference from previous versions is that it also tampers with the MBR, which causes re-infection.

* MBR before tampering (figure not reproduced)

* Tampered MBR (figure not reproduced)

The figures above show the MBR before and after tampering. Once the MBR has been tampered with, the PC is re-infected on every boot.
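As an added example (not part of the original post and not INCA Internet's code), the script below shows how a defender can check a captured first sector for this kind of tampering offline: it compares the boot-code region and the partition table of a 512-byte MBR image against a trusted baseline image. The two MBR images it builds are constructed sample data, not real boot code and not the malware's code; the helper names and byte values are assumptions.

```python
"""Baseline-and-compare check for MBR (Master Boot Record) tampering.

Added example, not part of the original post and not INCA Internet's code.
It assumes the first sector of the disk has already been saved to a 512-byte
image file by a forensic tool; the two MBR images built below are constructed
sample data, not real boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code occupies bytes 0..439
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
# one entry: status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def parse_partitions(mbr: bytes):
    """Return the four partition-table entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, n_sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({
            "boot": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": n_sectors,
        })
    return entries


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only (the part a bootkit patches)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline: bytes):
    """Compare a captured MBR against a trusted baseline image.

    Returns a list of findings; an empty list means nothing anomalous.
    Boot code and partition table are checked separately because a bootkit
    typically patches the loader while leaving the disk layout intact so
    the system still boots normally.
    """
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append(f"unexpected sector length {len(mbr)}")
        return findings
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(mbr) != boot_code_digest(baseline):
        findings.append("boot code differs from baseline")
    if parse_partitions(mbr) != parse_partitions(baseline):
        findings.append("partition table differs from baseline")
    return findings


def _build_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR image: given boot code, one bootable partition, signature."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # partition 1: bootable (0x80), type 0x07 (NTFS), LBA 2048, 204800 sectors (100 MiB)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data: a "clean" baseline and a copy whose boot code was overwritten
# but whose partition table is unchanged, the pattern described in the post.
CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0" + b"\x90" * 437)   # placeholder loader stub padded with NOPs
TAMPERED_MBR = _build_mbr(b"\xeb\x3c" + b"\x90" * 438)    # different leading bytes, same layout


if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, CLEAN_MBR) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, CLEAN_MBR) or "OK")
```

In practice the baseline would be the boot-code digest recorded from a known-good machine of the same OS build (or the sector written by a fresh fixmbr), and the check would be run over sector images pulled from the machines under investigation; a boot-code mismatch with an intact partition table is the signal to examine further.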

* Tampered MBR including re-infection code (figure not reproduced)
Furthermore, after infection, additional malicious files are generated and downloaded.

* Generated files
- C:\Windows\lpk.dll
- C:\Windows\system32\DiskSystem.exe
- C:\Windows\system32\halc.dll
- C:\Windows\system32\imm32.dll
- C:\Windows\system32\ws2sock.dll
- C:\Windows\system32\dnetcom.dll
- C:\Windows\system32\drivers\FileEngine.sys

Once these additional malicious files are in place, lpk.dll steals online game account information and FileEngine.sys monitors the processes of certain anti-virus programs.

3. How to prevent

Since this kind of malicious file tampers with the MBR, removing it completely can be difficult.
In this case, the MBR must be recovered first, as follows.
  
* How to recover a tampered MBR

1. Boot from the "Windows installation CD" and enter recovery mode. (figure not reproduced)

2. Choose the Windows installation (directory) to recover, type "fixmbr" and press Enter to create a new MBR. (figure not reproduced)

3. Once the MBR is recovered, the malicious files can be deleted with anti-virus software.

To use a PC safely against security threats such as these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above through "nProtect Anti-Virus/Spyware", and operates a response system against various security threats.
