One of the most notable features of this malicious file is that it can re-infect the victim's PC repeatedly, even after the file has been removed by anti-virus software.
2. Spreading path and symptoms of infection
This malicious file can be spread via file hosting web sites, e-mail attachments and SNS, in the same way as malicious files that steal online game account information.
This malicious file shows the same symptoms as malware that steals online game account information, including infecting normal files such as imm32.dll and lpk.dll so that they become malicious.
The difference from the previous version is that it tampers with the MBR and causes re-infection.
* MBR before tampering
* Tampered MBR
The figures above show the MBR before and after tampering. Once the MBR has been tampered with, the system is re-infected on every boot.
* Tampered MBR including re-infection code
Furthermore, additional malicious files can be generated and downloaded after infection.
Once these additionally generated malicious files are in place, lpk.dll steals online game account information and FileEngine.sys monitors the processes of certain anti-virus products.
3. How to prevent
Since this kind of malicious file tampers with the MBR, complete removal can be difficult.
In this case, the MBR must be recovered first, as follows.
* How to recover from a tampered MBR
1. Boot from the "Windows installation CD" and enter recovery mode.
2. Choose the directory to recover, type "fixmbr" and press Enter. This creates a new MBR.
3. Once the MBR has been recovered, the malicious files can be deleted by anti-virus software.
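As an added example (not from the original post or from INCA Internet), the following script shows the check a defender can run on a copy of the first sector to confirm that the bootstrap code still matches a baseline recorded while the machine was known-clean, which is how a tampered MBR of the kind shown above would stand out before the next boot. The sample MBR bytes and the baseline hash are constructed here; on a real system the 512 bytes would be read from \\.\PhysicalDrive0 (Windows, as administrator) or /dev/sda (Linux, as root).

```python
import hashlib
import struct
MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code area, bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xAA"      # boot signature at bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code hash, partition table and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return findings that suggest tampering; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from recorded baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings


def sample_mbr(tampered: bool = False) -> bytes:
    """Constructed sample: a minimal clean MBR, optionally with patched boot code."""
    boot_code = b"\xFA\x33\xC0\x8E\xD0" + b"\x00" * (BOOT_CODE_LEN - 5)
    if tampered:
        # stand-in for code injected into the boot sector (constructed bytes, not real malware)
        boot_code = b"\xEB\x10" + b"\x90" * 14 + boot_code[16:]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    return boot_code + entry + b"\x00" * 48 + SIGNATURE


if __name__ == "__main__":
    baseline = parse_mbr(sample_mbr())["boot_code_sha256"]   # record this while the system is known-clean
    print(check_mbr(sample_mbr(tampered=True), baseline))    # ['bootstrap code differs from recorded baseline']
```

Comparing the bootstrap area rather than the whole sector keeps the check stable across legitimate partition-table edits, while any change to the code that runs at boot is reported.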
To use a PC safely against the security threats posed by these malicious attachments, we recommend that general users follow the "Security management tips" below.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above through "nProtect Anti-Virus/Spyware", and operates a response system against various security threats.