[Warning] HWP document file containing a malicious file

1. Introduction

A malicious file that exploits a vulnerability in HWP, while looking like a normal document, has been found again, so general users of Hangul Word Processor need to be careful.
Because this malicious file contains real document content, users cannot tell whether it is malicious or not.
In addition, once a system is infected, it can create additional malicious files by exploiting a vulnerability in a certain application.

2. Spreading path and symptoms of infection

Users can be infected by downloading and executing an attachment or link from an unverified sender.
Furthermore, because the content of the file looks normal, users are far more easily deceived by this malicious file.

The recently found malicious file is named "(Tripping Point).hwp", and various variants are expected.

The generated "hidaapi.dll" runs after being secretly injected into a normal process. Additional analysis is in progress.

* Generated files
- (Windows system folder)\System32\Msvcr.exe (55,636 bytes)
- (Windows system folder)\hidaapi.dll (17,920 bytes / file name will be random)

* (Windows system folder) is C:\WINDOWS\SYSTEM on Windows 95, 98, ME, 2000; C:\WINNT\SYSTEM32 on Windows NT; and C:\WINDOWS\SYSTEM32 on Windows XP.
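
A triage check built from the file names and sizes in the "Generated files" list above, as an added example that is not part of the original advisory or of INCA Internet's tooling. The function names are hypothetical, and because the advisory gives sizes but no hashes, a size-only DLL match is a candidate for review, not a verdict.

```python
import os
from pathlib import Path

# Indicators from the advisory's "Generated files" list.
DROPPER_NAME = "msvcr.exe"   # (system folder)\System32\Msvcr.exe
DROPPER_SIZE = 55636         # bytes
DLL_SIZE = 17920             # bytes; hidaapi.dll, file name may be random


def folders_to_check(system_dir):
    """Return the system folder and, if present, its System32 subfolder."""
    base = Path(system_dir)
    return [d for d in (base, base / "System32") if d.is_dir()]


def triage(system_dir):
    """Return sorted (match_level, path, size) tuples for files worth reviewing."""
    findings = []
    for folder in folders_to_check(system_dir):
        for entry in os.scandir(folder):
            try:
                if not entry.is_file(follow_symlinks=False):
                    continue
                size = entry.stat(follow_symlinks=False).st_size
            except OSError:
                continue  # locked or vanished file: skip, do not abort the sweep
            name = entry.name.lower()
            if name == DROPPER_NAME:
                level = "name+size" if size == DROPPER_SIZE else "name-only"
                findings.append((level, entry.path, size))
            elif name.endswith(".dll") and size == DLL_SIZE:
                # Weak indicator: a benign DLL can share this size.
                findings.append(("size-only", entry.path, size))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: %SystemRoot%\System32 is the system folder on this host.
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    for level, path, size in triage(os.path.join(root, "System32")):
        print(f"[{level}] {path} ({size} bytes)")
```
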

* Control flow of malicious file

3. How to prevent

Applying the latest patches for the application and the OS is the most important step in avoiding this kind of malicious file.
To keep PCs safe from the security threats posed by such malicious attachments, we recommend that general users follow the "Security management tips" below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions in “nProtect Anti-Virus/Spyware” for detecting malicious files such as the one described above, and runs a response system against various security threats.

Diagnosis name

- Trojan/W32.Hwp-Exploit.79360
- Trojan/W32.Agent.17920.QQ

