[Warning] Malicious file targeting South Korean users via an Excel exploit

1. Introduction

A malicious file that targets South Korean users through an Excel exploit has recently been found.
Although both the sender and the recipient of the e-mail are South Korean, the sender account appears to be fraudulent.
Because the Excel attachment opens and displays genuine spreadsheet contents, it is difficult for ordinary users to tell that it is malicious.
Targeted attacks of this kind are carried out in a sophisticated and persistent manner, so users should be careful when downloading attachments.

2. Spreading path and symptoms of infection

This malicious file targets South Korean users: it is disguised as a normal e-mail with a normal attachment. The attachment displays real Excel contents, yet performs additional malicious actions when it is opened.

The following figure shows the body of the e-mail.

Mail body: We are attaching contacts. Thanks.

The attachment "주소록.xls" (Contacts.xls) exploits an Excel vulnerability.
When the victim opens the file, an additional malicious file is downloaded.

When "주소록.xls" (Contacts.xls) is opened, the victim sees a normal-looking address book, while the Excel exploit downloads the additional malicious file in the background.

Targeted attacks of this kind usually rely on social engineering: the document carries contents that look important or relevant to the recipient, so that the file is opened without suspicion. In this case the following files are created on the victim's system: a clean copy of "주소록.xls" (Contacts.xls), which is the decoy shown to the user, and the malicious files tasksger.exe and 6to4vcs.dll.

C:\Documents and Settings\(User Account)\Local Settings\Temp\주소록.xls (Clean decoy file)
C:\Documents and Settings\(User Account)\Local Settings\Temp\tasksger.exe (Malicious file)
C:\WINDOWS\system32\6to4vcs.dll (Malicious file)
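The behaviour above (a document that displays real spreadsheet contents while carrying a payload) is what an analyst wants to check before the attachment is opened anywhere. The following script is an added triage example and is not code from INCA Internet or from the original advisory. It assumes the dropped executable is embedded in the .xls as a raw blob, which the advisory does not state; it verifies the OLE2 container signature that legacy .xls files use, then carves any embedded PE image by validating the MZ -> e_lfanew -> "PE\0\0" chain rather than matching the two bytes "MZ" alone. All sample bytes are constructed inline; the real 주소록.xls is not reproduced.

```python
"""Offline triage of a suspicious .xls attachment (added example, constructed data)."""
import hashlib
import struct

# Legacy .xls (BIFF8) files are OLE2 compound documents; this is their 8-byte signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def is_ole2(data: bytes) -> bool:
    """True if the blob starts with the OLE2 compound-document signature."""
    return data[:8] == OLE2_MAGIC


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of every 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature.

    Dropper documents often carry the executable they write to disk as a raw blob.
    Requiring a consistent DOS header -> PE signature chain avoids false hits on
    the bytes "MZ" appearing by chance inside spreadsheet data.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Genuine headers keep e_lfanew small and inside the file.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data: bytes) -> dict:
    """Summarise the facts an analyst records before the file touches a real host."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "is_ole2": is_ole2(data),
        "embedded_pe_offsets": find_embedded_pe(data),
    }


def build_sample(with_payload: bool) -> bytes:
    """Constructed stand-in for an attachment (not the real 주소록.xls).

    OLE2 signature plus filler to 512 bytes, then optionally a minimal fake PE:
    an 'MZ' stub whose e_lfanew field (offset 0x3C) is 0x80, followed by the
    'PE\\0\\0' signature at that offset. The fake PE is inert filler, not code.
    """
    blob = bytearray(OLE2_MAGIC + b"\0" * (512 - len(OLE2_MAGIC)))
    if with_payload:
        stub = bytearray(b"MZ" + b"\0" * 0x3A)      # 0x3C bytes of DOS header
        stub += struct.pack("<I", 0x80)              # e_lfanew at offset 0x3C
        stub += b"\0" * (0x80 - len(stub))           # pad up to e_lfanew
        stub += b"PE\0\0" + b"\0" * 0x100            # PE signature + filler
        blob += stub
    return bytes(blob)


if __name__ == "__main__":
    for label, flag in (("clean-looking", False), ("with embedded PE", True)):
        print(label, triage(build_sample(flag)))
```

To use it on a real attachment, read the file in binary mode and pass the bytes to `triage()`; a non-empty `embedded_pe_offsets` list is a strong reason to treat the document as a dropper, while an empty list does not clear it, since a payload may also be downloaded at run time, as this advisory describes.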

3. How to prevent

Applying the latest patches for the application (here, Excel) and the operating system is the most important measure against this kind of malicious file.
To use a PC safely against threats from malicious attachments, we recommend the following security management tips for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection turned on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and social networking services.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the malicious files described above through "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

Diagnosis names

- Trojan-Exploit/W32.Agent.632832
- Trojan/W32.Agent.9728.MV
- Trojan/W32.Agent.19968.PU
