Users can be infected by a technique that adds a malicious file to an installation file.
Therefore, users who recently installed KMPlayer need to check the security of their computers.
The most recent version of KMPlayer is KMPlayer_KR_3.0.0.1442_R2.exe, announced on its official web site and posted on September 21st.
However, the file downloaded on November 26th had been tampered with by someone and contained an additional malicious file to be installed. The tampered file looked like the normal KMPlayer installer, but its file information contains Chinese text. Based on our analysis, the creator of this program seems to have used a binder program, which combines two executable files into one file.
The tampered KMPlayer_KR_3.0.0.1442_R2.exe contains a malicious file, SOURCE, which holds the "malicious resource code"; it will be installed under a certain name and executed. In the end the PC is infected by a malicious file used for DDoS attacks.
2. Spreading path and symptoms of infection
On executing the tampered KMPlayer_KR_3.0.0.1442_R2.exe, it creates both a normal and a malicious install file in the temp folder.
Since both file names are built from fixed plus changeable letters, the names are different every time they are created.
* Name combination of the generated normal file (EXE): e+(fixed)+a+(fixed)+l+(fixed)+r.exe
* Name combination of the generated malicious file (EXE): l+(fixed)+a+(fixed)+l+(fixed)+r.exe
* Name combination of the generated malicious file (DLL): T+(fixed)+m+(fixed)+t+(fixed)+D.dll
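As an added defender-side example (not code from this advisory or from INCA Internet), the following Python script checks file names in the temp folder and the system folder against the naming scheme listed above. It assumes that each interleaved slot is the changeable part and holds exactly one letter, and that Windows file names are compared case-insensitively; the hidden-attribute check only works on Windows.

```python
import os
import re
import stat
import tempfile

# Patterns derived from the advisory's naming scheme. Assumption: every
# interleaved slot is the changeable part and holds a single letter.
DROPPED_NAME_PATTERNS = {
    "normal_installer_exe": re.compile(r"^e[a-z]a[a-z]l[a-z]r\.exe$", re.I),
    "malicious_exe":        re.compile(r"^l[a-z]a[a-z]l[a-z]r\.exe$", re.I),
    "malicious_dll":        re.compile(r"^T[a-z]m[a-z]t[a-z]D\.dll$", re.I),
}


def classify_dropped_name(filename):
    """Return the label of the naming pattern a file name matches, or None."""
    for label, pattern in DROPPED_NAME_PATTERNS.items():
        if pattern.match(filename):
            return label
    return None


def filter_names(names):
    """Return [(name, label)] for the names that match any pattern."""
    hits = []
    for name in names:
        label = classify_dropped_name(name)
        if label is not None:
            hits.append((name, label))
    return hits


def is_hidden(path):
    """True if the file carries the Windows hidden attribute (False elsewhere)."""
    try:
        attrs = os.stat(path).st_file_attributes  # attribute exists on Windows only
    except AttributeError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_directory(directory):
    """Return [(name, label, hidden)] for matching files in one directory."""
    hits = filter_names(sorted(os.listdir(directory)))
    return [(n, l, is_hidden(os.path.join(directory, n))) for n, l in hits]


if __name__ == "__main__":
    system_dir = os.path.join(os.environ.get("SystemRoot", ""), "system32")
    for d in (tempfile.gettempdir(), system_dir):
        if os.path.isdir(d):
            for name, label, hidden in scan_directory(d):
                print(f"{os.path.join(d, name)}: {label} (hidden={hidden})")
```

A match on the malicious patterns, especially a hidden DLL in the system folder, is a triage signal to verify with the anti-virus diagnosis names given below, not proof of infection on its own.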
Upon executing the normal KMPlayer installation file, it asks the user for the installation language.
The malicious file drops a certain DLL file with the hidden attribute into the system folder.
This malicious file is also masqueraded as "Which Battery Meter Helper".
The latest version of nProtect Anti-Virus detects it as Trojan/W32.DoS.67584.B.
Once a PC is infected by this kind of malicious file, the attacker can connect to the victim's IP address and control the PC using a remote management program.
The following figure is a list of zombie PCs. Numerous PCs can be infected and work as DDoS agents, and personal information can even be leaked.
3. How to prevent
To keep your PC safe from the security threats of such malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" for general users below.
Security management tips
1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions in "nProtect Anti-Virus/Spyware" for detecting malicious files such as the ones described above, and runs a response system against various security threats.
Diagnosis name
- Virus/W32.Patched.V
- Trojan/W32.DoS.67584.B