[Information] Continuous appearances of malicious file with using HWP exploit

1. Introduction

With continuous appearances of malicious documents using HWP vulnerability, HWP users need to be careful on using that product.
In case of recently found malicious HWP document, it is disguised as a certain official document and induces user to be threaten.
So, we are trying to let you know the case of this malicious file and security patch of Hancom Inc's.

[Advisory of security update for HWP's Stack Buffer overflows vulnerability]

* KISA BOHONARA
http://www.boho.or.kr/dataroom/data_05_dtl.jsp?u_id=217&page=1&TempNum=216

* Outline
 Stack Buffer overflow was found on 'HWP', one of Korean popular word processor.
 Attacker can terminate infected software with using vulnerability or execute malicious code.
 An earlier version user can be easily infected by malicious code and is recommended to update newest version.

* Systems
  Affected Softwares
  - HWP 2004.earlier than 6.0.5.770
  - HWP 2005.earlier than 6.7.10.1067
  - HWP 2007 earlier than 4.5.12.623
  - HWP 2010 SE earlier than 8.5.6.1131

* How to prevent
  For earlier version user
  - Visit official web site and download or use auto update
  - http://www.hancom.co.kr/downLoad.downPU.do?mcd=001
  - Auto update : Start → Programs → Hamcom → Hamcom auto update

* Hancom Inc.

http://www.hancom.co.kr/downLoad.downPU.do?mcd=001

2. Spreading path and symptoms of infection

This kind of malicious file especially from attachment of suspicious e-mail or certain web site can infect victim's system. Besides, since this document is masqueraded as an official document, general user can easily download and execute.



[File information]

[HWP2007]
- (Application Program)\Hwp70\Hwpeq9x.dll (57,344 bytes)
- (Windows\Systems)\mvcert.dll (32,768 bytes)

[Registry information]



3. How to prevent

To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.
5. Execute downloaded file after scan with anti-virus SW.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with “nProtect Anti-Virus/Spyware” for detecting such as malicious file stated above and runs responding system against various security threats.

Diagnosis name

 - Trojan-Exploit/W32.Hwp-Exploit.322296
 - Trojan-Exploit/W32.Hwp_Exploit.439312
 - Trojan/W32.Agent.193736
 - Trojan/W32.Agent.32768.BWC
 - Trojan/W32.Agent.57344.COQ
 - Trojan/W32.Agent.65536.CBK