Users can be infected by the technique adding malicious file on installation file.
Therefore, for users who recently installed KMPlayer need to check security on his computer.
The most recent version of KMPlayer is KMPlayer_KR_220.127.116.112_R2.exe noticed its official web site and posted on September 21st.
However, downloaded file on November 26th was tampered by someone and contained malicious file to install additionally. Tampered file looked like normal KMPlayer, but its file information contains Chinese language. Based on our analysis, creator of this program seems to be used Binder program, combine 2 execution files to 1 file.
Tampered KMPlayer_KR_18.104.22.1682_R2.exe contains malicious file SOURCE which contains "malicious resource code", and it will be installed on certain name and executed. Finally it will be infected by malicious file for attacking DDoS.
2. Spreading path and symptoms of infection
On executing tampered KMPlayer_KR_22.214.171.1242_R2.exe, it will create both normal and malicious install files on temp folder.
Since, both files are designated its name by (fixed+changeable alphabet), its name will be created differently every time.
The latest version of nProtect Anti-Virus can detect it as Trojan/W32.DoS.67584.B.
Once infected by this kind of malicious file, attacker can connect victim's IP address and control with using remote management program.
Following figure is list of Zombie PCs. Numerous PCs can be infected and work as a DDoS Agent even be leaked personal information.
3. How to prevent
To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with “nProtect Anti-Virus/Spyware” for detecting such as malicious file stated above and runs responding system against various security threats.