
12/22/2011

[Warning] Malicious file masqueraded as a picture of Kim Jong Il's sister

1. Information

 
On December 21, 2011, INCA Internet's Emergency Response Team detected a malicious file related to Kim Jong Il's death.
Because of the time difference, our team is strengthening its emergency monitoring for files spreading overseas.
In the course of this monitoring, we detected a malicious file disguised as a picture of his sister, Kim Kyung Hee.
Users therefore need to be careful when using the Internet.



This malicious file also displays a picture of Kim Kyung Hee while it secretly installs an additional malicious file. Since the death of Kim Jong Il, various types of malicious files have continued to emerge.

INCA Internet Security Response Center's Emergency Response Team has detected various variants, and based on our analysis, the attackers appear to be trying to evade anti-virus software.

In addition to the picture of her, on December 22, 2011 we found another malicious file, disguised as a PDF file about the death of Kim Jong Il.


The most notable feature of this case is its use of social engineering and social psychology. If a PC is infected by this kind of malicious file, it can be controlled by the attacker.

[Warning] Additional malicious file disguised as the pic of Kim Jong Il (Update #1)
http://en-erteam.nprotect.com/2011/12/warning-additional-malicious-file.html

[Warning] Kim Jong Il Malicious scam is spreading(Update #3)
http://en-erteam.nprotect.com/2011/12/warning-kim-jong-il-malicious-scam-is.html

[Caution]Malicious file is spreading via a Korean entertainer's porn video file.
http://en-erteam.nprotect.com/2011/12/cautionmalicious-file-is-spreading-via.html

With malicious files related to Kim and his family continuing to appear, general users need to be careful not to be lured by such files, whether they arrive through phishing, e-mail attachments, unofficial news, suspicious links, or shortened SNS URLs.


It was on December 20, 2011.

In particular, be careful with attachments such as PDF, DOC, HWP, PPT, ZIP, EXE, or SCR files.

2. Malicious file with a picture of Kim Kyung Hee

During our monitoring, our team detected another malicious file disguised as a picture of Kim Jong Il's sister.
When this malicious file, "Kim Kyung-hee.scr", is executed, it creates Kim Kyung-hee.jpg and msrt.exe in the Temp folder and then executes them.


msrt.exe is a self-extracting RAR file that extracts wship6.tmp and server.exe into the Local Settings folder. It then renames server.exe to chksrv.exe.


Because the user sees only the following image, the victim does not notice the infection.
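The traits described in this section can be checked statically before an attachment is opened. The following is an added example, not part of INCA Internet's analysis: a Python triage function that flags a file whose content is a Windows executable carried under a .scr or document extension, a self-extracting RAR such as msrt.exe, and an embedded JPEG decoy. The function names, finding labels and sample bytes are constructed for illustration, and the JPEG check assumes the decoy image is stored uncompressed inside the dropper.

```python
import os
import struct

RAR_MARKER = b"Rar!\x1a\x07"      # prefix shared by RAR 4.x and 5.x archives
JPEG_MARKER = b"\xff\xd8\xff"     # JPEG start-of-image
RUNNABLE_EXTS = {".exe", ".scr"}  # extensions Windows executes directly


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(name: str, data: bytes) -> list:
    """Return findings for one attachment (labels are this example's own)."""
    findings = []
    if not is_pe(data):
        return findings  # only executable content is of interest here
    ext = os.path.splitext(name)[1].lower()
    if ext == ".scr":
        findings.append("executable-screensaver")
    elif ext not in RUNNABLE_EXTS:
        findings.append("executable-content-under-document-extension")
    if RAR_MARKER in data:
        findings.append("self-extracting-rar")
    if JPEG_MARKER in data:
        # Heuristic: assumes an uncompressed decoy; a 3-byte match can be coincidental.
        findings.append("embedded-jpeg")
    return findings


# Constructed sample bytes: a minimal MZ/PE stub plus markers, not real malware.
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
SAMPLES = {
    "Kim Kyung-hee.scr": PE_STUB + JPEG_MARKER + b"\xe0decoy-image-bytes",
    "msrt.exe": PE_STUB + RAR_MARKER + b"\x00archive-bytes",
    "report.pdf": PE_STUB,
    "Kim Kyung-hee.jpg": JPEG_MARKER + b"\xe0plain-image-bytes",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname}: {triage(fname, blob) or 'no findings'}")
```

A mail gateway or endpoint script could call `triage()` on each attachment and quarantine anything that returns a finding.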


3. How to prevent

To keep your PC safe from the security threats posed by these malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and use its real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.
