Malicious files of this kind have appeared in various forms. The most recent variant replaced ws2help.dll with a malicious file.
As you know, system files are loaded during boot, so a malicious system file can cause an endless reboot loop.
These malicious files spread mainly on weekends through popular file-sharing web sites, and they infect systems through various vulnerabilities.
Attackers target Internet news sites, file-sharing services, and forums in order to reach users whose PCs are not patched against security vulnerabilities.
Furthermore, the malware calculates real-time statistics of infected users and collects OS version information and anti-virus software information.
2. Infection details
This malicious file replaces version.dll (Version Checking and File Installation Libraries) with a malicious file and renames the original version.dll to version32.dll. The malicious version.dll then makes version32.dll (the original) be used at boot.
When the host malicious file is executed, it first runs the following procedure and replaces the normal version.dll with the malicious file (on Windows XP SP3 Korean):
A. Creates a malicious file at C:\Windows\System32\safemon.dll
B. Creates a malicious file at C:\Documents and Settings\[user account]\Local Settings\Temp\201211891054.dll
* The created DLL file name uses the format "yyyymmddhhmmss".
C. Renames the original version.dll to C:\Windows\System32\version32.dll
D. Replaces C:\Windows\System32\version.dll with C:\Windows\System32\201211891054.dll (the malicious file)
* The normal version.dll file is replaced with the malicious version.dll file.
E. Creates voor.bat, then removes the host exe file and the voor.bat file.
The malicious version.dll forwards its export addresses to version32.dll, runs itself at boot, and tries to steal online game accounts.
The malicious safemon.dll registers itself as a BHO (Browser Helper Object) through the registry. In this process, existing BHO values may be removed.
Once it is registered as a BHO, the malicious file runs along with IE (Internet Explorer).
The malicious safemon.dll is disguised as an update module of the ALYac product, and it tries to steal the user accounts and passwords entered in the browser.
The version.dll that was replaced with the malicious file interferes with anti-virus software and tries to kill the following processes:
- ALYac : AYAgent.aye, AYUpdSrv.aye, AYRTSrv.aye
- Naver : NaverAgent.exe
- AhnLab SiteGuard : SgRun.exe, SgSvc.exe, Sgui.exe
- AhnLab V3 Lite : V3LTray.exe, V3LRun.exe, V3LSvc.exe
- AVAST : AvastUI.exe, ashUpd.exe, AvastSvc.exe, avwsc.exe
- AVG : avgupd.exe, avgwdsvc.exe, avgfrw.exe, avgrsx.exe, avgnsx.exe, avgemc.exe, avgam.exe
- AVIRA : avupgsvc.exe, avscan.exe, avguard.exe, avcenter.exe, avgnt.exe
- BitDefender : bdreinit.exe, bdagent.exe, seccenter.exe, vsserv.exe, updatesrv.exe
- Kaspersky : avp.exe
- McAfee : UdaterUI.exe, Mctray.exe, shstat.exe
- Microsoft : msseces.exe
- Eset : ekrn.exe, egui.exe
- Symantec : Navw32.exe, ccSvcHst.exe
If ALYac or V3 is installed on the infected system, it moves the driver files to the temp folder. The renamed files follow the sequence SrMac(number).dat; see the following file list.
3. How to remove manually
Close the applications that interfere with removal. Changing the malicious files' extensions and removing the malicious registry values will make the infected PC safe from these malicious files.
A. Rename C:\Windows\System32\version.dll.
ex) version.dll -> version.dll-
B. WFP (Windows File Protection) will restore the normal version.dll file from C:\Windows\System32\dllcache\version.dll.
Since the malicious file (version.dll-) is still running, it can be removed after a reboot.
C. safemon.dll runs along with Explorer.exe, so it cannot be removed immediately. To delete safemon.dll, force-kill Explorer.exe, or rename the file as follows, then reboot and remove it.
ex) safemon.dll -> safemon.dll-
D. Remove the malicious registry values.
The following registry values need to be removed.
E. Reboot and remove the following files.
- C:\Documents and Settings\[user account]\Local Settings\Temp\2012(mmddhhmmss).dll-
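The following Python script is an added example, not INCA Internet's code: it takes the indicators from the infection details (version32.dll beside version.dll, safemon.dll, the timestamp-named DLL in Temp, the safemon.dll BHO registration) and turns steps A to E above into an ordered remediation plan, worked out offline on a constructed snapshot rather than on a live system. Assumed, not taken from the article: the BHO registry key layout under HKLM and the CLSID placeholder, and the acceptance of 12 to 14 digits in the timestamp name (the article states "yyyymmddhhmmss" but its sample name 201211891054 has 12 digits).

```python
"""Offline triage of the version.dll / safemon.dll indicators.

Added example (not INCA Internet's code). It reads a constructed snapshot of
the two directories and the BHO registrations named in the article and emits
the manual removal steps in the order the article gives them (rename now,
reboot, then delete). Nothing here touches the live file system or registry.
"""
import re
from dataclasses import dataclass

SYSTEM32 = r"C:\Windows\System32"
TEMP_DIR = r"C:\Documents and Settings\[user account]\Local Settings\Temp"
# Assumption: standard BHO registration key (general Windows knowledge).
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Article: dropped DLL names follow "yyyymmddhhmmss"; the sample 201211891054
# has 12 digits, so 12 to 14 digits are accepted (assumption). The optional
# trailing '-' matches a file already neutralised by renaming (step A/C).
_TS_DLL = re.compile(r"^20\d{10,12}\.dll-?$", re.IGNORECASE)


def is_timestamp_dll(name: str) -> bool:
    """True for DLL names that look like the dropper's timestamp naming."""
    return _TS_DLL.match(name) is not None


def _p(*parts: str) -> str:
    """Join Windows path components with backslashes."""
    return "\\".join(parts)


@dataclass(frozen=True)
class Step:
    order: int      # 1 = do now, 2 = do after reboot
    action: str     # rename | verify | delete | remove_registry_value
    target: str
    reason: str


def plan_remediation(system32, temp_files, bho_entries):
    """Build the ordered removal plan.

    system32, temp_files: file names found in the two directories.
    bho_entries: mapping CLSID -> InprocServer32 DLL path (constructed).
    """
    present = {n.lower() for n in system32}
    steps = []
    # Steps A/B: the original was moved aside as version32.dll, so the
    # version.dll in place is the malicious one; renaming it lets WFP restore
    # the clean copy from dllcache, and the renamed copy goes after reboot.
    if "version32.dll" in present:
        steps.append(Step(1, "rename", _p(SYSTEM32, "version.dll"),
                          "original moved to version32.dll; rename to version.dll- so WFP restores it"))
        steps.append(Step(1, "verify", _p(SYSTEM32, "dllcache", "version.dll"),
                          "WFP source for the restored version.dll"))
        steps.append(Step(2, "delete", _p(SYSTEM32, "version.dll-"),
                          "malicious copy, still mapped until reboot"))
    # Step C: safemon.dll is loaded by Explorer.exe, so rename, reboot, delete.
    if "safemon.dll" in present:
        steps.append(Step(1, "rename", _p(SYSTEM32, "safemon.dll"),
                          "loaded by Explorer.exe; rename to safemon.dll-"))
        steps.append(Step(2, "delete", _p(SYSTEM32, "safemon.dll-"),
                          "fake ALYac update module"))
    # Step D: BHO registrations whose server DLL is safemon.dll.
    for clsid, dll_path in bho_entries.items():
        if dll_path.lower().endswith("safemon.dll"):
            steps.append(Step(1, "remove_registry_value", _p(BHO_KEY, clsid),
                              "BHO registration that loads safemon.dll into IE"))
    # Step E: timestamp-named dropper DLL in the user's Temp directory.
    for name in temp_files:
        if is_timestamp_dll(name):
            steps.append(Step(2, "delete", _p(TEMP_DIR, name),
                              "dropped copy of the malicious version.dll"))
    return sorted(steps, key=lambda s: s.order)  # stable: keeps A..E order


# Constructed snapshot of an infected XP host (not real collected data).
INFECTED_SYSTEM32 = ["kernel32.dll", "version.dll", "version32.dll", "safemon.dll"]
INFECTED_TEMP = ["~DF1234.tmp", "201211891054.dll"]
INFECTED_BHO = {"{PLACEHOLDER-CLSID}": r"C:\Windows\System32\safemon.dll"}
# Constructed clean snapshot for comparison.
CLEAN_SYSTEM32 = ["kernel32.dll", "version.dll"]


if __name__ == "__main__":
    for step in plan_remediation(INFECTED_SYSTEM32, INFECTED_TEMP, INFECTED_BHO):
        when = "now" if step.order == 1 else "after reboot"
        print(f"[{when:12}] {step.action:22} {step.target}  # {step.reason}")
```

The plan is deliberately split into a "now" phase (renames and the registry value) and an "after reboot" phase (deletes), because the article notes that version.dll- and safemon.dll- stay mapped by running processes until the system restarts.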
4. How to prevent
As mentioned above, these malicious files can cause various kinds of damage (including theft of online game account information and unexpected termination of IE during Internet banking) and have a wide infection range.
Get the latest version from the following URL.
To keep your PC safe from the security threats posed by these malicious files, we recommend that you download the latest security updates and follow the "Security management tips" for general users below.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.