
1/18/2012

[Warning] Malicious file changing version.dll

1. Introduction

On Jan 14, 2012, INCA Internet Security Response Center's Emergency Response Team detected a malicious file, aimed at domestic users, that replaces the system file version.dll with a malicious copy.
Malicious files of this kind have appeared in several variants; the most recent one replaced ws2help.dll.
Because system DLLs are loaded at boot, a malicious replacement can leave the machine rebooting endlessly.
These files are distributed mainly on weekends through popular file sharing sites and use a range of vulnerabilities to infect visitors.


The attackers target internet news sites, file sharing services and forums whose visitors' PCs are likely to have unpatched vulnerabilities.

[Warning] Malicious file which changes ws2help.dll(System file)
http://en-erteam.nprotect.com/2012/01/warning-malicious-file-which-changes.html 

The malware also reports infection statistics in real time and collects the OS version and the installed anti-virus software.

2. Infection details

This malicious file replaces version.dll (Version Checking and File Installation Libraries) with a malicious copy and renames the original version.dll to version32.dll. The malicious version.dll then arranges for the original, now version32.dll, to be used at boot.

When the host malicious file is executed, it performs the following steps to replace the normal version.dll with the malicious file (observed on Windows XP SP3 Korean):

A. Creates a malicious file at C:\Windows\System32\safemon.dll
B. Creates a malicious file at C:\Documents and Settings\[user account]\Local Settings\Temp\201211891054.dll
* The dropped DLL is named using the timestamp format "yyyymmddhhmmss".

C. Renames the original version.dll to C:\Windows\System32\version32.dll
D. Replaces C:\Windows\System32\version.dll with the malicious C:\Windows\System32\201211891054.dll
* The normal version.dll is thus replaced by the malicious version.dll.

E. Creates voor.bat, then removes the host exe file and voor.bat.


The malicious version.dll forwards its exports to version32.dll (the original), so the system boots normally while the malicious code runs and tries to steal online game accounts.



The malicious safemon.dll registers itself as a BHO (Browser Helper Object) through the registry; existing BHO values may be removed in the process.
Once registered as a BHO, the malicious file is loaded whenever IE (Internet Explorer) runs.

- Function name : Browser helper object
- Data : IEHlprObj Class
- CLSID : {D36F9CA2-788F-42DE-A627-9E6EF40D8475}
- file name : C:\WINDOWS\system32\safemon.dll

- Register value : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D36F9CA2-788F-42DE-A627-9E6EF40D8475}


The malicious safemon.dll is disguised as an update module of the ALYac product and tries to capture user accounts and passwords entered in the browser.


The malware carries a list of target sites, mainly Korean online game portals and item-trading sites.


The malicious version.dll also interferes with anti-virus software and tries to kill the following processes.

[Korean product]
- ALYac : AYAgent.aye, AYUpdSrv.aye, AYRTSrv.aye
- Naver : NaverAgent.exe
- AhnLab SiteGuard : SgRun.exe, SgSvc.exe, Sgui.exe
- AhnLab V3 Lite : V3LTray.exe, V3LRun.exe, V3LSvc.exe

[Overseas product]
- AVAST : AvastUI.exe, ashUpd.exe, AvastSvc.exe, avwsc.exe
- AVG : avgupd.exe, avgwdsvc.exe, avgfrw.exe, avgrsx.exe, avgnsx.exe, avgemc.exe, avgam.exe
- AVIRA : avupgsvc.exe, avscan.exe, avguard.exe, avcenter.exe, avgnt.exe
- BitDefender : bdreinit.exe, bdagent.exe, seccenter.exe, vsserv.exe, updatesrv.exe
- Kaspersky : avp.exe
- McAfee : UdaterUI.exe, Mctray.exe, shstat.exe
- Microsoft : msseces.exe
- Eset : ekrn.exe, egui.exe
- Symantec : Navw32.exe, ccSvcHst.exe

If ALYac or V3 is installed on the infected system, the malware moves their driver files to the temp directory, renaming them in the sequence SrMac(number).dat; see the following file list.

[V3 product]
- AhnFlt2k.sys
- AhnFltNt.sys
- AhnRec2k.sys
- AhnRecNt.sys
- AhnRghNt.sys
- ahnsze.sys
- v3core.sys
- v3engine.sys

[Alyac product]
- EstRtw.sys

3. How to remove manually

Close running applications first. Renaming the malicious files (changing their extension) and removing the malicious registry values makes the infected PC safe from them.

A. Rename C:\Windows\System32\version.dll.
ex) version.dll -> version.dll-

Normal version.dll file : 18,994 bytes
Malicious version.dll file : 66,560 bytes (varies by variant)


B. WFP (Windows File Protection) then restores the normal version.dll from C:\Windows\System32\dllcache\version.dll.

Because the renamed malicious file (version.dll-) is still loaded, it can only be deleted after a reboot.


C. safemon.dll is loaded by Explorer.exe, so it cannot be deleted immediately. To remove safemon.dll, either force-kill Explorer.exe or rename the file as below, then reboot and delete it.
ex) safemon.dll -> safemon.dll-


D. Remove the malicious registry values.

The following registry values need to be removed.

- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F9CA2-788F-42DE-A627-9E6EF40D8475}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\HOOK_DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\HOOK_ID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D36F9CA1-788F-42DE-A627-9E6EF40D8475}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D36F9CA8-788F-42DE-A627-9E6EF40D8475}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D36F9CA2-788F-42DE-A627-9E6EF40D8475}

E. Reboot and delete the following files.

- C:\Documents and Settings\user account\Local Settings\Temp\2012(mmddhhmmss).dll-
- C:\WINDOWS\system32\2012(mmddhhmmss).dll
- C:\WINDOWS\system32\safemon.dll-
- C:\WINDOWS\system32\version32.dll
- C:\WINDOWS\system32\version.dll-
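As an added example (not from the advisory or from INCA's products), the following Python script checks a directory and a .reg export for the file and registry indicators described in sections 2 and 3: the version.dll size, the renamed version32.dll, safemon.dll, the timestamp-named DLL, and the BHO registry keys. The sample directory tree and .reg fragment are constructed here to mimic the described layout; the 12-to-14-digit filename pattern is an assumption based on the advisory's sample name.

```python
import os
import re
import tempfile
# Indicators taken from the advisory above.
GOOD_VERSION_DLL_SIZE = 18994
BHO_CLSID = "{D36F9CA2-788F-42DE-A627-9E6EF40D8475}"
# Dropped DLL is named yyyymmddhhmmss.dll; the advisory's sample name has 12 digits (assumption: 12-14).
TIMESTAMP_DLL = re.compile(r"^\d{12,14}\.dll-?$", re.IGNORECASE)
MALICIOUS_KEYS = (  # two of the keys from section 3.D; subkeys are matched by prefix
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\IEHlprObj.IEHlprObj",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\" + BHO_CLSID,
)

def audit_dir(path):
    """Return the advisory's file indicators found in one directory (System32 or the user's Temp)."""
    names = {n.lower(): n for n in os.listdir(path)}
    findings = [f"{m} present" for m in ("version32.dll", "safemon.dll") if m in names]
    if "version.dll" in names:
        size = os.path.getsize(os.path.join(path, names["version.dll"]))
        if size != GOOD_VERSION_DLL_SIZE:  # 66,560 bytes in the described variant
            findings.append(f"version.dll size {size} != {GOOD_VERSION_DLL_SIZE}")
    findings += [f"timestamp-named dll {n}" for n in sorted(names.values()) if TIMESTAMP_DLL.match(n)]
    return findings

def audit_reg_export(text):
    """Return keys from the advisory's removal list that appear in a .reg export (regedit /e output)."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if any(key.startswith(k.lower()) for k in MALICIOUS_KEYS):
                found.append(line[1:-1])
    return found

def build_sample_tree(infected=True):
    """Constructed directory mimicking the infected (or clean) System32 layout; sizes only, no real DLLs."""
    root = tempfile.mkdtemp()
    files = [("version.dll", 66560), ("version32.dll", 18994), ("safemon.dll", 4096),
             ("201211891054.dll", 66560)] if infected else [("version.dll", GOOD_VERSION_DLL_SIZE)]
    for name, size in files:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"\0" * size)  # only the size matters for this check
    return root

# Constructed .reg export fragment containing two of the keys listed in section 3.D.
SAMPLE_REG_EXPORT = ("Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft"
                     "\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\" + BHO_CLSID + "]\n"
                     "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\IEHlprObj.IEHlprObj.1]\n")
```

On a real machine, point audit_dir at C:\Windows\System32 and the user's Temp directory, and feed audit_reg_export a `regedit /e` export of HKEY_LOCAL_MACHINE\SOFTWARE.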

4. How to prevent

As noted above, these malicious files cause a wide range of damage (including theft of online game account information and unexpected closing of IE during internet banking) and have a wide infection range.

Get the latest version from the following URL


To keep your PC safe from these threats, we recommend downloading the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
