
1/03/2012

[Warning] Malicious file is spreading through an HLP file exploit.

1. Information

INCA Internet Security Response Center's Emergency Response Team has detected a malicious file that uses an HLP (Windows Help file) exploit.
Unlike executable files (EXE, SCR) or document files (HWP, DOC, PPT, XLS, PDF), HLP files are an uncommon carrier for exploits.
Spreading malicious files through e-mail has long been a widely used method.
Some clever distributors go further and combine it with zero-day exploits or social engineering.



Using exploits for Microsoft OS/application, Flash Player and Java vulnerabilities, attackers are trying to compromise certain well-known web sites. The way malicious files are spread, in particular, is becoming sophisticated psychological warfare.

[Warning] Malicious file masqueraded as a picture of Kim Jong Il's sister
http://en-erteam.nprotect.com/2011/12/warning-malicious-file-masqueraded-as.html

[Information] Continuous appearances of malicious file with using HWP exploit
http://en-erteam.nprotect.com/2011/11/information-continuous-appearance-of.html

2. HLP file exploit case

The following e-mail was reported to have been sent on December 29, 2011; it induces the user to open its attachment.


The attachment "Call for Application at fundation.rar" contains a help file, "Call for Applications at fundation.hlp".


When the attachment is executed, it opens Windows Help and displays garbled characters and a link (http://www.molihua.org).


The malicious file is written so that line 7 of the embedded Visual Basic Script creates and runs A.VBS through the WScript.Shell object. So at the same moment the user sees the help page, the PC is infected by the malicious script code.


When A.VBS runs, it creates setup.exe, which acts as the root (dropper) file; setup.exe creates a folder "360" in the Application Data folder and installs "Live360.exe" there. A.VBS and setup.exe are then deleted.


Live360.exe's icon is disguised as a Microsoft Word document. When it is executed, it connects to a certain host in Shanghai, China, and command and control (C&C) is carried out through winlogon.exe.

At the time of our analysis, the malicious file was additionally dropping PASS.exe, which tries to steal personal information, including e-mail account credentials saved in cache files.


The collected passwords are recorded in C:\Windows\System\xhyj.htm, which lists Resource, Type, Account and Password, and the file is then sent to an external server.
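As an added example (not code from the original post or from INCA Internet), the following Python triage helper puts the two descriptions above into checkable form for a responder: it scans a help-file image for the script markers named in the HLP exploit section (WScript.Shell, A.VBS) and for WinHelp's program-launching macro names, and it checks a directory listing for the dropped artifacts named in this section (the "360" folder with Live360.exe under Application Data, and C:\Windows\System\xhyj.htm). The WinHelp magic bytes and the macro names are assumptions taken from the WinHelp 4 file and macro format and are not stated in the post; the sample help-file bytes and the directory listing are constructed.

```python
"""Triage helpers for the HLP-based infection chain described in this post.

Added example, not code from the original post. Assumptions (not from the post):
the WinHelp magic bytes and the program-launching macro names below come from the
WinHelp 4 file/macro format; the sample help-file bytes and directory listing are
constructed for illustration.
"""
from typing import Dict, List

# WinHelp (.hlp) files start with the magic 0x00035F3F (assumption: WinHelp 4 format).
WINHELP_MAGIC = b"?_\x03\x00"

# Strings the post describes inside the help file and its dropped script.
SCRIPT_MARKERS = (b"WScript.Shell", b"A.VBS", b"CreateObject")

# WinHelp macros that can launch external programs (assumption: WinHelp 4 macro set).
WINHELP_EXEC_MACROS = (b"ExecFile", b"ExecProgram", b"RegisterRoutine", b"ShellExecute")

# Path suffixes of the artifacts the post names, lower-cased for matching.
DROPPED_ARTIFACT_SUFFIXES = (
    r"\application data\360\live360.exe",
    r"\windows\system\xhyj.htm",
)


def scan_hlp_bytes(data: bytes) -> Dict[str, object]:
    """Flag a help-file image that carries script or program-launching content.

    Matching is case-insensitive because VBScript identifiers are not case-sensitive.
    """
    low = data.lower()
    script_hits = [m.decode() for m in SCRIPT_MARKERS if m.lower() in low]
    macro_hits = [m.decode() for m in WINHELP_EXEC_MACROS if m.lower() in low]
    return {
        "is_winhelp": data.startswith(WINHELP_MAGIC),
        "script_markers": script_hits,
        "exec_macros": macro_hits,
        "suspicious": bool(script_hits or macro_hits),
    }


def find_dropped_artifacts(listing: List[str]) -> List[str]:
    """Return the entries of a Windows directory listing that match the post's artifacts."""
    hits = []
    for path in listing:
        normalized = path.replace("/", "\\").lower()
        if any(normalized.endswith(suffix) for suffix in DROPPED_ARTIFACT_SUFFIXES):
            hits.append(path)
    return hits


# --- constructed sample inputs (not real captured files) ---
SAMPLE_MALICIOUS_HLP = (
    WINHELP_MAGIC + b"\x00" * 12
    + b"Call for Applications at fundation ... "
    + b"ExecFile(...) A.VBS ... "
    + b'Set sh = CreateObject("WScript.Shell")'
)
SAMPLE_CLEAN_HLP = WINHELP_MAGIC + b"\x00" * 12 + b"Ordinary help topic text, no macros."
SAMPLE_LISTING = [
    r"C:\Documents and Settings\user\Application Data\360\Live360.exe",
    r"C:\Windows\System\xhyj.htm",
    r"C:\Program Files\Common Files\readme.txt",
]

if __name__ == "__main__":
    print(scan_hlp_bytes(SAMPLE_MALICIOUS_HLP))
    print(scan_hlp_bytes(SAMPLE_CLEAN_HLP))
    print(find_dropped_artifacts(SAMPLE_LISTING))
```

Run it against the bytes of a real attachment (read in binary mode) and against a recursive listing of the user's profile and the Windows folder; a help file that is flagged as suspicious, or any hit from the artifact check, is grounds for isolating the host and following the removal steps in the next section.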


3. How to prevent

To keep your PC safe from the security threats of such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
