Unlike executable files (EXE, SCR) or document files (HWP, DOC, PPT, XLS, PDF), HLP files are rarely used to deliver exploits.
Spreading malicious files through e-mail has been widely used.
In particular, some clever distributors rely on zero-day exploits or social engineering.
Using exploits for the Microsoft OS and applications, Flash Player and Java, attackers also try to compromise well-known web sites. Malicious file distribution in particular is turning into sophisticated psychological warfare.
2. HLP file exploit case
The following e-mail was reported to have been sent on December 29, 2011; it induces the user to open its attachment.
The attached file "Call for Application at fundation.rar" contains a help file "Call for Applications at fundation.hlp".
When the attachment is executed, it opens Windows Help and displays aberrant characters and a link (http://www.molihua.org).
The malicious file is written to create and execute A.VBS, a Visual Basic Script, from line 7 using a WScript.Shell command. As a result, the user's PC is infected by the malicious script at the same moment the help page is displayed.
When A.VBS runs, it creates setup.exe, which acts as the root file, creates a folder named "360" in the Application Data folder and installs "Live360.exe". A.VBS and setup.exe are then deleted.
At the time of our analysis, the malicious file additionally infected PASS.exe and attempted to steal personal information, including e-mail accounts saved in cache files.
The stolen passwords were recorded in C:\Windows\System\xhyj.htm, which collects the Resource, Type, Account and Password fields, and the malware then attempts to send them to an external server.
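As an added illustration of how a defender could detect the chain described above (this is not code from the original article), the following Python sketch matches constructed process and file events against the behaviour and paths reported: a script host launched from the Windows Help viewer, and the dropped Live360.exe and xhyj.htm paths. It assumes HLP files are displayed by winhlp32.exe and uses a simplified, constructed event format rather than any real sensor's output.

```python
"""Detection logic for the HLP -> VBScript -> dropper chain in the article.
Added example; the event format below is constructed, not real sensor output."""
import re
from typing import Dict, List, Tuple

# File-path indicators taken from the article (matched case-insensitively).
FILE_INDICATORS = [
    r"\\application data\\360\\live360\.exe$",   # installed by setup.exe
    r"\\windows\\system\\xhyj\.htm$",             # credential log
    r"\\a\.vbs$",                                  # script dropped by the HLP file
]
# Assumption: .hlp files are rendered by winhlp32.exe, so a script host
# spawned by it corresponds to the WScript.Shell launch from the help page.
HELP_VIEWER = "winhlp32.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the alert reasons for a single event (empty list if benign)."""
    reasons = []
    if ev["type"] == "process":
        parent, child = _basename(ev["parent"]), _basename(ev["image"])
        if parent == HELP_VIEWER and child in SCRIPT_HOSTS:
            reasons.append("script host spawned by Windows Help viewer")
    elif ev["type"] == "file":
        for pat in FILE_INDICATORS:
            if re.search(pat, ev["path"], re.IGNORECASE):
                reasons.append("known dropper/credential-log path: " + ev["path"])
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Scan an event list and return (event index, reason) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in classify_event(ev)]


# Constructed sample events: help viewer -> wscript -> dropped files, plus noise.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\winhlp32.exe", "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "file", "path": r"C:\Documents and Settings\user\Application Data\360\Live360.exe"},
    {"type": "file", "path": r"C:\Windows\System\xhyj.htm"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe"},
    {"type": "file", "path": r"C:\Users\user\Documents\report.docx"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```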
3. How to prevent
To keep your PC safe from the security threats posed by such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.