
1/02/2012

[Warning] Malicious file which changes ws2help.dll(System file)

1. Information

INCA Internet Security Response Center's Emergency Response Team has been detecting, since Jan 1, 2012, a malicious file that replaces ws2help.dll. Malicious hackers are still distributing new malicious files to steal online game users' account information, especially on weekends. The malware replaces a normal system file with a malicious one and interferes with the normal operation of some Anti-Virus products.
Furthermore, because it is spread through Flash Player and JAVA exploits, users need to be careful when using the internet and must keep those programs up to date with the latest security updates.


Various "Patched" type malicious files, which replace core system files of the Windows OS, are spreading in South Korea; replacing ws2help.dll with a malicious file is the most common.

INCA Internet Security Response Center's Emergency Response Team detected malicious files that replace ws2help.dll on internet news sites and file sharing sites.

[Warning] An error occurred on booting while being infected tampering system files.
http://en-erteam.nprotect.com/2011/07/caution-error-occurred-on-booting-while.html

[Warning] A malicious file masqueraded as a Melon player is spreading.
http://en-erteam.nprotect.com/2011/06/warning-malicious-file-masqueraded-as.html

[Warning] Variant malicious files changing Windows system files are increasing
http://en-erteam.nprotect.com/2011/06/warning-variant-malicious-files.html

[Warning] Spreads various malicious file with being tampered Korean social commerce web site
http://en-erteam.nprotect.com/2011/06/warning-spreads-various-malicious-file.html


Since INCA Internet Security Response Center added the "GD (Generic Detection)" function to our product to detect various variants of this malicious file, our valued users will be safe from its variants even without the latest pattern update.

◎ Trojan/W32.Forwarded.Gen

Malicious file distributors continuously change their malicious files to bypass Anti-Virus detection. INCA Internet Security Response Center keeps pace with that trend.

2. Spreading path and symptoms of infection

The former malicious file we detected in Feb and Mar 2011 replaced the normal imm32.dll system file with a malicious one that executed all of the functions of the normal imm32.dll.
Another type loaded the normal file, which had been renamed, through a Push -> Call sequence in its Export functions.

As these examples show, patching system DLL files is prevalent, and some of these malicious files cause unexpected exceptions in Anti-Debugging code, which can finally cause a BSOD.

The following figure shows how the Export Address Table of the malicious ws2help.dll forwards its functions to ws3help.dll.
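As an added example (not code from the original post or from INCA/nProtect), the following Python script lists the forwarded exports of a PE file, which is the mechanism a patched ws2help.dll uses to hand calls on to the renamed original; an analyst can run it over a suspect DLL and inspect where its exports point. The sample DLL builder, the names sample.dll, FuncA and FuncB and the forward target ws3help.FuncA are constructed for the demonstration.

```python
import struct

def _rva_to_off(data, rva):
    # Map an RVA to a file offset through the section table, so the on-disk DLL can be parsed.
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsec):
        vsz, va, rsz, raw = struct.unpack_from("<IIII", data, pe + 24 + opt_size + i * 40 + 8)
        if va <= rva < va + max(vsz, rsz):
            return raw + (rva - va)
    raise ValueError("RVA %#x is outside every section" % rva)
def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")
def forwarded_exports(data):
    # Return {export_name: "target.dll.Func"} for every export that is a forwarder.
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    exp_rva, exp_size = struct.unpack_from("<II", data, pe + 24 + (96 if magic == 0x10B else 112))
    if exp_rva == 0:                                      # no export table at all
        return {}
    e = _rva_to_off(data, exp_rva)
    base, nfunc, nnames, afunc, anames, aords = struct.unpack_from("<IIIIII", data, e + 16)
    funcs, names, ords = (_rva_to_off(data, r) for r in (afunc, anames, aords))
    ord_to_name = {struct.unpack_from("<H", data, ords + 2 * i)[0]:
                   _cstr(data, _rva_to_off(data, struct.unpack_from("<I", data, names + 4 * i)[0]))
                   for i in range(nnames)}
    result = {}
    for i in range(nfunc):
        rva = struct.unpack_from("<I", data, funcs + 4 * i)[0]
        if exp_rva <= rva < exp_rva + exp_size:          # RVA points back into .edata: forwarder string
            result[ord_to_name.get(i, "#%d" % (base + i))] = _cstr(data, _rva_to_off(data, rva))
    return result
def build_sample_dll(forward_target):
    # Constructed minimal PE32 (not a real ws2help.dll): FuncA is forwarded, FuncB is an ordinary code RVA.
    sec_rva, sec_off = 0x1000, 0x200
    strs = [b"sample.dll", b"FuncA", b"FuncB", forward_target.encode()]
    sb = [sec_rva + 60 + sum(len(s) + 1 for s in strs[:i]) for i in range(4)]   # RVA of each string
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sb[0], 1, 2, 2, sec_rva + 40, sec_rva + 48, sec_rva + 56)
    edata += struct.pack("<IIIIHH", sb[3], 0x2000, sb[1], sb[2], 0, 1) + b"\0".join(strs) + b"\0"
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 96, sec_rva, len(edata)) # DataDirectory[0] = export table
    sec = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(edata), sec_rva, 0x200, sec_off, 0, 0, 0, 0, 0x40000040)
    hdr = bytearray(b"MZ".ljust(0x80, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x80)               # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102) + opt + sec
    return bytes(hdr.ljust(sec_off, b"\0") + edata.ljust(0x200, b"\0"))
```

Running `forwarded_exports(open(path, "rb").read())` on a suspect ws2help.dll prints which exports are forwarders and to which module; a system DLL whose exports all point to a module name not shipped by Windows is a strong sign it has been patched.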


While treating a malicious ws2help.dll, Anti-Virus software must restore the original system file on reboot.
If it only deletes the replaced malicious file and does not restore the original, it can cause abnormal behaviour.

These malicious files are spreading through news sites, file sharing sites, social commerce sites and forums, especially on weekends.

In particular, JAVA exploits are prevalent these days; therefore, users need to apply the latest updates.

3. How to prevent

We have mentioned various damage cases, such as stolen online game account information and unexpected IE quits.

To be safe from those threats, nProtect products added the "2011-06-23.01 pattern version" and can detect them with the "Generic diagnosis/treat technique".

The following URLs are the official web sites of each product.


To use your PC safely from the security threats of these malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" for general users below.

※ Security management tips

1. Maintain the latest security updates on the OS and applications.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function "ON".
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious of links from instant messengers and SNS.

※ INCA Internet (Security Response Center / Emergency Response Team) provides Generic diagnosis/treatment and runs a response system against various security threats.
