[Caution] Malicious file about North Korea's nuclear test

1. Information

The INCA Internet response team detected a malicious file themed on Kwangmyongsong-3 (Bright Star-3). The file is disguised as a document about the Kwangmyongsong-3 experiment and tries to install an additional malicious file by exploiting security holes.

Because of this issue, users need to be careful when using the internet.

2. Cases

Sorean intelligence officials say North Korea may be preparing for nuclear test.doc

The content of this document is presented as a report on a North Korean nuclear test, but it is a malicious file that exploits an MS Office security vulnerability.

This malicious DOC exploits CVE-2010-3333. When the victim's PC is vulnerable, it creates a malicious WORD.exe and a normal Wor.doc and runs them.

It opens the normal document file, which shows content about the North Korean nuclear test.

In addition, it registers "MSN Talk Start" as a startup program so that it runs on every boot.

North Korea.doc

It contains normal-looking content, and SWF code embedded in the MS DOC file tries to access a malicious site.

When the malicious web site is accessed, HTML code is executed that uses a CVE-2012-0507 exploit to make the PC download ZA102498414.JPG. This file is an executable (EXE) whose file name is disguised as an image file.
In addition, its original file name is "javacpl.exe" (Java Control Panel), and its icon also resembles that of a Java file.
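
A defender-side check for the disguise described above (an EXE delivered under a .JPG name), added here as an example and not taken from the original advisory. The function names and the sample bytes are constructed for illustration.

```python
import os
import struct

# Leading magic bytes of common image formats, keyed by file extension.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, so truncated input is safe.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """Compare what the file name claims with what the leading bytes say."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in IMAGE_MAGIC:
        return "not-image-name"
    if is_pe(data):
        return "executable-disguised-as-image"
    if data.startswith(IMAGE_MAGIC[ext]):
        return "image"
    return "unknown-content"

def make_pe_stub() -> bytes:
    """Constructed sample: minimal MZ/PE header bytes only, not a runnable program."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    return dos.ljust(0x80, b"\x00") + b"PE\x00\x00" + b"\x00" * 20

JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG-like header

if __name__ == "__main__":
    for name, data in [("ZA102498414.JPG", make_pe_stub()), ("photo.jpg", JPEG_HEAD)]:
        print(name, "->", classify(name, data))
```

The same comparison of claimed extension against leading bytes can be run by a mail gateway or web proxy on downloaded content before it reaches the user.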

When the exploit code is executed, IE is redirected to the MS Office web site. This redirection is one of the methods used to deceive users.

The installed malicious file tries to access a certain host and waits for additional commands.

Furthermore, the INCA Internet response team has added various patterns, including "North Korea satellite launch eclipses that of Iran.doc".

3. Summary

As with this Kwangmyongsong-3 case, various kinds of content can be used as a route for spreading malicious files.

To keep your PC safe from the security threats posed by these malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.