12345

7/15/2012

[Information] Malicious e-mail disguised as sent from wine company


1. Introduction

INCA Internet response team detected malicious e-mail disguised as sent from one of premium wine and spirits distributors. This malicious e-mail has real name and mail address on sender field of Denmark branch. The main feature is that it uses link file for its infection. Besides, once infected, it forcibly stops on certain Anti-Virus programs and shows main screen of certain messenger including MSN. Those files were written in Spanish and it hasn't been found in Korea so far.

With booming of being spread these kinds of malicious files, users need to be careful on using internet and be safe from malicious e-mails.



2. Spreading cases and symptom of infection

This malicious file is disguised as sent from wine company and induces user to download malicious file. Once infected, it collects victim's mail contacts and tries to spread same mail to collected address.


It shows that sender's address is from Denmark branch. Users can be easily dazzled. Following image is real "Jacob Hertz".


Malicious functions are as following.

Malicious functions

- Downloads additional malicious file
- Forcibly kills Anti-Virus program(Avira)
- Changes start page
- Registers malicious link file on start-up program
- Activates remote desktop
- Deactivates Task manager
- Continuous linking on certain external site(It can work as a Bot on sometimes)
- Changes all folder's property as hidden and creates link file as same name as existed folder

We can find 2 Ink files after extracting.


2 lnk files


- Informacion Importante.lnk (1,778 bytes)
- Mejores Amigos.lnk (1,762 bytes)

These icons are being looked like as help file and messenger. On running, both can download additional malicious file with using "mshta.exe", application related executable file. Following figure shows commands.


On executing additional malicious file(msnmsgr.tpl) by certain command, it will download various script file and malicious files.

Downloaded malicious script files download other malicious files to be shown as a MSN messenger(Spainish version).


Besides, it changes start page, deactivates task manager, activates remote desktop and sets shell script command.


With using certain command, it kills Anti-Virus(Avira) and browsersIt tries to access on certain external server and can download additional malicious file and be worked as a bot by certain command from remote server.


It changes all folders property to hidden and creates link files on being infected.


These new link files looked same as previous folders. Users can click these files.

Following malicious behavior also can be worked.


3. How to prevent

Spreading malicious file with e-mail is very traditional. But a lot of users are still trying to open its attachment and being infected. To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs responding system against various security threats.

5 comments:

  1. You are looking for a tracking software and still have doubts about installing mobistealth? Well, read some mobistealth reviews than!

    ReplyDelete
  2. Thanks for sharing.I found a lot of interesting information here. A really good post, very thankful and hopeful that you will write many more posts like this one.
    akinator.ooo
    xender.vip
    kik.onl

    ReplyDelete
  3. This is beautiful place i really like her dress thank you so much. Meowchat Nomao camera Cartoon Camera

    ReplyDelete
  4. If you receive the error message “The program cannot start because MSVCP140.dll is missing MSVCP140.dll is missing on the computer” or “The code execution cannot be continued because the system did not detect the MSVCP140.dll” while trying to open a program such as WAMP Server, Skype.
    We need to remove the old unnecessary driver versions and install new ones from the manufacturer. How to remove old drivers in Windows.Every time a driver is updated time after time, then old backup copies of the drivers remain in the system
    Does your computer freeze after connecting a USB device or Computer or laptops works slowly Computer or laptops works slowly?? If this is the case, the faulty device may be the culprit of why the computer turns off and then freezes.
    This situation becomes a mystery to many users because they cannot identify it. What is ACPI INT33A0 0 .What is ACPI INT33A0 0?Device Manager shows a list of devices installed in Windows 10, but sometimes you see a yellow triangle with an exclamation mark, marked as “Other device”.
    How to solve How to fix Black Screen after updating Windows 10Installing the patch KB4043292 solves the problem with a black screenMicrosoft has released a patch designed to solve this problem and ensure the normal operation of computers.
    However, sometimes, when you connect a USB flash drive to a computer, the disk may not appear in “my computer”, this also applies to SD and microSD memory cards.If The flash drive does not appear in “My Computer in the explorer, you can try the solutions below to re-enable the external drive in Explorer
    If we can find out on the computer that the hard disk needs to be defragmented, then we will not identify significant problems in the RAM of the computer or laptop. How to check the RAM for errors in Windows . RAM errors are hard to fix.

    How to enter the safe mode of Windows 10 .Step 1. Hold down the windows + X buttons, select Restart and hold the left Shift button until the diagnostic parameters enter.
    The most common error is the ACPI_BIOS_ERROR error , followed by the value 0x000000A5. If you are one of those who encountered this error, we will show below some of the actions or recommendations for eliminating this error.
    Causes and troubleshooting IRQL_GT_ZERO_AT_SYSTEM_SERVICE in Windows 10. IRQL_GT_ZERO error in Windows .May occur due to hardware drivers, devices. If any devices are connected to the USB ports, then pull them out, especially for flash drives.




    ReplyDelete