
7/15/2012

[Information] Malicious e-mail disguised as sent from a wine company


1. Introduction

The INCA Internet response team has detected a malicious e-mail disguised as being sent from one of the premium wine and spirits distributors. The sender field carries a real name and mail address from the company's Denmark branch. Its main feature is that it uses link (.lnk) files for infection. Once a system is infected, the malware forcibly stops certain anti-virus programs and shows the main screen of a certain messenger, including MSN. The files are written in Spanish, and no infection has been found in Korea so far.

As these kinds of malicious files spread more widely, users need to be careful when using the Internet and protect themselves from malicious e-mails.



2. Spreading cases and symptom of infection

This malicious e-mail is disguised as being sent from a wine company and induces the user to download a malicious file. Once the system is infected, the malware collects the victim's mail contacts and tries to send the same mail to the collected addresses.


The sender's address appears to be from the Denmark branch, so users can easily be fooled. The following image shows the real "Jacob Hertz".


The malicious functions are as follows.

- Downloads additional malicious files
- Forcibly kills the anti-virus program (Avira)
- Changes the browser start page
- Registers a malicious link file in the start-up programs
- Activates remote desktop
- Deactivates Task Manager
- Continuously connects to a certain external site (it can sometimes work as a bot)
- Sets every folder's attribute to hidden and creates a link file with the same name as the existing folder

Two .lnk files are found after extracting the attachment.


- Informacion Importante.lnk (1,778 bytes)
- Mejores Amigos.lnk (1,762 bytes)

The icons look like a help file and a messenger. When run, both download an additional malicious file using "mshta.exe", the Windows executable that runs HTML applications. The following figure shows the commands.


When the additional malicious file (msnmsgr.tpl) is executed by a certain command, it downloads various script files and malicious files.

The downloaded malicious script files download further malicious files that present themselves as the MSN Messenger (Spanish version).


It also changes the start page, deactivates Task Manager, activates remote desktop and sets a shell script command.


Using a certain command, it kills the anti-virus program (Avira) and browsers. It tries to connect to a certain external server, from which it can download additional malicious files and act as a bot under commands from the remote server.


Upon infection, it sets the attribute of every folder to hidden and creates link files in their place.


These new link files look the same as the original folders, so users are likely to click them.
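The "hidden folder plus same-name .lnk" pattern described above is easy to check for on a suspect drive. The following detector is an added example, not code from the original post or from INCA Internet; it assumes only the Windows hidden attribute as exposed by Python's os.stat, and the directory listing it is run against is constructed.

```python
"""Detect .lnk shortcuts planted to impersonate folders that were set to hidden."""
import os
import stat
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """True if the entry carries the Windows hidden attribute.

    st_file_attributes only exists on Windows; on other filesystems a
    dot-prefixed name is used as the fallback notion of "hidden".
    """
    try:
        attrs = path.stat().st_file_attributes
    except AttributeError:
        return path.name.startswith(".")
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_folder_shadow_links(entries):
    """entries: iterable of (name, is_dir, is_hidden) for one directory.

    Returns the sorted names of .lnk files whose stem matches a hidden
    sibling folder (compared case-insensitively, as Windows does).
    """
    entries = list(entries)
    hidden_dirs = {name.casefold() for name, is_dir, hidden in entries if is_dir and hidden}
    return sorted(
        name for name, is_dir, _ in entries
        if not is_dir
        and name.casefold().endswith(".lnk")
        and name[:-4].casefold() in hidden_dirs
    )


def scan_directory(root):
    """Walk root and return {directory: [suspicious .lnk names]} for every hit."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        base = Path(dirpath)
        entries = [(d, True, is_hidden(base / d)) for d in dirnames]
        entries += [(f, False, is_hidden(base / f)) for f in filenames]
        hits = find_folder_shadow_links(entries)
        if hits:
            findings[dirpath] = hits
    return findings


# Constructed sample listing of one drive root (not taken from the post).
SAMPLE_ENTRIES = [
    ("Documentos", True, True),        # real folder, now hidden by the malware
    ("Documentos.lnk", False, False),  # planted shortcut carrying the folder's name
    ("Fotos", True, False),            # untouched, still visible folder
    ("Fotos.lnk", False, False),       # same-name shortcut but folder is not hidden
    ("leeme.txt", False, False),
]

if __name__ == "__main__":
    print(find_folder_shadow_links(SAMPLE_ENTRIES))  # ['Documentos.lnk']
```

Run scan_directory against the root of a removable drive to list every directory where the pattern appears; the .lnk files themselves should be inspected, not double-clicked.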

The following malicious behavior can also occur.


3. How to prevent

Spreading malicious files by e-mail is a very traditional method, but many users still open such attachments and get infected. To keep your PC safe from the security threats posed by these malicious attachments, we recommend that you install the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and use the real-time detection function.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious of links sent through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
