
7/15/2012

[Warning] Malicious e-mails with attachments disguised as image files found.


1. Introduction

The INCA Internet response team has detected a variety of malicious e-mails whose attachments are disguised as image files. Most of these threats originate abroad and are written in English, but the number of domestic (Korean-language) e-mails of this kind has been rising in recent years, so extra care is needed. The subject line, body text and attachment are changed from time to time. To deceive the recipient, the attacker chooses a compressed file containing an executable as the attachment type. If you have a suspicious file, you can send it to us for diagnosis.






2. Spreading cases and symptoms of infection

[Warning] Malicious personal message from fake LinkedIn friend
http://en-erteam.nprotect.com/2012/06/warning-malicious-personal-message-from.html

[Warning] Malicious file about portrait infringement
http://en-erteam.nprotect.com/2012/05/warning-malicious-file-about-portrait.html

[Caution] Malicious e-mail about BBB(Better Business Bureau)
http://en-erteam.nprotect.com/2012/05/caution-malicious-e-mail-about.html

Recently this type of e-mail has appeared in many variants, and its subject and contents are continuously changing.
Therefore, users need to be careful with e-mails of this kind.



The compressed attachment contains an EXE file disguised as an image file; when the user executes it, the PC is infected by the malicious file.


Some of these malicious files use a generic application icon; others use a Bart Simpson icon.
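A quick way to triage such an attachment before anyone double-clicks it is to inspect the archive members rather than trust their names. The script below is an added example (not code from the original post or from INCA Internet): it opens a zip in memory and flags members that carry an image extension followed by an executable extension, members that begin with the MZ header of a Windows executable regardless of name, and members with an image extension but no image magic bytes. The archive it scans is constructed inline, and the extension and magic lists are assumptions chosen for illustration.

```python
"""Flag executables masquerading as images inside a zip attachment.

Added example; not part of the original nProtect post. The archive built
by build_sample_zip() is constructed for illustration: member names and
bytes are made up.
"""
import io
import sys
import zipfile

# Assumed lists; extend to taste.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"GIF8", b"BM")


def suspicious_members(zip_bytes):
    """Return [(member_name, reason), ...] for members that look like an
    image by name but are executable by extension or by content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            # strip() defeats the "photo.jpg        .exe" padding trick
            parts = [p.strip() for p in base.split(".")]
            exts = ["." + p for p in parts[1:]]
            with zf.open(info) as fh:
                head = fh.read(4)
            if exts and exts[-1] in EXEC_EXTS and any(e in IMAGE_EXTS for e in exts[:-1]):
                findings.append((name, "image name with executable extension"))
            elif head.startswith(b"MZ"):
                # PE (MZ) header whatever the name says: a renamed executable
                findings.append((name, "MZ (PE) header"))
            elif exts and exts[-1] in IMAGE_EXTS and not head.startswith(IMAGE_MAGIC):
                findings.append((name, "image extension but no image magic"))
    return findings


def build_sample_zip():
    """Constructed sample: a real JPEG, a PE hidden by a double extension,
    a PE renamed to a plain .jpg, and an innocuous text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("photo.jpg.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("cute.jpg", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"hello\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real attachment path to scan it; otherwise use the sample archive.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_zip()
    for member, reason in suspicious_members(data):
        print(f"{member}: {reason}")
```

The MZ check is the important one: an icon and a file name are whatever the attacker chooses, but a Windows executable has to start with the MZ header to run.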



On execution, it drops a file named "svchost.exe" into the All Users folder and runs it.


It then adds the following registry value, so that the dropped file runs at every user logon:

Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name : SunJavaUpdateSched
Data : C:\Documents and Settings\All Users\svchost.exe

The value name imitates the one the legitimate Java auto-updater (jusched.exe) registers, and the file name imitates the Windows service host, which normally resides only in %SystemRoot%\System32. A svchost.exe under the All Users profile folder should be treated as a sign of infection.


During analysis the malicious file did not attempt to connect to any particular host; instead it listens for incoming TCP connections. It can therefore be expected to operate as a bot, carrying out various commands from whoever connects to it.
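The three symptoms above (a svchost.exe outside the system directory, a Run value named SunJavaUpdateSched that does not launch jusched.exe, and an unexpected listening TCP socket) can be checked on a host with a short script. The one below is an added example and not code from the original post or from INCA Internet. Its checks run over parsed data, so it can be exercised offline on the constructed registry entries and netstat lines embedded in it; on Windows the main block reads the live Run key with winreg and calls netstat -ano. The only values taken from the post are the value name SunJavaUpdateSched and the dropped path; the system directory list, the sample PIDs, port numbers and image paths are assumptions.

```python
"""Host checks for the persistence and network behaviour described above.

Added example; not part of the original nProtect post. SAMPLE_RUN,
SAMPLE_NETSTAT and SAMPLE_PIDS are constructed for illustration.
"""
import ntpath
import re
import sys

# Where a genuine svchost.exe lives (assumes the default %SystemRoot%).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

_EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", re.I)


def first_token(command):
    """Executable path from a Run-value command line.
    Handles quoted paths and, as a heuristic for unquoted paths with
    spaces (as in the post's Data value), cuts at the first executable
    extension."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = _EXE_PREFIX.match(command)
    if m:
        return m.group(1)
    return command.split(None, 1)[0] if command else ""


def audit_run_entries(entries):
    """entries: iterable of (value_name, value_data) from a Run key.
    Returns [(value_name, reason), ...]."""
    findings = []
    for name, data in entries:
        low = first_token(data).lower()
        exe = ntpath.basename(low)
        if exe == "svchost.exe" and not low.startswith(SYSTEM_DIRS):
            findings.append((name, "svchost.exe outside the system directory"))
        if name.lower() == "sunjavaupdatesched" and exe != "jusched.exe":
            findings.append((name, "SunJavaUpdateSched does not launch jusched.exe"))
    return findings


_NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_sockets(netstat_output):
    """Parse 'netstat -ano' text; return [(local_address, pid), ...] for
    LISTENING TCP sockets."""
    out = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def listeners_outside_system(netstat_output, pid_to_image):
    """Join listeners with their image path (e.g. from
    'wmic process get ProcessId,ExecutablePath'); flag images that are
    not under SYSTEM_DIRS."""
    flagged = []
    for addr, pid in listening_sockets(netstat_output):
        image = pid_to_image.get(pid, "")
        if image and not image.lower().startswith(SYSTEM_DIRS):
            flagged.append((addr, pid, image))
    return flagged


# Constructed sample data (PIDs, ports and the ctfmon entry are made up).
SAMPLE_RUN = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("SunJavaUpdateSched", r"C:\Documents and Settings\All Users\svchost.exe"),
]
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
"""
SAMPLE_PIDS = {
    880: r"C:\WINDOWS\system32\svchost.exe",
    1532: r"C:\Documents and Settings\All Users\svchost.exe",
}


if __name__ == "__main__":
    if sys.platform == "win32":
        import subprocess
        import winreg
        entries = []
        key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                entries.append((name, str(data)))
                i += 1
        print(audit_run_entries(entries))
        print(listening_sockets(subprocess.check_output(["netstat", "-ano"], text=True)))
    else:
        print(audit_run_entries(SAMPLE_RUN))
        print(listeners_outside_system(SAMPLE_NETSTAT, SAMPLE_PIDS))
```

On a live host, map each flagged PID to its image with tasklist or wmic before acting; a listening socket owned by a svchost.exe that is not in System32 is the combination the post describes.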


3. Summary

Spreading malicious files by e-mail is a very traditional technique, but many users still open the attachments and become infected. To keep your PC safe from the security threats posed by such attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and social networks.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
