8/29/2012

[Information] 2012 London Olympic schedule, or a malicious file.

1. Introduction

The London 2012 Olympic Games are under way and the world's attention is on the Olympics. While the athletes compete, attackers are spreading malicious files disguised as the Olympic schedule. This malicious file uses a PDF font exploit and still displays an Olympic schedule when opened, so ordinary users cannot tell whether they have been infected.



2. Spreading path and symptoms of infection

This file can be spread as an e-mail attachment, through SNS, or as a link sent over an instant messenger. It uses a PDF font exploit, and the affected versions are as follows.

Affected versions

- Adobe Reader 9.3.4 or lower
- Adobe Acrobat 9.3.4 or lower

This malicious file uses an exploit that causes a stack overflow through a certain table of an encrypted TTF (TrueType Font) stream embedded in the PDF file. The code is as follows.


When this file is opened, it displays a PDF document as shown below.


In addition, it creates the following malicious files on the paths below.

Created files

- (User temp folder)\~temqp.tmp (53,248 bytes)
- (User temp folder)\explorer.exe (53,248 bytes)
- (User temp folder)\~vmdmc.exe (484,864 bytes, copy of normal cmd.exe)

Registry values

- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  - Name : "arun"
  - Data : "(User temp folder)\explorer.exe"

(User temp folder) is generally "C:\Documents and Settings\(User account)\Local Settings\Temp".
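As an added example (not part of the original post), a Python triage check for the persistence indicators listed above: it flags HKCU Run values that launch from the user temp folder or carry the value name "arun", and matches a temp-folder listing against the dropped file names and sizes. The sample Run entries and listing are constructed; `scan_live_host` is an assumed helper that reads the real Run key and %TEMP% on Windows.

```python
import os
import sys

# Indicators from the post: the Run value name and the dropped file names/sizes.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "arun"
DROPPED_FILES = {"~temqp.tmp": 53248, "explorer.exe": 53248, "~vmdmc.exe": 484864}

def _norm(path):
    # Lower-case a Windows path, strip quotes and trailing slashes, for comparison.
    return path.strip().strip('"').replace("/", "\\").rstrip("\\").lower()

def suspicious_run_entries(run_entries, temp_folder):
    """Return (name, data) pairs from {value name: command} that match this sample:
    the value name "arun", or any autorun whose target lives in the user temp
    folder (a legitimate explorer.exe autorun never points into %TEMP%)."""
    temp = _norm(temp_folder)
    return [(name, data) for name, data in run_entries.items()
            if name.lower() == RUN_VALUE_NAME or _norm(data).startswith(temp + "\\")]

def dropped_file_hits(temp_listing):
    """Match a {filename: size} listing of %TEMP% against the dropped files; name
    and size must both match so an unrelated explorer.exe copy is not flagged."""
    return sorted(n for n, size in temp_listing.items() if DROPPED_FILES.get(n.lower()) == size)

def scan_live_host():
    """Windows only (assumed usage): read the HKCU Run key and %TEMP%, run both checks."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live scan requires Windows; the pure functions work anywhere")
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised once the last value has been enumerated
                break
            entries[name], i = str(data), i + 1
    temp = os.environ.get("TEMP", "")
    listing = {f: os.path.getsize(os.path.join(temp, f))
               for f in os.listdir(temp) if os.path.isfile(os.path.join(temp, f))}
    return suspicious_run_entries(entries, temp), dropped_file_hits(listing)

# Constructed sample data (not from the post), in the shape scan_live_host() collects.
SAMPLE_TEMP = r"C:\Documents and Settings\alice\Local Settings\Temp"
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "arun": r"C:\Documents and Settings\alice\Local Settings\Temp\explorer.exe",
}
SAMPLE_LISTING = {"~temqp.tmp": 53248, "explorer.exe": 53248, "~vmdmc.exe": 484864, "notes.txt": 12}
```

Running `suspicious_run_entries(SAMPLE_RUN, SAMPLE_TEMP)` returns only the "arun" entry, and `dropped_file_hits(SAMPLE_LISTING)` returns the three dropped files but not notes.txt.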

These malicious files use a Microsoft Word document icon.


These malicious files also attempted to connect to a certain external site in China, but that site can no longer be reached.


3. How to prevent

With malicious files that use a document file exploit, it is almost impossible to guard against infection in advance, and such files can also be combined with social engineering techniques. To keep your PC safe from these malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and leave real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes the various variant files.

Free installation link for nProtect AVS: http://avs.nprotect.com/

Diagnosis names

- Trojan/W32.Agent.53248.CYM
- Trojan-Exploit/W32.Pidief.291556.JVF
- Trojan/W32.Agent.53248.DDR
