
8/29/2012

[Information] 2012 London Olympic schedule, or a malicious file.

1. Introduction

The London 2012 Olympic Games are under way, and the world's attention is on the Olympics. While athletes are competing, attackers are spreading malicious files disguised as the Olympic schedule. This malicious file uses a PDF font exploit and still displays the Olympic schedule, so general users cannot tell whether they have been infected.



2. Spreading path and symptom of infection

This file can be spread as an e-mail attachment, through SNS, or as a link sent over an instant messenger. It uses a PDF font exploit; the affected versions are listed below.

Affected versions

- Adobe Reader 9.3.4 or lower
- Adobe Acrobat 9.3.4 or lower

This malicious file uses an exploit that causes a stack overflow through a certain table in an encrypted TTF (TrueType Font) stream embedded in the PDF file. The code is as follows.


When the file is opened, it displays the PDF document as follows.


In addition, it creates further malicious files on the following paths.

Created files

- (User temp folder)\~temqp.tmp (53,248 bytes)
- (User temp folder)\explorer.exe (53,248 bytes)
- (User temp folder)\~vmdmc.exe (484,864 bytes, copy of normal cmd.exe)

Registry values

- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Name : "arun"
- Data : "(User temp folder)\explorer.exe"

(User temp folder) is generally "C:\Documents and Settings\(User account)\Local Settings\Temp".

These malicious files use the icon of a Word document.
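As an added example, not code from the original post or from INCA Internet, the following Python check matches the indicators listed above (the "arun" Run value, and the file names and sizes dropped into the user's Temp folder) against a registry value listing and a directory listing. Live collection through winreg is only attempted on Windows; the sample inputs at the bottom are constructed.

```python
import os
from pathlib import Path

# Indicators taken from the advisory above: dropped file names with their sizes,
# and the name of the Run value used for persistence.
FILE_IOCS = {"~temqp.tmp": 53248, "explorer.exe": 53248, "~vmdmc.exe": 484864}
RUN_VALUE_NAME = "arun"


def check_run_entries(run_values):
    """run_values: {value_name: data} read from HKCU\\...\\CurrentVersion\\Run.
    Flags the 'arun' value, and any Run entry that starts an explorer.exe
    located outside the Windows directory (the real one never needs a Run entry)."""
    findings = []
    for name, data in run_values.items():
        data_l = data.strip('"').lower()
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value '{name}' -> {data}")
        elif data_l.endswith("\\explorer.exe") and "\\windows\\" not in data_l:
            findings.append(f"Run value '{name}' starts explorer.exe from a non-system path: {data}")
    return findings


def check_temp_files(temp_listing):
    """temp_listing: {file_name: size_in_bytes} of the user's Temp folder."""
    findings = []
    for fname, size in temp_listing.items():
        expected = FILE_IOCS.get(fname.lower())
        if expected is not None:
            note = "size matches" if size == expected else f"size differs ({size} vs {expected})"
            findings.append(f"Temp file '{fname}': {note}")
    return findings


def scan_live_windows_host():
    """Read the real Run key and %TEMP% listing on a Windows host; no-op elsewhere."""
    if os.name != "nt":
        return [], []
    import winreg
    run, i = {}, 0
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:  # raised once the value index runs past the end
            break
        run[name], i = str(data), i + 1
    temp = Path(os.environ.get("TEMP", ""))
    listing = {p.name: p.stat().st_size for p in temp.iterdir() if p.is_file()} if temp.is_dir() else {}
    return check_run_entries(run), check_temp_files(listing)


# Constructed sample input mirroring the advisory's indicators.
SAMPLE_RUN = {"arun": r"C:\Documents and Settings\user\Local Settings\Temp\explorer.exe"}
SAMPLE_TEMP = {"~temqp.tmp": 53248, "~vmdmc.exe": 484864, "notes.txt": 12}

if __name__ == "__main__":
    print(check_run_entries(SAMPLE_RUN) + check_temp_files(SAMPLE_TEMP))
```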


These malicious files also attempted to connect to a certain external site in China, but that site can no longer be reached.


3. How to prevent

Against malicious files that use document exploits, prevention in advance is very difficult, and they are often combined with social engineering. To use your PC safely despite the threat of such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes these files and their variants.

Free installation link for nProtect AVS: http://avs.nprotect.com/

- Diagnosis names

- Trojan/W32.Agent.53248.CYM
- Trojan-Exploit/W32.Pidief.291556.JVF
- Trojan/W32.Agent.53248.DDR
