Trojan Horse
[Korea] 2014-01-20 [Foreign] 2014-01-20
-- [Able to detect & repair]


ko.dll (MD5 : E2B7364425133698236EDE46460D1F27, SIZE : 55,296 bytes)


A. Main symptoms of infection

It collects information about the infected computer and sends the collected data to a specific email account as an attachment.


B. Analysis information

1) It loads the Windows APIs it needs at run time before executing the malicious code.



2) It collects computer information (e.g. OS version, Product ID, host name, ...) and saves it in cleartext to the path (%temp%nls303kr.lex).
</gml_replace>
<gr_replace lines="23" cat="clarify" orig="3) It bypasses">
3) It bypasses the host firewall so that its outbound mail connection is not blocked.


3) It bypasses firewall.



4) It tries to connect to the following mail server and log in with the credentials below (masked here).

- Domain :
- ID : ********* PW : ****************



5) It reads the nls303kr.lex file and encrypts its contents.
The encrypted copy is saved to the path (%temp%1.pdf); the .pdf extension is only a disguise for the attachment.


- Decoding logic


6) If the login succeeds, it sends 1.pdf via email as an attachment.



7) It also checks the email inbox for files to download and run. At the time of analysis no such file was being served, so nothing was downloaded.

Download path: %temp%kmplayer.exe
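The three dropped file names above (nls303kr.lex, 1.pdf, kmplayer.exe) and the MD5 of ko.dll are enough for a simple host check. The script below is an added example for this write-up, not ViRobot's own tooling: it scans a directory (by default %TEMP%) for the dropped file names and hashes every file against the known sample MD5, so a renamed copy of the DLL is still caught. The function names, the finding format and the sample files built in demo() are this script's own choices; the sample contents are constructed and do not reproduce the real DLL.

```python
"""Hunt for the on-disk artifacts described in this analysis.

Added example, not part of the original ViRobot write-up. Function names,
the finding layout and the constructed sample files are assumptions of
this script; only the file names and the MD5 come from the analysis.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the analysis above (hash lower-cased for comparison).
KNOWN_MD5 = {
    "e2b7364425133698236ede46460d1f27": "ko.dll (55,296 bytes)",
}
DROPPED_NAMES = {
    "nls303kr.lex": "collected host information (cleartext)",
    "1.pdf": "encrypted copy of nls303kr.lex, sent as mail attachment",
    "kmplayer.exe": "payload fetched from the mailbox inbox",
}


def md5_of(path):
    """MD5 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.md5()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_dir(directory, known_md5=KNOWN_MD5, dropped=DROPPED_NAMES):
    """Return a list of (path, reason) findings for files in `directory`.

    A file is reported when its name matches a dropped artifact, when its
    MD5 matches a known sample, or both. Every file is hashed, not only
    the expected names, so a renamed copy of the DLL is still reported.
    """
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        reasons = []
        name = path.name.lower()
        if name in dropped:
            reasons.append("dropped file name: " + dropped[name])
        try:
            digest = md5_of(path)
        except OSError:
            continue  # unreadable (locked) file: skip rather than abort the scan
        if digest in known_md5:
            reasons.append("MD5 %s matches %s" % (digest, known_md5[digest]))
        if reasons:
            findings.append((str(path), "; ".join(reasons)))
    return findings


def demo():
    """Constructed sample directory: two dropped-name hits, one clean file,
    and one renamed binary whose hash is registered as 'known' only for
    this demo (a stand-in for ko.dll, not the real sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "nls303kr.lex").write_text("OS=Windows 7; HostName=LAB-PC\n")
        (base / "1.pdf").write_bytes(b"\x9a\x3f\x00\x41" * 8)
        (base / "notes.txt").write_text("unrelated user file\n")
        renamed = base / "helper.dll"
        renamed.write_bytes(b"MZ" + b"\x00" * 30)
        known = dict(KNOWN_MD5)
        known[md5_of(renamed)] = "constructed stand-in for ko.dll"
        return scan_dir(base, known_md5=known)


if __name__ == "__main__":
    # Real use: scan_dir(os.environ.get("TEMP", tempfile.gettempdir()))
    for found_path, reason in demo():
        print(found_path, "->", reason)
```

On a live host, run scan_dir() against %TEMP% of every user profile, not only the current one, since the DLL writes to the %temp% of whichever account loaded it.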


[How to repair]

Repairable with ViRobot engine version 2014-02-13 or later.