

Typical Symptoms
Discovered: [Korea] 2014-01-20, [Foreign] 2014-01-20
Type: Trojan Horse
Active Field: Win32
Origin: others
Encryption: NO
Location: None
Memory residence: YES
Scan engine needed: -- [Able to detect & repair]


ko.dll (MD5 : E2B7364425133698236EDE46460D1F27, SIZE : 55,296)


A. Main symptoms of infection

It collects computer information and sends the collected data to a specific email address.


B. Analysis information

1) It loads the APIs that it needs to run the malicious code.



2) It collects computer information (e.g. OS version, Product ID, host name, ...) and saves it to the path (%temp%nls303kr.lex).


3) It bypasses the firewall.



4) It tries to connect to the following mail server and log in.

- Domain :
- ID : ********* PW : ****************



5) It reads the nls303kr.lex file and encrypts its contents.
The encrypted file is saved to the path (%temp%1.pdf).


- Decoding logic


6) If the login succeeds, it sends 1.pdf via email.



7) It downloads files from the email inbox and runs them, but it does not currently download the files.

Path: %temp%kmplayer.exe
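
A triage sweep for the artifacts listed in this analysis, added here as an example and not HAURI's or ViRobot's own code. It assumes the three file names sit directly inside the temp directory, that the encrypted 1.pdf does not begin with the %PDF- header, and that ko.dll may have been renamed (so it is matched by size and MD5); sweep, md5_of and dll_roots are names chosen for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the analysis above.
KO_DLL_MD5 = "e2b7364425133698236ede46460d1f27"
KO_DLL_SIZE = 55296
STAGED_NAMES = ("nls303kr.lex", "kmplayer.exe")  # collected-info file, download path


def md5_of(path):
    h = hashlib.md5()  # MD5 only because it is the hash the page publishes
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(temp_dir, dll_roots=()):
    """Return a list of (indicator, path) findings for one host."""
    temp_dir = Path(temp_dir)
    findings = []
    for name in STAGED_NAMES:
        p = temp_dir / name
        if p.is_file():
            findings.append((name, str(p)))
    # Assumption: the encrypted 1.pdf lacks the PDF magic bytes, so a
    # genuine document that happens to be named 1.pdf is not flagged.
    pdf = temp_dir / "1.pdf"
    if pdf.is_file():
        with open(pdf, "rb") as fh:
            if fh.read(5) != b"%PDF-":
                findings.append(("1.pdf (not a PDF)", str(pdf)))
    # File size is a cheap pre-filter before hashing each DLL candidate.
    for root in dll_roots:
        for p in Path(root).rglob("*.dll"):
            try:
                if p.stat().st_size == KO_DLL_SIZE and md5_of(p) == KO_DLL_MD5:
                    findings.append(("ko.dll MD5", str(p)))
            except OSError:
                continue  # unreadable or locked file: skip it, keep sweeping
    return findings


if __name__ == "__main__":
    for indicator, path in sweep(tempfile.gettempdir()):
        print(f"{indicator}\t{path}")
```

Pass the directories to search for the DLL in dll_roots; with none given, only the temp-directory artifacts are checked.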


Removal Instructions

[How to repair]

Reparable by ViRobot engine ver.2014-02-13 or above.

Copyright 2008 @ HAURI Inc. All rights reserved.