
Fake Archiver Product Found in Korea

Updated: 29 Jun 2009
Masaki Suenaga

A fake installer for the Korean version of ALZIP, a commercial archiver application and a component of the ALTOOLS suite from ESTsoft Corp., was recently discovered. Symantec detects the fake installer as Trojan.Dropper.

When the fake installer is executed, it displays the same window as the genuine application and then installs the genuine archiver, so the victim sees a normal-looking installation. During installation it also drops a second executable, which in turn drops Backdoor.Trojan and Hacktool.Keylogger. A third dropped file, detected as Hacktool.Rootkit, hides these two components from the user.

The rootkit does not hide the files in Safe Mode, however. The hidden files are:
%System%\yoorycom.d1l
%System%\yoorycom.dll
%System%\drivers\yoorycom.sys

A user can determine whether his or her computer is infected with this malware by creating a file named 'yoorycom.txt'. One of two things will happen: either an error occurs immediately when the file is saved, or the file becomes invisible within a few seconds. Either symptom indicates that the fake ALZIP installer, and not the genuine one, was run.

The genuine installer carries a digital signature while the fake version does not, so users should confirm that their copy of the ALZIP installer is digitally signed before going ahead with the installation. Furthermore, because substituting a fake installer for a genuine one is a common practice, we recommend that users download applications only from the vendor's genuine Web site.
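The two checks described above, the signature check on the installer and the 'yoorycom.txt' probe, can be scripted. The following PowerShell is an added example and is not code from the original post or from Symantec; it uses only built-in cmdlets. The installer file name (ALZip.exe), the location of the probe file (the user's %TEMP% folder) and the five-second wait are assumptions for illustration; the post gives only the probe file name and the three %System% paths.

```powershell
# Added example, not part of the original Symantec post.
# 1) Check an installer for an Authenticode signature before running it.
# 2) Probe for the yoorycom rootkit using the yoorycom.txt test from the post.
# 3) In Safe Mode, look for the three dropped files by path.

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)   # e.g. '.\ALZip.exe' (assumed file name)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        Write-Host "Signed and valid. Signer: $($sig.SignerCertificate.Subject)"
        return $true
    }
    # 'NotSigned' matches the fake installer described in the post; 'HashMismatch'
    # or 'UnknownError' mean a signature exists but cannot be trusted either.
    Write-Warning "Do NOT run this installer: signature status is '$($sig.Status)'"
    return $false
}

function Test-YoorycomInfection {
    # Probe location is an assumption; the post only specifies the file name,
    # and the rootkit appears to hide files by name.
    $probe = Join-Path $env:TEMP 'yoorycom.txt'

    # Symptom 1 from the post: the write fails immediately.
    try {
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
    } catch {
        Write-Warning "Infected: creating $probe failed immediately ($($_.Exception.Message))"
        return $true
    }

    # Symptom 2 from the post: the file vanishes within a few seconds.
    Start-Sleep -Seconds 5   # wait time is an assumption
    if (-not (Test-Path -LiteralPath $probe)) {
        Write-Warning "Infected: $probe became invisible after it was created"
        return $true
    }

    Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
    Write-Host "No sign of the yoorycom rootkit: probe file stayed visible"
    return $false
}

function Test-YoorycomFilesInSafeMode {
    # Only meaningful when booted into Safe Mode, where the rootkit does not
    # hide its files. %System% is normally C:\Windows\System32.
    $sys = [Environment]::SystemDirectory
    $files = @(
        (Join-Path $sys 'yoorycom.d1l'),
        (Join-Path $sys 'yoorycom.dll'),
        (Join-Path $sys 'drivers\yoorycom.sys')
    )
    $found = @($files | Where-Object { Test-Path -LiteralPath $_ })
    if ($found.Count -gt 0) {
        Write-Warning "Rootkit components present:"
        $found | ForEach-Object { Write-Warning "  $_" }
        return $true
    }
    Write-Host "None of the known yoorycom files are present"
    return $false
}

# Usage (uncomment as needed):
#   Test-InstallerSignature -Path '.\ALZip.exe'   # before installing
#   Test-YoorycomInfection                        # on a suspect system, normal boot
#   Test-YoorycomFilesInSafeMode                  # after restarting in Safe Mode
```

Run the signature check first and refuse to execute anything that does not come back 'Valid'; a status of 'NotSigned' is exactly what the fake installer would produce. The infection probe must be run from a normal boot, since the rootkit is inactive in Safe Mode; conversely, the path check is only reliable in Safe Mode, for the same reason.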

Norton AntiVirus 2007 Auto-Protect detects and removes Backdoor.Trojan when it executes. To remove the remaining malicious files, Symantec recommends that users restart their computers in Safe Mode, where the rootkit cannot hide them, and perform a full scan.