The attacks, in which floods of computers tried to connect to a single Web site at the same time to overwhelm the server, caused outages on prominent government-run sites in both countries.
The finding adds to concern that contaminated computers were ordered to damage their own hard disks or files after the Web assaults.
Still, the new finding does not mean information was stolen from attacked Web sites, such as those of the White House and South Korea's presidential Blue House, police said. It also does not address suspicions about North Korea's involvement, they said.
Police reached those conclusions after studying a malicious computer code in an analysis of about two dozen computers - a sample of the tens of thousands of computers that were infected with the virus that triggered the attacks, said An Chan-soo, a senior police officer investigating the cyberattacks. The officer said only lists of files were extracted, not the files themselves.
"It's like hackers taking a look inside the computers," An said. "We're trying to figure out why they did this."
Extracted file lists were sent to 416 computers in 59 countries, 15 of them in South Korea. Police have found some file lists in 12 receiver computers and are trying to determine whether hackers broke into those systems and stole the lists, An said.
Investigators have yet to identify the hackers or determine for sure where they operated from. Dozens of high-profile U.S. and South Korean Web sites were targeted.
There have been no new Web attacks since the last wave launched Thursday evening.
South Korea's spy agency, the National Intelligence Service, lowered the country's cyberattack alert Monday as affected Web sites returned to normal.
The agency's National Cyber Security Center told ruling party lawmakers Tuesday that the attacks were presumed to have been either a practice run or of a preliminary nature, Yonhap news agency said. No details were given on whether another attack was expected.
North Korea is suspected of involvement. The spy agency told lawmakers last week that a North Korean military research institute had been ordered to destroy the South's communications networks, local media reported.
The agency said in a statement Saturday that it has "various evidence" of North Korean involvement, but cautioned it has yet to reach a final conclusion.
Seoul's state-run Korea Communications Commission said Tuesday that it has blocked an IP address in Britain following a report from a Vietnamese antivirus firm that the address was used to distribute last week's virus.
However, the identity of the IP address - the Web equivalent of a street address or phone number - does not clarify much. It is likely the hackers used the address to disguise themselves - for instance, by accessing the computers from a remote location. IP addresses can also be faked or masked, hiding their true location.
Get Action News on your website
