On Fri, 3 Aug 2001 04:15:47 -0400 (EDT), Thomas Mueller wrote:
<snip>
> from Glenn McCorkle:
>> Ahhh... you mean like this one?? (the second one this week) :(
>> (this time it arrived as "pearl_harbor.zip.bat") [ over 500kb ]
> What kind of file was pearl_harbor.zip.bat ? Was it a ZIP file or did it look
> like a text .BAT file? Certainly not a well-named DOS .BAT file!
It was an actual .ZIP file.
The sircam worm grabbed it from the temp dir on the sending computer and
wrote the worm portion of the code into an already existing file.
It then renamed it from pearl_harbor.zip to pearl_harbor.zip.bat and sent
the new file out to everyone it could find in the sender's address book.
The .bat was added to the file extension so that the "worm" would then
be automatically run by any receiving computer on which the owner had
not turned off the default setting of MS-outlook express.
Yes... MSOE is so STUPID that the default setting just goes right ahead
and runs ANY file which can be run.
(.BAT, .EXE, .PIF, .DOC, .LNK, perhaps several others that I'm not
remembering right at this moment)
I tried unzipping the file after cleaning the infection out of it.
Most of the stuff was corrupted.
What I was able to unzip turned out to be a Windows wallpaper changer
program. (and most of its associated files)
The sender was infected by the Sircam worm and then it began sending
itself out to everyone it could.
That's how these worms are able to continue spreading themselves.
(the owner of the machine has no idea what's going on until it's too late)
--
Glenn
http://arachne.cz/
http://freedos-32.sourceforge.net/
http://www.delorie.com/listserv/mime/
http://www.angelfire.com/id/glenndoom/download.htm
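The attachment trick described above (a real ZIP renamed with an executable second extension so a default mail client runs it) can be caught at the mail gateway by checking the extension chain and the file's magic bytes. This is an added example, not code from the thread; the executable extension list is the one Glenn gives, the ZIP signature is the standard local-file header, and the sample attachments are constructed.

```python
import os

# Extensions the post says MS Outlook Express ran by default.
EXECUTABLE_EXTS = {".bat", ".exe", ".pif", ".doc", ".lnk"}
# Local file header that starts every ordinary ZIP archive.
ZIP_MAGIC = b"PK\x03\x04"


def split_exts(name):
    """Return the lowercased extension chain, e.g. 'a.zip.bat' -> ['.zip', '.bat']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []


def analyze_attachment(name, head):
    """Return the reasons an attachment looks like a Sircam-style lure.

    name: the attachment filename as it appears in the message
    head: the first few bytes of the attachment body
    """
    exts = split_exts(name)
    last = exts[-1] if exts else "none"
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append("executable final extension " + last)
    if len(exts) >= 2 and last in EXECUTABLE_EXTS:
        # e.g. '.zip.bat': a harmless-looking inner extension hides the real one
        reasons.append("double extension " + "".join(exts[-2:]))
    if head.startswith(ZIP_MAGIC) and last != ".zip":
        # body is a ZIP archive but the name claims something else
        reasons.append("ZIP content but extension " + last)
    return reasons


# Constructed sample attachments: (filename, first bytes of body).
SAMPLES = [
    ("pearl_harbor.zip.bat", ZIP_MAGIC + b"\x14\x00\x00\x00"),  # the lure from the post
    ("photos.zip", ZIP_MAGIC + b"\x0a\x00\x00\x00"),            # ordinary archive
    ("notes.txt", b"meeting on friday"),                        # plain text
]


def scan(samples):
    """Map each filename to its list of findings (empty list means clean)."""
    return {name: analyze_attachment(name, head) for name, head in samples}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", reasons or "ok")
```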