On Fri, 3 Aug 2001 04:15:47 -0400 (EDT), Thomas Mueller wrote:
> What kind of file was pearl_harbor.zip.bat? Was it a ZIP file or did it look
> like a text .BAT file? Certainly not a well-named DOS .BAT file!
and Glenn McCorkle responded:
It was an actual .ZIP file.
The Sircam worm grabbed it from the temp dir on the sending computer and
wrote the worm portion of the code into an already existing file.
It then renamed it from pearl_harbor.zip to pearl_harbor.zip.bat and sent
the new file out to everyone it could find in the sender's address book.
The .bat was added to the file extension so that the "worm" would then
be automatically run by any receiving computer on which the owner had
not turned off the default setting of MS Outlook Express.
Yes... MSOE is so STUPID that the default setting just goes right ahead
and runs ANY file which can be run.
(.BAT, .EXE, .PIF, .DOC, .LNK, perhaps several others that I'm not
remembering right at this moment)
I tried unzipping the file after cleaning the infection out of it.
Most of the stuff was corrupted.
What I was able to unzip turned out to be a Windows wallpaper changer
program (and most of its associated files).
The sender was infected by the Sircam worm and then it began sending
itself out to everyone it could.
That's how these worms are able to continue spreading themselves.
(the owner of the machine has no idea what's going on until it's too late)
(end of quote)
How does MSOE or Windows know that README.txt.pif is a .pif while
pearl_harbor.zip.bat is a .zip and not a .bat? I thought the portion of the
file name after the last dot determined the file type or category, allowing for
the fact that a .COM file can really be an .EXE and vice versa. I received two
messages from one sender with Badtrans-viral attachments, s3msong.MP3.pif and
README.txt.pif, which were .pif files but which are listed as the safe-looking
README.txt and s3msong.MP3 in the Windows software. These .pif files couldn't
do anything to me in DR-DOS 7.03.
Maybe valid DOS/Windows-console commands were included in the .zip file as
comments so it could run as a .bat?
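The rule the poster suspects is the one Windows actually applies: only the text after the last dot selects the file type, so pearl_harbor.zip.bat is a batch file whatever its contents, and README.txt.pif is a .pif. What makes such names look safe is Explorer's option to hide extensions of registered types, which displays README.txt.pif as README.txt. The following is an added example, not code from this thread or from any mail product, showing how a mail gateway would classify attachment names by that last-dot rule and flag the double-extension trick. The sets RUNNABLE and DECOY are assumptions for illustration (the first takes the extensions named in the thread and is far from complete); the attachment names are the ones quoted in the thread plus a few constructed benign ones.

```python
"""Classify attachment names the way Windows does: by the text after the LAST dot.

Added example for the thread above; not code from the original post.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Extensions Windows runs (or opens in a program that can run embedded code)
# on double-click.  .BAT .EXE .PIF .DOC .LNK come from Glenn's list and .COM
# from the reply; the set is illustrative and NOT a complete list.
RUNNABLE = {"bat", "exe", "pif", "doc", "lnk", "com"}

# Harmless-looking extensions commonly used as the decoy half of a double
# extension such as README.txt.pif (assumption: illustrative set).
DECOY = {"txt", "mp3", "zip", "jpg", "gif", "htm", "html", "pdf"}


@dataclass
class Verdict:
    name: str
    effective_ext: str    # what Windows uses: the text after the last dot
    displayed_name: str   # what Explorer shows when known extensions are hidden
    runnable: bool        # opening it executes code
    double_extension: bool  # a decoy extension sits in front of the real one


def split_ext(name: str) -> Tuple[str, str]:
    """Return (stem, ext) split at the last dot; ext is lower-cased, '' if none.

    Mirrors Windows: 'a.zip.bat' -> ('a.zip', 'bat').  A leading-dot name
    such as '.profile' or a trailing-dot name such as 'name.' has no
    usable extension.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    if stem == "" or ext == "":
        return base, ""
    return stem, ext.lower()


def classify(name: str) -> Verdict:
    """Apply the last-dot rule and detect the double-extension disguise."""
    stem, ext = split_ext(name)
    runnable = ext in RUNNABLE
    # Look one dot further back: is the name built to read as a decoy type?
    _, inner_ext = split_ext(stem)
    double = ext != "" and inner_ext in DECOY
    # Explorer hides the final extension only for registered types; assume
    # everything in RUNNABLE | DECOY is registered on the receiving machine.
    displayed = stem if ext in RUNNABLE | DECOY else name
    return Verdict(name, ext, displayed, runnable, double)


def suspicious(names: List[str]) -> List[str]:
    """Names a gateway should hold: anything that runs on open, plus any
    double-extension name even if its final extension is not in RUNNABLE
    (the list is incomplete, and the disguise alone is a strong signal)."""
    return [n for n in names if classify(n).runnable or classify(n).double_extension]


if __name__ == "__main__":
    # Names from the thread plus constructed benign ones.
    samples = ["pearl_harbor.zip.bat", "README.txt.pif", "s3msong.MP3.pif",
               "report.zip", "notes", "setup.exe"]
    for n in samples:
        v = classify(n)
        print(f"{n:22} ext={v.effective_ext or '-':4} shown as {v.displayed_name:18} "
              f"runnable={v.runnable} double={v.double_extension}")
    print("hold:", suspicious(samples))
```

Note that the check looks at the name only, as Outlook Express did; a gateway should also inspect content, since the .pif files in the thread were not shortcuts at all but executables renamed to an extension Windows treats as runnable.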