Hi Richard,

Well, it might be the first widespread one of its kind, but it's certainly
not the first to use zip to hide itself. Also, it's trendy to put
malicious code inside the new rar format and spread it. I suppose it's
fairly easy to write a worm that packs itself with a random password and
inserts this into an e-mail sent to the victim. This way it will pass
most AV gateway scanners since they won't have access to scan inside the
zip archive.

Also, XP is quite vulnerable to this type of trick. If you attach a zip
file and open it on Windows XP, the built-in zip feature will open
the zipped file in a new window from where the user can activate the
malicious code directly without unzipping the files :-(

Others that have used the zip trick include bogusbear. A search on Google
will give you plenty of hits.

I did write an article about this back in October 2002. Unfortunately
it's in Danish, so many of you guys won't understand a word. Anyway, I
pointed out that this would be used in future malicious code and so it
happened - I guess I got "lucky".
http://www.comon.dk/index.php?page=news:show,id=12315

Med venlig hilsen // Kind regards

Peter Kruse
Kruse Security
http://www.krusesecurity.dk



> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Richard M. Smith
> Sent: 26 June 2003 13:55
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] A worm...
> 
> 
> This is the first worm that I am aware of that hides itself 
> inside of a .ZIP file.  This trick prevents the worm 
> executable from being deleted by the Outlook Security Update. 
> Looks like Microsoft will need to now think about how to 
> deal with malicious code inside of attached .ZIP files.  
> Outlook 2002 does provide a security warning when opening the 
> .ZIP file.  But everyone knows that .ZIP files are safe, 
> right?  I don't believe there is any security warning when 
> running the .PIF file inside of the .ZIP, but I didn't try 
> this particular experiment. ;-)
> 
> Richard
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of KF
> Sent: Wednesday, June 25, 2003 9:11 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] A worm...
> 
> 
> I believe Simon is well aware of what virus this is... the 
> question was in relation to the zipping of the payload. I believe he was 
> wondering if this (zipping of payload) was some new Antivirus evasion trick or if 
> there was something more to it (like simply hoping a retarded 
> user would unzip and run the .pif).
> 
> >> I know what it is, but since when did the pif worm start zipping
> >> itself?
> >> did I miss something?
> >>
> -KF
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

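The gateway-side problem Peter raises (a password-protected archive that a scanner cannot open) and Richard's point about a .PIF riding inside a .ZIP can both be addressed from metadata alone: the ZIP central directory at the end of the archive records every entry's name, sizes and whether it is encrypted, and reading it needs no password and no decompression. The following Python script is an added example written for this page, not code from any of the posters or from any product they mention. It parses the central directory by hand, flags encrypted entries and directly runnable names such as .pif, cross-checks its parse against the standard library, and builds a constructed sample archive inline; the "encrypted" bit is flipped on that sample's headers only, so no real encryption or password is involved. The file names, the extension list and the block/quarantine policy are assumptions chosen for illustration.

```python
"""Metadata-only inspection of a ZIP e-mail attachment (added example).

A mail gateway cannot decompress a password-protected entry, but the
central directory at the end of the archive still states every entry's
name, sizes and whether it is encrypted. That is enough to flag an
archive that smuggles a directly runnable file (.pif, .exe, ...) or that
cannot be content-scanned at all.
"""
import io
import os
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header
CDFH_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record
FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted

# Assumed list of extensions a gateway would treat as directly runnable.
EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def parse_central_directory(data: bytes) -> list:
    """Read every entry's metadata from the central directory; no payload is touched."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP archive")
    # EOCD layout after the signature: disk(2) cd_disk(2) entries_here(2)
    # entries_total(2) cd_size(4) cd_offset(4) comment_len(2)
    entries_total, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(entries_total):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError(f"corrupt central directory at offset {pos}")
        (_made, _need, flags, method, _time, _date, _crc, csize, usize,
         name_len, extra_len, comment_len, _disk, _iattr, _eattr,
         _local_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", errors="replace")
        entries.append({
            "name": name,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "method": method,            # 0 = stored, 8 = deflated
            "compressed_size": csize,
            "uncompressed_size": usize,
            "executable": os.path.splitext(name.lower())[1] in EXEC_EXTENSIONS,
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def assess_attachment(data: bytes) -> dict:
    """Apply an assumed gateway policy to the parsed metadata."""
    entries = parse_central_directory(data)
    encrypted = [e["name"] for e in entries if e["encrypted"]]
    executables = [e["name"] for e in entries if e["executable"]]
    if executables:
        verdict = "block"        # runnable file inside the wrapper, scannable or not
    elif encrypted:
        verdict = "quarantine"   # nothing runnable by name, but contents cannot be scanned
    else:
        verdict = "allow"        # plain archive; hand it to the content scanner
    return {"verdict": verdict, "encrypted": encrypted,
            "executables": executables, "entries": entries}


def cross_check_with_stdlib(data: bytes) -> dict:
    """Confirm the hand parser against zipfile's reading of the same headers."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: bool(zi.flag_bits & FLAG_ENCRYPTED) for zi in zf.infolist()}


def _mark_encrypted(raw: bytearray, name: bytes) -> None:
    """Set bit 0 in the local and central headers of one entry.

    Only the flag is flipped, so the archive *looks* password-protected to a
    gateway; the payload bytes stay an ordinary constructed placeholder.
    """
    for sig, flag_off, len_off, name_off in ((LFH_SIG, 6, 26, 30), (CDFH_SIG, 8, 28, 46)):
        pos = raw.find(sig)
        while pos >= 0:
            (name_len,) = struct.unpack_from("<H", raw, pos + len_off)
            if raw[pos + name_off:pos + name_off + name_len] == name:
                raw[pos + flag_off] |= FLAG_ENCRYPTED
            pos = raw.find(sig, pos + 4)


def build_sample_attachment() -> bytes:
    """Constructed sample: a note plus a 'password-protected' .pif entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "See attached. (constructed sample)\n")
        zf.writestr("message.pif", b"placeholder bytes, not a program (constructed sample)")
    raw = bytearray(buf.getvalue())
    _mark_encrypted(raw, b"message.pif")
    return bytes(raw)


if __name__ == "__main__":
    report = assess_attachment(build_sample_attachment())
    for e in report["entries"]:
        print(f"{e['name']:<14} encrypted={e['encrypted']!s:<5} runnable={e['executable']}")
    print("verdict:", report["verdict"])
```

The point of the design is that the decision is taken before any decompression: the gateway never needs the password, never runs a decoder over attacker-controlled data, and still sees the .pif name and the encrypted bit that an "AV can't look inside" archive relies on. The same metadata also makes an Outlook-style extension block enforceable on the archive's contents rather than only on the outer .zip name.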