Full Disclosure mailing list archives

RE: A worm...


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 26 Jun 2003 09:43:41 -0400

Hi Peter,

Thanks for the background info.  Because of the password issue, any
security protections for .ZIP files need to be built into an unzipper
program.  As a minimum, Microsoft needs to put a warning dialog in the
Windows unzipper when double-clicking on an executable file in a .ZIP
file that comes attached to an email message.  Better yet, don't allow
.ZIP files to be opened from an email message.  Force people to save
them first.  Netscape had this second basic protection scheme in
Communicator years ago.

Richard

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Peter Kruse
Sent: Thursday, June 26, 2003 8:57 AM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] A worm...


Hi Richard,

Well, it might be the first widespread one of its kind but it's certainly
not the first to use zip to hide itself. Also it's trendy to put
malicious code inside the new rar format and spread it. I suppose it's
fairly easy to write a worm that packs itself with a random password and
inserts this into an e-mail sent to the victim. This way it will pass
most AV-gateway scanners since they won't have access to scan inside the
zip archive.

Also XP is quite vulnerable to this type of trick. If you attach a zip
file and open it on Windows XP, the built-in zip feature will open
the zipped file in a new window from where the user can activate the
malicious file directly without unzipping the files :-(

Others that have used the zip trick include bogusbear. A search on google
will give you plenty of hits.

I did write an article about this back in October 2002. Unfortunately
it's in Danish so many of you guys won't understand a word. Anyway, I
pointed out that this would be used in future malicious code and so it
happened - I guess I got "lucky".
http://www.comon.dk/index.php?page=news:show,id=12315

Med venlig hilsen // Kind regards

Peter Kruse
Kruse Security
http://www.krusesecurity.dk



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
Richard M. Smith
Sent: 26 June 2003 13:55
To: full-disclosure () lists netsys com
Subject: RE: [Full-Disclosure] A worm...


This is the first worm that I am aware of that hides itself
inside of a .ZIP file.  This trick prevents the worm
executable from being deleted by the Outlook Security Update.
Looks like Microsoft will need to now think about how to
deal with malicious code inside of attached .ZIP files.
Outlook 2002 does provide a security warning when opening the
.ZIP file.  But everyone knows that .ZIP files are safe,
right?  I don't believe there is any security warning when
running the .PIF file inside of the .ZIP, but I didn't try
this particular experiment. ;-)

Richard

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of KF
Sent: Wednesday, June 25, 2003 9:11 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] A worm...


I believe Simon is well aware of what virus this is... the question was
in relation to the zipping of the payload. I believe he was wondering if
this (zipping of payload) was some new Antivirus evasion trick or if
there was something more to it (like simply hoping a retarded user would
unzip and run the .pif).

I know what it is, but since when did the pif worm start zipping
itself? Did I miss something?

-KF


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
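Two points in this thread call for the same check on the receiving side: Peter's observation that a password-protected archive passes AV gateways because they cannot look inside it, and Richard's suggestion that an executable inside an attached .ZIP deserves at least a warning. The script below is an added example written for this archive page; it is not code from any of the posters. It builds a small, constructed ZIP in memory (a harmless text file plus a fake .pif entry whose "encrypted" flag bit is set) and then inspects the archive's central directory without extracting anything, which is all a mail gateway needs to decide whether to hold or block the attachment. The executable-extension list and the verdict labels are assumptions for this example, not anything the thread specifies.

```python
import io
import struct
import zipfile
import zlib

# Extensions Windows will run on a double-click from inside an archive.
# Assumed policy list for this example; adjust to local needs.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}


def build_zip(entries):
    """Construct a minimal stored (uncompressed) ZIP from (name, data, encrypted)
    tuples. 'encrypted' only sets general-purpose flag bit 0, which is exactly
    what a gateway sees in the headers; the bytes themselves are left as is.
    Constructed helper for this example, not a real sample."""
    body = io.BytesIO()
    central = io.BytesIO()
    for name, data, encrypted in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        flags = 0x0001 if encrypted else 0
        offset = body.tell()
        # Local file header: sig, version needed, flags, method (0 = stored),
        # mod time, mod date (1980-01-01), crc, comp size, uncomp size,
        # name length, extra length.
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                               crc, len(data), len(data), len(name_b), 0))
        body.write(name_b)
        body.write(data)
        # Central directory header: sig, version made by, version needed, flags,
        # method, time, date, crc, sizes, name/extra/comment lengths, disk start,
        # internal attrs, external attrs, local header offset.
        central.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                                  0, 0, 0x21, crc, len(data), len(data),
                                  len(name_b), 0, 0, 0, 0, 0, offset))
        central.write(name_b)
    cd_offset = body.tell()
    cd_bytes = central.getvalue()
    body.write(cd_bytes)
    # End of central directory record.
    body.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                           len(entries), len(cd_bytes), cd_offset, 0))
    return body.getvalue()


def scan_attachment(zip_bytes):
    """Inspect a ZIP attachment's directory without extracting it.
    Returns a list of (entry name, [reasons]) for entries worth acting on."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            # Bit 0 of the general-purpose flags marks a password-protected entry:
            # the gateway cannot scan its content, which is the evasion described.
            if info.flag_bits & 0x0001:
                reasons.append("encrypted: content cannot be scanned")
            lower = info.filename.lower()
            if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                reasons.append("executable entry")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def gateway_verdict(findings):
    """Map findings to an action. Assumed policy: block executables outright,
    hold anything encrypted for review, otherwise allow."""
    if any("executable entry" in reasons for _, reasons in findings):
        return "block"
    if any(r.startswith("encrypted") for _, reasons in findings for r in reasons):
        return "hold"
    return "allow"


# Constructed samples: a benign archive and one mimicking the thread's case
# (a password-flagged .pif next to a decoy text file). The .pif bytes are dummy.
BENIGN_ZIP = build_zip([("notes.txt", b"meeting at ten", False)])
SUSPECT_ZIP = build_zip([("readme.txt", b"see attached", False),
                         ("photo.pif", b"MZ\x90\x00dummy", True)])


def scan_benign():
    return scan_attachment(BENIGN_ZIP)


def scan_suspect():
    return scan_attachment(SUSPECT_ZIP)


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_ZIP), ("suspect", SUSPECT_ZIP)):
        found = scan_attachment(data)
        print(label, gateway_verdict(found), found)
```

The scan never opens entry contents, so it works on encrypted archives and costs almost nothing per message; the trade-off is that it keys on names and flags rather than payload, so it is a policy check to sit in front of content scanning, not a replacement for it.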
