Full Disclosure mailing list archives
SV: A worm...
From: "Peter Kruse" <kruse () krusesecurity dk>
Date: Thu, 26 Jun 2003 14:57:12 +0200
Hi Richard,

Well, it might be the first widespread one of its kind, but it's certainly not the first to use zip to hide itself. Also, it's trendy to put malicious code inside the new rar format and spread it. I suppose it's fairly easy to write a worm that packs itself with a random password and inserts this into an e-mail sent to the victim. This way it will pass most AV-gateway scanners, since they won't have access to scan inside the zip archive.

Also, XP is quite vulnerable to this type of trick. If you attach a zip file and open it on Windows XP, the built-in zip feature will open the zipped file in a new window from where the user can activate the malicious code directly without unzipping the files :-(

Others that have used the zip trick include bogusbear. A search on Google will give you plenty of hits.

I did write an article about this back in October 2002. Unfortunately it's in Danish, so many of you guys won't understand a word. Anyway, I pointed out that this would be used in future malicious code, and so it happened - I guess I got "lucky".

http://www.comon.dk/index.php?page=news:show,id=12315

Kind regards
Peter Kruse
Kruse Security
http://www.krusesecurity.dk
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Richard M. Smith
Sent: 26 June 2003 13:55
To: full-disclosure () lists netsys com
Subject: RE: [Full-Disclosure] A worm...

This is the first worm that I am aware of that hides itself inside of a .ZIP file. This trick prevents the worm executable from being deleted by the Outlook Security Update. Looks like Microsoft will need to now think about how to deal with malicious code inside of attached .ZIP files.

Outlook 2002 does provide a security warning when opening the .ZIP file. But everyone knows that .ZIP files are safe, right? I don't believe there is any security warning when running the .PIF file inside of the .ZIP, but I didn't try this particular experiment. ;-)

Richard

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of KF
Sent: Wednesday, June 25, 2003 9:11 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] A worm...

I believe Simon is well aware of what virus this is... the question was in relation to the zipping of the payload. I believe he was wondering if this (zipping of payload) was some new Antivirus evasion trick or if there was something more to it (like simply hoping a retarded user would unzip and run the .pif).

I know what it is, but since when did the pif worm start zipping itself? did I miss something?

-KF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
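A defender-side sketch of the gateway problem discussed in this thread, added here as an example and not part of any poster's message: it reads only the ZIP central directory, where entry names stay in clear under traditional ZIP encryption, so an attachment can be flagged for an executable entry such as a .pif even when its contents cannot be scanned. The extension list, the verdict names (`block`, `quarantine`, `scan`) and the functions `inspect_zip` and `make_sample` are assumptions made for the illustration; the sample archive is constructed and only has its encryption flag set, with no real encrypted data.

```python
import io
import struct
import zipfile

# Extensions Windows runs directly; .pif is the one named in the thread.
RISKY_EXT = {"pif", "scr", "exe", "com", "bat"}

def inspect_zip(data: bytes) -> dict:
    """Gateway decision for a ZIP attachment, using only the central directory."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "quarantine", "reason": "unparseable archive", "names": []}
    with zf:
        entries = zf.infolist()
    # General-purpose flag bit 0 marks an entry as encrypted (unscannable).
    encrypted = [e.filename for e in entries if e.flag_bits & 0x1]
    # Entry names are readable even when the contents are not.
    risky = [e.filename for e in entries
             if "." in e.filename and e.filename.rsplit(".", 1)[1].lower() in RISKY_EXT]
    if risky:
        return {"verdict": "block", "reason": "executable entry", "names": risky}
    if encrypted:
        return {"verdict": "quarantine", "reason": "encrypted, cannot scan", "names": encrypted}
    return {"verdict": "scan", "reason": "contents readable", "names": [e.filename for e in entries]}

def make_sample(name: str, encrypted: bool) -> bytes:
    """Constructed input: one stored entry, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"placeholder bytes, not a real program")
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.rindex(b"PK\x01\x02")  # central directory file header
        (flags,) = struct.unpack_from("<H", raw, cd + 8)
        struct.pack_into("<H", raw, cd + 8, flags | 0x1)  # set bit 0 only
    return bytes(raw)

if __name__ == "__main__":
    for name, enc in [("notes.txt", False), ("notes.txt", True), ("photo.pif", True)]:
        print(name, enc, inspect_zip(make_sample(name, enc)))
```

An archive nested inside another archive would need the same check applied recursively, which this sketch leaves out.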
