Virus with encrypted zip file - Important notify about your e-mail account.

sunder sunder at sunder.net
Wed Mar 3 10:12:08 PST 2004


Interesting virus - anyone know what this one is called and what its 
payload does?  Haven't seen this one before today...

It attaches a zip file with a password containing an executable.  (No 
worries, I've not run it, and only extracted it on a SPARC machine, so it 
can't use buffer overflows designed for intel in unzip -- if any exist.)


I've seen several of these from various cypherpunk nodes, and initially 
thought someone was attacking cypherpunks nodes again...

So what it is likely doing is grabbing the domain name and capitalizing the first 
letter and inserting "The" and "team." around it to make it look like it's 
from the ISP...  It's also using various random reasons (mailbox is full, 
spamming, account about to expire, account abuse, can't go out with you 
tonight, have to wash hamster's hair, etc.)


Interesting that a virus would use an encrypted ZIP file.  Of course it 
does a dumb thing in terms of "security purposes" of sending the password 
with the attachment.  Certainly that isn't something a security wise person 
would do, *BUT* the true purpose of this ploy is likely an attempt for it 
to get past virus scanners which demime/unzip files through multiple 
layers, and would be able to detect the attachment is malware.

So this thing is probably carrying code to ZIP+encrypt files as well as 
MIME and possibly its own SMTP client...  Pretty amazing for a 12K 
binary...  Well, not really. :)  I guess I'm used to seeing bloatware like 
Office 2000 - oh, yeah, forgot, MSFT products are virii..  :-D


Many, many, years ago, I recall there were polymorphic virii which 
encrypted their main body, but used various methods to build the extractor 
such that you (as an antivirus writer) couldn't easily get signatures from 
the extractor portion.  I believe they used permutations of opcodes which 
did the same thing under x86, but enough random combinations to prevent 
getting a useful virus signature.

It probably won't be long before we'll start seeing those again in modern 
virii...

Certainly email virus scanners shouldn't allow .EXE - even if inside of 
.ZIP archives anyway, but it's still interesting to see how the evil virus 
writers find new ways to push their crud on the "If it's got dancing nude 
hippos, I'll click on it gladly, safety be damned" sheeple.  Now it's just 
exploiting the "I'll obey any instruction from any so called authority if 
you throw in the magic word 'reasons of security' in it."

What's really funny to me personally is that at my last job we were asked 
to send self decrypting PGP EXE's that contained the actual data to clients 
who didn't have PGP, and wouldn't know it from a hole in a wall.  We'd then 
tell them the (usually lame) password over the phone.  If any of those 
clients receive one of these, I can absolutely guarantee that they'll open 
it and spread this evil crap.


A virus pretending to be administration at minder.net wrote:

> For security reasons attached file is password  protected. The password is "10361".
>
> Kind regards,
>     The Minder.net  team                                http://www.minder.net
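As an added defender-side illustration (not part of the original post), here is the check the post implies a mail gateway should make: read the ZIP central directory without extracting anything, flag entries whose encryption bit is set or whose names are executables, and note when the message body ships the password alongside the archive. The ZIP bytes are constructed by hand so the encryption flag can be set; the entry name, payload bytes and regex are assumptions for the example.

```python
import io
import os
import re
import struct
import zipfile
import zlib

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Matches lure text such as: The password is "10361".
PASSWORD_RE = re.compile(r'password\s+is\s+"?(\w+)"?', re.IGNORECASE)


def build_zip(name: str, data: bytes, encrypted: bool) -> bytes:
    """Constructed sample: a one-entry, stored (method 0) ZIP built by hand so
    general-purpose flag bit 0 ("encrypted") can be set; zipfile cannot write it."""
    flags = 0x0001 if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    n = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(n), 0) + n + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, len(data), len(data), len(n),
                          0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def inspect_attachment(zip_bytes: bytes, body: str) -> list:
    """Gateway-side check: reasons to quarantine the message, [] if none.
    Reads only the central directory, so no password is needed and nothing
    inside the archive is ever extracted or executed."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x0001:
                reasons.append(f"encrypted entry: {info.filename}")
            if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
                reasons.append(f"executable inside archive: {info.filename}")
    # The lure's tell: an archive "encrypted for security" whose key travels
    # in the same message is scanner evasion, not security.
    m = PASSWORD_RE.search(body)
    if m and any(r.startswith("encrypted entry") for r in reasons):
        reasons.append(f"password shipped in body: {m.group(1)}")
    return reasons


if __name__ == "__main__":
    lure = build_zip("document.exe", b"MZ\x90\x00", encrypted=True)
    body = ('For security reasons attached file is password protected. '
            'The password is "10361".')
    print(inspect_attachment(lure, body))
```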
