Virus with encrypted zip file - Important notify about your e-mail account.
sunder
sunder at sunder.net
Wed Mar 3 10:12:08 PST 2004
Interesting virus - anyone know what this one is called and what it's
payload does? Haven't seen this one before today...
It attaches a zip file with a password containing an executable. (No
worries, I've not run it, and only extracted it on a SPARC machine, so it
can't use buffer overflows designed for intel in unzip -- if any exist.)
I've seen several of these from various cypherpunk nodes, and initially
thought someone was attacking cypherpunks nodes again...
So what it is likely grabbing the domian name and capitalizing the first
letter and inserting "The" and "team." around it to make it look like it's
from the ISP... It's also using various random reasons (mailbox is full,
spamming, account about to expire, account abuse, can't go out with you
tonight, have to wash hamster's hair, etc.)
Interesting that a virus would use an encrypted ZIP file. Of course it
does a dumb thing in terms of "security purposes" of sending the password
with the attachment. Certainly that isn't something a security wise person
would do, *BUT* the true purpose of this ploy is likely an attempt for it
to get past virus scanners which demime/unzip files through multiple
layers, and would be able to detect the attachment is malware.
So this thing is probably carrying code to ZIP+encrypt files as well as
MIME and possibly it's own SMTP client... Pretty amazing for a 12K
binary... Well, not really. :) I guess I'm used to seeing bloatware like
Office 2000 - oh, yeah, forgot, MSFT products are virii.. :-D
Many, many, years ago, I recall there were polymorphic virii which
encrypted their main body, but used various methods to build the extractor
such that you (as an antivirus writer) couldn't easily get signatures from
the extractor portion. I believe they used permutations of opcodes which
did the same thing under x86, but enough random combinations to prevent
getting a useful virus signature.
It probably won't be long before we'll start seeing those again in modern
virii...
Certainly email virus scanners shouldn't allow .EXE - even if inside of
.ZIP archives anyway, but it's still interesting to see how the evil virus
writers find new ways to push their crud on the "If it's got dancing nude
hippos, I'll click on it gladly, safety be damned" sheeple. Now it's just
exploiting the "I'll obey any instruction from any so called authority if
you throw in the magic word 'reasons of security' in it."
What's really funny to me personally is that at my last job we were asked
to send self decrypting PGP EXE's that contained the actual data to clients
who didn't have PGP, and wouldn't know it from a hole in a wall. We'd then
tell them the (usually lame) password over the phone. If any of those
clients receive one of these, I can absolutely guarantee that they'll open
it and spread this evil crap.
A virus pretending to be administration at minder.net wrote:
> For security reasons attached file is password protected. The password is "10361".
>
> Kind regards,
> The Minder.net team http://www.minder.net
More information about the cypherpunks-legacy
mailing list