More spam viruses targeting Windows

Posted by skelter Wed, 29 Oct 2008 15:14:00 GMT

As Microsoft slowly improves its software, the viruses still target human fallibility.

My father just spent a few weeks without a fully-functioning workstation because of virus-infested Microsoft software.

This morning I got a virus sent from the comcast.net ISP, titled “Your Statement number: 330709.”

In it we see a short message like this:

Good evening

As you requested, we are sending you this report with details on your account transactions made between 9/1/2008 and 10/28/2008.

Untill we meet again
Nora Connell
Attachment: Details.zip

That details.zip is the problem. Let’s take a look at it.

~/tmp $ mv Details.zip virus/
~/tmp $ cd virus/
~/tmp/virus $ ls
Details.zip
~/tmp/virus $ unzip Details.zip 
Archive:  Details.zip
  inflating: Details.doc                                                                               .exe  
~/tmp/virus $ 

I didn’t change or screw up the formatting. The file name inside the zip contains enough spaces to push the .exe extension away from the rest of the name: it is Details.doc, then several dozen spaces, then .exe, so in any listing of normal width it reads as plain Details.doc. It’s a dirty trick, but that’s what the bad guys do.

What does Details.doc.exe do? Most likely it is a trojan. F-Prot, updated today (29-Oct-2008), found nothing, but Kaspersky Lab’s viruslist.com identifies it as “Worm.Win32.AutoRun.rkt”. This appears to be a fresh variant, and I haven’t found a clear description of what it does. The file is 38k. “AutoRun” indicates that it probably copies itself to USB sticks, zip drives and other removable media and plants an autorun.inf so that it starts when the drive is plugged in. The “rkt” looks suspiciously like an abbreviation for rootkit, a mechanism for hiding an attacker’s presence on a compromised machine, but in Kaspersky’s naming scheme the letters after the last dot are just a sequential variant identifier (a, b, … aa, ab, …), so they say nothing about what the sample actually does.
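The padding trick is easy to catch mechanically if you look at the archive’s entry names before anyone double-clicks. Below is an added example (not from the original post) that builds a constructed stand-in for Details.zip in memory, with the same padded name and junk bytes in place of the real 38k payload, and then flags any entry whose name ends in an executable extension preceded by a run of whitespace or by a decoy document extension. The extension lists and the sample name are my own assumptions.

```python
"""Flag zip entries whose names use the padded-extension / double-extension trick."""
import io
import re
import zipfile

# Extensions that Windows runs directly on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions that pose as harmless documents in a double-extension name (assumed list).
DOCUMENT_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg"}


def classify_name(name):
    """Return the reasons an entry name looks deceptive; an empty list means it looks clean."""
    reasons = []
    base = name.rsplit("/", 1)[-1]           # zip entries use '/' as separator
    stem, dot, ext = base.rpartition(".")
    ext = ("." + ext).lower() if dot else ""
    if ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append(f"executable extension {ext}")

    # A run of whitespace right before the real extension pushes it out of view
    # in Explorer, mail clients and 'unzip -l' listings alike.
    padding = re.search(r"(\s{2,})$", stem)
    if padding:
        reasons.append(f"{len(padding.group(1))} padding characters before extension")

    # A decoy document extension earlier in the name (Details.doc ... .exe).
    inner = stem.rstrip()
    if "." in inner:
        inner_ext = ("." + inner.rpartition(".")[2]).lower()
        if inner_ext in DOCUMENT_EXTS:
            reasons.append(f"decoy extension {inner_ext}")
    return reasons


def scan_zip(data):
    """Scan raw zip bytes without extracting; return {entry name: reasons} for suspicious entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed stand-in for Details.zip: the padded name, with junk bytes as the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Details.doc" + " " * 90 + ".exe", b"MZ not a real program")
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_zip(build_sample()).items():
        print(repr(entry), "->", "; ".join(reasons))
```

Feeding the real Details.zip to scan_zip (read the file’s bytes and pass them in) would produce the same three findings for the padded entry and nothing for anything else; the point is that the decision is made from the central directory, so the payload is never written to disk.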

Also see this site and F-Secure’s description of AutoRun.

How is the human tricked here? Windows Explorer hides known file extensions by default (“Hide extensions for known file types”), and an executable can carry any icon it likes in its resources, so the attachment shows up with a document icon and, in a column of normal width, with the name Details.doc; even when extensions are shown, the run of spaces pushes the .exe out of view. Opening a document and running a program are the same gesture, a double-click, so nothing is left to warn the user. Turning extension hiding off (Folder Options, or setting the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced to 0) removes one half of the trick; a mail gateway that refuses archives containing executables removes the other.

I remember in my younger days how I found UNIX to be paranoid, with its “executable” permission. It was just right.
