More spam viruses targeting Windows

Wed Oct 29 08:14:00 CDT 2008

As Microsoft slowly improves its software, the viruses still target human fallibility.

My father just spent a few weeks without a fully-functioning workstation because of virus-infested Microsoft software.

This morning I got a virus sent from the comcast.net ISP, titled "Your Statement number: 330709."

In it, we see a short message like this:

    Good evening

    As you requested, we are sending you this report with details on your account transactions made between 9/1/2008 and 10/28/2008.

    Untill we meet again
    Nora Connell

    Attachment: Details.zip

That details.zip is the problem. Let's take a look at it.

    ~/tmp $ mv Details.zip virus/
    ~/tmp $ cd virus/
    ~/tmp/virus $ ls
    Details.zip
    ~/tmp/virus $ unzip Details.zip
    Archive:  Details.zip
      inflating: Details.doc .exe
    ~/tmp/virus $

I didn't change or screw up the formatting. The file name inside the zip is padded with enough spaces to push the .exe extension away from the rest of the name, Details.doc_ _ _ _ _ _ _ _ _ _ _ _ _ _ _.exe, so that in a narrow file listing or a dialog box only the "Details.doc" part is visible. It's a dirty trick, but that's what the bad guys do. What does Details.doc.exe do? It's most likely a trojan. F-Prot, updated today (29-Oct-2008), did not find anything, but Kaspersky Lab's viruslist.com identifies it as "Worm.Win32.AutoRun.rkt". This appears to be a fresh variant, and I haven't found a clear description of what it does. It's 38k. "AutoRun" indicates it probably copies itself to USB sticks, Zip drives and the like, with an autorun.inf so that it starts when the drive is plugged into the next machine. "rkt" looks suspiciously like an abbreviation for rootkit, which is a mechanism for a hacker to take over the infected machine; be aware, though, that the trailing letters in Kaspersky's names are a sequential variant counter, not a description of what the sample does, so the name alone does not establish rootkit behaviour.
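The padded-name trick is easy to catch before anything is extracted. The following is an added example, not code from the original post: it opens a zip archive in memory and flags members whose names carry an executable extension, whitespace padding in front of the final extension, a document-style double extension, or a Unicode right-to-left override, and it also peeks at the first two bytes of each member for the "MZ" marker that every Windows executable begins with. The sample archive is constructed inline to mimic the attachment described above (the "MZ" payload is just the two-byte magic plus zeros, not a real program), and the extension lists are my own assumptions, not an exhaustive catalogue.

```python
import io
import zipfile

# Extensions Windows will run on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}
# Extensions a victim expects to see on a harmless attachment (assumed list).
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf", ".jpg"}


def inspect_name(name):
    """Return the reasons a zip member name looks deceptive (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # ignore any directory part
    if "\u202e" in base:
        reasons.append("contains Unicode right-to-left override")
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return reasons                      # no extension at all
    ext = "." + ext.lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    # The trick from the post: spaces (or other whitespace) between the
    # visible name and the real extension.
    if stem and stem[-1].isspace():
        reasons.append("whitespace padding before final extension")
    inner = stem.rstrip().lower()
    for doc in DOCUMENT_EXTS:
        if inner.endswith(doc):
            reasons.append(f"double extension {doc}{ext}")
            break
    return reasons


def inspect_zip(data):
    """Inspect every member of a zip (given as bytes); return {name: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)           # only the first two bytes are needed
            if head == b"MZ":
                reasons.append("content begins with MZ (Windows PE header)")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive; the 'MZ' payload is a stub, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Details.doc" + " " * 20 + ".exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("invoice.pdf.scr", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

Checking the archive's member names and magic bytes instead of unpacking it first means the test is the same whether or not the scanner of the day has a signature for this variant yet.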

Also see this site and F-Secure's description of AutoRun.

How is the human tricked here? Microsoft Windows displays a file with whatever icon is embedded in the executable, and the author chose one that looks like a document. With the default "hide extensions for known file types" setting the trailing .exe is not shown at all, and even where extensions are shown, the padding spaces push it out of view. Worse, the action for opening a document and for running a program is the same: a double-click.

I remember in my younger days how I found UNIX to be paranoid, with its "executable" permission. It was just right.