Zip files and malware

[EdP]

I haven't been able to find information on whether a zipped file can be automatically invoked when its zip file is opened.

I use an ancient (V2.6) copy of PKZip which displays a list of its zipped files when it's run. It requires my intervention to unzip and save the files. If there's an executable or anything else that's suspect among the files when I'm expecting, say, all JPGs or TXTs, I can simply close the zip file and delete it.

How safe is that?
Incidentally, I do have NOD32 and SASPro running.

EdP

[CloneRanger]

As long as you don't click on any files you're 99.99999% safe.

Until a few months ago i would have said 100%, but due to the .LNK vulnerability, that's now fixed, it just goes to show nothings 100%

Having said that, i would say you would be very unlucky to experience another such exploit

If you have Anti Executable software it would help, as would something like SandboxIE and/or Returnil

[dw426]

Nothing can automatically execute from zipped files, so no worries there. I've dealt with malware, mixed in with legit files within archives for a long time. If I come across such a situation, I simply delete the offending file and keep the rest.

[CloneRanger]

@ dw426

Quote:

whether a zipped file can be automatically invoked when its zip file is opened.

From that, i thought he was asking about a file/s that he Unzipped, ie Opened ?

If he means just looking at the list, then yes i agree with you

[dw426]

Quote:

Originally Posted by CloneRanger

@ dw426



From that, i thought he was asking about a file/s that he Unzipped, ie Opened ?

If he means just looking at the list, then yes i agree with you

The way I read it, and the OP can correct me please, if I'm wrong, is this: Invoked to me=executed/ran. It seems he/she was asking if a file contained inside the zipped archive could be executed just by extracting the contents of the archive. It's my opinion that no, it cannot. I'm not sure the lnk vulnerability would apply here, as, unless I am mistaken, does not the program related to an infected lnk file have to be ran/installed first in order for the infection to take place?

If that is so, I don't believe an infection could take place just by having the offending file/program sitting on the computer without touching it. I'm a fairly young person who admittedly doesn't experiment with the latest and greatest in malware, and I sure haven't seen everything. But, in the years I've been computing, never has a file magically ran just by opening an archive.

[EdP]

Thanks for the quick replies.

As I indicated, I spent 45 minutes searching and reading and could not find anything about a zipped file automatically being invoked. If that were a problem, I would expect to find quite a few topics on it.

Thanks for the verification.

EdP

[EdP]

What I (he) meant - if a zip file is run (invoked) can that, in itself, initiate one of the contained files to automatically run?

I don't see why a clever and malevolent programmer couldn't design a zip file to do that. And if not actually run the contained file, automatically store it in a folder where it is sure to be run.

Is that beyond the skill and imagination of those bad guys?

EdP

[Boyfriend]

-If you open normal zip, nothing can run automatically until double click.

-If you open specially crafted zip (executable zip with command to start a program/executable on unzipping), anything can happen depending on purpose of executable. Numerous legitimate applications also zip their files to reduce size. Double clicking such files --> unzips and starts installation automatically.

A normal zip file can execute attack code if the program you open it with is vulnerable.
An old example: http://secunia.com/advisories/7198/

A quick check on PKZIP didn't reveal any such publicly know bugs but that doesn't mean it's 100% (or 99.9...%) not vulnerable.

[MikeBCda]

Most anti-viruses and other anti-malware apps have the ability to check the contents of ZIPs and other archive types, typically by expanding them into temporary files which are then scanned and deleted. Depending on your particular a-v (I use avast free), you may be able to do this before or while downloading the zip; in any event, any malware contained inside should be caught by the a-v after expansion.

(Edit) In the case of self-extracting EXEs, I typically check them twice -- the exe before installation, and the folder (typically a new one it creates) after installation.