Are Virus Writers Creating a Super Worm?

Discussion in 'other security issues & news' started by Notok, Jun 4, 2005.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    May 28, 2004
    Portland, OR (USA),aid,121130,00.asp
  2. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    Good article. Here is a description of the worm from Sophos Anti-Virus site:

    W32/Mytob-CM is a mass-mailing worm and IRC backdoor Trojan.

    Message text chosen from:

    Please read the attached document and follow it's instructions.
    <snip other examples>

    The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.

    Note that its execution depends on someone clicking on the file. Why would anyone do that?
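    The naming scheme quoted above (a document-looking first extension followed by PIF, SCR, EXE or ZIP) is mechanical enough to check at a mail gateway. The following is an added example, not code from Sophos or from anyone in this thread: it classifies attachment names against exactly the extension lists in the description, strips the padding spaces sometimes used to push the real extension out of view, and flags matches. The sample attachment names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Final extensions listed in the Sophos description of W32/Mytob-CM.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "zip"}
# Decoy first extensions the description says the worm may prepend.
DECOY_EXTS = {"doc", "txt", "htm"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Flag an attachment name that matches the double-extension lure.

    Each dot-separated part is stripped of surrounding whitespace so that a
    name such as 'notes.htm      .scr' (padding used to hide the real
    extension in a narrow column) is treated as 'notes.htm.scr'.
    """
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return Verdict(filename, False, "no extension")
    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTS:
        return Verdict(filename, False, f"final extension .{final_ext} not on watch list")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return Verdict(filename, True,
                       f"double extension .{parts[-2]}.{final_ext} matches worm pattern")
    return Verdict(filename, True, f"executable attachment .{final_ext}")


def triage(filenames):
    """Return only the verdicts that should be held for review."""
    return [v for v in (classify_attachment(f) for f in filenames) if v.suspicious]


# Constructed sample attachment names (hypothetical, not taken from real mail).
SAMPLE_ATTACHMENTS = [
    "document.doc.pif",
    "instructions.txt.zip",
    "readme.txt",
    "photo.jpg",
    "setup.exe",
    "notes.htm      .scr",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ATTACHMENTS):
        print(f"HOLD {v.filename!r}: {v.reason}")
```

    Because ZIP is on the list only as a carrier, flagging every .zip will produce false positives in environments that exchange archives routinely; a gateway that also inspects archive contents can keep ZIP on the list while deciding based on what is inside. Windows' default of hiding known extensions is what makes the decoy first extension effective, so showing extensions on desktops is the complementary client-side fix.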


  3. diginsight

    diginsight Security Expert

    Feb 9, 2002
    Don't know. Why do users call my helpdesk because they don't understand how zip files work, but on the other hand, when they receive the mydoom worm with a password-protected zip file with the password in the mail body, are perfectly capable of extracting the zip file using the password in the mail body? The same applies to users not being able to open graphics attachments and on the other hand being perfectly capable of finding a worm zip password inside an enclosed graphics file.

    I suppose this is the same psychology which applies to users printing documents 15 times when the printer is malfunctioning, before calling the helpdesk. I also had users trying to open attachments which were intercepted by Sophos with a clear message box: "Contact helpdesk ..." 10 times. Thankfully I always log those events. After asking why they didn't read the message box they said "I always click away those annoying messages without reading them".

    I'm still trying to convince upper management to implement capital punishment ;)

    The 'positive' side effect of spreading worms using click-happy users is that malware doesn't need advanced infection mechanisms like 0-day or unpublished exploits to spread itself. As long as I have an up-to-date AV, AT and AS, why bother defending against advanced rootkit techniques? My point: why would a black hat waste his time on advanced techniques when sending a .pif or .scr has the same effect?

    I also read an article that some spackers are trying to keep their worms 'below the radar' to avoid mass spreading and detection by AV engines. 5000 infections was sufficient to sell their services, and by avoiding detection they could reuse the same worm again when another 'customer' was in need of bots for a DDOS attack or spam run.