Mytob.MX and the double extension trick

Discussion in 'malware problems & news' started by Rmus, Nov 25, 2005.

Thread Status:
Not open for further replies.
Rmus (Exploit Analyst, Mar 16, 2005):
    New Version of MYTOB is causing an escalation of Risk Alert

    Trend Micro says:

    This attached .ZIP file on the email message this worm sends out contains
    a copy of itself with a double extension name. The first extension name may
    be any of the following:

    The second extension name may be any of the following:

    Here is an older variant:

    Depending on the particular .zip program, you may or may not see the three ... after the file extension,
    and be fooled into thinking that it is a text file. If extracted, the file shows the .txt extension:

    The user may not notice that the icon is not a text file icon and run the file.

    However, White-list protection will block the attempted extracting of the file, and reveal
    that the real extension is .pif, which is an executable:

    Sure enough, by enlarging the .zip file window, we see the complete file name:

    In another thread, BlueZannetti wrote:

    The critical issue with keyloggers, as with most malware,
    is to isolate and deal with them at download and/or install time.

    If this aspect of security were emphasized more, there would be fewer occasions of infections of this type.


    ~~Be ALERT!!! ~~
    Last edited: Nov 25, 2005