Mytob.MX and the double extension trick

Discussion in 'malware problems & news' started by Rmus, Nov 25, 2005.

Thread Status:
Not open for further replies.
Rmus (Exploit Analyst), joined Mar 16, 2005, 3,943 posts, California:
    New Version of MYTOB is causing an escalation of Risk Alert

    Trend Micro says:

    ----------------------
    The attached .ZIP file in the email message this worm sends out contains
    a copy of itself with a double extension name. The first extension name may
    be any of the following:
    DOC
    HTM
    TXT

    The second extension name may be any of the following:
    EXE
    PIF
    SCR
    ZIP
    -----------------------

    Here is an older variant:

    http://www.rsjones.net/img/mytob_1.gif

    Depending on the particular .zip program, you may or may not see the three ... after the file extension,
    and be fooled into thinking that it is a text file. If extracted, the file shows the .txt extension:

    http://www.rsjones.net/img/mytob_0.gif

    The user may not notice that the icon is not a text file icon and run the file.

    However, White-list protection will block the attempted extracting of the file, and reveal
    that the real extension is .pif, which is an executable:

    http://www.rsjones.net/img/mytob_2.gif

    Sure enough, by enlarging the .zip file window, we see the complete file name:

    http://www.rsjones.net/img/mytob_3.gif

    In another thread, BlueZannetti wrote,

    ------------------------------------------------
    The critical issue with keyloggers, as with most malware,
    is to isolate and deal with them at download and/or install time.
    -------------------------------------------------

    If this aspect of security were emphasized more, there would be fewer occasions of infections of this type.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Nov 25, 2005
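The lure Rmus describes above, shown in working code as an added example that is not part of the original post or of any vendor's tool: it builds a constructed .zip (not the real worm) whose member is named `readme.txt`, then sixty spaces, then `.pif`, shows what a narrow file-name column displays, and scans the archive for the tell-tale signs. The extension sets are assumptions (PIF, SCR, EXE and ZIP come from the Trend Micro description; the others are common Windows executable types).

```python
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Real extensions that Windows will run on double-click. PIF, SCR and EXE are
# named in the Trend Micro text; the rest are an assumption for this example.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
# Trend also lists ZIP as a second extension: a nested archive, not a program.
NESTED_ARCHIVE_EXTS = {"zip"}
# "Harmless looking" first extensions used as the decoy (DOC/HTM/TXT from Trend).
DECOY_EXTS = {"doc", "htm", "html", "txt", "pdf", "jpg"}


@dataclass
class Finding:
    name: str
    real_ext: str
    decoy_ext: Optional[str]
    padded: bool
    reasons: List[str] = field(default_factory=list)


def narrow_view(name: str, width: int = 24) -> str:
    """Mimic a narrow file-name column: anything past `width` becomes '...'.

    With enough padding the '...' sits far to the right of the decoy
    extension and is easy to miss, exactly as in the screenshots above.
    """
    return name if len(name) <= width else name[:width] + "..."


def analyse_member_name(name: str) -> Optional[Finding]:
    """Return a Finding if the member name looks like a double-extension lure."""
    base = name.rsplit("/", 1)[-1]            # ignore folders inside the archive
    real_ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    # Runs of whitespace, or whitespace right before the final extension,
    # are the padding that pushes the real extension out of view.
    padded = bool(re.search(r"\s{2,}", base)) or bool(
        re.search(r"\s+\.[A-Za-z0-9]+$", base)
    )
    compact = re.sub(r"\s+", "", base)        # collapse padding to see the true name
    parts = compact.split(".")
    decoy_ext = parts[-2].lower() if len(parts) >= 3 else None

    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension .{real_ext} is executable")
    elif real_ext in NESTED_ARCHIVE_EXTS:
        reasons.append(f"real extension .{real_ext} is a nested archive")
    if decoy_ext in DECOY_EXTS and real_ext in EXECUTABLE_EXTS | NESTED_ARCHIVE_EXTS:
        reasons.append(f"decoy extension .{decoy_ext} precedes .{real_ext}")
    if padded:
        reasons.append("whitespace padding hides the real extension in narrow views")
    if not reasons:
        return None
    return Finding(base, real_ext, decoy_ext, padded, reasons)


def build_sample_zip() -> bytes:
    """Constructed sample archive for this example: one lure, one benign file,
    one classic double extension without padding. Contents are inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt" + " " * 60 + ".pif", b"MZ not really a program")
        zf.writestr("notes.txt", b"harmless text")
        zf.writestr("photo.jpg.exe", b"MZ")
    return buf.getvalue()


def scan_zip(data: bytes) -> List[Finding]:
    """Inspect member names (without extracting anything) and report lures."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        results = [analyse_member_name(n) for n in zf.namelist()]
    return [f for f in results if f is not None]


if __name__ == "__main__":
    sample = build_sample_zip()
    with zipfile.ZipFile(io.BytesIO(sample)) as zf:
        for n in zf.namelist():
            print(f"narrow column shows: [{narrow_view(n)}]")
    for f in scan_zip(sample):
        print(f"{f.name.strip()!r}: " + "; ".join(f.reasons))
```

The scan works from the central directory only, so the archive is never extracted; that is the point Rmus makes about dealing with the file before it is opened. Note that `narrow_view` shows how the decoy `.txt` survives truncation while the real `.pif` does not.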