Mytob.MX and the double extension trick

Discussion in 'malware problems & news' started by Rmus, Nov 25, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    New Version of MYTOB is causing an escalation of Risk Alert

    Trend Micro says:

    ----------------------
    This attached .ZIP file on the email message this worm sends out contains
    a copy of itself with a double extension name. The first extension name may
    be any of the following:
    DOC
    HTM
    TXT

    The second extension name may be any of the following:
    EXE
    PIF
    SCR
    ZIP
    -----------------------

    Here is an older variant:

    http://www.rsjones.net/img/mytob_1.gif

    Depending on the particular .zip program, you may or may not see the three ... after the file extension,
    and be fooled into thinking that it is a text file. If extracted, the file shows the .txt extension:

    http://www.rsjones.net/img/mytob_0.gif

    The user may not notice that the icon is not a text file icon and run the file.

    However, White-list protection will block the attempted extracting of the file, and reveal
    that the real extension is .pif, which is an executable:

    http://www.rsjones.net/img/mytob_2.gif

    Sure enough, by enlarging the .zip file window, we see the complete file name:

    http://www.rsjones.net/img/mytob_3.gif

    In another thread, BlueZannetti wrote,

    ------------------------------------------------
    The critical issue with keyloggers, as with most malware,
    is to isolate and deal with them at download and/or install time.
    -------------------------------------------------

    If this aspect of security were emphasized more, there would be fewer occasions of infections of this type.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Nov 25, 2005
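Added example, not from the original post or from Trend Micro: a small Python checker that reads only a ZIP archive's directory and flags entry names that use the double-extension trick described above (a document-looking first extension followed by an executable second extension), so the decision can be made before anything is extracted. The extension lists are the ones quoted from Trend Micro; the sample archive is constructed inline and contains only placeholder text.

```python
import io
import zipfile

# Extension lists taken from the Trend Micro description quoted above.
DECOY_EXTS = {"doc", "htm", "txt"}
EXEC_EXTS = {"exe", "pif", "scr", "zip"}


def is_double_extension_decoy(name: str) -> bool:
    """True if the final extension is one of the executable types and the
    extension just before it looks like a harmless document type,
    e.g. 'readme.txt.pif' or 'docs/index.htm.scr'."""
    base = name.rsplit("/", 1)[-1].lower()   # ignore directories inside the zip
    parts = base.split(".")
    if len(parts) < 3:                       # need at least name.decoy.exec
        return False
    return parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return the full names of archive entries matching the decoy pattern.
    Only the central directory is read; file contents are never extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_double_extension_decoy(n)]


def build_sample_zip() -> bytes:
    """Constructed sample archive: two harmless entries plus two decoy names
    shaped like the Mytob attachment. Contents are plain text, not executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "plain text")
        zf.writestr("report.doc", "not really a document")
        zf.writestr("readme.txt.pif", "placeholder bytes, not a program")
        zf.writestr("docs/index.htm.scr", "placeholder bytes, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_entries(build_sample_zip()):
        print("blocked:", name)
```

A name like `archive.tar.gz` is not flagged because neither extension is in the executable list; the check is deliberately narrow to the pattern the advisory describes.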