[Esa-l] ALERT: new .ZIP worm uses multiple obfuscation layers

John D. Hardin jhardin at impsec.org
Fri Mar 12 06:06:19 PST 2004


All:

I just got what is obviously a worm - meaningless body text and a Zip
file attachment.

The sanitizer DID NOT block it, because the Zip file contained only a
.htm file. That HTML page contained an apparently auto-executing
base-64 encoded .EXE.

The message itself had an HTML body part containing IFRAME code
intended to automatically open the Zip in an HTML-enabled mail client.
This part WAS defanged, but the Zip file attachment was visible to the
end user and thus the user could still self-infect.

You may want to add "*.html?" and "*.eml" and "*.msg" to your zipfile
poison list.

This is getting annoying. I *so* do not want to recurse into zip
attachments.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   22 days until the Slovakian Presidential Election


More information about the esa-l mailing list