Users typically archive files to bundle several files into a single file for convenience or simply to save storage space. However, we uncovered a worm that creates copies of itself inside archive files, even password-protected ones.
We acquired a sample of a worm (detected as WORM_PIZZER.A) that propagates using a particular WINRAR command line (see below). Once executed, this enables WORM_PIZZER.A to create copies of itself in archive files, particularly .ZIP, .RAR and .RAR SFX files. The worm does not harvest passwords from these archive files. The command line itself is legitimate: any user with WINRAR installed on their system can use it to add files to existing archives. The malware abuses this to add copies of itself to such files.
Figure 1. WINRAR command line
During our testing, this worm was downloaded by WORM_SWYSINN.SM from a particular site.
This technique is reminiscent of WORM_PROLACO variants seen in 2010, which archived certain .EXE files together with a copy of themselves. What makes WORM_PIZZER.A interesting is its clever way of creating copies of itself in archive files, even password-protected ones. Unsuspecting users who extract these archives would have no idea that they already contain this worm, and are thus likely to execute the malware along with their other files.
Figure 2. WORM_PIZZER.A copy (bot.exe) in an archived file
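A defender-side check for the behavior described above, as an added example that is not from the original post or any Trend Micro tool: it flags executable entries stored unencrypted inside a ZIP whose other entries are password-protected. It assumes the added copy is not encrypted with the archive's password (the worm does not harvest passwords) and covers ZIP only; `suspicious_entries`, `build_sample`, the extension list and the sample document names are hypothetical.

```python
import io
import zipfile

# Extensions treated as directly executable on Windows (illustrative list).
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def suspicious_entries(zip_bytes):
    """Return executable entries stored unencrypted in an archive whose
    other entries are password-protected (hypothetical heuristic)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # In standard ZIP, names and flags are readable without the password.
        files = [i for i in zf.infolist() if not i.is_dir()]
    if not any(i.flag_bits & ENCRYPTED for i in files):
        return []  # archive is not password-protected; heuristic not applicable
    return [i.filename for i in files
            if not i.flag_bits & ENCRYPTED
            and i.filename.lower().endswith(EXEC_EXT)]


def build_sample(entries):
    """Constructed test archive from [(name, marked_encrypted), ...]."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, marked in entries:
            zf.writestr(name, b"constructed sample data")
            if marked:
                # zipfile cannot encrypt, so only the central-directory flag
                # is set here; the data itself stays plain.
                zf.getinfo(name).flag_bits |= ENCRYPTED
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed case: two protected documents plus a later-added bot.exe.
    sample = build_sample([("report.doc", True), ("budget.xls", True),
                           ("bot.exe", False)])
    print(suspicious_entries(sample))
```

A hit is a reason to inspect the archive before extracting it, not proof of infection, since users can also mix protected and unprotected files themselves.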
Trend Micro detects and deletes WORM_PIZZER.A if found and also blocks access to the site hosting the said malware.
The first half of 2013 is shaping up to be a year of rehash, with dated threats like ZBOT, CARBERP, and GAMARUE using new techniques to evade detection, or at least stealthier ways to slip into users' systems unnoticed. WORM_PIZZER.A is no different from this flock of repackaged threats. Because of the protective measure archive files afford, users might be too complacent in extracting and executing these files, giving the worm the perfect cover to propagate in an infected system.
For protection, users must observe best computing practices, which include avoiding unknown sites and not downloading files from unverified email messages. Because the malware can create copies of itself in archive files, users must be extra cautious when executing such files.
With additional insights from threat researchers Dexter To and Joseph Jiongco.
Update as of June 7, 2:00 AM PDT
Our protection against this threat has been updated; we now detect it as WORM_PIZZER.SM.