    Users typically archive files to lump several files together into a single file for convenience, or simply to save storage space. However, we uncovered a worm that creates copies of itself even inside password-protected archive files.

    We acquired a sample of a worm (detected as WORM_PIZZER.A) that propagates using a particular WINRAR command line (see below). Once executed, this enables WORM_PIZZER.A to create a copy of itself in archive files, particularly .ZIP, .RAR and .RAR SFX files. The worm does not harvest passwords from these archive files. The command line itself is a normal one: any user can add a file to an existing archive with it, as long as WINRAR is installed on the system. The malware simply abuses it to add copies of itself to such files.


    Figure 1. WINRAR command line

    During our testing, this worm was downloaded by WORM_SWYSINN.SM from a particular site.

    This technique is reminiscent of the WORM_PROLACO variants seen in 2010, which archived certain .EXE files together with a copy of themselves. What makes WORM_PIZZER.A interesting is its clever way of creating copies of itself in archive files, even password-protected ones. Unsuspecting users who extract these archives would have no idea that they already contain this worm, and are thus likely to execute the malware along with their other files.


    Figure 2. WORM_PIZZER.A copy (bot.exe) in an archived file
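    The following is an added example, not code from the original post or from Trend Micro: a defender-side scanner that lists the members of a ZIP archive and flags an injected executable such as the bot.exe copy shown in Figure 2. It also reads each entry's encryption bit, because the ZIP format encrypts entries individually, so a file appended to a password-protected archive without the password shows up as the lone unencrypted member. The sample archive, file names and contents are constructed; the example covers ZIP only, not RAR or SFX.

```python
# Added example (not from the original post): scanner for the archive-borne
# copy described above. Lists ZIP members, flags executables such as bot.exe,
# and reports each entry's encryption bit: ZIP encrypts entries individually,
# so a file appended to a password-protected archive without the password is
# the lone unencrypted member. The sample archive below is constructed.
import io
import zipfile

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0 in the ZIP entry header


def inspect_zip(data: bytes) -> list:
    """One record per member: name, encrypted bit, executable extension."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            records.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                "executable": info.filename.lower().endswith(EXEC_EXTENSIONS),
            })
    return records


def suspicious_members(data: bytes) -> list:
    """Executable members plus any entry whose encryption state is the odd
    one out, which is how an entry added without the password shows up."""
    records = inspect_zip(data)
    flagged = {r["name"] for r in records if r["executable"]}
    encrypted = [r for r in records if r["encrypted"]]
    plain = [r for r in records if not r["encrypted"]]
    if encrypted and plain:
        odd = plain if len(plain) < len(encrypted) else encrypted
        flagged.update(r["name"] for r in odd)
    return sorted(flagged)


def build_sample() -> bytes:
    """Constructed archive: two user files, then bot.exe appended in a second
    pass (zipfile cannot write encrypted entries, so all are plaintext)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.docx", b"constructed document contents")
        zf.writestr("photos/holiday.jpg", b"constructed image bytes")
    with zipfile.ZipFile(buf, "a", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bot.exe", b"MZ constructed placeholder, not a real binary")
    return buf.getvalue()
```

Running `suspicious_members(build_sample())` on the constructed archive returns `["bot.exe"]`; on a real password-protected archive the mixed-encryption check would also single out the appended entry.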

    Trend Micro detects and deletes WORM_PIZZER.A if found and also blocks access to the site hosting the said malware.

    The first half of 2013 is shaping up to be a year of rehash, with dated threats like ZBOT, CARBERP, and GAMARUE using new techniques to evade detection, or at least stealthier ways to slip into users' systems unnoticed. WORM_PIZZER.A is no different from this flock of repackaged threats. Because of the protective measure that archive files appear to afford, users might be too complacent in extracting and executing these files, which provides the perfect cover for the worm to propagate on an infected system.

    For protection, users must observe best computing practices, which include avoiding unknown sites and not downloading files from unverified email messages. Because the malware can create copies of itself inside archive files, users must be extra cautious when executing files extracted from them.

    With additional insights from Threat Researchers Dexter To and Joseph Jiongco.

    Update as of June 7, 2:00 AM PDT

    Our protection against this threat has been updated; we now detect it as WORM_PIZZER.SM.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice