[Security] This week's virus - .doc or .exe?

October 29, 2008 - 08:34 UTC - Tags: virus This week I have received several samples of a very similar looking malware. It's basically a .zip-file containing a "document". The last version I got was from "Your UPS". The reason I'm writing document with quotes is that it first appears to be a .doc file, but it has an .exe extension at the end after a lot of white space:

Inv#3982.doc                                            
                                                        
                                                        
                .exe

With a *nix style shell escaping in front of every space, it looks like this:


Inv#3982.doc\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ .exe

14 out of 36 virus scanners on virustotal detect it: analysis

Permalink |

Comments closed for this post

About Erlend

Security guy with some thoughts on secure development.

Follow me on twitter

Tag cloud

.net, .netspec, adam, ad lds, ajax, asp.net, authentication, authorization, axis, bdd, certificates, conference, cookie, craftsman, crossdomain, cross site scripting, cryptography, csp, csrf, css, escaping, firefox, flash, flex, httponly, input validation, javascript, jquery, jsonp, nosql, nosql-injection, output escaping, owasp, password, phishing, ql-injection, rails, retirejs, rfi, security, silverlight, spam, speaker, sql-injection, sql injection, ssl, talk, tdd, testing, unit testing, web services, wse, wss4j, x509, xml, xsrf, xss