RE: in case nobody else noticed it, there was a mail worm released today


Christopher Bird wrote:
Please pardon my ignorance, but I am
*mightily* confused.

Vivien M. wrote:
and ISTR one patch for Outlook 2000 that blocked
your ability to save executables was released)

Michel Py wrote:
It is the default in Outlook XP and Outlook 2003, which
has prompted large numbers of people to download
Winzip, which has not stopped worms from being
propagated, as you pointed out.

Christopher Bird wrote:
The bit I don't get is how a zip file is created
such that launching it invokes winzip and then
executes the malware. When I open a normal .zip
file, winzip opens a pane that shows me the
contents. After that I can extract a file or I
can "double-click" on a file to open it - which if
it is executable will cause it to execute. I
haven't seen a case where simply opening a zip
archive causes execution of something in its
contents unless it is a self-extracting archive
in which case it unzips and executes, but doesn't
have the .zip suffix.

The point is, if the user opens the zip file in the first place, and if
the file name it contains does not look suspicious, the user _will_ also
double-click on the file within the winzip window, which extracts the
file in a temp folder _and_ executes it.

Sam Stickland wrote:
I don't think that was the point Michael was trying to
make. I believe he meant that MS stopped the ability to
_even_ save executables attached to emails to disk in
some forms of Outlook,

Yes. If you send me an .exe file, I can _not_ save it nor execute it.
Outlook deletes the attachment, and now Exchange 2003 deletes it on the
server as well before it even has a chance to get to Outlook.

but this did nothing to stop the spread of viruses.
People simply sent executables as zipped files, which
people then had to extract to run. Despite the fact
that an external program has to be used to get to
the executable, people still run them.

Exactly. Actually, there are faster ways to send executable files
without zipping them: rename the file as .txt, and put a little note in
the email saying that the .txt file is in reality an .exe and must be
renamed. You don't even need Winzip. Voila.

This latest worm is all about social engineering; remember: some users
still fall for the hoaxes that claim Norton or McAfee does not detect a
virus and instruct them to delete a system file. Gee, some even fall for
that herbal stuff that promises to put a foot in their pants. Given the
number of people that have fallen for the "Microsoft update" and the
"7-bit ascii" we are seeing these days, they would rename the file and
run it if they believed they had to do it.

Three years ago, I opened an .exe that contained a virus. At lunch with
my colleagues, we discussed the Florida ballots. In the evening, I
received an email from one of my co-workers whose subject was "Florida
ballots" containing an .exe file; given that the "saddam.exe" he sent
before was rather entertaining, I executed it. The anti-virus signature
was not available yet, busted. Social engineering it is.

The bottom line is this: no matter what safeguards you put in the
system, and no matter how many times you instruct users to be careful
opening attachments, the one and only thing that makes users think is
when they open a worm and get screwed/lose data/look stupid.
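The thread above describes two ways an executable gets past Outlook's extension-based attachment block: zipping it, or renaming it to .txt with a note telling the recipient to rename it back. As an added example, not code from the thread or from any of its posters, here is how a mail gateway filter could judge attachments by their content rather than by their filename: it looks for the DOS/PE "MZ" header under a non-executable extension, and walks zip archives (nested ones included, to a fixed depth) for executable members. The blocked-extension list, the depth and size caps, and the sample attachments are all constructed assumptions, not anything the thread specifies.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Outlook refuses outright (constructed, abbreviated list).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

PE_MAGIC = b"MZ"          # every DOS/PE executable starts with these two bytes
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a zip archive
MAX_DEPTH = 3              # assumed cap on nested archives (zip inside zip)
MAX_MEMBER_BYTES = 1 << 20  # assumed cap on a member we are willing to unpack


def extension_of(name: str) -> str:
    """Last extension of a filename, lowercased; '' when there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def looks_like_pe(data: bytes) -> bool:
    """Renaming an .exe to .txt does not change its first two bytes."""
    return data[:2] == PE_MAGIC


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return a list of findings for one attachment; an empty list means clean."""
    findings: List[str] = []
    ext = extension_of(name)
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"{name}: blocked extension {ext}")
    elif looks_like_pe(data):
        # The .txt-that-is-really-an-.exe case from the thread.
        findings.append(f"{name}: PE header under non-executable extension {ext or '(none)'}")
    if data[:4] != ZIP_MAGIC:
        return findings
    if depth >= MAX_DEPTH:
        findings.append(f"{name}: nested archive deeper than {MAX_DEPTH}, not inspected")
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # file_size is the declared size; a stricter filter would stream with a hard limit.
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{name}: member {info.filename} exceeds size cap, not inspected")
                    continue
                member = zf.read(info)
                for f in inspect_attachment(info.filename, member, depth + 1):
                    findings.append(f"{name} -> {f}")
    except zipfile.BadZipFile:
        findings.append(f"{name}: zip magic but archive unreadable")
    return findings


# --- constructed sample attachments -----------------------------------------

def _fake_pe() -> bytes:
    """Constructed stand-in for an executable: the MZ magic plus padding."""
    return PE_MAGIC + b"\x90" * 62


def _zip_with(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


SAMPLES: Dict[str, bytes] = {
    "notes.txt": b"see you at lunch\n",                                  # benign
    "florida_ballots.txt": _fake_pe(),                                   # .exe renamed to .txt
    "florida_ballots.zip": _zip_with({"florida_ballots.exe": _fake_pe()}),  # zipped .exe
    "photos.zip": _zip_with({"photos/inner.zip": _zip_with({"pic.jpg.scr": _fake_pe()})}),
}


def scan_samples() -> Dict[str, List[str]]:
    return {name: inspect_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for attachment, result in scan_samples().items():
        print(attachment, "->", result or "clean")
```

The filter never trusts the outer extension: a clean-looking name with an MZ header is flagged, and a zip is opened and its members judged by the same rule, so the rename trick and the zip trick from the thread both surface. The depth and size caps are there so a hostile archive cannot make the gateway unpack without bound.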