In association with heise online

13 April 2007, 15:48

Storm worm with password protection


A new member of the Nuwar/Zhelatin worm family uses a trick previously seen in the Bagle worm: to avoid detection by virus scanners, the executable is concealed in a password-protected ZIP file.

[Image: the message text is delivered as an image file to evade scanners that analyse text.]
The e-mail carrying the worm warns the recipient of a dangerous worm and claims that the attached "patch" protects against it. The attachment, it says, has been encrypted for security reasons, and the recipient is asked to enter the supplied password to install it. To keep this text away from scanners that analyse message content, the whole message body is delivered as an image file, as some spam already is; a side effect is that a gateway scanner cannot simply read the password out of the message and try it on the archive.

A test at Heise showed that the method works: whilst almost all scanners recognise the unzipped malware, the detection rate for the encrypted ZIP file is very low. A mail gateway scanner only has the archive; without the password it cannot decrypt the payload, and so at best it can act on what the archive reveals about itself. The worm is thus able to sneak past many mail gateway virus scanners. Resident anti-virus software on a workstation should, however, spring into action as soon as the user opens the encrypted archive with the password, because the executable then appears in the clear. Using the Heisec Emailcheck, you can have a harmless encrypted test virus sent to you (the EICAR test file in a password-protected ZIP) to check how your own anti-virus software copes with this kind of attachment.
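The following is an added example, not code from the article or from any of the scanners Heise tested. It builds a password-protected ZIP in pure Python and then runs the same signature check twice: once as a mail gateway that does not have the password, and once as a workstation scanner that does. The encryption scheme (traditional PKWARE ZipCrypto, which Python's zipfile module can read but not write) is an assumption, since the article does not say which ZIP encryption the worm used. The payload bytes, the signature string, the password and the list of executable extensions are all constructed for the demo.

```python
# Added example: why a password-protected ZIP slips past a content-scanning
# mail gateway, and what the gateway can still see. Standard library only.
import io
import os
import struct
import zipfile
import zlib

# Constructed for the demo: a stand-in AV signature, a fake "patch.exe" body
# carrying it, and an assumed password (the real mail put it in an image).
SIGNATURE = b"DEMO-SIGNATURE-NOT-A-REAL-PATTERN"
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + SIGNATURE + b"\x00" * 16
PASSWORD = b"123456"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def _crc_step(crc, byte):
    # One table step of CRC-32 without zlib's pre/post inversion, as ZipCrypto uses it.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCryptoEncrypter:
    # Traditional PKWARE "ZipCrypto" (APPNOTE section 6.1), encrypt direction.
    # Python's zipfile implements only the decrypt direction.
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for p in password:
            self._update(p)

    def _update(self, c):
        self.k0 = _crc_step(self.k0, c)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for c in data:
            k = self.k2 | 2
            out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(c)  # key schedule advances on the plaintext byte
        return bytes(out)

def build_encrypted_zip(name, plaintext, password):
    """Single-entry ZIP, raw-deflated then ZipCrypto-encrypted, written by hand."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as ZIP stores it
    deflated = deflater.compress(plaintext) + deflater.flush()
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte, the
    # one byte a reader can check a candidate password against before inflating.
    body = ZipCryptoEncrypter(password).encrypt(
        os.urandom(11) + bytes([(crc >> 24) & 0xFF]) + deflated)
    fname = name.encode("ascii")
    flags, method, dtime, ddate = 0x0001, 8, 0, 0x21  # bit 0: encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dtime, ddate,
                        crc, len(body), len(plaintext), len(fname), 0) + fname + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dtime, ddate, crc, len(body), len(plaintext), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def build_plain_zip(name, plaintext):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, plaintext)
    return buf.getvalue()

def scan(zip_blob, password=None):
    """Gateway view (password=None) or workstation view (password known).
    ZipCrypto leaves names and sizes in the clear; only the content is hidden."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_blob)) as zf:
        for info in zf.infolist():
            entry = {"name": info.filename,
                     "encrypted": bool(info.flag_bits & 0x1),
                     "executable_name": info.filename.lower().endswith(EXECUTABLE_SUFFIXES),
                     "signature_hit": None, "error": None}
            try:
                entry["signature_hit"] = SIGNATURE in zf.read(info.filename, pwd=password)
            except (RuntimeError, zipfile.BadZipFile, zlib.error) as exc:
                entry["error"] = str(exc)  # missing/wrong password or corrupt stream
            findings.append(entry)
    return findings

def verdict(findings):
    """Gateway policy: when the content cannot be inspected, act on the metadata."""
    if any(f["encrypted"] and f["executable_name"] for f in findings):
        return "quarantine"
    if any(f["signature_hit"] for f in findings):
        return "block"
    return "deliver"

if __name__ == "__main__":
    enc = build_encrypted_zip("patch.exe", SAMPLE_PAYLOAD, PASSWORD)
    print("gateway     :", verdict(scan(enc)), scan(enc))
    print("workstation :", scan(enc, PASSWORD))
    print("plain ZIP   :", verdict(scan(build_plain_zip("patch.exe", SAMPLE_PAYLOAD))))
```

Two things the run makes visible. First, the same signature that fires on the plain ZIP never gets a chance on the encrypted one at the gateway: `zf.read` refuses without a password, and the scanner's only evidence is the encrypted flag, the file name and the sizes, which is exactly what the quarantine rule in `verdict` acts on. Second, the single check byte in the encryption header means a wrong password is usually, not always, rejected before inflation; about one candidate in 256 passes that check and is then caught by the CRC-32 over the inflated data, which is why `scan` catches `BadZipFile` and `zlib.error` as well as the `RuntimeError` for a bad password.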

