Storm worm with password protection
A new member of the Nuwar/Zhelatin worm family uses a trick previously used by the Bagle worm - to avoid detection by virus scanners the executable is concealed in a password protected ZIP file.
The e-mail containing the worm warns users of a dangerous worm, against which an attached patch supposedly offers protection. It claims to be encrypted for security reasons and the user is requested to enter the password to install it. To protect itself from scanners which analyse text, this is, as for some spam e-mails, included as an image file.
A test at Heise showed the method is successful - whilst almost all scanners recognise the unzipped malware, the detection rate for the encrypted ZIP file is very low. The worm is thus able to at least sneak past many mail gateway virus scanners. Active anti-virus software on a work station system should, however, spring into action on opening the encrypted archive. Using the Heisec Emailcheck, you can have a harmless, encrypted test virus sent to you (EICAR in password protected ZIP) to test how your anti-virus software copes with this kind of threat.
(mba)