[Josep Albors of ESET Ontinet.com tells us about a file attachment that was neither as boring nor as harmless as it seemed. Errors in interpretation or translation from the original blog are down to DH]
When we speak of files that can infect our system, most of us still think only in terms of executable files. Unfortunately, sometimes malicious code can be included in a multitude of different file types, from the classic macro viruses that even now are sometimes found infecting Microsoft Office documents (Word, Excel, etc.), to the recent epidemic of PDF exploits, not to mention media files (MP3), audio and video (AVI).
So when we receive mails with unsolicited attachments in our laboratory, we always find time for some analysis, and have thus encountered many new samples of malicious code. The case we are going to discuss today is especially interesting since it turned out to be something quite different to what it seemed at first sight.
Our analysis begins with the receipt of an email which, like many others, included an attachment. Normally when we receive attached images, they are intended for some sort of promotion of online pharmacies, or beautiful and lightly-clad ladies in seductive poses, helping to break the monotony and brighten a researcher’s day.
Bitten by curiosity at receiving this message with no apparent purpose (not trying to sell us anything, or persuade us to open a link), we decided to analyse the attachment more thoroughly with a hex editor, and got something of a surprise.
If you look closely, what appeared to be a simple image has something to hide. To begin this is a compressed file which, in turn, contains another document with the name Changelog_09_2010.doc_______________________.exe
This is a typical example of a traditional double extension used to disguise the real nature of the file. So what we really have is a file with a filename extension that looks like a jpg image, but which really acts as a container for a file with a deceptive double extension. This looks like a Microsoft Word document, but is actually an executable. Someone went to a lot of trouble for what looks like a simple image that shows only a gray background, huh?
If you have antivirus software, it should detect this threat without major problems. In fact, at the time of writing, more than half of the antivirus engines present in a Virustotal report already detected these samples as a threat. (ESET products detect it as a variant of Win32/Kryptik.HAD.)
In conclusion, we at the laboratory of ESET Ontinet.com would like to stress the fact of that certain file types are not what they seem. In spite of this, many computer users still think that their systems can only become infected by files that are obviously executables. That is why we should continue to stay alert to suspicious mails as' discussed here, and always keep anti-virus up-to-date anti-virus so as to forestall this type of threat.
David Harley CITP FBCS CISSP
ESET Senior Researcher
Author David Harley, We Live Security