foto.rar


yxz

Received an email that has an attachment called "foto.rar". I googled it and
I only found it at:

http://www.sophos.com/virusinfo/analyses/trojgolduna.html

However the site doesn't say how it affects my computer. Has my computer
been affected by opening the rar file in WinRAR, or do I have to execute
some file inside the "foto.rar"? Basically, is it safe to open an
unfamiliar rar file?

Thanks
 
yxz said:
Received an email that has an attachment called "foto.rar". I googled it and
I only found it at:

http://www.sophos.com/virusinfo/analyses/trojgolduna.html

However the site doesn't say how it affects my computer. Has my computer
been affected by opening the rar file in WinRAR, or do I have to execute
some file inside the "foto.rar"? Basically, is it safe to open an
unfamiliar rar file?

Thanks

Do NOT open the *.rar file!!!! If you're concerned, submit the file to
an anti-virus company. I personally prefer VET, which is an Australian
division of Computer Associates. The Australian VET website can be
found at www.vet.com.au and will allow you to submit suspicious files
for analysis. The system is generally aimed at those who use the VET
program, as, if it is indeed a new virus, they will add the signature
to the next update.

At a tentative guess I would imagine you're NOT infected if you have NOT
opened the file but again, maybe send the file to an av company.

Sh4d03

--
If you require more assistance or if my suggestion works please E-mail me at
sh4d03 [at] TPG [dot] com [dot] au. Additionally, if you are able to provide
assistance to me and wish to E-mail me directly please also feel free to
contact me in this manner. Please ensure you include "Newsgroup_sh4d03"
in the subject line. Please pay attention to the capitalisation. Emails sent to
the above address which do NOT contain "Newsgroup_sh4d03" in the
subject line will fail to reach me.
Thanks,
Sh4d03
 
yxz said:
Received an email that has an attachment called "foto.rar". I googled it and
I only found it at:

http://www.sophos.com/virusinfo/analyses/trojgolduna.html

However the site doesn't say how it affects my computer. Has my computer
been affected by opening the rar file in WinRAR, or do I have to execute
some file inside the "foto.rar"? Basically, is it safe to open an
unfamiliar rar file?

Thanks

In the future, scan all questionable files with several scanners.
I have some single-file scanners listed on my site.
http://www.geocities.com/maxpro4u/madmax.html
-max


--
Virus Removal Instructions: http://www.geocities.com/maxpro4u/
Keeping Windows Clean: http://www.geocities.com/maxpro4u/madmax.html
Virus Cleaning+Fixes: http://www.geocities.com/maxpro4u/TechPros
Change nomail.afraid.org to neo.rr.com so you can reply by e-mail
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 
Never just open an archive file if you are not expecting it!

Scan it with your AV software and/or submit it to Virus Total --
http://www.virustotal.com/flash/index_en.html which will test it against several AV vendor
scanners.

--
Dave




| Received an email that has an attachment called "foto.rar". I googled it and
| I only found it at:
|
| http://www.sophos.com/virusinfo/analyses/trojgolduna.html
|
| However the site doesn't say how it affects my computer. Has my computer
| been affected by opening the rar file in WinRAR, or do I have to execute
| some file inside the "foto.rar"? Basically, is it safe to open an
| unfamiliar rar file?
|
| Thanks
 
On that special day, yxz, ([email protected]) said...
Received an email that has an attachment called "foto.rar". I googled it and
I only found it at:

It might be that the "rar" is in fact not an archive, but meant to
coax you into double-clicking it, because "archives do no harm", and
then suddenly you notice that this thing doesn't behave like an archive but
like an executable, and it is too late: you have executed it. Netsky
does such things.


Gabriele Neukam

(e-mail address removed)
 
yxz said:
Received an email that has an attachment called "foto.rar". I googled it and
I only found it at:

http://www.sophos.com/virusinfo/analyses/trojgolduna.html

However the site doesn't say how it affects my computer. Has my computer
been affected by opening the rar file in WinRAR, or do I have to execute
some file inside the "foto.rar"? Basically, is it safe to open an
unfamiliar rar file?

Thanks

Just goes to show you, people never read. The link you provided DOES tell
you exactly what you wanted to know.
But since you NEVER clicked on the tab called "Description" you never saw
the following:

Troj/Goldun-A is a password stealing Trojan for the Windows platform.

When executed the Trojan copies itself to the Windows folder as
wmedia16.exe.

Troj/Goldun-A may steal passwords for the e-gold banking site.

The Trojan may arrive in an email with the following characteristics:

Subject line: photo from you sweet Jessy )
Attached file: foto.rar
Message text: Please don't you show them pictures to anyone! Especially your
parents! Otherwise they kill you - they are damn horny!!

Your Jess, kissing you! When you come home, phone me asap! p.s. photos
attached, password on archive - foto.
 
Just goes to show you, people never read. The link you provided DOES tell
you exactly what you wanted to know.
But since you NEVER clicked on the tab called "Description" you never saw
the following:

Troj/Goldun-A is a password stealing Trojan for the Windows platform.

When executed the Trojan copies itself to the Windows folder as
^^^^^^^^^^^^

What is executed? A certain file inside "foto.rar" or just "foto.rar"
itself? I read the description and I still had no answer to this
question, that's why I asked.
 
What is executed? A certain file inside "foto.rar" or just
"foto.rar" itself? I read the description and I still had
no answer to this question, that's why I asked.

Read Gabriele Neukam's reply.

J
 
On that special day, yxz, ([email protected]) said...


It might be that the "rar" is in fact not an archive, but meant to
coax you into double-clicking it, because "archives do no harm", and
then suddenly you notice that this thing doesn't behave like an archive but
like an executable, and it is too late: you have executed it. Netsky
does such things.


Gabriele Neukam

(e-mail address removed)

Thanks, I checked, it's "foto.rar".
 
On that special day, yxz, ([email protected]) said...
It is "foto.rar" not "foto.rar.anything".

You didn't understand. A "foto.rar" may be passed to, say, WinZip.
WinZip examines it, finds that the suffix is wrong: "there is nothing
compressed, it is in fact a renamed executable. Please, system, execute
it". The system gets the message from WinZip: "aha, this has been passed from
an internal program, so it is nothing alien. It is executable, so it has
to be run. Run it".

And the "foto.rar" is executed, as it is in fact a "foto.exe", with a
replaced suffix, which doesn't keep WINDOWS from executing it "why, it
is an executable, after all". Foto.exe runs and plants the malware on
the machine.

If you want to be sure that such a thing doesn't happen, FIRST of all,
start WinZip, then use the WinZip file manager to locate the rar file, and
have WinZip un-archive it explicitly. If WinZip says, "I can't, this is
no archive", something is wrong with it.

If WinZip can un-archive the file, next scan the result again, with your
scanner. It should now be identified as malicious. If not, get the
newest virus definitions. If still not, send it to one of the online
checking services offered on the homepages of the anti-virus
specialists.

And ask the sender if this file was *meant* to be sent to you. If the
reply is a bewildered "what foto", you know, it is malicious.


Gabriele Neukam

(e-mail address removed)
 
Gabriele Neukam said:
You didn't understand. A "foto.rar" may be passed to, say, WinZip.
WinZip examines it, finds that the suffix is wrong: "there is nothing
compressed, it is in fact a renamed executable. Please, system, execute
it". The system gets the message from WinZip: "aha, this has been passed from
an internal program, so it is nothing alien. It is executable, so it has
to be run. Run it".

I don't see that behaviour on my system (Win2k). If I rename an
executable, like wordpad.exe to wordpad.zip, and double-click it, I
get an error message from Winzip - "Cannot open file: it does not
appear to be a valid archive". Winzip opens with a blank window, and
the file is *not* passed to the OS to be run.
 
On that special day, yxz, ([email protected]) said...


You didn't understand. A "foto.rar" may be passed to, say, WinZip.
WinZip examines it, finds that the suffix is wrong: "there is nothing
compressed, it is in fact a renamed executable. Please, system, execute
it". The system gets the message from WinZip: "aha, this has been passed from
an internal program, so it is nothing alien. It is executable, so it has
to be run. Run it".

And the "foto.rar" is executed, as it is in fact a "foto.exe", with a
replaced suffix, which doesn't keep WINDOWS from executing it "why, it
is an executable, after all". Foto.exe runs and plants the malware on
the machine.

Tried it with notepad.exe, doesn't work, saying "unknown format or
damaged". Actually, this is the first time I heard a malware can
spread in this way, care to provide a link?
 
You didn't understand. A "foto.rar" may be passed to, say, WinZip.
WinZip examines it, finds that the suffix is wrong: "there is nothing
compressed, it is in fact a renamed executable. Please, system, execute
it". The system gets the message from WinZip: "aha, this has been passed from
an internal program, so it is nothing alien. It is executable, so it has
to be run. Run it".

Admittedly my WinZip v7.0 isn't the latest, but it won't accommodate
[.rar] files. WinRAR, on the other hand, will decompress a zip, but will
not run (execute) anything, regardless of its extension.
Sounds like some misconfigured Microsoft "helper" feature, where the
internal header is used instead of the filename extension.
I thought there were patches to inhibit that several years ago?

FWIW: A real nifty archiver app is:
http://www.izsoft.dir.bg/izarc.htm
 
You didn't understand. A "foto.rar" may be passed to, say, WinZip.
WinZip examines it, finds that the suffix is wrong: "there is nothing
compressed, it is in fact a renamed executable. Please, system, execute
it". The system gets the message from WinZip: "aha, this has been passed from
an internal program, so it is nothing alien. It is executable, so it has
to be run. Run it".

And the "foto.rar" is executed, as it is in fact a "foto.exe", with a
replaced suffix, which doesn't keep WINDOWS from executing it "why, it
is an executable, after all". Foto.exe runs and plants the malware on
the machine.

This is the first I heard of this, could you provide a URL that explains
it? There is the chance that an OLE2 document file could have a macro
malware and do this if .rar is not a registered suffix. The
double-click on a "foto.rar" that has the OLE2 header will open the file
in Word - when the system fails to associate the rar suffix with an app,
the system examines the header and invokes the default doc app.
 
On that special day, yxz, ([email protected]) said...
Tried it with notepad.exe, doesn't work, saying "unknown format or
damaged". Actually, this is the first time I heard a malware can
spread in this way, care to provide a link?

Something similar happened with a combination of Outlook Express 5.x
(without SP2) and supposedly multimedia/x-midi files (in fact
executables, that was the false MIME header exploit, used by several
mail worms. The open preview window would load and run the malicious
file automatically).

I thought I read that WinZip wasn't exactly safe for a given time, and
would do similar things. But the last problem was a buffer overflow, not
a fake suffix. Yet, a buffer overflow could be exploited, too.

http://www.winzip.com/fmwz90.htm - MIME-encoded stuff, again. I wonder
how it is supposed to work; it doesn't seem to be related to rar files.

Still I would be wary.


Gabriele Neukam

(e-mail address removed)
 