Question: How can a Zip file launch a Worm?


JS

Hi,
I understand how a .com, .exe, or other executable file can launch a
worm (or virus), but how does the ZIP.Netsky.Z worm work? It arrived in my
inbox today as a "textfile.zip" attachment. Why does opening up a zip file
launch this worm? (I guess I don't really know how zip files open, so I'd
like to know the details, if anybody can help with that.)

thanks,
joey.
 
JS said:
Hi,
I understand how a .com, .exe, or other executable file can
launch a worm (or virus), but how does the ZIP.Netsky.Z worm work? It
arrived in my inbox today as a "textfile.zip" attachment. Why does
opening up a zip file launch this worm? (I guess I don't really know
how zip files open, so I'd like to know the details, if anybody can
help with that.)

thanks,
joey.

You probably have the preview window open in whatever e-mail client you are
using. You didn't actually open the file, however it was identified as the
Netsky.Z worm because your virus scanner is most likely set to scan
attachments in e-mail whenever you are viewing them in the preview window.
 
JS said:
Hi,
I understand how a .com, .exe, or other executable file can launch a
worm (or virus), but how does the ZIP.Netsky.Z worm work? It arrived in my
inbox today as a "textfile.zip" attachment. Why does opening up a zip file
launch this worm? (I guess I don't really know how zip files open, so I'd
like to know the details, if anybody can help with that.)

you're giving users far too much credit... the worm spreads because
people unzip and execute it...
 
Hi,
I understand how a .com, .exe, or other executable file can launch a
worm (or virus), but how does the ZIP.Netsky.Z worm work? It arrived in my
inbox today as a "textfile.zip" attachment. Why does opening up a zip file
launch this worm? (I guess I don't really know how zip files open, so I'd
like to know the details, if anybody can help with that.)

Because half the time it is textfile.zip.exe and because of the ****ed
up way Windows handles file extensions by hiding known ones (unless you
manually disable this) and allowing you to specify an icon for a program
all you see is textfile.zip with a zipfile icon so you double click on
it thinking you're opening it when actually you're running it.
 
Conor said:
Because half the time it is textfile.zip.exe and because of the ****ed
up way Windows handles file extensions by hiding known ones (unless
you manually disable this) and allowing you to specify an icon for a
program all you see is textfile.zip with a zipfile icon so you double
click on it thinking you're opening it when actually you're running
it.

WTF? Are you on crack? ZIP is a known file extension. Windows hides this one
too by default. The only reason you see e-mail viruses like this is because
of the way they are modifying their file names.

(e.g: textfile.zip .exe)

NOT

(textfile.zip.exe)

Nobody would be stupid enough (well except maybe you Conor) to open an
attachment that looked like that.
 
not to mention how people will open a file like textfile.zip when they don't
know what it is... ;) If I had a nickel for every time I deleted an attachment,
then wondered "Man that could have been a great file" but it's too late now.....
I'd be running my Ferrari instead of my keyboard....

wb
 
Hi,
I understand how a .com, .exe, or other executable file can launch a
worm (or virus), but how does the ZIP.Netsky.Z worm work? It arrived in my
inbox today as a "textfile.zip" attachment. Why does opening up a zip file
launch this worm? (I guess I don't really know how zip files open, so I'd
like to know the details, if anybody can help with that.)

thanks,
joey.
___________________

I don't know about this specific worm, but it may not be a zip file. Windows
hides certain extensions.
http://www.claymania.com/safe-hex.html
http://www.irchelp.org/irchelp/security/trojanext.html
To circumvent this, you can delete all occurrences of the string
"NeverShowExt" in the registry. I tried this and it worked OK with my
Windows XP Home, but I reverted to the original configuration. Who wants to
see all shortcuts with a .lnk extension, all internet links with a .url
extension, etc.? I don't. So backup your registry first because odds are
good you'll want to revert to the original. Or you may delete only certain
instances of that string in the registry if you want to experiment. The
point is that Windows is faking you out. What you see is not necessarily the
entire true name of a file.
-E
 
WTF? Are you on crack? ZIP is a known file extension. Windows hides this one
too by default. The only reason you see e-mail viruses like this is because
of the way they are modifying their file names.

Oh dear...

Yes it is a known extension and hidden by default but in the mind of
Joe Clueless, the fact it is showing a .zip extension or "...." doesn't
ring alarm bells and he merrily clicks away.

(e.g: textfile.zip .exe)

NOT

(textfile.zip.exe)

Nobody would be stupid enough (well except maybe you Conor) to open an
attachment that looked like that.

Yeah, thanks for that. The last virus I got infected with was FORM back
in ...1993.

Plenty of people are stupid enough to open attachments like that. That's
why MS had to add an option enabled by default to OE not to allow
potentially unsafe attachments to be opened.

I spent a whole week sorting out computers at a company that had people
opening attachments like that AFTER I had done a training course with
them about e-mail attachments and put big stickers on their monitors
with the info on.

Have a present...

begin stupidass.exe

Ignorant clueless turd.
 
The Prophecy said:
WTF? Are you on crack? ZIP is a known file extension. Windows hides this one
too by default. The only reason you see e-mail viruses like this is because
of the way they are modifying their file names.

(e.g: textfile.zip .exe)

NOT

(textfile.zip.exe)

Nobody would be stupid enough (well except maybe you Conor) to open an
attachment that looked like that.

In actuality the OP is probably referring to a file named as follows

textfile.zip

Nothing hidden, nothing far off to the right.

That is...until it is unzipped. Then you would have the extracted

textfile.txt .exe

that you mentioned.
 
Euclid said:
Hi,
I understand how a .com, .exe, or other executable file can launch a
worm (or virus), but how does the ZIP.Netsky.Z worm work? It arrived in my
inbox today as a "textfile.zip" attachment. Why does opening up a zip file
launch this worm? (I guess I don't really know how zip files open, so I'd
like to know the details, if anybody can help with that.)

thanks,
joey.
___________________

I don't know about this specific worm, but it may not be a zip file. Windows
hides certain extensions.
http://www.claymania.com/safe-hex.html
http://www.irchelp.org/irchelp/security/trojanext.html
To circumvent this, you can delete all occurrences of the string
"NeverShowExt" in the registry.

Better yet change it to "AlwaysShowExt" so that you have an
easy way to reverse it. Some extensions are butt ugly. ;o)
 
Euclid said:
Hi,
I understand how a .com, .exe, or other executable file can launch a
worm (or virus), but how does the ZIP.Netsky.Z worm work? It arrived in my
inbox today as a "textfile.zip" attachment. Why does opening up a zip file
launch this worm? (I guess I don't really know how zip files open, so I'd
like to know the details, if anybody can help with that.)

thanks,
joey.
___________________

I don't know about this specific worm, but it may not be a zip file. Windows
hides certain extensions.
http://www.claymania.com/safe-hex.html
http://www.irchelp.org/irchelp/security/trojanext.html
To circumvent this, you can delete all occurrences of the string
"NeverShowExt" in the registry.

Better yet change it to "AlwaysShowExt" so that you have an
easy way to reverse it. Some extensions are butt ugly. ;o)
__________________________

Thanks for the info.
-E
 
Euclid said:
Hi,
I understand how a .com, .exe, or other executable file can launch a
worm (or virus), but how does the ZIP.Netsky.Z worm work? It arrived in my
inbox today as a "textfile.zip" attachment. Why does opening up a zip file
launch this worm? (I guess I don't really know how zip files open, so I'd
like to know the details, if anybody can help with that.)

thanks,
joey.
___________________

I don't know about this specific worm, but it may not be a zip file. Windows
hides certain extensions.
http://www.claymania.com/safe-hex.html
http://www.irchelp.org/irchelp/security/trojanext.html
To circumvent this, you can delete all occurrences of the string
"NeverShowExt" in the registry.

Better yet change it to "AlwaysShowExt" so that you have an
easy way to reverse it. Some extensions are butt ugly. ;o)
__________________________

Thanks for the info.
-E
__________________________

I left the "lnkfile" and "InternetShortcut" registry items as NeverShowExt,
and changed everything else to AlwaysShowExt, and am happy with it so far...
-E
 
They play with extensions and hope you have showing extensions turned off
(it's a mystery to me why Windows offers this option). Actually, I rarely
open a zip file, I drag the file to the desktop WinZip icon. I don't do this for
virus problems, it just seems easier and lets me view contents, but as a
side benefit it will let you see what's there safely. If it's not a true zip
file, you will get an error message telling you so.
Dave cohen
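
The checks discussed in the posts above (is the attachment a true zip, and do the names inside it hide an executable extension behind a decoy extension or a run of spaces) can be done without extracting or running anything. This Python sketch is an added example, not part of the original thread; the function names, the extension lists and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs on double-click (short, non-exhaustive list).
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Harmless-looking extensions used as the visible decoy.
DECOY = {".txt", ".doc", ".zip", ".jpg", ".pdf"}


def name_findings(name):
    """Return the reasons a file name looks like a disguised executable."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or "." + ext.strip().lower() not in EXECUTABLE:
        return []
    findings = ["executable extension ." + ext.strip().lower()]
    if stem != stem.rstrip():
        findings.append("whitespace padding before real extension")
    _, inner_dot, inner_ext = stem.rstrip().rpartition(".")
    if inner_dot and "." + inner_ext.lower() in DECOY:
        findings.append("decoy extension ." + inner_ext.lower())
    return findings


def inspect_attachment(data):
    """Report member names of an attachment without extracting anything."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return {"is_zip": False, "members": {}}
    with zipfile.ZipFile(buf) as zf:
        return {"is_zip": True,
                "members": {n: name_findings(n) for n in zf.namelist()}}


def build_sample():
    """Constructed sample archive; the 'exe' member is inert placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless")
        zf.writestr("textfile.txt" + " " * 40 + ".exe", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_attachment(build_sample())["members"].items():
        print(repr(member), why or "ok")
    print(name_findings("textfile.zip.exe"))
```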
 