wierd attachment

  • Thread starter Thread starter Snowsquall
  • Start date Start date
S

Snowsquall

In my spam folder I came accross attachments that ended in hqx, bhx and mim.
I managed to download them and scanned them. My antivirus extracted the
virus and put it in quarantine. It turned out to be Blackmal.E and info can
be found on:
http://www.channelregister.co.uk/2006/01/19/kama_sutra_worm/
http://www.informationweek.com/windows/showArticle.jhtml?articleID=177101528

My question is how does this virus spread? Since there seems to be no
program to extract the file from the HQX extention?

The only way the virus can be extracted is have an antivirus program put it
in quarantine. Then if anyone runs it, its because the person knows how to
restore viruses out of quarantine. Since it is known to be a virus then no
one is really tricked into running it unless it is accidently double clicked
after it is fetched from quarantine.
 
My question is how does this virus spread? Since there seems to be no
program to extract the file from the HQX extention?
Click to expand...

An hqx is used a lot in the Mac platform. StuffIt can extract it, and
actually, I think WinZip can as well.
 
On that special day, Snowsquall, ([email protected]) said...
My question is how does this virus spread? Since there seems to be no
program to extract the file from the HQX extention?
Click to expand...

As far as I know, this suffix belongs to a Mac system, I can't even
tell whether it is from MacOS 9 or MacOS Xsomething. I received the
same crap (meanwhile there are five) and sent a complaint to
Excellmedia; but the worms are still coming in.

Sophos says, it spreads via mail and network shares,

http://www.sophos.com/virusinfo/analyses/w32nyxemc.html

but the description didn't exactly match what I found in my inbox, so
it is quite possible that this is a new variant of Blackmal, also
called Nyxem or MyWife (I hate this inconsistent naming).

Ah, it IS, in fact.

http://www.sophos.com/virusinfo/analyses/w32nyxemd.html

Quote:
Side effects
Turns off anti-virus applications
Sends itself to email addresses found on the infected computer
Deletes files off the computer
Forges the sender's email address
Uses its own emailing engine
Downloads code from the internet
Reduces system security
Installs itself in the Registry

neat... after having *this* actively on your machine, you'll have to
wipe the hard disk (because of the updates that are downloaded from the
net, which might be especially tailored to go undetected) and call the
credit companies, for a password change.


Gabriele Neukam

(e-mail address removed)
 
Gabriele Neukam said:
On that special day, Snowsquall, ([email protected]) said...


As far as I know, this suffix belongs to a Mac system, I can't even
tell whether it is from MacOS 9 or MacOS Xsomething. I received the
same crap (meanwhile there are five) and sent a complaint to
Excellmedia; but the worms are still coming in.

Sophos says, it spreads via mail and network shares,

http://www.sophos.com/virusinfo/analyses/w32nyxemc.html

neat... after having *this* actively on your machine, you'll have to
wipe the hard disk (because of the updates that are downloaded from the
net, which might be especially tailored to go undetected)
Click to expand...


I did not run it. I cannot run it as the extensions are not recognized by
my computer XP SP2. That is why I wondered how it could spread.
The only way I could run it, is to extract it from quarantine but I know how
not to run stuff as I am very careful. Some people think if one downloads a
virus then one's machine is automatically infected. I had someone tell me
"you do not know what else downloaded and installed when you downloaded that
file"
I actually know when something is being installed. Just downloading a file
does not make it run. I just *save* it to a disk. I then password it and
put it in my collection...
 
On that special day, Snowsquall, ([email protected]) said...
I actually know when something is being installed. Just downloading a file
does not make it run.
Click to expand...

Just for the record: I said, "after having *this* actively on your
machine," All readers, please note the fourth word in my quote. I
didn't mean, "on your machine" as "somewhere as a dumb file", but as
"up, running, and of course running within the current account"


Gabriele Neukam

(e-mail address removed)
 
On that special day, Snowsquall, ([email protected]) said...


Just for the record: I said, "after having *this* actively on your
machine," All readers, please note the fourth word in my quote. I
didn't mean, "on your machine" as "somewhere as a dumb file", but as
"up, running, and of course running within the current account"


Gabriele Neukam

(e-mail address removed)
Click to expand...

I've seen 9 of these in the last week in Yahoo Groups emails. Norton
reports this.

Source: Attachments,zip .SCR
Description: The email attachment Attachments,zip .SCR within
Attachments00.HQX is infected with the W32.Blackmal.E@mm virus.
Click for more information about this threat : W32.Blackmal.E@mm

What is an HQX extension? As a Windoze user I had to go look it up.

http://filext.com/detaillist.php?extdetail=HQX
 
I got a few of them also - according to virustotal.com Symantec still
doesn't see it as a threat?

Symantec 8.0 01.24.2006 no virus found
 
Duh_OZ said:
I got a few of them also - according to virustotal.com Symantec still
doesn't see it as a threat?

Symantec 8.0 01.24.2006 no virus found
Click to expand...

I have Norton (Symantec) and it sure does detect it. I do not know what is
wrong with VirusTotal as I sent one of my copies to it and Symantec said "no
virus found" yet my Norton detected it and put it in quarantine as "Blackmal
E"
 
Snowsquall said:
In my spam folder I came accross attachments that ended in hqx, bhx and mim.
I managed to download them and scanned them. My antivirus extracted the
virus and put it in quarantine. It turned out to be Blackmal.E and info can
be found on:
http://www.channelregister.co.uk/2006/01/19/kama_sutra_worm/
http://www.informationweek.com/windows/showArticle.jhtml?articleID=177101528

My question is how does this virus spread? Since there seems to be no
program to extract the file from the HQX extention?
Click to expand...

All three of the extensions you listed are related to ASCII representations of
binary files. Two apparently are for conversions of Macintosh executables,
and one for the MIME encoding we are all familiar with. This is a necessary
conversion to allow binaries to be transported in email (which is a text only
medium). Email clients are usually capable of decoding these.

Many of the de-archiving utilities (for instance WinZip) can handle decoding
these as well as decompressing archive files. WinZip (older versions) had a
problem with autoexecution of some of these filetypes if they were maliciously
crafted to exploit the buffer overflow vulnerability within WinZip.

The bottom line is that difficulty is no obstacle to users executing malware.
They "will" find a way to infect themselves. If the OS doesn't handle the
malware's transport filetype by default, the user will find a way.
 
Snowsquall said:
I actually know when something is being installed. Just downloading a file
does not make it run. I just *save* it to a disk. I then password it and
put it in my collection...
Click to expand...

Be careful with that assumption. As recently demonstrated, some filetypes
are accessed when you save them to disk. If your system can be trusted to
only download and save to disk (and not to process the file in any manner)
then you are safe with this assumption. If your system accesses the saved
file for rendering of what should be a 'data only' filetype (like a JPEG file)
and instead finds a WMF, with the ability to execute code within itself, then
you are not safe.

Executable files should not be automatically processed by the system, they
might be accessed for resources such as icon data, but not processed for
execution. Data only files might be automatically processed by the default
application without a problem unless there is an exploit of the application
that handles it, in which case your method again fails. The WMF of recent
was an example of a wrongly 'assumed' data only filetype being automatically
processed and executed.

Be careful out there...
 
Back
Top