WORM_AUTORUN.JFZ injects a copy of itself into every ZIP archive
Posted
Saturday, June 06, 2009 7:30 PM
by
hwaldron
Malware writes continue to use sophisticated new techniques to hide malware. This new Autorun worm variant can hide inside ZIP archives, which are sometimes difficult for AV products to locate malware infections that are embedded inside.
WORM_AUTORUN.JFZ injects a copy of itself into every ZIP archive
http://blog.trendmicro.com/autorun-worm-invades-zip/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AUTORUN.JFZ
QUOTE: TrendLabs in Europe, has notified us of a worm that has a unique way of hiding: on infection, WORM_AUTORUN.JFZ writes a copy of itself in every ZIP-compressed file it finds on a system.
When WORM_AUTORUN.JFZ places a copy of itself in an archive, it uses double extension by adding .GIF and .SCR. The .GIF extension is used as its social engineering factor. Curious users who still have their default configurations set in Windows Explorer (where the extension of known file types is hidden) may have an unpleasant experience once they double-click on the purported image file. The .SCR extension, on the other hand, makes it an executable file.
Writing in data files is not the only way this worm assures its existence on a system. It also makes use of traditional spreading methods like dropping a copy of itself (which is kkk.exe) in tandem with autorun.inf into all available physical, removable, and shared drives.