RE: [Exim] needed: beagle/bagle pattern

Author: Chris Meadors
To: Exim
Subject: RE: [Exim] needed: beagle/bagle pattern
On Tue, 2004-01-20 at 14:14, Rick Cooper wrote:

> This is not accurate. Rename notepad.exe to notepad.ddd and then
> type notepad.ddd at the Windows command prompt. Windows attempts
> to execute files based on the information in the header (load
> point, etc.) and not on the extension type, so it would be very
> easy to have a virus attached as xyz.xxx and have it launched. The .exe
> extension is a convention but is not required. I assume this is
> why Exiscan will now identify a file by type, not just name, and
> is why MailScanner has been doing it for some time.


That's not entirely accurate either. The command prompt will attempt to
run any word you place first on the line. It searches for that word
with .com, .exe, and .bat extensions, if an extension isn't provided.

But Explorer, the Windows shell, will only load executables into memory
if their extension is registered in the registry. If you double-click
on your notepad.ddd file, all you'll get is a dialog box asking what
program you would like to use to open a .ddd file.

Sure, the instructions in the virus e-mail body could instruct the user
to open a command prompt, locate the file (who knows where Windows saved
it), and then run it by typing the full name including the extension. I
don't see such a virus infecting too many people (of course, if you make
it look official enough, there will be those who will do it).

I think we are more likely to see a virus that targets XP users (since
they have built-in .zip extraction) that e-mails out the virus in a
password-protected ZIP file, telling the user that the password is for
their protection, to prevent tampering, and then including the password in
the body of the e-mail, or, even worse, telling them a second e-mail will
follow.

Don't get me wrong, I'll use all the protection I have available for my
users.

--
Chris
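The point the two posts converge on (judge an attachment by its bytes, not by the name it carries) and the password-protected ZIP case predicted above, shown as an added example that is not part of this thread or of Exiscan/MailScanner. The PE-header check, the ZIP encryption-flag check, the extension list, the finding labels and the sample files are all my own construction.

```python
import io
import struct
import zipfile

# Extensions Windows treats as directly executable (a constructed, non-exhaustive list).
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll")


def is_pe_executable(data: bytes) -> bool:
    """True if the bytes carry a DOS stub plus a PE signature, whatever the file name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(filename: str, data: bytes) -> list:
    """Describe an attachment by what its bytes are, not by what its name claims."""
    findings = []
    if is_pe_executable(data):
        findings.append("pe-executable")
        if not filename.lower().endswith(EXEC_EXTENSIONS):
            findings.append("pe-with-non-executable-name")
    if data.startswith(b"PK\x03\x04"):
        findings.append("zip-archive")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                if zi.flag_bits & 0x1:            # general-purpose bit 0: entry is encrypted
                    findings.append("zip-encrypted-entry:" + zi.filename)
                elif is_pe_executable(zf.read(zi)):
                    findings.append("zip-member-pe:" + zi.filename)
    return findings


# --- constructed sample inputs (not real malware) ---------------------------
def make_sample_pe() -> bytes:
    """Minimal MZ header whose e_lfanew field points at a PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def make_sample_zip(encrypted: bool) -> bytes:
    """ZIP holding the sample PE; optionally mark the entry as password protected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("photo.jpg.exe", make_sample_pe())
    data = bytearray(buf.getvalue())
    if encrypted:  # set flag bit 0 in the local (offset 6) and central (offset 8) headers
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 1
    return bytes(data)
```

A scanner that only consulted the name would pass `notepad.ddd` and report nothing about an archive whose members it cannot open; the encrypted-entry finding is what lets a mail gateway quarantine or tag the message Chris describes, without ever needing the password.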