Woodworking (rec.woodworking) Discussion forum covering all aspects of working with wood. All levels of expertise are encouraged to participate.

#1
PDQ
Warning About .rar Files

Since we now have a poster telling us how to decompress the "book" files it is time for all to be aware that some snakes have been hiding vile things inside these compressed files.

I do not advocate "never" looking into .zip and .rar files. I do think they should be expanded into a quarantined folder and checked by our AV software before letting them loose.

Be careful.

--

PDQ
--
-----------------------------------------------------------------------------

http://www.eweek.com/article2/0,1759,1756636,00.asp

Virus writers have once again gotten the drop on anti-virus vendors and IT administrators with a new technique that's finding early and considerable success.

Late last month, administrators and service providers began seeing virus-infected messages with a new type of attachment hitting their mail servers: an .rar archive. .Rar files are similar to .zip files in that they are containers used to hold one or more compressed files. The .rar format is not as widely known as .zip, but it is used for a number of tasks, including compressing very large files, such as music and video.

The emergence of .rar-packed viruses highlights the lengths to which virus writers are willing to go to evade anti-virus systems, as well as the limitations of those traditional signature-based defenses.

Experts say .rar files carrying viruses have been sailing past commercial anti-virus products and finding their way into the mailboxes of users, who are often unfamiliar with the file format. Administrators who have seen .rar-packed malware say that none of the messages have been stopped by their anti-virus defenses.

Many of the messages in .rar virus e-mail are slick invitations to view pornographic content, which is part of the reason for the viruses' success, experts say. .Rar's compression algorithm is 30 percent more efficient than .zip technology, so it is often used to compress such content. E-mail purporting to deliver images and video in an .rar archive may well be taken as legitimate, experts say.


Once opened, the archive typically contains an executable file with a double extension, such as "foto.jpg.exe." The viruses themselves are new and are usually droppers that install a Trojan or back door on the user's PC.

"Most of these are appealing to lustful young men," said Bill Franklin, president of Zero Spam Network Corp., in Coral Gables, Fla., a managed services provider. "It's a game of percentages. This is just another way to get control of machines. It may hit fewer machines, but they're probably more technical users, so their machines would be of higher value. It's a good example of the fact that virus writers are probing every nook and cranny."

One recent .rar virus that appeared at the end of last week is disguised as a patch from Microsoft Corp. Although the text of the e-mail is poorly written, users have often proved willing to fall for such pitches. Franklin said that he has seen about six or seven new .rar viruses each week this month and that all of them are getting past the anti-virus products installed on his network.

Anti-virus vendors have acknowledged the presence of viruses delivered as .rar files in the past few weeks and are scrambling to develop tools to identify and eradicate the malware.

Officials at McAfee Inc., which by the end of last week had developed signatures for a few of the new viruses, said virus writers probably have turned to using .rar archives to get past gateway filtering rules. "Some large corporations have blocked [.zip files], so this is a way around that," said Jimmy Kuo, a McAfee Fellow at the Santa Clara, Calif., company.

Kuo said some early NetSky variants used .rar archives as well.

One administrator who has seen a number of these viruses recently on his network said that while the social engineering in the messages is nothing special, the novelty of the .rar format is enough to fool some users.

"Most users have finally gotten trained not to open .zips and executables, and now we have to worry about this," said the administrator, who asked not to be identified. "Our [anti-virus system] doesn't catch these yet, so we have to block it at the gateway in order to stop them."
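
The quoted article describes archives carrying an executable with a double extension such as "foto.jpg.exe". The following is an added example, not part of the original post or article: a name-only check of an archive listing that flags such members without extracting anything. The extension lists, size and depth limits, and function names are assumptions of this example; it reads .zip with Python's standard library, and the same `classify` check applies to member names obtained from a RAR reader.

```python
import io
import zipfile

# Partial lists chosen for this example, not an exhaustive policy.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "pdf", "doc", "txt", "avi", "mp3"}
MAX_DEPTH = 3                    # stop descending into archives-in-archives
MAX_NESTED_BYTES = 10 * 2**20    # declared-size cap for nested members

def classify(name):
    """Return 'double-extension', 'executable' or None for a member name."""
    parts = name.replace("\\", "/").rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan_zip(data, prefix="", depth=0):
    """List suspicious members by name only; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            verdict = classify(info.filename)
            if verdict:
                findings.append((path, verdict))
            elif info.filename.lower().endswith(".zip"):
                if depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    findings.append((path, "nested-archive-not-inspected"))
                else:
                    findings += scan_zip(zf.read(info), path + "!", depth + 1)
    return findings

def build_sample():
    """Constructed archive: placeholder bytes, only the names matter."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("pics/foto.jpg.exe", b"placeholder")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("patch.exe", b"placeholder")
        zf.writestr("more.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, verdict in scan_zip(build_sample()):
        print(f"{verdict:18} {path}")
```

A name check like this complements content scanning of the extracted files in a quarantined folder; it does not replace it.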




#2
Upscale

"PDQ" wrote in message news:JZQ5e.14831
Since we now have a poster telling us how to decompress the "book" files it
is time for all to be aware that some snakes have been hiding vile things
inside these compressed files.

Of course, one should always be careful when downloading files and should
always have a working, up-to-date virus checker. The major virus checkers are
capable of scanning inside compressed or archived files as they're
downloaded. However, I've not heard of a PDF file being infected.


#3
John

On Sat, 9 Apr 2005 09:33:50 -0400, "PDQ" wrote:

Since we now have a poster telling us how to decompress the "book" files it is time for all to be aware that some snakes have been hiding vile things inside these compressed files.

I do not advocate "never" looking into .zip and .rar files. I do think they should be expanded into a quarantined folder and checked by our AV software before letting them loose.

Be careful.

--

PDQ

What a load of ********

#4
PDQ

To each his own.

--

PDQ
--

"John" wrote in message news
| On Sat, 9 Apr 2005 09:33:50 -0400, "PDQ" wrote:
|
| Since we now have a poster telling us how to decompress the "book" files it is time for all to be aware that some snakes have been hiding vile things inside these compressed files.
|
| I do not advocate "never" looking into .zip and .rar files. I do think they should be expanded into a quarantined folder and checked by our AV software before letting them loose.
|
| Be careful.
|
| --
|
| PDQ
| What a load of ********

#5
Bill

On Sat, 09 Apr 2005 14:27:36 +0000, John wrote:

What a load of ********



Really? Google thinks otherwise.

http://www.eweek.com/article2/0,1759,1756636,00.asp
http://us.mcafee.com/virusInfo/defau...&virus_k=99455
http://secunia.com/virus_information/8102/beaglemmrar/

Search term was ".rar virus" all one string, no quotes.



#6
Upscale

"Bill" wrote in message
On Sat, 09 Apr 2005 14:27:36 +0000, John wrote:

What a load of ********


Really? Google thinks otherwise.

http://www.eweek.com/article2/0,1759,1756636,00.asp
http://us.mcafee.com/virusInfo/defau...&virus_k=99455
http://secunia.com/virus_information/8102/beaglemmrar/


It's obvious you don't know what you're talking about. Currently, there's no
such thing as a Rar virus. There can be programs archived by Rar that might
contain a virus, but Rar compression itself cannot infect your computer. If
you're going to be warning people about Rar files, then you might as well
warn them about Zip, Cab and every other unpacked program in the market.



#7
Bill

On Wed, 13 Apr 2005 17:41:46 -0400, Upscale wrote:

"Bill" wrote in message
On Sat, 09 Apr 2005 14:27:36 +0000, John wrote:

What a load of ********


Really? Google thinks otherwise.

http://www.eweek.com/article2/0,1759,1756636,00.asp
http://us.mcafee.com/virusInfo/defau...&virus_k=99455
http://secunia.com/virus_information/8102/beaglemmrar/


It's obvious you don't know what you're talking about. Currently, there's no
such thing as a Rar virus. There can be programs archived by Rar that might
contain a virus, but Rar compression itself cannot infect your computer.


No one in this thread has claimed the existence of a .rar virus. PDQ's
posting was factually correct, even if it amounted to little more than
wasted breath.

If
you're going to be warning people about Rar files, then you might as well
warn them about Zip, Cab and every other unpacked program in the market.


What are you smoking?

People SHOULD be warned about accepting files from any unknown source.
That's just "Computer Hygiene 90". If they are compressed archives, virus
detection gets tougher. The point that has been previously made is that
the anti-virus software was not examining the contents of the .rar files
and thus could miss viruses delivered through them.




#8
Upscale

"Bill" wrote in message

What are you smoking?


So you don't think a virus could be distributed through a Zip file or even a
cab file?

People SHOULD be warned about accepting files from any unknown source.
That's just "Computer Hygiene 90". If they are compressed archives, virus
detection gets tougher. The point that has been previously made is that
the anti-virus software was not examining the contents of the .rar files
and thus could miss viruses delivered through them.


It's nothing more than common sense to scan *ALL* incoming files. If someone
is too new to know about examining all compressed, archived files, then it's
doing a disservice to those very people to specifically zero in on Rar
files, suggesting they are more prone to contain a virus than other types of
archives.

