Woodworking (rec.woodworking) Discussion forum covering all aspects of working with wood. All levels of expertise are encouraged to participate.

 
 
PDQ
 
Warning About .rar Files

Since we now have a poster telling us how to decompress the "book" files it is time for all to be aware that some snakes have been hiding vile things inside these compressed files.

I do not advocate "never" looking into .zip and .rar files. I do think they should be expanded into a quarantined folder and checked by our AV software before letting them loose.

Be careful.

--

PDQ
--
-----------------------------------------------------------------------------

http://www.eweek.com/article2/0,1759,1756636,00.asp

Virus writers have once again gotten the drop on anti-virus vendors and IT administrators with a new technique that's finding early and considerable success.

Late last month, administrators and service providers began seeing virus-infected messages with a new type of attachment hitting their mail servers: an .rar archive. .Rar files are similar to .zip files in that they are containers used to hold one or more compressed files. The .rar format is not as widely known as .zip, but it is used for a number of tasks, including compressing very large files, such as music and video.

The emergence of .rar-packed viruses highlights the lengths to which virus writers are willing to go to evade anti-virus systems, as well as the limitations of those traditional signature-based defenses.

Experts say .rar files carrying viruses have been sailing past commercial anti-virus products and finding their way into the mailboxes of users, who are often unfamiliar with the file format. Administrators who have seen .rar-packed malware say that none of the messages have been stopped by their anti-virus defenses.

Many of the messages in .rar virus e-mail are slick invitations to view pornographic content, which is part of the reason for the viruses' success, experts say. .Rar's compression algorithm is 30 percent more efficient than .zip technology, so it is often used to compress such content. E-mail purporting to deliver images and video in an .rar archive may well be taken as legitimate, experts say.


Once opened, the archive typically contains an executable file with a double extension, such as "foto.jpg.exe." The viruses themselves are new and are usually droppers that install a Trojan or back door on the user's PC.

"Most of these are appealing to lustful young men," said Bill Franklin, president of Zero Spam Network Corp., in Coral Gables, Fla., a managed services provider. "It's a game of percentages. This is just another way to get control of machines. It may hit fewer machines, but they're probably more technical users, so their machines would be of higher value. It's a good example of the fact that virus writers are probing every nook and cranny."

One recent .rar virus that appeared at the end of last week is disguised as a patch from Microsoft Corp. Although the text of the e-mail is poorly written, users have often proved willing to fall for such pitches. Franklin said that he has seen about six or seven new .rar viruses each week this month and that all of them are getting past the anti-virus products installed on his network.

Anti-virus vendors have acknowledged the presence of viruses delivered as .rar files in the past few weeks and are scrambling to develop tools to identify and eradicate the malware.

Officials at McAfee Inc., which by the end of last week had developed signatures for a few of the new viruses, said virus writers probably have turned to using .rar archives to get past gateway filtering rules. "Some large corporations have blocked [.zip files], so this is a way around that," said Jimmy Kuo, a McAfee Fellow at the Santa Clara, Calif., company.

Kuo said some early NetSky variants used .rar archives as well.

One administrator who has seen a number of these viruses recently on his network said that while the social engineering in the messages is nothing special, the novelty of the .rar format is enough to fool some users.

"Most users have finally gotten trained not to open .zips and executables, and now we have to worry about this," said the administrator, who asked not to be identified. "Our [anti-virus system] doesn't catch these yet, so we have to block it at the gateway in order to stop them."
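
An added example (not part of the original post or the eWeek article): a pre-extraction check for the pattern described above, identifying .rar and .zip containers by file signature rather than by attachment name and flagging members with a double extension such as "foto.jpg.exe". The extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Container signatures, checked instead of trusting the attachment's name.
MAGIC = {
    b"Rar!\x1a\x07\x00": "rar",      # RAR 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5
    b"PK\x03\x04": "zip",
}
# Assumed lists for illustration; extend to match local policy.
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mpg", ".avi"}

def container_type(data: bytes):
    """Return 'rar', 'zip' or None based on the leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def is_double_extension(name: str) -> bool:
    """True for names like foto.jpg.exe: a decoy extension, then an executable one."""
    path = PurePosixPath(name.replace("\\", "/"))
    # Strip whitespace so padding between the two extensions does not hide the pair.
    suffixes = [s.strip().lower() for s in path.suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE and suffixes[-2] in DECOY

def inspect_attachment(filename: str, data: bytes) -> list:
    """List reasons to quarantine an attachment, without extracting anything."""
    findings = []
    kind = container_type(data)
    declared = PurePosixPath(filename).suffix.lower().lstrip(".")
    if kind and kind != declared:
        findings.append(f"container is {kind} but attachment is named .{declared}")
    if kind == "rar":
        # Listing RAR members needs a RAR library; this sketch only holds the file.
        findings.append("rar container: hold for quarantine and AV scan")
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings += [f"double-extension executable: {m}"
                         for m in zf.namelist() if is_double_extension(m)]
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: harmless placeholder bytes under a deceptive name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.jpg.exe", b"constructed placeholder, not an executable")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_attachment("pics.zip", build_sample_zip()))
```
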




 