[66903] in North American Network Operators' Group
RE: in case nobody else noticed it, there was a mail worm released today
daemon@ATHENA.MIT.EDU (Christopher Bird)
Thu Jan 29 09:07:20 2004
From: "Christopher Bird" <seabird@msn.com>
To: <nanog@merit.edu>
Date: Thu, 29 Jan 2004 08:06:46 -0600
In-Reply-To: <DD7FE473A8C3C245ADA2A2FE1709D90B0DAE68@server2003.arneill-py.sacramento.ca.us>
Errors-To: owner-nanog-outgoing@merit.edu
Please pardon my ignorance, but I am *mightily* confused.
In a message from Michel Py is the following:
<snip>
>
>
> > and ISTR one patch for Outlook 2000 that blocked
> > your ability to save executables was released)
>
> It is default in Outlook XP and Outlook 2003, which has prompted large
> numbers of persons to download Winzip, which has not stopped worms to be
> propagated as you pointed out.
>
> Michel.
The bit I don't get is how a zip file is created such that launching it
invokes winzip and then executes the malware. When I open a normal .zip
file, winzip opens a pane that shows me the contents. After that I can
extract a file or I can "doubleclick" on a file to open it - which if it
is executable will cause it to execute. I haven't seen a case where
simply opening a zip archive causes execution of something in its
contents unless it is a self extracting archive in which case it unzips
and executes, but doesn't have the .zip suffix.
Would anyone explain to me how this occurs (and if RTFM with a pointer
to the M is the best way, then so be it!)
Thanks in advance
Chris
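
Added example, not part of the original message: a mail-gateway style check for the two cases the question separates, a plain zip whose members run only when double-clicked in the archive viewer, and a self-extracting archive that runs on open. The extension list, function names and sample archives are assumptions constructed for this illustration.

```python
import io
import zipfile

# Extensions treated as directly executable on Windows (assumed list).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def classify_attachment(data):
    """Return (kind, risky_members) for the raw bytes of one attachment.

    kind is "not-zip", "zip" or "self-extracting". risky_members lists the
    archive entries that would execute if opened from the archive viewer.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip", []
    # A self-extracting archive is an executable stub ("MZ" header) with the
    # zip data appended: it runs when opened instead of showing a contents pane.
    kind = "self-extracting" if data[:2] == b"MZ" else "zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        risky = [name for name in zf.namelist()
                 if name.lower().endswith(EXECUTABLE_EXTS)]
    return kind, risky


def build_zip(members, stub=b""):
    """Build a constructed sample archive in memory, optionally after a stub."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return stub + out.getvalue()


if __name__ == "__main__":
    # Constructed samples: the payloads are placeholder bytes, not programs.
    plain = build_zip({"readme.txt": b"hello", "message.scr": b"placeholder"})
    sfx = build_zip({"setup.exe": b"placeholder"}, stub=b"MZ" + b"\x00" * 64)
    for label, blob in (("plain zip", plain), ("stub + zip", sfx),
                        ("text", b"plain text")):
        print(label, classify_attachment(blob))
```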