Autorun Worm Invades ZIP

Stealth technique used by malware is considered a core characteristic which has been developed, improved, redesigned, and reused. Michael Tants, Threat Researcher at Regional TrendLabs in Europe, has notified us of a worm that has a unique way of hiding: on infection, WORM_AUTORUN.JFZ writes a copy of itself in every ZIP-compressed file it finds on a system.

When WORM_AUTORUN.JFZ places a copy of itself in an archive, it uses double extension by adding .GIF and .SCR.

The .GIF extension is used as its social engineering factor. Curious users who still have their default configurations set in Windows Explorer (where the extension of known file types is hidden) may have an unpleasant experience once they double-click on the purported image file. The .SCR extension, on the other hand, makes it an executable file.

Writing in data files is not the only way this worm assures its existence on a system. It also makes use of traditional spreading methods like dropping a copy of itself (which is kkk.exe) in tandem with autorun.inf into all available physical, removable, and shared drives.

We strongly urge you to regularly update your pattern files and scan your systems for malware and grayware

From : Trendmicro

Related posts:

1. Removal of W32/AutoRun.NAN Worm (Worm.Win32.AutoRun.nan, Worm:W32/AutoRun.GF) (Manual)
2. Removal of W32/AutoRun.PYK Worm (Manual)
3. Autorun no more
4. How to Remove olhrwef.exe (Magania Trojan / Worm) Manually
5. How To Remove Win32/Mabezat, Win32/Mabezat.A, Win32/Mabezat.B, Worm.Win32.Mabezat.b