The e-mail was sent by the recent Mydoom e-mail worm. The zipped attachments were evidence of what antivirus experts say is a new trend in virus-writing circles: using compressed files to hide viruses and elude detection by antivirus engines.
Such files are containers for one or more compact files. Using programs such as WinZip for Windows or Unzip for Unix, users compressed files they want to store or transfer to others. The files must then be decompressed, or "unzipped," before they can be viewed. Long a staple of Internet and office communications, the .zip file has become embroiled in an arms race between virus writers and antivirus technology companies, experts said.
"We're definitely seeing a trend," said Alex Shipp, an antivirus technology expert at MessageLabs Ltd. "It really took off in 2003. As soon as one virus was successful with technology like this, other virus writers took notice."
Virus authors learned long ago to hide their creations in e-mail file attachments, often disguising viruses as Windows screen saver (.scr) files or Windows program information (.pif) files, said Mike Hrabik, chief technology officer at Solutionary Inc., a managed security services company in Omaha.
While .zip files were occasionally used to mask virus payloads, the practice wasn't common in virus-writing circles because .zip files, unlike .scr and .pif files, required separate software to be installed on the receiving system before the files can be opened and run, he said.
All that changed with the release of Microsoft Corp.'s Windows XP operating system, which included native support for opening .zip files. According to Gerhard Eschelbeck, CTO of security vulnerability scanning company Qualys Inc., embedded support for .zip files in modern systems makes them easy targets for worms like Mydoom.
The link for this article located at computerworld.com is no longer available.
