Re: attachment; filename="photo1.jpg.pif"

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Tue Apr 24 2001 - 18:46:57 PDT

Next message: Gavin Reid: "RE: 'FrogEater'"

Previous message: Jens Hektor: "Re: Sun RPC Scans, Port 111/530/32k, slow scans"
In reply to: Majid Almassari: "Re: attachment; filename="photo1.jpg.pif""
Next in thread: Zora Monster: "Re: attachment; filename="photo1.jpg.pif""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Majid Almassari <majid.almassariat_private> wrote:

> .pif (Portable Interchange Format) is a Short Cut to MS-DOS based
> Executable Programs. It has the same effect as .exe and .bat.  ...

Not quite.

A "real PIF" is just a data file with a defined format.  The real
problem is that if you rename an EXE to PIF, Windows quite happily
runs it.  I believe the virus Win95/MTX was the first malware to
consistently "exploit" this.

> ...  Most
> likely this is a Trojan such as Sub Seven.

Indeed, but in this case it almost certainly was the new Stator virus
(or Email worm if you must), which depends on TheBat! for its mailing
distribution to work.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Next message: Gavin Reid: "RE: 'FrogEater'"
Previous message: Jens Hektor: "Re: Sun RPC Scans, Port 111/530/32k, slow scans"
In reply to: Majid Almassari: "Re: attachment; filename="photo1.jpg.pif""
Next in thread: Zora Monster: "Re: attachment; filename="photo1.jpg.pif""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 08:36:42 PDT