For a long time, we have seen worms masquerading as media and document files (commonly targeting MS Word), movies or folder icons. This is an old skool tactic that remains very popular in South East Asia, often seen in the Indonesian-origin W32/Rontokbro family. They often used file names associated with pornography or news headlines enticing users into opening them, but nonetheless, they still seem “new” and should raise an alarm for vigilant users. Now, what if they are _your own_ documents?
Over the last few months, we have been following a series of worms that take a more subtle approach to deceive users into clicking on the malware. The W32/Autorun.worm.i.gen worm, better known for its aggressive propagation via removable media using a AUTORUN.INF file, has a darker side less known to its victims, and most researchers.
This series of worms subtly infects MS Word files by prepending itself to the document and changing the file extension from “.doc” to “.exe”, essentially morphing it into a Windows executable file. The meticulous malware authors modifies the Windows registry to enable file extension hiding so users do not see the “.exe” extension – only the original filename along with Windows’s helpful file type description of “Microsoft Word Document”. A video speaks louder than a picture:
Did you notice any change in appearance? When clicking on the infected files, the worm drops the original document file and opens it in MS Word while its malicious payload executes in the background. The most apparent hint shows in the increase in file size. For expert Windows users, they might notice the hidden file extensions.
What next? It is not a technically sophisticated method, and could well be applied to movie, music, HTML and other media files. It is however, known to us, that document and media files should never be executable. As a quick preventive measure, an Access Protection Rule such as preventing “My Documents” or “My Videos” from executing files is VERY proactive. On Unix-based systems, the same method to mount /tmp as non-executable to prevent bad ELF files from executing via web remote exploits can be applied similarly to user home and document folders: