spf-discuss

Re: unknown

2004-03-28 12:47:55
On Sun, Mar 28, 2004 at 01:32:15PM -0600, wayne wrote:
> In <20040328190715(_dot_)41155DEA7(_at_)portent(_dot_)listbox(_dot_)com>
> mengwong(_at_)dumbo(_dot_)pobox(_dot_)com writes:
> [attached zip file deleted]
>
> Uh, I'm unable to deal with the data in the zip file because I don't
> have any software that deals with .pif files on my linux box.  (What
> are .pif files anyway?)

This really is an email worm (probably some variant of mydoom or netsky).
Apparently some infected machine somewhere forged a message from Meng's address
to the list posting address, which dutifully forwarded it on to all the
subscribers.

The .pif file type is an anachronism from the days of Windows 3.1, where DOS
programs sometimes needed to supply some extra information to Windows in order
to run properly (the pif file could hold information such as window size and
location, or multitasking settings). Because Microsoft almost never removes
features, the .pif extension is to this day recognized as an "executable" file
type. Now, once Windows decides that a file is an executable, it does not use
the file extension to determine *how* to run the program. It looks at the file
contents instead. So this file is in fact a Win32 executable which is the worm
payload. Running it on a Windows computer would infect the computer.

The final bit of this story is that default Windows settings hide the file
extension when showing filenames. So most users will only see the file as
"talk.doc" instead of "talk.doc.pif". The .doc extension is a red herring; it
really isn't a Word document file and Windows will not treat it as such.

Sorry about the off-topic post, but I think it's probably valuable for those of
us in the anti-worm community to be aware of the kinds of things we're up
against.

Greg Hewgill
http://hewgill.com
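A worked check for the two tricks Greg describes (Windows picking the loader from file contents rather than the extension, and the default hidden-extension setting turning "talk.doc.pif" into "talk.doc"), as an added example that is not part of the original post or of any list software. The extension lists, the sample message, the file name and the minimal PE-like blob are all constructed for illustration; the PE test only looks at the DOS stub and the "PE\0\0" signature at e_lfanew.

```python
"""Flag e-mail attachments that abuse Windows extension handling (constructed example)."""
import os
import struct
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows runs directly. Illustrative subset, not an exhaustive list;
# .pif is the Windows 3.1 leftover discussed in the post.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd"}

# Extensions worms put in front of the real one as a decoy ("talk.doc.pif").
DECOY_EXTENSIONS = {".doc", ".txt", ".pdf", ".jpg", ".htm", ".html", ".zip"}


def displayed_name(filename: str) -> str:
    """Mimic Explorer's default 'hide extensions for known file types' setting.

    Only the last extension is hidden, so 'talk.doc.pif' is shown as 'talk.doc'.
    Assumption: every extension in the two sets above counts as a known type.
    """
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTENSIONS | DECOY_EXTENSIONS:
        return stem
    return filename


def is_pe_image(data: bytes) -> bool:
    """Content-based check: 'MZ' DOS header, then 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Combine name-based and content-based signals for one attachment."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {ext} is runnable on Windows")
        if inner_ext in DECOY_EXTENSIONS:
            reasons.append(f"double extension; Explorer shows it as '{displayed_name(filename)}'")
    if is_pe_image(data):
        reasons.append("content is a Win32 PE executable")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"PE content behind non-executable extension {ext or '(none)'}")
    return {
        "filename": filename,
        "displayed": displayed_name(filename),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_message(raw: bytes) -> list:
    """Walk a raw RFC 822 message and classify every part that carries a filename."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append(classify_attachment(name, payload))
    return findings


def fake_pe() -> bytes:
    """Constructed minimal PE-like blob: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_message() -> bytes:
    """Constructed message resembling the worm mail: decoy body plus talk.doc.pif."""
    msg = EmailMessage()
    msg["From"] = "forged-sender@example.invalid"
    msg["To"] = "list@example.invalid"
    msg["Subject"] = "unknown"
    msg.set_content("see attached")
    msg.add_attachment(fake_pe(), maintype="application",
                       subtype="octet-stream", filename="talk.doc.pif")
    return bytes(msg)


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding["filename"], "->", finding["displayed"], finding["reasons"])
```

Both signals matter: the name check catches the decoy before any bytes are inspected, and the content check catches a PE renamed to something Windows would not run by extension but a user might still launch from a downloaded archive.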

