video.exe is bad

(Any savvy Internet user should be thinking, “Well, duh!” right now)

I keep getting e-mails to my GMail account… They’re caught by the spam filter 100% of the time, but always catch my eye. They used to read, “What a stupid face you have mwaggy,” but I just got one saying “mwaggy is a moron.”

The text is always something short, linking to a file called video.exe. The latest one just reads:

this is the proof, watch: http://{REDACTED}/video1.exe

That alone makes it pretty certain that it’s some sort of malware. You don’t download attachments from random strangers (just like “You don’t take candy from random strangers”), but you most certainly don’t download executable attachments from random strangers (just like, “You don’t take obviously-poisoned candy from random strangers”).

But I’m a curious fellow. Why did I keep getting this file, and what was it? I was pretty confident that I could download it with impunity from Firefox (which doesn’t automatically run programs, though IE doesn’t anymore either), save it to my desktop, and then virus-scan it. But I figured I’d err on the side of safety, and instead downloaded it to my Linux server (via wget), and then I compressed it. Compression isn’t normally meant as a safety mechanism, but with a .exe, I could accidentally run it. If I accidentally double-clicked on video1.exe.gz, all I’d get would be an error that Windows didn’t know what to do with a .gz file. I figured I could download it, decompress it into a directory but not open the directory, and virus scan it to see what it was.
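The workflow described above (fetch with wget on a Linux box, keep the file from ever being executable, gzip it, then scan) as an added shell example. It is not the post's own commands; it assumes standard GNU tools (wget, head, sha256sum, gzip, chmod), treats clamscan as optional, and the "sample" it builds is a constructed fake with an MZ header rather than the real video1.exe.

```shell
#!/bin/sh
# Added example (not from the original post): handle a suspected-malware
# download on a Linux box without ever giving it a chance to execute.
# Assumes wget, head, sha256sum, gzip and chmod; clamscan is optional.
set -eu

# Fetch the sample to an explicit path and immediately drop the execute bits.
# Not exercised offline; the URL would be whatever the e-mail contained.
fetch_sample() {
    url="$1"; dest="$2"
    wget -q -O "$dest" "$url"
    chmod a-x "$dest"
}

# A file called video.exe is a Windows executable if its first two bytes are
# the DOS/PE magic "MZ", whatever the name or the e-mail claims.
is_windows_exe() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Neutralise a sample the way the post does: strip execute bits, print the
# SHA-256 of the original bytes for the record, then gzip it so a stray
# double-click on the .gz yields a "no handler" error instead of running it.
neutralise_sample() {
    sample="$1"
    chmod a-x "$sample"
    sha256sum "$sample" | cut -d' ' -f1
    gzip -f "$sample"            # leaves "$sample.gz" and removes the original
}

# Scan the compressed sample if ClamAV is installed. clamscan exits 1 when it
# flags a file, so report that rather than letting set -e abort the script.
scan_if_possible() {
    if command -v clamscan >/dev/null 2>&1; then
        if ! clamscan --no-summary "$1"; then
            echo "scanner flagged $1" >&2
            return 1
        fi
    else
        echo "clamscan not installed; skipping scan of $1" >&2
    fi
}

# Constructed stand-in for video1.exe: a fake MZ header followed by filler.
# It is not a real program and cannot run anywhere.
make_fake_sample() {
    printf 'MZ\220\000\003\000' > "$1"
    printf 'constructed filler, not a real executable' >> "$1"
}
```

Typical use is `fetch_sample "$url" ./video1.exe && is_windows_exe ./video1.exe && neutralise_sample ./video1.exe && scan_if_possible ./video1.exe.gz`; the hash printed by neutralise_sample is what you would look up or submit to a scanner, and the .gz is what you would copy to a Windows machine, if at all.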

But I was never able to download the file from my server! I entered the URL for video1.exe.gz on my server, but Firefox popped up an error that the transfer was interrupted. I kind of paused for a minute, trying to figure out what had just happened.

And then I noticed that NOD32 had just popped up a red box. It had noticed that the gzipped file I was downloading contained a virus and aborted the transfer, moving the file into a quarantine directory.

NOD32 suggests that it’s a likely variant of the Nuwar worm. It makes it sound as if the infected machine will begin mailing itself to people in the address book on the computer, but the IP of the latest one comes back to a system in Florida, where I’m pretty sure I haven’t e-mailed anyone.
