New Worm Same As The Old Worm
David Utter Staff Writer
2008-02-26
We have all heard of security by obscurity, but some malware creators are opting for attacking from obscurity.
Going after the master boot record on a hard drive was a trick of old-school virus writers. Nonetheless, the tactic has been seen again in the 21st century. It isn't the only one breaking out of the coffin and wandering around looking for brains, either.
Security vendor Symantec said another forgotten trick reemerged in a worm circulating on the Internet. This worm, called W32.Joydotto by Symantec, copies itself to removable devices when possible.
The real evil begins when someone attempts to remove the autorun.inf file the worm brings along as part of the installation. Symantec's Liam OMurchu said when the worm copies itself to a removable device, it does so without a filename.
When the worm stores and encrypts itself, the clusters on the storage device become marked as "corrupted/reserved" so they will not be overwritten. This manifests as bad sectors, but those actually hide the worm.
Deleting the autorun.inf manually leads to the device being reinfected by the worm, and more sectors are marked as corrupt to hide the new copy. Reformatting the disk will recover the bad sectors, according to OMurchu.
"The trick this worm uses was not as popular, but it is still an effective technique for hiding files," he said. "The emergence of this worm does show that virus writers are looking to the past and are creating new worms using old and forgotten (but not quite) tricks."
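A defender's triage check for the hiding technique described above, as an added example that is not from the article or from Symantec: it walks the allocation table of an acquired disk image, lists clusters marked bad or reserved, and flags those that hold high-entropy data, as an encrypted payload would. It assumes a FAT32 volume (the article does not name the filesystem); the function names, the entropy threshold and the miniature sample image are constructed for illustration.

```python
import math
import struct
from collections import Counter

BAD = 0x0FFFFFF7                           # FAT32 "bad cluster" marker
RESERVED = range(0x0FFFFFF0, 0x0FFFFFF7)   # FAT32 reserved cluster values

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits near 8.0."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def flagged_clusters(image):
    """List (cluster, FAT entry, entropy) for clusters marked bad or reserved."""
    bps, spc, rsvd, nfats = struct.unpack_from("<HBHB", image, 11)  # BPB fields
    fat_sectors, = struct.unpack_from("<I", image, 36)              # FAT32 FAT size
    fat_off, csize = rsvd * bps, bps * spc
    data_off = (rsvd + nfats * fat_sectors) * bps
    hits = []
    for n in range(2, (len(image) - data_off) // csize + 2):  # clusters start at 2
        entry = struct.unpack_from("<I", image, fat_off + 4 * n)[0] & 0x0FFFFFFF
        if entry == BAD or entry in RESERVED:
            start = data_off + (n - 2) * csize
            hits.append((n, entry, entropy(image[start:start + csize])))
    return hits

def suspicious(image, threshold=7.0):
    """Heuristic (assumed threshold): 'bad' clusters that hold high-entropy data."""
    return [n for n, _, h in flagged_clusters(image) if h >= threshold]

def make_sample():
    """Constructed miniature FAT32-style image (8 data clusters, not mountable)."""
    bps, n = 512, 8
    img = bytearray(bps * (2 + n))           # boot sector + one FAT sector + data
    struct.pack_into("<HBHB", img, 11, bps, 1, 1, 1)
    struct.pack_into("<I", img, 36, 1)
    def put(cluster, entry, payload):
        struct.pack_into("<I", img, bps + 4 * cluster, entry)
        off = 2 * bps + (cluster - 2) * bps
        img[off:off + bps] = payload
    put(3, 0x0FFFFFFF, b"plain text file ".ljust(bps, b"."))  # ordinary file
    for c in (6, 7):                                          # stand-in for hidden data
        put(c, BAD, bytes((i * 167 + c) % 256 for i in range(bps)))
    put(9, BAD, bytes(bps))                                   # marked bad, but empty
    return bytes(img)

if __name__ == "__main__":
    for cluster, entry, h in flagged_clusters(make_sample()):
        print(f"cluster {cluster}: FAT entry {entry:#010x}, entropy {h:.2f}")
```

Run it against an image of the device rather than the live device, since reads of genuinely failing sectors will error out; a high-entropy hit is a lead for further analysis, not proof of infection.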
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.