What is peculiar about this malware is its use of MIME-encoded data files as attachments, in addition to the usual executable types. The executable filename extensions that most malware uses are .exe, .scr, .pif and so on. Besides those, this one also uses the following MIME-encoded data file extensions:
- .b64
- .BHx
- .HQX
- .mim
- .uu
- .UUE
- .XxE
Inside each of these MIME files is a file that carries one of the usual executable extensions, disguised with the usual malware trick: a long run of spaces placed before the real extension, so that a casual look at the filename shows only the harmless-looking part in front of the padding.
What came to mind upon learning that it uses MIME-encoded files as attachments is the security issue in WinZip versions prior to 9.0 SR-1:
When providing long strings to certain parameters of MIME archives (.mim, .uue, .uu, .b64, .bhx, .hqx and .xxe extensions)… a buffer overflow will occur.
An attacker could attempt to use this buffer overflow to create a file that would execute malicious code of their choice when the file was opened by an earlier version of WinZip. The attacker would have to give the file one of the affected extensions, and would then have to trick you into opening the file; for example, by sending it to you as an e-mail attachment.
But at least that was not the intention of the author. Had it been, a large number of infections would have followed, considering that these MIME-encoded data files are supposed to be 'container' files and not 'executable' files. In that case many users, even average ones, might be fooled into double-clicking a MIME-encoded data file, and with the overflow the attacker's code would run as soon as the container was opened, without the file inside ever being extracted and launched by hand, but only for users running an affected version of WinZip.
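The two things worth checking on such attachments, the padded inner filename described above and the oversized MIME name parameter the WinZip advisory warns about, can be automated at a mail gateway or in a triage script. The following is an added example and not code from the original post, from Trend Micro or from WinZip: it parses .mim/.b64-style (base64 MIME) and .uu/.uue (uuencode) containers, reports an executable extension hidden behind whitespace padding, an overlong name parameter, and an inner payload that starts with the MZ executable signature. The padding run length, the name-length threshold and the sample containers are all constructed assumptions; BinHex (.hqx) and xxencode (.xxe) are not handled.

```python
"""Inspect MIME (base64) and uuencoded containers for a hidden executable.

Added example: not code from the original post, from Trend Micro or from
WinZip. It reads the name of the file inside the container (looking for
the whitespace-padding trick before the real extension, and for an
oversized name parameter of the kind the WinZip advisory describes) and
checks the first bytes of the decoded payload. BinHex (.hqx) and
xxencode (.xxe) containers are not handled here.
"""
import base64
import binascii
import email
import os
import re

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
PADDING_RUN = 5      # assumption: this many consecutive blanks in a name is padding
MAX_NAME_LEN = 255   # assumption: a longer name parameter is treated as suspicious
MZ = b"MZ"           # DOS/PE executable signature


def inspect_name(name):
    """Return the findings for one inner filename, or [] if nothing looks wrong."""
    findings = []
    if len(name) > MAX_NAME_LEN:
        findings.append("oversized name parameter (%d chars)" % len(name))
    # The real extension is the one after the padding, so take it from the end
    # of the name once trailing blanks are removed.
    real_ext = os.path.splitext(name.rstrip())[1].lower()
    if real_ext in EXEC_EXTS:
        findings.append("executable extension %s" % real_ext)
        if re.search(r"[ \t]{%d,}" % PADDING_RUN, name):
            findings.append("extension hidden behind whitespace padding")
    return findings


def inspect_payload(data):
    """Return the findings for the decoded inner file."""
    return ["payload starts with MZ (executable)"] if data.startswith(MZ) else []


def scan_mime(container):
    """Scan a .mim/.b64 style container: an RFC 2045 message with base64 parts."""
    # The default (compat32) policy is used on purpose: get_filename() then only
    # strips the ends of the name, so the padding before the real extension survives.
    msg = email.message_from_bytes(container)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        results.append((name, inspect_name(name) + inspect_payload(payload)))
    return results


def scan_uu(container):
    """Scan a .uu/.uue container: 'begin <mode> <name>' ... data lines ... 'end'."""
    results = []
    lines = container.decode("latin-1").splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"begin [0-7]{3,4} (.*)$", lines[i])
        i += 1
        if not m:
            continue
        name = m.group(1)
        data = bytearray()
        while i < len(lines) and lines[i] != "end":
            if lines[i] not in ("", "`"):   # "`" is the conventional zero-length line
                data += binascii.a2b_uu(lines[i].encode("latin-1"))
            i += 1
        results.append((name, inspect_name(name) + inspect_payload(bytes(data))))
    return results


# Constructed sample payload, not a real program: an MZ signature plus filler.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real executable"


def build_mime_sample():
    """Constructed .mim-style container wrapping FAKE_EXE under a padded name."""
    name = "readme.txt" + " " * 40 + ".exe"
    headers = [
        "MIME-Version: 1.0",
        'Content-Type: application/octet-stream; name="%s"' % name,
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="%s"' % name,
    ]
    body = base64.encodebytes(FAKE_EXE).decode("ascii")
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


def build_uu_sample():
    """Constructed .uue-style container wrapping FAKE_EXE under a padded name."""
    name = "photo.jpg" + " " * 30 + ".scr"
    lines = ["begin 644 " + name]
    for off in range(0, len(FAKE_EXE), 45):   # uuencode carries 45 bytes per line
        lines.append(binascii.b2a_uu(FAKE_EXE[off:off + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines).encode("ascii")


if __name__ == "__main__":
    for label, results in (("mime", scan_mime(build_mime_sample())),
                           ("uu", scan_uu(build_uu_sample()))):
        for name, findings in results:
            print(label, repr(name), findings)
```

Note that the name check and the payload check are deliberately independent: the padding trick only fools the eye, while the MZ check catches an executable whose name was changed to something innocent, and the length check flags the overlong parameter before any archive tool on the receiving end gets to parse it.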
References:
- WORM_GREW.A Details
- WORM_GREW.A Solution
- WinZip
- WinZip MIME Parsing Buffer Overflow Vulnerability