Exploit-ZIP

Type: Trojan
SubType: Exploit
Discovery Date: 10/13/2004
Length:
Minimum DAT: 4397 (10/06/2004)
Updated DAT: 4688 (02/02/2006)
Minimum Engine: 5.1.00
Description Added: 10/06/2004
Description Modified: 10/19/2004 6:36 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a detection for ZIP files which have been modified to avoid detection by Anti-Virus vendors.

McAfee Advisory

McAfee:
"The McAfee scan engine has always been a market leader in detection of viruses, worms and Trojans within compressed and archived file formats. As such the mechanism used for the detection of such payloads has been designed to ensure all archive files are thoroughly scanned at each nested level in the file to ensure that all appropriate parts of the file are scanned.

McAfee is aware of a proof of concept exploitation in Zip archive payloads where information in the local header part of the archive is modified.

The local header exists just before the compressed data of each file. It is possible to modify the uncompressed size of archived files in the local header without affecting functionality. Consequently there is the potential for a malicious payload to be hidden and avoid anti-virus detection by modifying the uncompressed size within the local headers to zero.

The techniques used by McAfee to analyze Zip archives have allowed a comprehensive solution for the Zip file format vulnerability to be provided to protect customers.

The latest update for the current 4320 McAfee Anti-Virus Engine DATS drivers (Version 4398 released on Oct 13th 2004) further enhances the protection afforded to McAfee customers against such potential exploits.

A DATS Driver update issued in Version 4397 (October 6th 2004) provided early protection for the same potential exploit targeted specifically for Gateway and Command line scanning.

If a detection of this type of exploit is found it will trigger the message "Found the Exploit-Zip Trojan!" to be displayed.

Please see the advisory from iDefense for further details."
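As an added defender-side example (not code from McAfee or from the iDefense advisory), the following Python cross-checks each entry's local file header sizes against the central directory, which is exactly the comparison a scanner that trusts only the local header never makes. The archive, entry name and contents are constructed in memory for the demonstration.

```python
"""Added example: flag ZIP entries whose local header sizes disagree with
the central directory. The described evasion zeroes the uncompressed size
in the local header; the central directory still holds the real value."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
SAMPLE_CONTENT = b"harmless sample text " * 20  # constructed payload


def find_size_mismatches(data: bytes) -> list:
    """Return names of entries whose local header sizes differ from the
    (compressed, uncompressed) sizes the central directory records."""
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset  # central directory points at local header
            if data[off:off + 4] != LOCAL_SIG:
                mismatches.append(info.filename)
                continue
            if info.flag_bits & 0x08:
                # Bit 3 set: sizes legitimately live in a trailing data
                # descriptor, so zeroed local header fields are expected.
                continue
            # Local header: sig(4) ver(2) flags(2) method(2) time(2) date(2)
            # crc32(4) compressed size(4) uncompressed size(4) ...
            csize, usize = struct.unpack_from("<II", data, off + 18)
            if (csize, usize) != (info.compress_size, info.file_size):
                mismatches.append(info.filename)
    return mismatches


def build_sample(zero_local_usize: bool) -> bytes:
    """Build a one-entry archive; optionally zero the local header's
    uncompressed size field the way the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", SAMPLE_CONTENT)
    data = bytearray(buf.getvalue())
    if zero_local_usize:
        struct.pack_into("<I", data, 22, 0)  # first local header sits at offset 0
    return bytes(data)


def extract_payload(data: bytes) -> bytes:
    """Extraction still works: readers take sizes from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read("payload.txt")
```

A gateway scanner that extracts via the central directory sees the same bytes as the end user, so the mismatch itself is the signal worth alerting on.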

Symptoms

N/A.

Please note that this exploit simply prevents detection when samples are sent through gateway devices and with on-demand scans.

If a ZIP containing malware is extracted on a machine running an on-access scanner then the malware will be detected at that time and prevented from running.

Method of Infection

N/A

Removal

Variants

N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
