Number 278 - July 2006
Potentially Malicious Windows Files
This upload from Ray Mills, discusses a document that lists every Windows file type that could potentially have malicious security implications. The document can be viewed or downloaded from the website given.


   Roger Grimes has posted a free document that lists every Windows file type that could potentially have malicious security implications. It's ironic that it is a Word doc, since we learned last Thursday that attackers are exploiting an unknown zero-day flaw in Word to install rootkits. But this document isn't part of the problem; it's part of the solution.

   Grimes lists over 200 file extensions; rates each type's malicious risk; recommends whether to block the file type in IM and in Windows; shows its registry key; and even comments briefly and cogently on why it's a risk. You might think you have a good working knowledge of all this, but can you really explain whether a .OCX is safe or risky to allow at the gateway? How about a CAB file? .CHM? .QTIF? Each time he points out a problem, he also cites an authoritative source URL.

   This is terrific work, a boon to every security-conscious net administrator, and I hope a lot of people benefit from Grimes' painstaking work. Check it out for yourself: Potentially Malicious Windows Files. (Web address all one line no breaks, no hyphens)

New Instant Messaging Worm - The Strangest Worm Ever Seen
   A worm running through Yahoo's instant messaging network is installing a browser of its own--a first for IM malware--that leads users to adware and spyware sites, several security firms said Monday.

   The worm, dubbed "Yhoo32.explr" by IM security vendor FaceTime Communications on Friday (mid May 2006) and "Browaf" by Symantec on Monday, is installed when Yahoo users click on a malicious link embedded within an instant message.


   Yhoo32.explr downloads and installed the so-called "Safety Browser," which adds an IE-like icon to the desktop, and when used, takes the unsuspecting to sites where their PCs are infected with adware and spyware. The worm also changes the home page of IE to point to the malicious Safety Browser's site.

   To complicate things, Safety Browser doesn't post an Uninstall option in Windows' Add or Remove Programs Control Panel applet.

   This is one of oddest and more insidious pieces of malware we have encountered in years.

   This is the first instance of a complete web browser hijack without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser', have demonstrated the potential for serious damage by directing end-users to potentially illegal or illicit material. 'Rogue' browsers seem to be the hot new thing among hackers.

   Along with the bogus browser, the worm makes the PC blare out screeching music thick with bad guitar licks and drum solos. The headache-inducing noise plays every time the computer boots or Safety Browser launches.

   Anti-virus vendors, such as Symantec, are working on signatures to detect the new Yahoo IM worm.
  Number 278 - July 2006