W32/Pahati-A: New month, old tricks

I analysed a Visual Basic worm this morning: W32/Pahati-A.

The sample came in with the filename winword.exe, which is obviously very suspicious since that is the normal name for the Microsoft Word application from the Office suite. Even more suspicious was the fact that the file also used an icon suggestive of a Word document. Curiouser and curiouser.

When run, the worm copies itself as ‘Patah Hati.doc .exe’ to local drives, including any inserted USB disks.

When extensions are hidden you would see:

[Image: Extension Hidden]

Of course, tricks such as spoofing the filename and/or icon have been used by Windows malware for years and we have previously blogged (1,2) about an increase in worms copying themselves to USB drives. The fact is that very little in the world of malware involves new tricks. Usually it is just the tricks of yesteryear being continually reinvented for modern times.
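The double-extension disguise described above can be checked for on local and removable drives. The following is an added example, not part of the original post: it flags names that end in a document-style extension, optional whitespace, then an executable extension, and reports what a user would see with extensions hidden. The extension lists, function names and sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed extension lists for this example; adjust to your environment.
DOC_EXTS = ("doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg")
EXE_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd")

# A document-style extension, optional whitespace padding, then an executable one.
DISGUISED = re.compile(
    r"\.(?:%s)\s*\.(?:%s)$" % ("|".join(DOC_EXTS), "|".join(EXE_EXTS)),
    re.IGNORECASE,
)

def shown_when_hidden(name):
    """Approximate what a user sees when known extensions are hidden:
    the final extension is dropped and trailing padding is invisible."""
    stem, _ext = os.path.splitext(name)
    return stem.rstrip()

def is_disguised(name):
    """True if the name ends in <doc ext><optional spaces><exe ext>."""
    return DISGUISED.search(name) is not None

def scan(root):
    """Walk root and return (relative path, name as displayed) for each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_disguised(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, shown_when_hidden(name)))
    return sorted(hits)

def demo():
    """Build a constructed directory tree of empty files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "usb"))
        for rel in ("usb/Patah Hati.doc .exe", "usb/report.doc",
                    "setup.exe", "notes.txt.exe"):
            open(os.path.join(root, *rel.split("/")), "w").close()
        return scan(root)

if __name__ == "__main__":
    for path, shown in demo():
        print(f"{path!r} displays as {shown!r}")
```

A name-based check like this only catches the filename trick; it says nothing about the icon spoofing the post also mentions.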