The many faces of malware >O

I thought it would be most appropriate to start this blog entry with an “Ouch” emoticon >O. Read on… and the problem shall present itself.

A relatively harmless-looking CHM file (compiled HTML help file) came across my desk today. Opening this file I found a fascinating collection of images from the August 1946 National Geographic article by Lt. Col. Ilya Tolstoy titled “Across Tibet from India to China”. The CHM file was appropriately titled “Photos of Tibet in the early 1940’s”. Before anything else, I feel I should share two of the more interesting pictures from that collection:

[Image: The Ch’am masked dance festival]

[Image: The impressive Potala Palace]

So while you were busy looking at pictures of Tibet from the 1940s, a lot has been happening on your computer. First, the CHM file dropped a file called music.exe. That file in turn dropped two more, conime.exe and zipfldr.dll (both borrowing the names of legitimate Windows components, so they do not stand out in a process or file listing), and then deleted itself. These two dropped files contacted a remote server and downloaded two further files, photos-downloaded1.exe and photos-downloaded2.exe, which then contacted yet another remote server. All of this happened in the time it took you to view those pictures of Tibet.
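
The chain above is exactly the kind of thing endpoint telemetry can reconstruct: the HTML Help viewer (hh.exe, which Windows uses to open .chm files) has no business spawning executables, and everything that follows is evidence hanging off that one child process. The script below is an added example, not code from the original post or from Sophos. The event format, the drop paths, PIDs and server addresses are constructed for the example, and the look-alike-name check is an added heuristic rather than something the post describes.

```python
"""Added example, not code from the original post or from Sophos: reconstruct
the CHM dropper chain described above from endpoint telemetry and flag it.
The event format, the paths, PIDs and addresses are constructed for this
example; hh.exe is the Windows HTML Help viewer that opens .chm files."""
from collections import defaultdict, deque

TEMP = r"C:\Users\u\AppData\Local\Temp"  # constructed drop location

# Constructed telemetry modelled on the chain in the post: process creation,
# file creation/deletion and outbound connections, in the order they happened.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 50, "image": r"C:\Windows\hh.exe",
     "cmdline": r'hh.exe "C:\Users\u\Downloads\photos-of-tibet.chm"'},
    {"type": "file_create", "pid": 100, "path": TEMP + r"\music.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": TEMP + r"\music.exe", "cmdline": "music.exe"},
    {"type": "file_create", "pid": 101, "path": TEMP + r"\conime.exe"},
    {"type": "file_create", "pid": 101, "path": TEMP + r"\zipfldr.dll"},
    {"type": "process", "pid": 102, "ppid": 101, "image": TEMP + r"\conime.exe", "cmdline": "conime.exe"},
    {"type": "file_delete", "pid": 101, "path": TEMP + r"\music.exe"},  # dropper removes itself
    {"type": "network", "pid": 102, "dst": "203.0.113.10:80"},           # first remote server
    {"type": "file_create", "pid": 102, "path": TEMP + r"\photos-downloaded1.exe"},
    {"type": "file_create", "pid": 102, "path": TEMP + r"\photos-downloaded2.exe"},
    {"type": "process", "pid": 103, "ppid": 102, "image": TEMP + r"\photos-downloaded1.exe",
     "cmdline": "photos-downloaded1.exe"},
    {"type": "network", "pid": 103, "dst": "198.51.100.7:443"},          # second remote server
    # Benign control: the help viewer opening a real help file and spawning nothing.
    {"type": "process", "pid": 200, "ppid": 50, "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe C:\Windows\Help\legit.chm"},
]

# The dropped files in the post borrow the names of legitimate Windows
# components; a copy of one of these outside the Windows directory is a
# cheap extra signal (added heuristic, not something the post describes).
WINDOWS_LOOKALIKES = {"conime.exe", "zipfldr.dll"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_process_tree(events):
    """Map pid -> process event and ppid -> [child pids]."""
    procs, children = {}, defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
    return procs, children


def descendants(pid, children):
    """Every pid reachable from pid by following parent -> child edges."""
    seen, queue = set(), deque(children.get(pid, []))
    while queue:
        p = queue.popleft()
        if p not in seen:
            seen.add(p)
            queue.extend(children.get(p, []))
    return seen


def analyze_chm_chains(events):
    """One finding per hh.exe instance that spawned a process tree.

    A help viewer should render HTML, not launch executables, so any child
    process is the trigger; the rest of the finding is the evidence collected
    from that subtree: files it wrote, images it deleted, hosts it contacted."""
    procs, children = build_process_tree(events)
    findings = []
    for pid, root in procs.items():
        if basename(root["image"]) != "hh.exe":
            continue
        subtree = descendants(pid, children)
        if not subtree:
            continue  # viewer that spawned nothing: treat as benign
        actors = subtree | {pid}
        created = [e["path"] for e in events if e["type"] == "file_create" and e["pid"] in actors]
        remote = sorted({e["dst"] for e in events if e["type"] == "network" and e["pid"] in actors})
        # A process that deletes its own image is covering its tracks.
        self_deleting = sorted(
            basename(procs[c]["image"]) for c in subtree
            if any(e["type"] == "file_delete" and e["pid"] == c
                   and e["path"].lower() == procs[c]["image"].lower() for e in events))
        lookalikes = sorted({basename(p) for p in created
                             if basename(p) in WINDOWS_LOOKALIKES
                             and not p.lower().startswith("c:\\windows\\")})
        findings.append({
            "root_pid": pid,
            "root_cmdline": root["cmdline"],
            "spawned": sorted(basename(procs[c]["image"]) for c in subtree),
            "dropped": sorted(basename(p) for p in created),
            "remote_hosts": remote,
            "self_deleting": self_deleting,
            "lookalike_names": lookalikes,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_chm_chains(EVENTS):
        print(f"hh.exe pid {f['root_pid']} spawned {f['spawned']}, dropped {f['dropped']}, "
              f"contacted {f['remote_hosts']}, self-deleting: {f['self_deleting']}, "
              f"Windows look-alike names: {f['lookalike_names']}")
```

The trigger is deliberately narrow (hh.exe with any child process) so that the benign control case produces no finding; the dropped files, the self-deletion and the two remote servers are then reported as supporting evidence rather than each being its own alert. Real telemetry (Sysmon, EDR) carries the same fields under different names, so only the event loading needs to change.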

Have no fear: two of these files were proactively detected by Sophos as Mal/Emogen-Y and Mal/Emogen-AA, and the rest are detected as Troj/CHMDrop-B. This malicious CHM file was spammed out in a targeted campaign, which once again reminds me to remind everyone out there: “Please don’t open unsolicited attachments”. A file type as harmless-sounding as a CHM help file can be used to carry and launch malware, as this case proves once again. A CHM is not just a bundle of HTML pages; the HTML Help viewer that opens it can run script and launch programs from the embedded content, so a “help file” attachment can behave exactly like an installer.