Last week a friend had an ugly Internet worm virus. The interesting thing was
that the virus was attached as a .pif file, which contains a Word document and the virus exe.
After a double click, the documents were split and the Word file
could be viewed normally. The exe part was executed. So the user
didn't recognize that anything unusual had happened.
So I wonder, what is a .pif for? (I only know it for storing DOS program information and icons.) And how to wire some other
data into a pif?
beaster.
(I don't want to make my own virus! I'm only interested in the technical stuff.)
Also funny: the virus was written in TurboPascal / Delphi and
is 130 KByte large :grin: !!
I got about 40 versions of that virus during this summer.
It's most of the time a short msg with a document like
something.doc.pif
something.doc.com
something.doc.bat
something.doc.exe
etc...
(s)
beaster,
Sounds like a copy of SirCam. I have had 20 or 30 of them but they are starting to die out now, about 160k of Delphi junk with random attachment names taken from the DOCS directory apparently. AVP and a few of the AV companies have data on it and how to get rid of it.
Regards,
hutch@pbq.com.au
beaster,
.pif is a file extension for DOS shortcuts, and typically Windows
wouldn't show this extension in Explorer.
If, for example, you rename any exe file to a .pif extension, it will still execute, as the first two bytes inside are the MZ signature.
Simply, any exe file has the ability to call MS Word and display any .doc file.
All the extensions that (scalp) showed will execute any exe file.
He just missed the .SCR extension.
This is just a poor trick taking advantage of innocent people.
Thanks, quite interesting!
Indeed, it was a SirCam.
I got hit by something similar a month ago, 'cept it attached .VBS to my media files (BMP, MP3, etc)... I was a resource dictator and didn't allow NAV to run in the background.
Lost quite a few files on the hard drive and pretty much hosed it. I will reformat when I save up enough to get win2k pro... but still have my best porn links on the net saved in IE heh
l8a
PIF was the extension used for Win16 shortcuts.
.PIF is the extension for all DOS programs. I mean shortcuts.
Just try in Windows:
Find *.pif
and you will be surprised at how many you will find on your hard drive.
And if it is more than 4kb in size, you have something suspicious going on on your PC.
:)
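A defender's triage check for the tricks described in this thread (the double extension, the MZ signature behind a .pif name, and the "more than 4kb" rule of thumb), as an added example that is not part of any poster's message. The decoy-extension list, the reason labels and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Final extensions the thread lists as running whatever executable is inside.
LAUNCHABLE = {".pif", ".com", ".bat", ".exe", ".scr"}
# Decoy document/media extensions placed before the real one (assumed list).
DECOY = {".doc", ".xls", ".txt", ".jpg", ".bmp", ".mp3", ".zip"}
PIF_SIZE_LIMIT = 4 * 1024  # the thread's "more than 4kb" rule of thumb


def triage(path):
    """Return the reasons a file (given as a Path) looks like a disguised executable."""
    suffixes = [s.lower() for s in path.suffixes]
    final = suffixes[-1] if suffixes else ""
    with path.open("rb") as fh:
        magic = fh.read(2)
    reasons = []
    # name.doc.pif: with the last extension hidden, the user sees "name.doc".
    if len(suffixes) >= 2 and final in LAUNCHABLE and suffixes[-2] in DECOY:
        reasons.append("double-extension")
    if final in {".pif", ".bat"} and magic == b"MZ":  # EXE magic behind a non-EXE name
        reasons.append("mz-header")
    if final == ".pif" and path.stat().st_size > PIF_SIZE_LIMIT:
        reasons.append("oversized-pif")
    return reasons


def scan(directory):
    """Map file name -> reasons for every flagged file under directory."""
    files = (p for p in Path(directory).rglob("*") if p.is_file())
    found = {p.name: triage(p) for p in files}
    return {name: why for name, why in found.items() if why}


def demo():
    """Scan a temp directory of constructed sample files (no real malware)."""
    samples = {
        "something.doc.pif": b"MZ" + b"\x00" * 5000,  # renamed-EXE stand-in
        "EDIT.PIF": b"\x00" * 545,                    # small shortcut stand-in
        "setup.exe": b"MZ" + b"\x00" * 100,           # honest extension
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        return scan(tmp)


if __name__ == "__main__":
    print(demo())
```

Pointing `scan()` at a mail-attachment or download directory gives a quick list of files worth a closer look; the size threshold is the poster's heuristic, not a format limit.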
Windows creates a PIF file anytime you run a DOS program and change the default properties of the "DOS box" that it runs in. For example, if you hide the toolbar, use a different font, or change the memory management settings for a certain program, Windows saves the info in a PIF file with the same name as the associated EXE file. When you run the program, Windows loads the PIF file to set up the DOS box. :)
Just try to save this little file and double click it.
It is an innocent file, which you already have on your machine anyway. Just with a different extension.
It is a stupid trick, isn't it?
I got hit by something similar a month ago, 'cept it attached .VBS to my media files (BMP, MP3, etc)...
What do you mean, attached? If the file extension is BMP, MP3, etc, then the file is pretty much harmless, even if it is an executable file in reality. If the extension name is .exe, .pif, .com, but it's actually a media file with an executable "attached" to the end, it still won't execute and do any harm, so what do you mean?