A RARe Virus Delivery Method

Mark Berry July 27, 2010

Yesterday I received the following email from someone I don’t know:

[Screenshot: RAR virus attachment]

The unusual thing is the .rar attachment. RAR is an archive format that is less common than .zip in the Windows world.

I had an old copy of the freeware UnRAR on my machine so I had a look at the file contents. Sure enough, it’s a script file (.scr) which, like an .exe file, can make changes to a machine.

Virus Scanning Not Enough

This file was delivered through Postini, which means their virus scanner didn’t catch it. In fact, as of this writing, VirusTotal shows 23 of 42 antivirus engines identifying the malware. Major engines like AVG, ClamAV, and Sophos are not catching it yet. While infection is less likely since many people won’t have a .rar archive utility installed, it is still up to the user to remember: don’t open attachments from unknown senders. In fact, it’s best to avoid attachments even when you know the sender unless you are specifically expecting an attachment from them.
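As an added example (not from the original post), here is the kind of gateway-side check that would have caught this attachment regardless of antivirus signatures: walk the RAR 4.x block headers to list the archive's entries without extracting anything, and block the message when an entry carries an extension Windows will execute, .scr included. The sample archive bytes, helper names and extension list below are my constructions; RAR5 and anything unparseable are quarantined rather than passed through.

```python
import os, struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"          # RAR 4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"      # RAR 5 uses a different header layout (not parsed here)
FILE_HEADER, LONG_BLOCK = 0x74, 0x8000    # block type; flag: ADD_SIZE bytes of data follow the header
# Extensions Windows runs on double-click. .scr (screensaver) is a PE executable, not a script.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk"}

def rar4_entries(data):
    """Return [(name, unpacked_size), ...] from a RAR 4.x archive without extracting it."""
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR 4.x archive")
    pos, entries = len(RAR4_MAGIC), []
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)   # HEAD_CRC TYPE FLAGS SIZE
        if hsize < 7:
            raise ValueError("corrupt block header")
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if htype == FILE_HEADER:  # 25 bytes of fixed fields, then FILE_NAME at offset 32
            _pack, unp_size, _os, _fcrc, _time, _ver, _method, name_size, _attr = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            entries.append((data[pos + 32:pos + 32 + name_size].decode("cp437", "replace"), unp_size))
        pos += hsize + add_size   # skip header plus packed data; nothing is decompressed
    return entries

def classify_rar_attachment(data):
    """Gateway verdict ('block' | 'quarantine' | 'allow', reason). Unparseable input fails closed."""
    if data.startswith(RAR5_MAGIC):
        return "quarantine", "RAR5 archive: contents not inspected"
    try:
        entries = rar4_entries(data)
    except ValueError as err:
        return "quarantine", str(err)
    for name, _size in entries:
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            return "block", f"executable inside archive: {name}"
    return "allow", f"{len(entries)} non-executable entries"

# --- constructed sample archive (HEAD_CRC left 0; the parser above does not verify CRCs) ---
def rar4_block(htype, flags, body=b"", payload=b""):
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body + payload

def file_header_body(name, payload):  # PACK UNP HOST_OS FILE_CRC FTIME UNP_VER METHOD(0x30 stored) NAME_SIZE ATTR
    return struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20) + name

PAYLOAD = b"MZ-constructed-placeholder-not-a-real-binary"
SAMPLE_RAR = (RAR4_MAGIC + rar4_block(0x73, 0, b"\x00" * 6)                       # archive header
              + rar4_block(0x74, 0x8000, file_header_body(b"Invoice_2010.scr", PAYLOAD), PAYLOAD)
              + rar4_block(0x74, 0x8000, file_header_body(b"readme.txt", b"hi"), b"hi")
              + rar4_block(0x7b, 0x4000))                                         # end-of-archive
```

`classify_rar_attachment(SAMPLE_RAR)` returns a block verdict naming `Invoice_2010.scr`; a double extension such as `report.pdf.scr` is caught the same way because only the final extension is tested.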
