FOCUS-VIRUS
Subject: [Kaspersky Lab Press Release] Beware the PIF! A Dangerous Monster Can Hide Beneath Harmless Files (fwd)
Date: Thu Oct 26 2000
Author: Jeremy Paquette

FOR IMMEDIATE RELEASE
25 October 2000

Beware the PIF! A Dangerous Monster Can Hide Beneath Harmless Files

Moscow, Russia, October 25, 2000 - Kaspersky Lab, an international anti-virus software development company, considers it necessary to draw users' attention to a threat that programs with the PIF extension can pose to the normal operation of personal computers and corporate networks. Because of the lack of awareness of this problem, Kaspersky Lab has begun to receive numerous reports of virus infections caused by this type of malicious program.

PIF-files (Program Information Files) are standard Windows files that the operating system uses to store information about start-up properties for DOS-applications. PIF-files contain the application's necessary details, such as its name, size, location, creation and modification date, default screen size, memory usage, idle sensitivity, etc. This Windows feature saves users from making multiple adjustments to a DOS-application's operating mode each time it is started. It is enough to set up the program once and save the configuration to a PIF-file.

Therefore, PIF-files contain only technical details that provide ease of use for users working with DOS-applications under Windows. It appears as though there is no need to worry about malicious programs that may be planted inside PIF-files. This mistaken belief makes users careless about PIF-files. Some people arbitrarily run PIF-files received from untrustworthy sources, without performing a comprehensive anti-virus check, thinking that no malicious code can hide inside. In fact, PIF-files can contain hidden executable modules, for instance, BAT, EXE or COM programs that will be automatically executed after the host file is run.

An illustrative example of planting malicious code inside a PIF-file is the world's first PIF Internet worm, 'Fable', which was discovered recently. It arrives on the computer in an e-mail message with a subject chosen at random from the following variants:

- Fable
- Something You Should Read
- Very Important That You Receive This

The message body contains just one phrase that is randomly chosen from one of these:

- A nice little fable
- Wanted to make sure you received this

In addition, there is an infected file, FABLE.PIF, attached to the message. Once it is started, the worm creates a set of supplementary files, securing its constant presence in the system and distributing its copies through IRC channels and e-mail. The e-mail spreading routine follows the standard for the majority of Internet worms: 'Fable' creates a VBS file that, unbeknownst to the user, gains access to the Outlook e-mail program and sends out copies of the virus to all the recipients from the Outlook address book.

Another good example of the misuse of PIF-files is the Internet worm MTX, which was originally discovered in September and caused an epidemic in many countries worldwide. The infected files it distributes via e-mail have a PIF extension. In fact, these are ordinary Windows EXE-files that were intentionally renamed. When such a "PIF-file" is started, the original malicious code is automatically executed, causing the system infection. Users who are not aware of the potential threat of PIF-files are tricked into clicking on the attachment.

Kaspersky Lab has not received any reports of the 'Fable' worm being 'in-the-wild'.

"We consider there is no reason to panic. We classify this worm as a proof-of-concept rather than something that poses a real threat," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "However, we would like to draw the user's attention to the fact that PIF files are not as harmless as they may look.
Besides ingeniously hidden PIF-viruses, they can carry other types of malware. We recommend users not to run these files, especially if they are received from an untrustworthy source".

Further details on the 'Fable' worm are available at Kaspersky's Virus Encyclopedia at www.viruslist.com.

Protection against this worm has already been added to the daily update of AntiViral Toolkit Pro (AVP).

About Kaspersky Lab

Kaspersky Lab Ltd. is a fast-growing, international, privately owned anti-virus software development company with offices in Moscow (Russia), Cambridge (UK) and Johannesburg (South Africa). Founded in 1997, the company concentrates its efforts on the development of world-leading anti-virus technologies and software. Kaspersky Lab also provides free online security-related Internet information services. The company markets, distributes and supports its software and services in more than 40 countries worldwide.

Media Contacts

Denis Zenkin
Kaspersky Lab, Ltd.
Phone: +7 (095) 797 87 00
E-mail: denis@avp.ru
WWW: http://www.kasperskylabs.com

Sara Claridge
Marylebone Media Relations
Phone +44 118 975 5188
E-mail sara@marylebone.co.uk

Best Regards,
Denis Zenkin
Head of Corporate Communications
Kaspersky Lab Ltd
10, Geroyev Panfilovtsev St, Moscow, 123363, Russia
Tel.: +7 095 948 56 50; Fax: +7 095 948 43 31; Mobile: +7 095 798 98 76
E-mail: denis@kaspersky.com; http://www.kaspersky.com; http://www.viruslist.com
Secure Your Cyberspace with Kaspersky Anti-Virus (AVP)!

---------- Forwarded message ----------
Date: Thu, 26 Oct 2000
From: Denis Zenkin
Subject: [Kaspersky Lab Press Release] Beware the PIF! A Dangerous Monster Can Hide Beneath Harmless Files
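
The release's MTX case (an ordinary EXE renamed to .PIF) can be caught at a mail gateway by checking attachment content instead of trusting the extension. The sketch below is an added example, not Kaspersky Lab's code: the function names and sample messages are constructed, and the "MICROSOFT PIFEX" marker at offset 0x171 is assumed from the commonly documented PIF layout and used only as a heuristic.

```python
import email
from email import policy
from email.message import EmailMessage

MZ_MAGIC = b"MZ"                 # DOS/Windows executable signature
PIFEX_OFFSET = 0x171             # assumption: end of the basic PIF section
PIFEX_MARK = b"MICROSOFT PIFEX"  # assumption: heading of the extended sections

def classify_pif(data: bytes) -> str:
    """Classify the bytes of a *.pif attachment by content, not by name."""
    if data[:2] == MZ_MAGIC:
        return "renamed-executable"      # the MTX pattern from the release
    if data[PIFEX_OFFSET:PIFEX_OFFSET + len(PIFEX_MARK)] == PIFEX_MARK:
        return "pif-shortcut"            # still runs whatever program it names
    return "unrecognised"

def scan_message(raw: bytes) -> list:
    """Return (filename, classification) for every .pif attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".pif"):   # also matches "notes.txt.pif"
            data = part.get_payload(decode=True) or b""
            findings.append((name, classify_pif(data)))
    return findings

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message carrying one binary attachment."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("constructed body")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed payloads: a bare MZ stub and a minimal PIF-shaped blob.
FAKE_EXE = MZ_MAGIC + bytes(62)
FAKE_PIF = bytes(PIFEX_OFFSET) + PIFEX_MARK + b"\x00" + bytes(16)

if __name__ == "__main__":
    for name, blob in (("report.pif", FAKE_EXE), ("setup.PIF", FAKE_PIF)):
        print(scan_message(build_sample(name, blob)))
```

Every finding is a candidate for quarantine, since the release notes that genuine PIF files can also launch hidden programs; the classification only tells the analyst which of the two cases was seen.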