Interesting attached malware file .uue

Henry Law
Jul 25, 2016, 6:49:30 AM
I had a friendly email from a packaging company in Leicester this
morning, asking me to quote against an attached Purchase Order. Ha ha;
obviously some kind of malware distributor. The attachment was called
"PO.uue", which intrigued me, since .uue is usually a uuencoded file.

I detached it on my linux machine and had a look at it. Not uuencoded
at all, in fact, but a RAR file containing "Documents.scr". Curiouser
and curiouser, since my only experience of .scr is a Windows Screensaver.

I've got no further in identifying the actual payload of this thing,
except to note that EMacs identifies the thing as a graphic file and
invokes its Imagemagick mode, which surprised me even further. The
displayed graphic is nonsense, though: see
http://www.lawshouse.org/misc/Documents.scr.InEmacs.png

Has anyone any knowledge of this kind of attack, who could satisfy my
curiosity by explaining firstly how the .uue file is interpreted by
Windows (presumably the target environment), and on the assumption that
it's automatically extracted, how the Screensaver file is given control
so that whatever nasty stuff it contains is made active.

--

Henry Law Manchester, England

Richard Kettlewell
Jul 25, 2016, 7:24:50 AM
Henry Law <ne...@lawshouse.org> writes:
> I had a friendly email from a packaging company in Leicester this
> morning, asking me to quote against an attached Purchase Order. Ha
> ha; obviously some kind of malware distributor. The attachment was
> called "PO.uue", which intrigued me, since .uue is usually a uuencoded
> file.
>
> I detached it on my linux machine and had a look at it. Not uuencoded
> at all, in fact, but a RAR file containing "Documents.scr". Curiouser
> and curiouser, since my only experience of .scr is a Windows
> Screensaver.
>
> I've got no further in identifying the actual payload of this thing,
> except to note that EMacs identifies the thing as a graphic file and
> invokes its Imagemagick mode, which surprised me even further. The
> displayed graphic is nonsense, though: see
> http://www.lawshouse.org/misc/Documents.scr.InEmacs.png

Could be coincidence, but it looks suspiciously like a ZX Spectrum
crashing. Is it perhaps 6912 bytes long?

http://fileformats.archiveteam.org/wiki/SCR_(ZX_Spectrum)

This may just mean that it’s designed to look like that to get past some
kind of filter, and in fact contains a payload that will be differently
interpreted by something else.

> Has anyone any knowledge of this kind of attack, who could satisfy my
> curiosity by explaining firstly how the .uue file is interpreted by
> Windows (presumably the target environment), and on the assumption
> that it's automatically extracted, how the Screensaver file is given
> control so that whatever nasty stuff it contains is made active.

How the attacker expects it to be extracted I couldn’t say. But note
that it only takes a target at least as curious as you were to do it
manually.

Most image formats[1] are (sometimes quite complex) languages and
most of the parsers for those languages were hand-written by people who
were thinking primarily about data compression rather than computer
security. The result is that, historically at least, they were full of
bugs and some of those bugs were exploitable.

[1] although not the ZX Spectrum format mentioned above, which is a
straight memory dump.

The situation has probably improved a bit in the last few years (popular
bug-finding tools like afl-fuzz are well-suited to this kind of issue)
but the need to stay fully patched remains.

--
http://www.greenend.org.uk/rjk/

Henry Law
Jul 25, 2016, 8:06:54 AM
On 25/07/16 12:24, Richard Kettlewell wrote:
> Henry Law <ne...@lawshouse.org> writes:
>> I've got no further in identifying the actual payload of this thing,
>> except to note that EMacs identifies the thing as a graphic file and
>> invokes its Imagemagick mode, which surprised me even further. The
>> displayed graphic is nonsense, though: see
>> http://www.lawshouse.org/misc/Documents.scr.InEmacs.png
>
> Could be coincidence, but it looks suspiciously like a ZX Spectrum
> crashing. Is it perhaps 6912 bytes long?

Coincidence, I think. This thing is ten times that in size. Also, it
contains the immortal text "This program cannot be run in DOS mode".

Looking further (using Emacs) I see various strings and bits of XML that
I find are associated with .Net thingies.

I'll stop now.

Rob Morley
Jul 25, 2016, 8:59:17 AM
On Mon, 25 Jul 2016 11:49:24 +0100
Henry Law <ne...@lawshouse.org> wrote:

> I had a friendly email from a packaging company in Leicester this
> morning, asking me to quote against an attached Purchase Order. Ha
> ha; obviously some kind of malware distributor. The attachment was
> called "PO.uue", which intrigued me, since .uue is usually a
> uuencoded file.

.UUE is an archive format that people are less likely to recognise
than .ZIP or .RAR. WinRAR and WinZip (among others) will open a .UUE
file - presumably once the OS hands the file to the archive app, the app
realises that it's a different archive format and handles it
appropriately.
>
> I detached it on my linux machine and had a look at it. Not
> uuencoded at all, in fact, but a RAR file containing
> "Documents.scr". Curiouser and curiouser, since my only experience
> of .scr is a Windows Screensaver.

.SCR is an executable format, popular with malwarists as it's not
an .EXE (which many people know to avoid).
>
> I've got no further in identifying the actual payload of this thing,
> except to note that EMacs identifies the thing as a graphic file and
> invokes its Imagemagick mode, which surprised me even further. The
> displayed graphic is nonsense, though: see
> http://www.lawshouse.org/misc/Documents.scr.InEmacs.png

ISTR there was a Windows exploit involving graphics files a couple of
years back, I forget the details.
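
As an added example (not code from the thread or from any of its posters), the following Python triage script does what the discussion above suggests a defender should do: label an attachment by its bytes rather than its name, unwrap one level of uuencoding, and flag the two tricks in play here, an extension that does not match the content and an executable (.scr, .pif) dressed up as a document. The RAR magic, the MZ/PE header layout and the 6912-byte ZX Spectrum screen size are standard format facts; the FAKE_PE blob and all function names are constructed for this example.

```python
import binascii
import re

# Signatures for the formats named in the thread, plus a constructed stand-in for Documents.scr.
RAR_MAGIC = b"Rar!\x1a\x07"                # RAR4 continues with \x00, RAR5 with \x01\x00
DOS_STUB = b"This program cannot be run in DOS mode"
UUE_BEGIN = re.compile(rb"^begin [0-7]{3} (\S+)\r?\n")
ZX_SCR_LEN = 6912                          # a ZX Spectrum screen dump is exactly this long
EXEC_EXTS = {"exe", "scr", "pif", "com"}   # Windows runs .scr and .pif exactly like .exe
EXT_CONTENT = {"uue": {"uuencode"}, "rar": {"rar"}, "scr": {"pe-executable", "zx-spectrum-scr"}}
# Constructed: MZ header, DOS stub text, e_lfanew pointing at "PE\0\0" at 0x80, no code at all.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little") + DOS_STUB).ljust(0x80, b"\0") + b"PE\0\0"

def sniff(data: bytes) -> str:
    """Label a blob from its bytes alone; the filename is never consulted."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = int.from_bytes(data[0x3C:0x40], "little")   # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0" or DOS_STUB in data[:0x200]:
            return "pe-executable"
    if UUE_BEGIN.match(data):
        return "uuencode"
    if len(data) == ZX_SCR_LEN:
        return "zx-spectrum-scr"
    return "unknown"

def uudecode(data: bytes) -> tuple[str, bytes]:
    """Decode one uuencoded member into (embedded filename, payload)."""
    m = UUE_BEGIN.match(data)
    out = bytearray()
    for line in data[m.end():].splitlines():
        if line == b"end":
            break
        if line:                               # an empty line carries no uu data; skip it
            out += binascii.a2b_uu(line)
    return m.group(1).decode(), bytes(out)

def uuencode(name: str, payload: bytes) -> bytes:
    """Wrap a payload the way a .uue mail attachment would (45 raw bytes per line)."""
    lines = [binascii.b2a_uu(payload[i:i + 45]) for i in range(0, len(payload), 45)]
    return b"begin 644 %s\n" % name.encode() + b"".join(lines) + b"`\nend\n"

def triage(name: str, data: bytes) -> dict:
    """Report what an attachment really is, following one level of uuencoding."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    inner = triage(*uudecode(data)) if kind == "uuencode" else None
    return {"name": name, "content": kind, "inner": inner,
            "extension_mismatch": kind != "unknown" and kind not in EXT_CONTENT.get(ext, set()),
            "executable": kind == "pe-executable" or ext in EXEC_EXTS}
```

Henry's sample, a raw RAR named PO.uue, comes back as content "rar" with extension_mismatch set; a genuinely uuencoded .uue wrapping an .scr is reported as clean on the outside with an executable in the inner report.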

Richard Kettlewell
Jul 25, 2016, 9:42:59 AM
OK. In that case I guess that your application just (wrongly) guessed
it was the above format based on the filename. Maybe image formats are
a red herring here.

What does ‘file’ make of it?

--
http://www.greenend.org.uk/rjk/

David
Jul 25, 2016, 10:17:34 AM
".scr" is allegedly a script file.

See also

<http://www.theregister.co.uk/2016/07/25/ms_warns_of_script_worms/>

Not quite the same, but using a ".scr" file.

You do have to take several more steps, AIUI, before the script can
actually do anything serious. Like clicking on "O.K." buttons when asked
if you really, really want to do this.

Cheers

Dave R

--
Windows 8.1 on PCSpecialist box

TMack
Jul 25, 2016, 10:36:38 AM
On Mon, 25 Jul 2016 11:49:24 +0100, Henry Law wrote:

.uue files are attachments encoded with "Unix-to-Unix encoding", a way of representing a binary file in orthodox
ASCII text. Some Internet protocols were not designed to carry binary (program and other non-text files) files.
They are only able to transfer messages made up of conventional text (printable ASCII) characters. In order to
get around that limitation, UUencode and other methods were created. If a .uue file is decoded properly using
a program such as Winzip it will generate the original file - presumably some kind of virus masquerading as
something useful or interesting in your case. The recipient extracts the binary then clicks on it because it looks
interesting and harmless and this triggers the virus installation. I suspect that some antivirus programs won't
recognise the uue encrypted versions of files and may not be quick enough to intercept when the uue file is
decoded.

--
Tony
'09 FJR1300, '07 Street Triple OMF#24

Nigel Wade
Jul 25, 2016, 10:39:42 AM
On 25/07/16 15:17, David wrote:
> On Mon, 25 Jul 2016 11:49:24 +0100, Henry Law wrote:
>
>> I had a friendly email from a packaging company in Leicester this
>> morning, asking me to quote against an attached Purchase Order. Ha ha;
>> obviously some kind of malware distributor. The attachment was called
>> "PO.uue", which intrigued me, since .uue is usually a uuencoded file.
>>
>> I detached it on my linux machine and had a look at it. Not uuencoded
>> at all, in fact, but a RAR file containing "Documents.scr". Curiouser
>> and curiouser, since my only experience of .scr is a Windows
>> Screensaver.
>>
>> I've got no further in identifying the actual payload of this thing,
>> except to note that EMacs identifies the thing as a graphic file and
>> invokes its Imagemagick mode, which surprised me even further. The
>> displayed graphic is nonsense, though: see
>> http://www.lawshouse.org/misc/Documents.scr.InEmacs.png
>>
>> Has anyone any knowledge of this kind of attack, who could satisfy my
>> curiosity by explaining firstly how the .uue file is interpreted by
>> Windows (presumably the target environment), and on the assumption that
>> it's automatically extracted, how the Screensaver file is given control
>> so that whatever nasty stuff it contains is made active.
>
> ".scr" is allegedly a script file.
>

According to Windows it's a "screen saver". On my Win 7 system it's assigned to "Unknown application".
I'm not about to test this given that the only thing I have ever seen an .scr file used for is to transmit viruses.

TMack
Jul 25, 2016, 11:10:14 AM
I meant to add - a .scr file is a script file. In your case a script that will infect the system with malicious code.
Double clicking on a .scr file will cause the windows wscript.exe program to run the script. The use of
"Documents" in the file name is to encourage people to click on it to try to see the "documents".

Vir Campestris
Jul 25, 2016, 4:29:48 PM
On 25/07/2016 11:49, Henry Law wrote:
>
> I detached it on my linux machine and had a look at it. Not uuencoded
> at all, in fact, but a RAR file containing "Documents.scr". Curiouser
> and curiouser, since my only experience of .scr is a Windows Screensaver.

IIRC .scr files (windows screensavers) are actually .exe files.

Andy

Theo Markettos
Jul 25, 2016, 7:14:31 PM
TMack <qw...@yuiop.com> wrote:
> If a .uue file is decoded properly using a program such as Winzip it will
> generate the original file - presumably some kind of virus masquerading as
> something useful or interesting in your case. The recipient extracts the
> binary then clicks on it because it looks interesting and harmless and
> this triggers the virus installation.

My guess is the icon on the .scr (if it's a normal EXE it'll have the icon
baked into it) is that of some innocuous file like a Word doc or a PDF, and
a program that understands .uue is a way of getting around both filters on
emailing .exe directly and some of the runtime checks that come if you
download and run a .exe from Outlook/Explorer/etc.

> I suspect that some antivirus programs won't recognise the uue encrypted
> versions of files and may not be quick enough to intercept when the uue
> file is decoded.

I don't know about encrypted uuencoded files (I wasn't aware the format
supported encryption) but antivirus does flag up normally uuencoded viruses.
This was a pain when I had old mail archives on a Windows machine - the
virus checker would moan about all the Windows 95 viruses it found in
ancient spam.

Theo

Rob Morley
Jul 25, 2016, 7:52:53 PM
On Mon, 25 Jul 2016 15:10:13 -0000 (UTC)
TMack <qw...@yuiop.com> wrote:

> I meant to add - a .scr file is a script file. In your case a script
> that will infect the system with malicious code. Double clicking on
> a .scr file will cause the windows wscript.exe program to run the
> script. The use of "Documents" in the file name is to encourage
> people to click on it to try to see the "documents".
>
It may be that somewhere but on Windows it's usually a screensaver
file, which is actually an .EXE but with the .SCR extension.

Mike Tomlinson
Jul 25, 2016, 10:40:22 PM
In article <--GdnQuZr5okcwjKn...@giganews.com>, Henry
Law <ne...@lawshouse.org> wrote:

>I detached it on my linux machine and had a look at it. Not uuencoded
>at all, in fact, but a RAR file containing "Documents.scr".

.scr files are .exes Henry - they're executable. It'll contain a
payload that will infect the (Windows) machine it's run on.

--
(\_/)
(='.'=) systemd: the Linux version of Windows 10
(")_(")

Mike Tomlinson
Jul 25, 2016, 10:42:45 PM
In article <20160725135837.46095321@Mars>, Rob Morley
<nos...@ntlworld.com> wrote:

>ISTR there was a Windows exploit involving graphics files a couple of
>years back, I forget the details.

A vuln in the JPEG library. Opening an image infected the host
computer.

TMack
Jul 26, 2016, 2:36:14 AM
Good point. I had forgotten that .scr screensaver files are actually executables. I was thinking that the virus/trojan would use a script that would be run by another program.

Daniel James
Jul 26, 2016, 12:42:35 PM
In article <--GdnQuZr5okcwjKn...@giganews.com>, Henry Law
wrote:
> I've got no further in identifying the actual payload of this thing,

Have you thought of uploading it to www.virustotal.com -- they will
scan it with a bucketful of commercial AV tools and tell you whether
any of them find anything harmful in it, and if so what.

--
Cheers,
Daniel.

Henry Law
Jul 26, 2016, 1:43:58 PM
On 26/07/16 17:42, Daniel James wrote:
> Have you thought of uploading it to www.virustotal.com -- they will
> scan it with a bucketful of commercial AV tools and tell you whether
> any of them find anything harmful in it, and if so what.

That's an interesting idea. If I get another one I might try that. But
my view is that the thing definitely contained malware and my interest
was rather more in how such 'ware would be delivered than in what it
actually is.

Johnny B Good
Jul 26, 2016, 2:54:25 PM
On Mon, 25 Jul 2016 11:49:24 +0100, Henry Law wrote:

The only thing I can tell you for sure is that windows treats .scr files
exactly the same as it treats .exe files which makes 'unknown'.scr files
just as dangerous to open as 'unknown'.exe files.

The .scr file extension is just another one of those hideable 'system
file type' extensions so loved by the authors of malware trojan files
(the not so easy to 'unhide' .pif extension is even more well loved by
those same trojan horse authors).

I rather fancy that your suspicions will be confirmed by submitting it
to virustotal's "Heinz 57 Varieties" virus scanners engine for analysis.

--
Johnny B Good