Worm Spreads Across Password-Protected Archive Files

Written by: Cyrene Kazandra Tumaliuan

A new malware detected as WORM_PIZZER.SM has recently been spotted creating copies of itself in archive files, specifically in .ZIP, .RAR and .RAR SFX. Reminiscent of WORM_PROLACO, this worm can spread across password-protected archive files and bypass archive files’ built-in security.

What does WORM_PIZZER.SM do to an infected system?

WORM_PIZZER.SM can drop copies of itself in both unprotected and password-protected archive files. The worm can also download and execute malicious files in the infected system.

To further understand the nature of WORM_PIZZER.SM, an infection scenario was replicated by creating a password-protected archive filed where the worm will be dropped. For this test, the dropped malware holo.exe wasn’t password-protected and was easily dragged into the archive file using the a specific command line. Two clean sample files were dragged into the archive as well: caloco2.com and caloco.exe. Though protected by passwords, the two sample files were easily dragged into the .ZIP file as shown in the figure below:

How does WORM_PIZZER.SM spread across password-protected archive files?

WORM_PIZZER.SM uses the following WinRAR.exe command line when creating copies of itself in “secured” archives:

This specific command line enables WORM_PIZZER.SM to add more files in any password-protected archive file. Moreover, the malware drops copies of itself within archive files such as .ZIP, .RAR, and .RAR SFX and into %System Root% and its subfolders.

Why is WORM_PIZZER.SM notable?

WORM_PIZZER.SM is notable because it bypasses built-in security in password-protected archive files without the need to steal user login credentials. Passwords allow people to believe that their files are secured, thus they may unintentionally extract and execute malicious archive files in their computers. Encrypted or not, all kinds of data are subject to this threat.

Further tests reveal that WORM_PIZZER.SM has additional behaviors. We surmise that the malware is on a testing phase and may come with more payloads depending on the cybercriminals’ motivations. The worm’s command-and-control (C&C)/download site is also an indication that cybercriminals may use Trojanized bitcoin miners as a payload to reap additional profit.

How do I know if my machine’s infected with WORM_PIZZER.SM?

Your computers may be infected if you can spot the following:

  • Connections to any of the following sites:
    • http://tazbox.BLOCKED}.org/downloader/kl/AppLauncher.exe
    • http://tazbox.BLOCKED}.org/downloader/miner/dwm.exe
  • The following files in your system:
    • %Application Data%\Microsoft\Internet Explorer\AppLauncher.exe
    • %Application Data%\Microsoft\windows\dwm.exe

What should I do if my computer is already infected?

Search and delete the following files:

  • %Application Data%\Microsoft\Internet Explorer\AppLauncher.exe
  • %Application Data%\Microsoft\windows dwm.exe

These files are hidden by default. So, you must unhide these files to delete them. Here’s how:

  • Go to Control Panel
  • Click Appearance and Personalization
  • Then, open Folder Options
  • Click the View tab
  • Under Advanced settings, check Show hidden files and folders, and click OK
  • %Application Data%\Microsoft\windows\dwm.exe

Once you’ve located these files, select the files, then press SHIFT DELETE to permanently delete them. Repeat these steps as necessary.

Are Trend Micro customers protected from this threat?

Yes. WORM_PIZZER.SM is actively detected and removed by Trend Micro products. Additionally, it is always best to be wary of all types of archive files, whether password-protected or not.

EXPERT INSIGHTS

“We believe that cybercriminals are aiming to make Trojanized bitcoin miners as additional payload for WORM_PIZZER. Since most malware trails point to generating profit for the authors, adding these malicious bitcoin miners seems like the next likely stage in this scheme.” – Dexter To, threat researcher