8

Someone I know got infected. He sent me the file to analyze. I downloaded the zip and it contained a scr file. I unzipped it and right-clicked to open it in Notepad++. It immediately got quarantined by my AV (Security essentials) and I could not view it.

Then the same guy told me that his AV (McAfee) has also quarantined it. However, next day he was infected. (Login was attempted on his bank accounts and email.)

I am now worried. Is it possible to get infected just by right-clicking?

OS is Windows 7.

EDIT: there was a difference in how I opened and how he opened. I right-clicked, while he double-clicked. Both of us got "quarantine popups".

Strange thing is that McAfee does not catch the virus: Virustotal scan results

So my theory is this:

He double-clicked and it ran, then it downloaded some other virus files which were recognized by McAfee. This was what likely quarantined the virus.

I certainly hope that right-clicking on a malicious exe (renamed to scr) should not allow arbitrary code execution, unless there is a serious flaw in Windows.

EDIT2: As suggested by Daniel Ruf, here is the Malwr.com analysis.

Krishna Pandey
Jus12
  • 1
    Not sure why there is a downvote. This is a good question. It really depends on what the malware is exploiting. If it's exploiting a specific mechanism then they could gain execution just by interacting with it (in this case right-clicking it to open into notepad++). – Cameron Does Things Dec 10 '15 at 20:27
  • @CameronVerotti I had intentionally downloaded because I wanted to look at the code of the virus to see if I could understand what it was doing. – Jus12 Dec 10 '15 at 20:29
  • 1
    What kind of quarantine? Was it a scan on access or was it a blocking of malicious actions by the file. Your AV should tell you. – schroeder Dec 10 '15 at 20:45
  • It was a scan on access. I even tried renaming to txt but it would not let me view the file. – Jus12 Dec 10 '15 at 20:54
  • 1
    can you analyze it on malwr.com so we can see the traffic, HTTP requests and dropped files? – Daniel Ruf Dec 10 '15 at 21:26
  • Potentially you can be infected without doing "nothing" and this includes right-clicking the file. For example, recent research has shown that antivirus software have vulnerabilities that can be exploited when the antivirus reads the maliciously crafted file. – Eloy Roldán Paredes Dec 11 '15 at 08:34
  • @EloyRoldánParedes Nitpicking: That should be "you can be infected by doing 'nothing'", or "you can get infected without doing anything". – timuzhti Dec 11 '15 at 09:35

2 Answers

2

You're basing this on the assumption that the scr file was the source of the infection as opposed to a backdoor downloaded by an established trojan. It is possible to get infected in a number of different ways, including a preview thumbnail. Hence you should always perform malware analysis using virtual machines or separate dedicated hardware.

wireghoul
  • It's a good point that I'm assuming everything he described is correct. According to the claim, the login attempts started 3-4 hours after the "double click". The passwords were in a (not so obscurely located) text file, so the attacker would have had to put *some effort* to get to it. – Jus12 Dec 11 '15 at 03:47
2

A .scr (screen saver) file is almost identical to an actual executable. They are popular methods of infection because most people do not assume .scr files to be harmful. However, Windows is designed not to execute any code within a screen saver unless it is explicitly executed (by the user or OS). That doesn't mean that it's impossible, however, as when you're interacting with the file (even through right-click), processes in your computer have the ability to do things such as scan the contents of your file. Windows does this by itself, to grab information about the file, and third-party applications such as AntiVirus also use these events in order to perform random file scans. If a vulnerability is found in the way the file is read, it could lead to arbitrary code execution, which allows code to be run at the same permission level as the vulnerable software.

As a simple answer to your question: yes, however the chances of encountering such a modern real-world attack are very slim. These exploits are extremely rare and quickly patched.

Jonathan Gray
  • I'm more interested in actual instances of this exploit. Has it ever occurred? – Jus12 Dec 14 '15 at 12:10
  • @Jus12 Probably not. Right-clicking probably triggered some explorer extension (e.g. 7z) to open the file for reading. The anti-virus would have intercepted the open request at very low level in the OS and prevented access as the file is malicious. It is extremely unlikely the computer would get infected at that stage (unless there's a bug in the OS kernel code or in the AV software). – billc.cn Dec 14 '15 at 19:49
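As an added example (not part of any answer on this page), a read-only PE header check in Python shows why a .scr is "almost identical to an actual executable": the extension is cosmetic, the MZ/PE headers decide, and renaming the file to .txt, as the asker tried, changes nothing about what an on-access scanner sees in the bytes. The sample bytes are constructed header-only data, not a real file from this thread.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics flag: image can run
IMAGE_FILE_DLL = 0x2000                # COFF Characteristics flag: image is a DLL
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
MACHINES = {0x14C: "x86", 0x8664: "x64"}

def inspect_pe(data):
    """Parse the MZ, COFF and Optional headers only; nothing is loaded or executed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _nsections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info = {
        "machine": MACHINES.get(machine, hex(machine)),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": "UNKNOWN",
    }
    opt = e_lfanew + 24
    # Subsystem sits at offset 68 of the Optional Header in both PE32 and PE32+.
    if opt_size >= 70 and opt + 70 <= len(data):
        (subsystem,) = struct.unpack_from("<H", data, opt + 68)
        info["subsystem"] = SUBSYSTEMS.get(subsystem, str(subsystem))
    return info

def describe(filename, data):
    """Pair the claimed extension with what the bytes actually are."""
    info = inspect_pe(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if info is None:
        return f"{filename}: not a PE image"
    kind = "DLL" if info["is_dll"] else "EXE"
    note = "" if ext in ("exe", "dll", "scr") else " (extension does not match content)"
    return f"{filename}: PE {kind}, {info['machine']}, subsystem {info['subsystem']}{note}"

def build_sample_pe(characteristics=0x0102, subsystem=2):
    """Constructed, non-runnable PE header bytes for this demo (not a real sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 optional-header magic
    struct.pack_into("<H", opt, 68, subsystem)   # 2 = WINDOWS_GUI, as for a .scr
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Calling `describe("holiday.scr", build_sample_pe())` and `describe("holiday.txt", build_sample_pe())` reports the same PE EXE either way, which is the on-access scanner's view of the renamed file.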