Security and Virus Related News

  • More Analysis of Case LNK Exploit 30 Jul 2010 | 6:26 am

    There's a new threat that spreads via USB storage devices, by exploiting a previously unknown flaw in Windows shortcuts.

We have added detection for the shortcut LNK exploit as Exploit:W32/WormLink.A. The shortcut file used in this case is 4.1 KB. Files associated with the trojan-dropper, backdoor and rootkit are detected as the Stuxnet family.

    We mentioned two interesting details yesterday, that the rootkit was signed, and that it was targeting SCADA systems.

The rootkit components are digitally signed, and we've confirmed that a valid Realtek Semiconductor Corp. signature is used. The dropped drivers are properly signed; the trojan-dropper itself only carries a copied signature, which cannot verify against its own contents.

    In any case, the certificate, while valid, expired in June. The H Security has a screenshot of the certificate.

    Malicious software using valid digital signatures is something that our Jarno Niemelä recently predicted in his Caro 2010 Workshop presentation: It's Signed, therefore it's Clean, right?

    Regarding the SCADA systems that are being targeted, the Siemens SIMATIC WinCC database appears to use a hardcoded admin username and password combination that end users are told not to change.

    Thus, any organization successfully compromised by this targeted attack could be completely vulnerable to database compromise. This Slashdot comment has additional details.

    We'll have more on this case as it develops.

Edited to add: Although the signing certificate has expired, as noted above, the signature remains usable because it was countersigned with a time stamp.

    From Microsoft's MSDN Library: "The countersignature method of time stamping … allows for signatures to be verified even after the signing certificate has expired or been revoked."
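The behaviour quoted above is easy to observe on a live system. The following script is an added example (not code from the original post or from F-Secure): it lists drivers whose signer certificate has expired and shows whether a countersignature time stamp is what keeps the signature valid. The driver directory and the vendor substring to highlight are assumptions passed as parameters, not values taken from the case.

```powershell
# Added example, not part of the original post: list drivers whose signer
# certificate has expired and show whether a countersignature time stamp is what
# keeps the signature valid. Get-AuthenticodeSignature reports Status "Valid"
# for such files, which is the behaviour the MSDN text above describes.
# The driver directory and the vendor substring to highlight are assumptions
# supplied as parameters, not values taken from the case.
param(
    [string]$DriverDir   = "$env:SystemRoot\System32\drivers",
    [string]$FlagSubject = 'Realtek'
)

$now = Get-Date

$report = Get-ChildItem -Path $DriverDir -Filter *.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer  = $sig.SignerCertificate        # $null when the file is unsigned
        $stamper = $sig.TimeStamperCertificate   # $null when there is no countersignature

        $signerSubject = $null
        $signerExpired = $false
        if ($signer) {
            $signerSubject = $signer.Subject
            $signerExpired = $signer.NotAfter -lt $now
        }

        # Status Valid together with an expired signer and a time stamp means the
        # signature survives only because it was countersigned while the
        # certificate was still inside its validity period.
        [pscustomobject]@{
            File              = $_.Name
            Status            = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer            = $signerSubject
            SignerExpired     = $signerExpired
            TimeStamped       = [bool]$stamper
            ValidViaTimestamp = ($sig.Status -eq 'Valid') -and $signerExpired -and [bool]$stamper
        }
    }

# Report anything not cleanly signed, anything signed with an expired
# certificate, and anything signed by the vendor of interest.
$report |
    Where-Object { $_.Status -ne 'Valid' -or $_.SignerExpired -or ($_.Signer -like "*$FlagSubject*") } |
    Sort-Object File |
    Format-Table File, Status, SignerExpired, TimeStamped, ValidViaTimestamp, Signer -AutoSize
```

Save it as a .ps1 file and run it from an elevated PowerShell. A Status of Valid means only that the file hash and the certificate chain verify; it says nothing about whether the code is benign, which is exactly the point of this case.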

    On 16/07/10 At 10:30 AM

  • Is your iPhone backup file secure? 30 Jul 2010 | 6:26 am

    Tuesday's edition of the Wall Street Journal reported on a security flaw in Citi's mobile banking application for the iPhone.

    Citi app

    Customers are advised to update.

    From the WSJ:

    "Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users' iPhones."

    Oops — not good.

    According to Charlie Miller, you'd need an exploit to access it remotely.

    Here's a complete list of iOS vulnerabilities which you can also download as an Excel file. [XLSX] (Source)

    Fortunately, the vulnerabilities are patched, a lot of them thanks to Miller.

Miller also says that the data files on a lost or stolen iPhone can be obtained by jailbreaking it.

    Our thoughts?

    Why go after data on the phone itself when you can target the synced backup file?

    Backup

    The files are not difficult to locate.

    Where backups are stored

    And they can be easily viewed with free software such as SQLite Database Browser.

    iTunes offers encryption, but most people probably don't use it.

    Encrypt iPod backup

    We're glad that Citi discovered the flaw in their application instead of the bad guys, and we hope that the 117,600 affected customers will update soon (and then sync to update their backup file).

    Do you encrypt your backup file?

    Tell us in this poll: Do you encrypt your iPhone/iPod backup file?
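To see for yourself how readable an unencrypted backup is, here is an added example (not code from the original post): it scans an iTunes backup folder for SQLite databases. Backup files are stored under hashed names with no extension, so the script identifies them by the 16-byte SQLite file header rather than by name; in a backup made with the iTunes encryption option the contents are ciphertext, so the header never matches and nothing is listed. The default path is the usual Windows location and can be overridden with -BackupRoot; the table listing relies on the sqlite3 command-line tool being on the PATH, which is an assumption, and is skipped otherwise.

```powershell
# Added example, not part of the original post: list the SQLite databases that can
# be read straight out of an iTunes backup. Backup files are stored under hashed
# names with no extension, so they are identified by the 16-byte SQLite file
# header rather than by name. In a backup made with the iTunes encryption option
# the file contents are ciphertext, the header never matches and nothing is listed.
# Assumptions: the default path is the usual Windows backup location, and the
# table listing needs the sqlite3 command-line tool on the PATH.
function Get-SqliteTableNames {
    param([string]$Path)
    $sqlite = Get-Command sqlite3 -ErrorAction SilentlyContinue
    if (-not $sqlite) { return $null }
    # sqlite3 takes a database path and a single SQL statement as arguments.
    $names = & $sqlite.Path $Path "SELECT name FROM sqlite_master WHERE type='table';"
    return ($names -join ', ')
}

function Find-ReadableBackupDatabases {
    param(
        [string]$BackupRoot = (Join-Path $env:APPDATA 'Apple Computer\MobileSync\Backup')
    )
    $magic    = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('SQLite format 3') + 0)
    $magicHex = [System.BitConverter]::ToString($magic)

    Get-ChildItem -Path $BackupRoot -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $buffer = New-Object byte[] 16
            $stream = [System.IO.File]::OpenRead($_.FullName)
            try     { $read = $stream.Read($buffer, 0, 16) }
            finally { $stream.Dispose() }

            if ($read -eq 16 -and [System.BitConverter]::ToString($buffer) -eq $magicHex) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    SizeKB = [math]::Round($_.Length / 1KB, 1)
                    Tables = Get-SqliteTableNames -Path $_.FullName
                }
            }
        }
}

$databases = @(Find-ReadableBackupDatabases)
if ($databases.Count -eq 0) {
    'No readable SQLite databases found: the backup is encrypted, missing, or stored elsewhere.'
} else {
    $databases | Format-Table SizeKB, Tables, Path -AutoSize
}
```

On a Mac the same backups live under ~/Library/Application Support/MobileSync/Backup; pass that folder as -BackupRoot when running under PowerShell there. Run the script once before and once after turning on "Encrypt iPhone backup" and re-syncing, and the list of readable databases should go from many to none.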

    On 30/07/10 At 01:05 PM

  • Zero-Day Vulnerability in Windows Shell 30 Jul 2010 | 6:26 am

    Microsoft has released Security Advisory 2286198, which provides details on the LNK shortcut (Windows Shell) vulnerability that's currently being exploited by the Stuxnet rootkit.

    The news is not good.

Besides USB devices, the Windows Shell vulnerability can also be exploited via Windows file shares and WebDAV.

    All versions of Windows are affected:

    Microsoft Advisory 2286198

Vulnerable versions also include Windows XP Service Pack 2, which is not listed in the advisory because it recently reached end of support.

    If there's to be no patch for SP2, users will need to implement the suggested workarounds:

      •  Disable the displaying of icons for shortcuts
      •  Disable the WebClient service

    See Microsoft's Security Advisory for details.
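Both workarounds can be audited and applied from a script. The one below is an added example, not code from the advisory or from F-Secure: the first workaround clears the (Default) value of the lnkfile and piffile IconHandler keys under HKEY_CLASSES_ROOT after exporting a backup, so Explorer has no handler to call when it draws a shortcut icon; the second stops and disables the WebClient service, which closes the WebDAV path. The backup folder is an assumption. Run it from an elevated PowerShell; without -Apply it only reports the current state.

```powershell
# Added example, not taken from the advisory: audit, and with -Apply enforce, the two
# workarounds listed above. The first clears the (Default) value of the lnkfile and
# piffile IconHandler keys under HKEY_CLASSES_ROOT after exporting a backup, so
# Explorer has no handler to call when it draws a shortcut icon; the second stops
# and disables the WebClient service, closing the WebDAV path. The backup folder
# is an assumption. Run from an elevated PowerShell.
param(
    [switch]$Apply,
    [string]$BackupDir = "$env:SystemDrive\LnkWorkaroundBackup"
)

$iconHandlerKeys = @(
    'HKCR\lnkfile\shellex\IconHandler',
    'HKCR\piffile\shellex\IconHandler'
)

function ConvertTo-ProviderPath([string]$RegKey) {
    # reg.exe wants HKCR\...; the PowerShell registry provider wants the long root name.
    'Registry::HKEY_CLASSES_ROOT\' + $RegKey.Substring('HKCR\'.Length)
}

function Get-IconHandlerState {
    foreach ($key in $iconHandlerKeys) {
        $path  = ConvertTo-ProviderPath $key
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Key      = $key
            Handler  = $value                               # CLSID of the icon handler when enabled
            Disabled = [string]::IsNullOrEmpty($value)      # empty or missing value: workaround in place
        }
    }
}

function Get-WebClientState {
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        Service   = $svc.Name
        Status    = $svc.Status
        StartMode = $wmi.StartMode
        Disabled  = ($svc.Status -eq 'Stopped') -and ($wmi.StartMode -eq 'Disabled')
    }
}

if ($Apply) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $iconHandlerKeys) {
        $regFile = Join-Path $BackupDir (($key -split '\\')[1] + '-IconHandler.reg')
        reg.exe export $key $regFile /y | Out-Null          # restore later with: reg.exe import <file>
        $path = ConvertTo-ProviderPath $key
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name '(default)' -Value ''
        }
    }
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
}

Get-IconHandlerState | Format-Table -AutoSize
Get-WebClientState   | Format-List
```

Log off and back on (or restart explorer.exe) after applying the icon-handler change; from then on every shortcut shows a generic icon, which is the visible cost of this workaround. The exported .reg files in the backup folder restore the original handlers once a patch is installed.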

    On 17/07/10 At 10:04 AM

  • More Money for Bugs? 30 Jul 2010 | 6:26 am

    So Mozilla recently upped their bug bounty money from $500 to $3000 (USD).

Here are a few thoughts on the topic:

    The whole concept of paying for outsiders to report bugs and vulnerabilities was controversial even before 2004, when Mozilla's program first started (check out No More Free Bugs, Bug Bounty Program Answers Critics and Bug Finders: Should They Be Paid? for more background) and six years on, the arguments for and against don't seem to have changed too much.

    In the meantime though, other things have changed, which may have an impact on the whole venture.

    For one thing, the (online) world has gotten a lot bigger and flatter. In the last few years, there's been an explosion in the number of computer users from countries outside of the US and Western Europe.

    More users, as a general rule, equals more eyeballs to find flaws; and while technical prowess may generally be lower in less developed countries, the sheer numbers involved may be able to negate that disadvantage. So perhaps in the next few years, we may see more "amateur" researchers becoming involved in paid bug-hunting work.

    Also, the assumption that users from less developed countries are less tech-savvy may no longer be entirely correct, or may be defunct very soon, if the various reported attacks in the last few years are anything to go by. Offering a way to channel that proficiency into more helpful activities might not be a bad thing.

    And while $3000 isn't that big a prize in the US, or in the underground, it's still a substantial amount in other, less affluent countries — possibly enough to make the effort worthwhile for a weekend tech warrior looking for extra money. For them, a bug bounty like Mozilla's offers some advantages that might appeal, such as:

      •  Fast, easy pay-off
      •  Unlimited by geography
      •  Legitimacy

    Debate over the usefulness of bug bounty programs isn't likely to end soon, with most security experts more or less watching and waiting while Mozilla tests the waters.

    Still, with the rapid large-scale changes taking place in the computing world, it's certainly conceivable that these programs could evolve in the next few years and take on a form that's viable for both the majority of software vendors and for the volunteer researcher as well.

    Thoughts?

    On 19/07/10 At 08:19 AM

  • Adobe Joins Microsoft's MAPP Program 30 Jul 2010 | 6:26 am

    Greetings from Black Hat 2010!

    Black Hat 2010

    So far the biggest announcement has been that Adobe will join MAPP (Microsoft Active Protections Program) and will start sharing vulnerability information for all Adobe products through it. This means that MAPP partners, such as F-Secure, will get advance notifications of vulnerabilities in products such as Adobe Reader or Flash, enabling us to better protect our users.

    Regular readers of our blog will know that we have often been quite critical of Adobe. But here we want to give them full credit for a good move.

    The conference has just started and there should be more interesting stuff coming up. I will be delivering my talk tomorrow. It's titled "You Will Be Billed $90,000 For This Call".

    Signing off,
    Mikko

    On 28/07/10 At 08:16 PM

  • WoW Account Phishing 30 Jul 2010 | 6:26 am

A World of Warcraft account can be a pot of gold for phishers, depending on the player's achievements. In-game items are in demand and can be sold for real cash, making WoW accounts a favorite phishing target.

    An analyst from our Response Lab recently received an e-mail, apparently from Blizzard (the creator of WoW), asking for account verification. At a glance, the e-mail appeared to come from a legitimate source. Look at the "From" address: nothing suspicious here.

    WoW Phishing, Normal View

    Upon further reading of the e-mail content (click the image above for a larger view), something seemed off: the account had to be verified at an external site not associated with Blizzard, and the e-mail was written with noticeable grammatical errors.

    Further investigation revealed that the e-mail was sent from an individual's e-mail account. The phisher used an SMTP relay attack to spoof the "From" address so that the e-mail seems to originate from Blizzard (click the image below for a larger view):

    WoW Phishing, Full headers

    Accounts for Blizzard games, particularly WoW, Starcraft II and Diablo III are currently being handled by Battle.net. Take note that any changes in the account require a thorough verification process, where a valid ID has to be presented.

    Battlenet TOC

Phishers are getting smarter, and their social engineering has become more subtle and harder to detect. It is up to the user to be extra careful and not trust every source blindly.
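The full headers are where this kind of spoofing shows. The script below is an added example, not code from the original post: it checks whether a legitimate-looking "From" address is backed by the rest of the header block, comparing it with the Return-Path and with the earliest visible Received hop. The header block embedded in it is constructed for illustration (documentation IP ranges and .invalid host names); it is not the message the Response Lab received.

```powershell
# Added example, not from the original post: check whether a legitimate-looking
# "From" address is supported by the rest of the headers. The header block below
# is constructed for illustration (documentation IP ranges and .invalid host
# names); it is not the message the Response Lab received.
$sampleHeaders = @'
Return-Path: <some.user@freemail.invalid>
Received: from mx.freemail.invalid (mx.freemail.invalid [192.0.2.10])
    by mail.example.org with ESMTP id 7F3A1B2C
    for <analyst@example.org>; Mon, 26 Jul 2010 03:12:44 +0000
Received: from [198.51.100.23] (dsl-198-51-100-23.isp.invalid [198.51.100.23])
    by mx.freemail.invalid with SMTP; Mon, 26 Jul 2010 03:12:40 +0000
From: "Blizzard Entertainment" <noreply@blizzard.com>
To: analyst@example.org
Subject: World of Warcraft Account Verification
'@

function ConvertFrom-HeaderBlock {
    param([string]$Raw)
    # Unfold first: a line that starts with whitespace continues the previous field.
    $unfolded = $Raw -replace '\r?\n[ \t]+', ' '
    foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') {
            [pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2] }
        }
    }
}

function Get-FieldValue {
    param($Fields, [string]$Name)
    ($Fields | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).Value
}

function Get-AddressDomain {
    param([string]$Value)
    if ($Value -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
    return $null
}

function Test-FromSpoofing {
    param([string]$Raw)
    $fields       = @(ConvertFrom-HeaderBlock -Raw $Raw)
    $fromDomain   = Get-AddressDomain (Get-FieldValue $fields 'From')
    $returnDomain = Get-AddressDomain (Get-FieldValue $fields 'Return-Path')

    # Every relay prepends its own Received header, so the last one is the
    # earliest hop visible: the host that handed the message to the first relay.
    $received   = @($fields | Where-Object { $_.Name -eq 'Received' } | ForEach-Object { $_.Value })
    $originHost = $null
    if ($received.Count -gt 0 -and $received[-1] -match '\(([^\s\[\]()]+)\s*\[') {
        $originHost = $Matches[1].ToLower()       # reverse-DNS name in "(host [ip])"
    }

    $findings = @()
    if ($returnDomain -and $returnDomain -ne $fromDomain) {
        $findings += "Return-Path domain '$returnDomain' differs from From domain '$fromDomain'"
    }
    if ($fromDomain -and $originHost -and -not $originHost.EndsWith($fromDomain)) {
        $findings += "Originating host '$originHost' is not under '$fromDomain'"
    }

    [pscustomobject]@{
        FromDomain = $fromDomain
        ReturnPath = $returnDomain
        OriginHost = $originHost
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

Test-FromSpoofing -Raw $sampleHeaders | Format-List
```

Treat a From/Return-Path mismatch as a triage signal rather than proof, since mailing lists and bulk-mail providers produce the same pattern legitimately; the decisive evidence in a case like this one is the origin hop, which here is an unrelated consumer mailbox host rather than anything under the claimed sender's domain.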

    On 26/07/10 At 03:49 AM

  • Rogue AV Masquerades as a Firefox/Flash Update 30 Jul 2010 | 6:26 am

It seems that rogue peddlers have tired of their old tricks for pushing rogueware onto users' systems. It used to be a fake scanning page that led to a warning and then to a fake AV.

    Now it comes as the Firefox "Just Updated" page. You know, the page that appears right after you update your Firefox browser and open it for the first time? Just like that, but with a catch, of course. A message tells the user that even though Firefox has been updated, Adobe Flash Player hasn't, so they still have to update. Pretty helpful…

    Firefox Update

    And the user doesn't need to click anything: the download dialog box appears as soon as the page loads…

    Binary

    When the user runs the file… Bad old rogue AV…

    Security Tool

    Somehow the rogue guys couldn't decide if it's going to be Firefox or Flash Player… so it became a little bit of both.

    Note: The malicious site is already blocked and the rogue is detected in our latest database updates.

    Response post by — Mina & Christine

    On 28/07/10 At 08:48 AM

  • LNK Vulnerability: Chymine, Vobfus, Sality and Zeus 30 Jul 2010 | 6:26 am

    Here's the bad news: several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198).

But here's the good news: so far, the new exploit samples are detected by us and by many other vendors. Basically we're seeing new payloads using the same basic exploit method, which is detected generically, rather than new versions of the exploit.

    Here's a review of the landscape. The Stuxnet rootkit was the family that first made use of the LNK zero-day. Then, last week, Chymine and Vobfus followed. Our detection names are Trojan-Downloader:W32/Chymine.A and Worm:W32/Vobfus.BK.

    Chymine is a new keylogger (as the .A variant suffix indicates). It uses the LNK vulnerability to infect, but it doesn't create additional .LNK files to spread (so no worm vector). The folks at ESET discovered Chymine.

    Chymine

    Vobfus is an older family that has always used shortcuts combined with social engineering; this latest variant merely adds to its feature set. Microsoft researcher Marian Radu named the Vobfus family.

    Today's news involves Sality (a popular polymorphic virus), and Zeus (a popular botnet). We generically detect the Sality sample and the LNK file it uses as a spreading vector.

    The Zeus variant was discovered as an e-mail attachment with a message supposedly from "Security@microsoft.com" and the subject "Microsoft Windows Security Advisory."

    This is the body:

    Hello, we are writing to you about a new Microsoft security advisory issue for Windows. There is a new potentially dangerous software-worm, attacking Windows users through an old bug when executing .ICO files. Although this is quite an old way of infecting software, which first was used in 1982 with Elk Cloner worm, the new technique the new worm is using is more complicated, thus the speed and number of attacs has strongly increased. Since you are the special Microsoft Windows user, there is a new patch attached to this e-mail, which eliminates the possibility of having you software infected. How to install: open an attached file

Zeus is a challenging threat to combat, and not many vendors detect this variant yet. We're adding detection now. Fortunately, the exploit used is detected by many, and the whole scheme relies on social engineering: the victim must open a password-protected zip file and copy lol.dll to the root of C:, because the shortcut must reference a known path for the exploit to work.

    We don't really expect great success for this particular variant of Zeus.

    On 26/07/10 At 03:46 PM

  • Code for Shortcut Zero-Day Exploit is Public 30 Jul 2010 | 6:26 am

    If you're not following Mikko's Twitter feed, you may have missed yesterday's news that public proof of concept exploit code for the Windows shortcut (.lnk) vulnerability has been released on exploit-db.com.

    This further escalates the danger of the shortcut vulnerability. So far, only the authors of the Stuxnet rootkit have utilized the flaw, but now there's just no doubt that other bad guys will soon follow.

    Fortunately some folks are also using the PoC for good.

    Didier Stevens (well known for his research on Adobe Reader's /launch feature) tested the exploit with his Ariad tool and it was successfully blocked. Stevens has tested back to Windows 2000 SP4. If you need to maintain a legacy system that's not scheduled for a Microsoft Security update (such as Windows XP SP2), Ariad might be an option.

    But Stevens calls Ariad beta software, and so that won't be an option for some. So what else can be done?

    Chet Wisniewski at Sophos has suggested using Group Policies to restrict the launch of executables to local hard drives.

    And of course, the workarounds from Microsoft's Security Advisory.

      •  Disable the displaying of icons for shortcuts
      •  Disable the WebClient service

    Regarding Security Advisory 2286198: parts of it seem unclear to us.

    For example, the advisory states:

    "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut."

Yet our analysis indicates otherwise: clicking is not required.

    Microsoft's own Malware Protection Center states that the exploit:

    "takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction."

    Simply browsing the removable drive. No clicking.

    And then there's a question about the AutoPlay feature. The advisory states:

    "For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."

    But this is what comes up, by default, when we plug a USB device into our Windows 7 test system:

    Windows 7 AutoPlay

    That dialog does say AutoPlay, right? So it seems that AutoPlay isn't automatically disabled on Windows 7 systems.

Perhaps it should have said AutoRun is disabled by default? (Windows 7 is definitely better at handling removable media than previous versions of Windows, but AutoPlay still seems to be a default feature.)

In any case, having AutoPlay disabled isn't much of a mitigating factor for this vulnerability. It's only: click Start, click Computer, click Removable Disk. Three clicks and you're at risk. Still, organizations should disable the AutoPlay feature in order to limit Windows 7 social engineering tricks.

    Ordinarily we wouldn't pick these small nits with Microsoft but we think this is particularly important as it's the advisory that provides official information for those assessing risk to their organizations.

    Updated to add: Microsoft has updated their advisory. Our latest post has the details.

    On 19/07/10 At 03:56 PM

  • Update on Security Advisory 2286198 30 Jul 2010 | 6:26 am

    Microsoft has updated Security Advisory 2286198 and it now clarifies that:

    "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed."

    Displayed is the important keyword. This is good and addresses our earlier concerns.

    However, the advisory still reads that:

    "For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."

    This is still inaccurate. Or at least, it's not accurate enough. We know what Microsoft is trying to say but we think some folks might misinterpret. It would be better to state that AutoPlay functionality for removable disks is automatically LIMITED.

Take a look at our Windows 7 test machine, which had been hardened; this is a button in the AutoPlay Control Panel:

    Windows 7 AutoPlay defaults

    "Reset all defaults."

    So we opted to restore the defaults:

    Windows 7 AutoPlay defaults

    "Use AutoPlay for all media and devices" is now enabled. That's ALL media and devices.

    This is the dialog that was presented when a USB flash drive containing multimedia files was inserted into the Windows 7 system:

    Windows 7 AutoPlay defaults

    The highlighted option is "Open folder to view files."

    So what is disabled? AutoPlay? No. Windows 7 AutoPlay isn't disabled, rather, it doesn't include the OPTION to set a default ACTION for removable disks.

    But in the case of the LNK vulnerability, one click, and you're at risk, by DEFAULT.

Windows 7 AutoPlay is a significant improvement compared to Windows XP AutoPlay. In fact, it is probably close to a perfect balance of security and functionality… for consumers.

    However, businesses and organizations at risk from targeted attacks are a different story. They should fully disable AutoPlay.

    Why?

    As we noted in our previous post, social engineering tricks have targeted AutoPlay.

    For example, this is one of Conficker's methods of attack:

    Windows 7 AutoPlay and Conficker

    Conficker's autorun.inf file used a Windows system folder icon in its efforts to be the first option presented. One click, and you'll launch the autorun.inf. Clever trick, eh?

Here's another theoretical AutoPlay issue (not a vulnerability). USB storage devices can include a partition formatted as a Virtual CD.

    In this case, the partition is treated as a regular CD by AutoPlay.

    Windows 7 AutoPlay and Virtual CD

    When we wrote the Virtual CD post back in June, it seemed highly unlikely that we'd see it deliberately used in a targeted attack. We thought it was much more likely to affect someone due to a compromise in the manufacturing process; that the Virtual CD would be infected in the master copy at the factory.

    But now, considering the Stuxnet case, which uses a zero-day flaw, signed drivers, and targets Siemens SIMATIC WinCC databases… maybe the idea of a Virtual CD attack isn't so far fetched after all. Clearly there's some very motivated espionage in play.

    Bottom line: If you're an IT manager with Windows 7 systems in your network, disable AutoPlay.
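For an IT manager who wants to do exactly that, here is an added example (not code from the original post): it disables AutoPlay for every drive type by writing the same policy value that the Group Policy setting "Turn off AutoPlay" (applied to all drives) sets, then reads it back. The value is a bit mask of drive types; 0xFF covers them all, and 0x04 alone would cover only removable drives. Run it from an elevated PowerShell.

```powershell
# Added example, not part of the original post: disable AutoPlay for every drive
# type by writing the same policy value that the Group Policy setting
# "Turn off AutoPlay" (applied to all drives) sets, then read it back. The value
# is a bit mask of drive types; 0xFF covers them all and 0x04 alone would cover
# only removable drives. Run from an elevated PowerShell.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # current user only
)
$allDriveTypes = 0xFF

function Get-AutoPlayPolicy {
    foreach ($key in $policyKeys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        $display = if ($null -eq $value) { $null } else { '0x{0:X2}' -f $value }
        [pscustomobject]@{
            Key                = $key
            NoDriveTypeAutoRun = $display
            # Every drive-type bit must be set for AutoPlay to be off everywhere.
            AllDrivesOff       = ($null -ne $value) -and (($value -band $allDriveTypes) -eq $allDriveTypes)
        }
    }
}

function Disable-AutoPlay {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord `
                         -Value $allDriveTypes -Force | Out-Null
    }
}

Disable-AutoPlay
Get-AutoPlayPolicy | Format-Table -AutoSize
```

Log off and back on for Explorer to pick the value up. On domain-joined machines set it through Group Policy instead (Computer Configuration, Administrative Templates, Windows Components, AutoPlay Policies, "Turn off AutoPlay"), because the next policy refresh overwrites anything written to the Policies key locally.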

    Updated to add: Microsoft has updated their advisory. Our latest post has the details.

    On 20/07/10 At 09:26 AM

  • MS10-043 - Critical: Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276) 13 Jul 2010 | 4:00 am

    Bulletin Severity Rating:Critical - This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.

  • MS10-045 - Important: Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212) 13 Jul 2010 | 4:00 am

    Bulletin Severity Rating:Important - This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-044 - Critical: Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335) 13 Jul 2010 | 4:00 am

    Bulletin Severity Rating:Critical - This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-042 - Critical: Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593) 13 Jul 2010 | 4:00 am

    Bulletin Severity Rating:Critical - This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.

  • MS10-041 - Important: Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343) 8 Jun 2010 | 4:00 am

    Bulletin Severity Rating:Important - This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow data tampering of signed XML content without being detected. In custom applications, the security impact depends on how the signed content is used in the specific application. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability.

  • MS10-032 - Important: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559) 8 Jun 2010 | 4:00 am

    Bulletin Severity Rating:Important - This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font.

  • MS10-037 - Important: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218) 8 Jun 2010 | 4:00 am

    Bulletin Severity Rating:Important - This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow elevation of privilege if a user views content rendered in a specially crafted CFF font. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

  • MS10-036 - Important: Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235) 8 Jun 2010 | 4:00 am

    Bulletin Severity Rating:Important - This security update resolves a privately reported vulnerability in COM validation in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher, or PowerPoint file with an affected version of Microsoft Office. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

  • MS10-035 - Critical: Cumulative Security Update for Internet Explorer (982381) 8 Jun 2010 | 4:00 am

    Bulletin Severity Rating:Critical - This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-038 - Important: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452) 8 Jun 2010 | 4:00 am

    Bulletin Severity Rating:Important - This security update resolves fourteen privately reported vulnerabilities in Microsoft Office. The more severe vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MediaPass 28 Apr 2010 | 8:00 pm

    The most infected countries are:
    Costa Rica: 2.56%
    Mexico: 2.06%
    Argentina: 1.89%
    Spain: 1.30%
    Colombia: 1.26%

  • Harebot.M 28 Apr 2010 | 8:00 pm

    The most infected countries are:
    Turkey: 1.48%
Switzerland: 1.23%
    Argentina: 0.63%
    Colombia: 0.42%
    Mexico: 0.33%

  • Zlob.PS 28 Apr 2010 | 8:00 pm

    The most infected countries are:
    Mexico: 0.66%
    Costa Rica: 0.64%
    Spain: 0.26%
    Peru: 0.19%
Others: 0.13%

  • Lineage.LKR 21 Apr 2010 | 8:00 pm

    The most infected countries are:
    Peru: 0.75%
    Costa Rica: 0.64%
    Chile: 0.56%
    Canada: 0.53%
    Colombia: 0.42%

  • P2PWorm.JM 20 Apr 2010 | 8:00 pm

    The most infected countries are:
    Mexico: 1.51%
    Colombia: 0.84%
    Costa Rica: 0.64%
    Chile: 0.56%
    Argentina: 0.47%

  • Sinowal.WZN 17 Apr 2010 | 8:00 pm

    The most infected countries are:
    Denmark: 0.93%
Others: 0.67%
    Canada: 0.53%
    Germany: 0.47%
    Spain: 0.43%

  • Lineage.LKJ 15 Apr 2010 | 8:00 pm

    The most infected countries are:
    Costa Rica: 0.64%
    Chile: 0.56%
    Turkey: 0.49%
    Argentina: 0.47%
    Brazil: 0.47%

  • Clicker.ARB 29 Mar 2010 | 8:00 pm

    The most infected countries are:
Others: 0.94%
    Norway: 0.79%
    Netherlands: 0.68%
    Switzerland: 0.62%
    Mexico: 0.61%

  • Lineage.LJI 17 Mar 2010 | 8:00 pm

    The most infected countries are:
    Turkey: 0.56%
    Canada: 0.53%
    Slovenia: 0.50%
    Argentina: 0.47%
    Spain: 0.46%

  • Krap.AZ 28 Feb 2010 | 7:00 pm

    The most infected countries are:
    Denmark: 0.93%
    Sweden: 0.89%
    Thailand: 0.81%
    Germany: 0.79%
    UK: 0.54%

  • Trojan Downloader.Agent.UZM 5 Oct 2009 | 9:50 am

A new Trojan downloader was spammed today. The Trojan is attached as a zip archive to HTML-format e-mails with the subject "Hot game" and body text promising an Angelina Jolie or Lara Croft undressing game. The xgame.zip attachment contains xgame.exe (20992 bytes), which drops, executes and then deletes the kernel driver C:\WINDOWS\System32\drivers\runtime.sys and downloads a further downloader, smartdrv.exe. runtime.sys runs an Iexplore.exe process, injects into it and hides it, then downloads further components. xgame.exe is detected as Trojan Downloader.Agent.UZM, smartdrv.exe as Trojan Downloader.Agent.UZN, runtime.sys as Trojan Downloader.Agent.THW, and the other downloaded components as several variants of Trojan Backdoor.Ntrootkit.

  • I-Worm/Nuwar 5 Oct 2009 | 9:50 am

The propagation method of this new Nuwar variant is still similar to that of its predecessors. Spammed e-mails containing a link in IP-address form direct users to the worm's web pages, where they are prompted to download one of the worm files under the name funny.exe. Other downloadable file names are kickme.exe and foolsday.exe. AVG detects this threat as I-Worm/Nuwar.R.

  • I-Worm/Stration downloader 5 Oct 2009 | 9:50 am

The next Stration downloader variant spreads by e-mail in messages with a randomly generated subject and body and two attachments. The PDF attachment is harmless, but the EXE attachment, 18708 bytes long, is the downloader itself; AVG detects it as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.

  • Win32/Mabezat.A 5 Oct 2009 | 9:50 am

In the last few days we've registered a larger number of PE files infected by this virus. Win32/Mabezat is a polymorphic file infector that infects PE files. More information can be found in our Virus Encyclopedia.

  • Downloader.Tibs 5 Oct 2009 | 9:50 am

A new Downloader.Tibs variant is spreading today thanks to massive spamming. Infected e-mails contain an attachment about 130-140 kB long, usually named happy2008.exe, which is the trojan horse itself. There are also e-mails with links directing users to malicious web pages. The files are already detected as Downloader.Tibs.

  • I-Worm/Nuwar 5 Oct 2009 | 9:50 am

The new Nuwar variant's spreading method is similar to last month's Nuwar.L propagation. The spammed e-mails are brief and contain a link in IP-address form to currently active pages hosting the worm. The compromised page's code is altered so that the user is prompted to download a file containing the worm. The downloaded file is named valentine.exe, is about 110-130 kB long, and is detected by AVG as I-Worm/Nuwar.N.

  • I-Worm/Nuwar 5 Oct 2009 | 9:50 am

We have a new wave of spammed mail messages containing a link directing users to a website from which the worm can be downloaded. The e-mails contain a short text and the IP address of currently active pages hosting the worm. In this case the downloaded file is named withlove.exe and is about 115 kB in size. The websites and worm files change every few minutes. AVG detects withlove.exe as I-Worm/Nuwar.L.

  • I-Worm/Stration downloader 5 Oct 2009 | 9:50 am

The latest Stration downloader spreads by e-mail in messages with a randomly generated subject and body, with one EXE and one PDF file attached. The EXE file is 20992 bytes in size and is the downloader itself; AVG detects it as I-Worm/Stration.FJA. The file the downloader tries to fetch is already detected as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.

  • Stration downloader 5 Oct 2009 | 9:50 am

A new Stration downloader was seeded this morning using mail messages with a variable subject and body and two attachments, one with a pdf extension and a second with an exe extension, 4096 bytes in size, which is the downloader itself. AVG detects this threat as Trojan horse Downloader.Generic6.PFM. The downloader tries to download and install Stration on the affected system, but the Stration download link is no longer active. More information about the Stration worm family can be found in the Virus Encyclopedia.

  • Backdoor.Win32.Clampi.a 25 Sep 2009 | 7:51 am

This Trojan spy program is designed to steal confidential user data and remotely manage the victim machine. It is a Windows PE EXE file. It is 470 bytes in size. Installation When launched, the Trojan creates the following file: %AppData%\<name>.exe <name> is chosen at random from...

  • Trojan-Dropper.Win32.Agent.albv 15 Apr 2009 | 5:17 am

    This Trojan has a malicious payload. It is a Windows PE EXE file. It is 23552 bytes in size. Installation The Trojan copies its executable file as follows: %WinDir%\system\svhost.exe In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link...

  • Trojan-Dropper.Win32.Kido.a 15 Apr 2009 | 5:09 am

    This Trojan is designed to install and launch other programs on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. It is 78848 bytes in size. It is written in C++.

  • Trojan-Downloader.Win32.Kido.a 18 Mar 2009 | 9:36 am

    This malicious program is a Windows DLL file. Installation The malware copies its executable file with random names to the following directories: %Program Files%\Internet Explorer\<rnd>.dll %Program Files%\Windows Media Player\<rnd>.dll %Program Files%\WindowsNT\<rnd>.dll %Program...

  • Trojan.Win32.Agent.azsy 12 Mar 2009 | 12:29 pm

    This malicious program is a Trojan. It is a Windows PE EXE file. It is 417792 bytes in size. It is packed using UPX. The unpacked file is approximately 439KB in size. It is written in C++. Installation Once launched, the Trojan copies its body to the current user’s Windows startup...

  • Trojan-Downloader.Win32.Agent.ahoe 24 Feb 2009 | 3:32 am

    This Trojan downloads another malicious program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 9216 bytes in size. It is packed using UPX. The unpacked file is approximately 38KB in size. It is written in...

  • Net-Worm.Win32.Kido.ih 20 Feb 2009 | 3:41 am

    This network worm spreads via local networks and removable storage media. When it copies itself to remote computers, the worm creates a temporary file with a random extension. The program itself is a Windows PE DLL file. The worm components vary in size from 155KB to 165KB. It is packed using UPX....

  • Downadup/Conficker worm 29 Jan 2009 | 8:40 am

The first version of this worm has been known since December 2008. It now has more than 300 variants. More information can be found in the Virus Lab Blog.

  • Email-Worm.Win32.Brontok.q 23 Oct 2006 | 5:47 am

    This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine. The worm itself is a Windows PE EXE file written in Visual Basic. The size of the infected file can vary significantly. The functionality described below...

  • EICAR-Test-File 7 Jul 2003 | 7:36 am

    EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program. Why is this harmless file detected as a virus? The file was created in order to demonstrate to...


© Copyright 2009, PCJOE.COM. All rights reserved.