Original URL: http://www.theregister.co.uk/2003/10/18/kill_bill_trojan_fails/

‘Kill Bill’ Trojan fails to rack up body count

Low risk malware poses as movie subtitle file

By John Leyden

Posted in Security, 18th October 2003 10:16 GMT

A new backdoor (spying program) which poses as a DivX file containing subtitles from the latest Quentin Tarantino film Kill Bill has been spotted on the Net.

The low-spreading Manda-A (AKA PWSteal.Salira) Trojan arrives as a .RAR archive with a malformed header. This archive, 35347 bytes in size, has a movie subtitle name Kill Bill.

Subtitles are used alongside DivX movie clip files to enable foreign language speakers to follow the plot of a film.

As a social engineering trick, sending infectious files that pose as movie subtitles would seem to be of questionable effectiveness. Indeed very few copies of the Trojan have been spotted so far, making Manda more of a curious nuisance than a serious threat.

Which is just as well, as the Trojan payload contained in Manda is quite nasty, according to BitDefender. The Romanian AV firm warns that some badly-configured archivers may execute the Trojan on a simple archive view.

"It tricks users into executing the backdoor, using the name of the movie 'Kill Bill'. The ZIP file was specially crafted, so most antivirus products will not identify the file inside as executable," said Patrick Vicol, virus researcher at BitDefender Lab.

"The backdoor sends network and internet passwords, as well as statistical system information by email, to the virus author", he added.

Details inside the virus body may indicate that the author is a Romanian fan of underground music, according to BitDefender. A technical description of the Trojan can be found here or from Symantec here. ®