1. Field of the Invention
The present invention relates generally to computer systems, and more particularly but not exclusively to techniques for detecting malicious content.
2. Description of the Background Art
Malicious programs, such as computer viruses, spy wares, worms, and Trojans, pose a significant threat to computer systems. For example, a computer virus can corrupt or delete important files, send e-mails without user authorization, render a computer inoperable, or cause other types of damage to a computer. Computers may incorporate antivirus programs as a protective measure against viruses. An antivirus program may open a file and then scan the file for malicious content.
As a countermeasure against antivirus programs, a malicious program may be embedded in a password protected archive. An example of such a malicious program is the so-called “BAGLE” worm. The BAGLE worm propagates by mass-mailing copies of itself using SMTP (Simple Mail Transfer Protocol). The BAGLE worm also opens a backdoor that allows a hacker to upload and run programs on infected computers.
The BAGLE worm arrives in a password protected archive, which is included as an attachment to an e-mail. The password required to extract files from the archive is included in the message body of the e-mail. The password is provided as a text file in the early versions of the worm. This allows an antivirus program to parse the message body to obtain the password, which in turn allows the antivirus program to extract files from the archive for scanning. However, later versions of the worm include the password as a graphical image. This prevents an antivirus program from obtaining the password needed to extract files from the archive.