
OT: viruses in email & MIME types


fiat_lux

Aug 16, 2001, 5:45:09 PM
I don't know a whole lot about MIME, but today I received an email from an
unknown person, talking about my financial records which was totally off the
wall. There was no To: line, so I suspect it's a mass mailing.

Anyway, it had an attachment. Fortunately, I don't open suspicious emails on
Outlook, I use a small POP3 mail checking app that only displays your
messages on notepad, keeping you safe from any harmful attachments, etc.

Anyway. It had a ~150 KB attachment. But check these MIME headers:

Content-Type: image/gif; name="cscript.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cscript.exe"

Why does it say the content type is a gif image, when the attachment is
clearly an EXE? Is it trying to fool email clients into thinking the
attachment is a gif? At any rate, this is extremely suspicious, and I'm not
going to download the message on Outlook.


Mark W. Brouwer

Aug 16, 2001, 7:38:06 PM
to fiat_lux

Any file can contain a double extension (jpg.vbs or gif.exe) and if
it's a known extension to WIN it will only show the first extension.
F.i. pic.jpg.vbs = pic.jpg - pic.gif.exe = pic.gif.

As you can see the second extension (known by WIN) isn't shown, but will
be executed!!

How to NOT hide extensions in Windows
http://www.irchelp.org/irchelp/security/trojanext.html

--
Mark W. Brouwer,
Netherlands.
Email not correct due to SPAM.
Please remove WODKA to reply.
-----------------------------------------
Home Page : Virus or Hoax ?
Got Infected? Want info? Search and find!
http://resource.at/virus
(framed/javascript enabled version)
-----------------------------------------
http://members.tripod.lycos.nl/brouw039/
(non-framed/javascript disabled version)
-----------------------------------------
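
An added example, not part of either post: a Python check for the two tricks discussed in this thread, a declared Content-Type that disagrees with the file name's extension, and a double extension that ends in an executable type. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_string

# Extensions Windows runs on double-click (illustrative list, not exhaustive).
EXECUTABLE = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Extensions each declared type may legitimately carry (small sample map).
EXPECTED = {"image/gif": {"gif"}, "image/jpeg": {"jpg", "jpeg"}, "text/plain": {"txt"}}


def check_attachment(declared_type, filename):
    """Return findings for one attachment's declared type and file name."""
    # Windows strips trailing dots and spaces from file names, so ignore them here.
    exts = filename.rstrip(" .").lower().split(".")[1:]
    findings = []
    if exts and exts[-1] in EXECUTABLE:
        findings.append("executable-extension")
        if len(exts) > 1:  # pic.jpg.vbs displays as pic.jpg when extensions are hidden
            findings.append("double-extension")
    allowed = EXPECTED.get(declared_type.lower())
    if exts and allowed is not None and exts[-1] not in allowed:
        findings.append("type-extension-mismatch")
    return findings


def scan_message(raw):
    """Map each attachment file name in a raw message to its findings."""
    parts = message_from_string(raw).walk()
    return {p.get_filename(): check_attachment(p.get_content_type(), p.get_filename())
            for p in parts if p.get_filename()}


# Constructed sample; the first attachment carries the headers quoted in the thread.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/gif; name="cscript.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cscript.exe"

AAAA
--b1
Content-Type: image/jpeg; name="pic.jpg.vbs"
Content-Disposition: attachment; filename="pic.jpg.vbs"

placeholder body
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The check reads only headers, so it can run on a mail gateway or in a plain-text reader without decoding or opening the attachment.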
