Re: Suspect e-mail from bfrazzon () lcc furb br.

[Paul Rogers <paul.rogers () MIS-CDS COM>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yotam Rubin wrote:
> Also note how the binary's mime type is set to image/gif.
> I do not know how Outlook handles this but the sender
> probably wanted to achieve one of two things:

This could be because the mail maybe trying to bypass some e-mail
content filtering software, because Outlook uses the second occurence
of the MIME filename to distinguish the name and filetype, where as
the content filtering software uses the first occurence. Therefore
the software would recognise it as a GIF rather than an EXE.

For example, to send a VBS the MIME header for the attachment would
read:

- ------_=_NextPart_000_05C19F26.AB526EB2
Content-Type: text/plain;
        name="test.doc"
Content-Disposition: attachment;
        filename="test.doc.vbs"

Or it could be for a completely different reason.

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited

Tel:            +44 (0)1622 723422 (Direct Line)
                +44 (0)1622 723400 (Switchboard)
Fax:            +44 (0)1622 728580
Website:        http://www.mis-cds.com/

> -----Original Message-----
> From: Yotam Rubin [mailto:yotam () MAKIF OMER K12 IL]
> Sent: 08 May 2001 21:56
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Suspect e-mail from bfrazzon () lcc furb br.
>
>
> ***   THIS MESSAGE ORIGINATED OUTSIDE MIS   ***
>
> Gentle people,
>
>       I have recently received a highly dubious e-mail from
> bfrazzon () lcc furb br. The subject of the letter was "damaged.
> For more".
> Attached to the letter was a file named EDCREGC.EXE whose
> mime type was
> image/gif. Below is the content of the discussed message:
>
> "        If you have a Plug-and-Play monitor:Check if the
> Windows 95 Monitor
> option button is selected and that Plug and Play Monitor
> (VESA DDC) appears
> immediately under it. If so, the MGA display driver
> automatically uses the
> correct settings for your monitor. If not, use Windows 95
> monitor selection to
> use your monitor's default settings (see "Windows95 monitor
> selection"). "
>
> I have posted the entire message including headers at:
> http://192.117.130.34/Fendor/security/bruno-8-5-2001
> You may find the attached binary at:
> http://192.117.130.34/Fendor/security/EDCREGC.EXE
>
>       Another fact of interest is that the recipient's (me)
> non-local address
> portion was capitalized. Assuming that he used an address
> harvester, the
> form of the collected address is probably identical to the
> recipient's address
> in this particular message. The only public place where my
> address is partially
> capitalized is the list archive of the incidents mailing list.
> I am fairly sure this is not how his software normally
> behaves, because
> other addresses in the letter were not capitalized in the
> same manner, as
> opposed to messages originating at securityfocus.com.
>
>       Also note how the binary's mime type is set to image/gif.
> I do not know how Outlook handles this but the sender
> probably wanted to
> achieve one of two things:
>
>  o Deceive the recipient into thinking that the attachment is
> a picture,
>    thus coaxing him to open the curious file.
>  o Perhaps he wanted Outlook to open the attachment automatically.
>    I know that outlook renders certain mime-types on the fly, so
> maybe
>    by opening the message the attachment is executed.
>
> Enlightenments regarding this letter are highly solicited.
>
>       Best Regards, Yotam Rubin

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOvkHPLnKcoQ5QY/3EQLWQACfQDsV3i7vPl1QOyxI2KvykLI/xzUAn0Gf
OFkL5fqEzRwwU7mrgFvxhmob
=1Lg+
-----END PGP SIGNATURE-----