Security Incidents mailing list archives
Re: Suspect e-mail from bfrazzon () lcc furb br.
From: Paul Rogers <paul.rogers () MIS-CDS COM>
Date: Wed, 9 May 2001 09:57:24 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yotam Rubin wrote:
Also note how the binary's mime type is set to image/gif. I do not know how Outlook handles this but the sender probably wanted to achieve one of two things:
This could be because the mail maybe trying to bypass some e-mail content filtering software, because Outlook uses the second occurence of the MIME filename to distinguish the name and filetype, where as the content filtering software uses the first occurence. Therefore the software would recognise it as a GIF rather than an EXE. For example, to send a VBS the MIME header for the attachment would read: - ------_=_NextPart_000_05C19F26.AB526EB2 Content-Type: text/plain; name="test.doc" Content-Disposition: attachment; filename="test.doc.vbs" Or it could be for a completely different reason. Cheers, Paul Rogers, Network Security Analyst. MIS Corporate Defence Solutions Limited Tel: +44 (0)1622 723422 (Direct Line) +44 (0)1622 723400 (Switchboard) Fax: +44 (0)1622 728580 Website: http://www.mis-cds.com/
-----Original Message----- From: Yotam Rubin [mailto:yotam () MAKIF OMER K12 IL] Sent: 08 May 2001 21:56 To: INCIDENTS () SECURITYFOCUS COM Subject: Suspect e-mail from bfrazzon () lcc furb br. *** THIS MESSAGE ORIGINATED OUTSIDE MIS *** Gentle people, I have recently received a highly dubious e-mail from bfrazzon () lcc furb br. The subject of the letter was "damaged. For more". Attached to the letter was a file named EDCREGC.EXE whose mime type was image/gif. Below is the content of the discussed message: " If you have a Plug-and-Play monitor:Check if the Windows 95 Monitor option button is selected and that Plug and Play Monitor (VESA DDC) appears immediately under it. If so, the MGA display driver automatically uses the correct settings for your monitor. If not, use Windows 95 monitor selection to use your monitor's default settings (see "Windows95 monitor selection"). " I have posted the entire message including headers at: http://192.117.130.34/Fendor/security/bruno-8-5-2001 You may find the attached binary at: http://192.117.130.34/Fendor/security/EDCREGC.EXE Another fact of interest is that the recipient's (me) non-local address portion was capitalized. Assuming that he used an address harvester, the form of the collected address is probably identical to the recipient's address in this particular message. The only public place where my address is partially capitalized is the list archive of the incidents mailing list. I am fairly sure this is not how his software normally behaves, because other addresses in the letter were not capitalized in the same manner, as opposed to messages originating at securityfocus.com. Also note how the binary's mime type is set to image/gif. I do not know how Outlook handles this but the sender probably wanted to achieve one of two things: o Deceive the recipient into thinking that the attachment is a picture, thus coaxing him to open the curious file. o Perhaps he wanted Outlook to open the attachment automatically. I know that outlook renders certain mime-types on the fly, so maybe by opening the message the attachment is executed. Enlightenments regarding this letter are highly solicited. Best Regards, Yotam Rubin
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBOvkHPLnKcoQ5QY/3EQLWQACfQDsV3i7vPl1QOyxI2KvykLI/xzUAn0Gf OFkL5fqEzRwwU7mrgFvxhmob =1Lg+ -----END PGP SIGNATURE-----
Current thread:
- Suspect e-mail from bfrazzon () lcc furb br. Yotam Rubin (May 08)
- Re: Suspect e-mail from bfrazzon () lcc furb br. Ryan Russell (May 08)
- Re: Suspect e-mail from bfrazzon () lcc furb br. Ryan Russell (May 08)
- <Possible follow-ups>
- Re: Suspect e-mail from bfrazzon () lcc furb br. BRAD GRIFFIN (May 08)
- Re: Suspect e-mail from bfrazzon () lcc furb br. Paul Rogers (May 10)