[Techtalk] new spam thingy

Alvin Goats agoats at compuserve.com
Fri Nov 22 15:20:20 EST 2002


> It doesn't. But Internet Explorer had a gaping security hole that allowed 
> anyone to download and execute programs on your computer. It set the MIME 
> type to audio/wav, but left the extension at .exe. Now, under Windows, 
> executing programs and opening files use the same API (so opening a Word 
> document is the same as executing Word). So IE saw the MIME type (a sound 
> file) and said that it was okay to "execute", and Windows saw the extension 
> and executed it as an executable!


Perhaps a better explanation of the virus sets I was getting early this
month:


Microsoft's software was set to execute, play or otherwise use whatever
software was necessary to run attachments, their default settings. Mime
would decode, and then one of a few things happened:

the code in the first header '001.txt' would execute the virus (001.txt
was actually an html file), the Windows system with any of the targeted
software (outlook, internet exploder, etc) would launch the virus, or if
you were finally suckered into running the virus with some of the
windows default settings (wav, jpg, etc) as the final approach. After
the virus was launched, the final program of the same name would
overwrite the virus code with an html file. 


Java can also be used to exploit your system IF you have enabled java or
javascript for your e-mails or news groups as well. To make things neat
and simple for me, I use Netscape for my mail and newsgroups, so I do
have some risk involved with html, mime and java messages UNLESS I
disable them. This is easier to do under linux than windows (I never
could find ALL the little holes in their system, so I gave up and stuck
with linux).


The virii were klez and W32.BugBear with the following file names (these
were their EXACT file names):

ALIGN.exe
NAME.bat
Policy.bat
TYPE.scr
before.bat
picacu.exe
setup.exe

Add to these some more extensions: .wav, .au, .asf, .asx, .mid, .jpg,
.gif, .bmp, .htm, .com and you can have zillions of files to execute and
infect your windows system. 

Now if you are trying to target more machines, I would expect some java
code with an extension that would be executable for the targeted
machine. With the increase in the attempts on linux, I'd look at
shutting down as much of the java, javascript and html autoexecution
capabilities as possible. 

My ha'penny's worth of feedback.

Alvin


BTW, the turkey targeting me by e-mail had everything originating from
the same main site, different accounts, but the same main site. Watch
and see if you get more mail from the same site, then turn them in to
your governing authorities.
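The attachment pattern the thread describes (a Content-Type that says "sound file" or "text" while the filename ends in an executable extension) can be checked mechanically before a mail client ever sees the message. The following is an added example, not code from the original post or the Techtalk list: it uses only Python's standard `email` module, the extension lists are constructed from the names quoted above plus common Windows executable extensions, and the sample message is constructed here for the test.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed list: extensions Windows will run directly (includes those named in the post).
EXECUTABLE_EXTS = {".exe", ".bat", ".scr", ".com", ".pif", ".vbs", ".js"}

# Constructed mapping: which filename extensions a declared Content-Type is expected to carry.
EXPECTED_EXTS = {
    "audio/wav": {".wav"},
    "audio/x-wav": {".wav"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
    "text/html": {".htm", ".html"},
    "text/plain": {".txt"},
}


def audit_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment whose filename extension is executable,
    or whose declared MIME type disagrees with its extension (the IE/Outlook gap
    described in the thread). Attachments that look consistent produce nothing."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension")
        expected = EXPECTED_EXTS.get(ctype)
        if expected is not None and ext not in expected:
            reasons.append(f"declared {ctype} but extension {ext or '(none)'}")
        if reasons:
            findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample message: a .scr declared as WAV audio, an HTML file
    named 001.txt (as in the post), and one honest JPEG for contrast."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(b"RIFF....", maintype="audio", subtype="x-wav", filename="TYPE.scr")
    msg.add_attachment("<html></html>", subtype="html", filename="001.txt")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg", filename="photo.jpg")
    return bytes(msg)


if __name__ == "__main__":
    for finding in audit_attachments(build_sample()):
        print(finding)
```

A mail gateway can quarantine on any finding; the check deliberately trusts neither the declared type nor the extension alone, since the thread's point is that different components honour different ones.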
