[Techtalk] new spam thingy

Alvin Goats agoats at compuserve.com
Thu Nov 21 23:19:37 EST 2002


An FYI to all of you:

I was receiving a bunch of e-mail from someone (same originating place)
that was sending virii as mime attachments. The trick they were using
was fairly simple:


001.txt  (some html header)

WindowsExecutableFile with mime command to execute the file

html file with the same name as WindowsExecutableFile that would
overwrite the executable file that was just saved and executed.


Net result: you've been infected and the file that did the infecting was
overwritten with an html file! Tracks were covered. The virii included
klez and W32.BugBear.


Since the attack was windows based and I'm using Linux, nothing
happened. 

But if this is a java type approach instead of mime, then it might cause
some problems, particularly if it is a Linux/Unix based executable (java
can be cross platform dangerous if the receiver has sufficiently high
access privileges). I don't like having java anything enabled with my
mail or news and I don't like mime mail for this reason.


What you might try in order to look at the file is: 

Save the mail as something.txt (make it a non-executable text file).
chmod the file if you have to. Midnight commander will try to execute or
otherwise interpret other file extensions, but not '.txt'.

Use midnight commander to VIEW the file and look at what is going on.
You can scroll up and down the file to see what is there, and you can
view in hex as well. 



This is how I examined the mail I was receiving. Note that I didn't give
file names on the virii; they varied from .bat, .exe, to .scr, all of
which could be executed under Windows.




Alvin
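
The triage the post describes (save the mail as plain text and look at the parts without letting anything run) can be scripted. The following is an added example, not code from the original post or from Midnight Commander; it uses only the Python standard library to parse a saved .eml, list every MIME leaf part with a hex preview of its first bytes, and flag the layout described above: an attachment with a Windows executable extension, a text or HTML part carrying an executable's filename, and a filename reused by more than one part so that saving the later part overwrites the earlier one. The sample message, its addresses and the attachment name are constructed placeholders.

```python
"""Triage a saved mail (.eml) without executing or rendering any part.

Added example, not code from the original post. Uses only the standard
library. The sample message and every name in it are constructed.
"""
import email
import os
import sys
from collections import Counter
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; .bat, .exe and .scr are the ones the post names.
EXECUTABLE_EXT = {".bat", ".exe", ".scr", ".com", ".pif", ".cmd", ".vbs"}


def build_sample() -> bytes:
    """Constructed message mimicking the layout from the post (harmless placeholders)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("001.txt placeholder body")
    # 'Executable' part: arbitrary bytes, not a real program.
    msg.add_attachment(b"MZ\x00placeholder, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="update.exe")
    # HTML part that reuses the executable's filename, as in the post.
    msg.add_attachment("<html><body>placeholder</body></html>",
                       subtype="html", filename="update.exe")
    return msg.as_bytes()


def hexdump(data: bytes, width: int = 16) -> list:
    """Offset, hex bytes and printable view, like a hex viewer; nothing is interpreted."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return lines


def inspect_message(raw: bytes) -> dict:
    """Parse the MIME tree, describe each leaf part, and collect findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts, findings = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""  # decoded bytes, never executed
        name = part.get_filename()
        ext = os.path.splitext(name)[1].lower() if name else ""
        ctype = part.get_content_type()
        parts.append({
            "content_type": ctype,
            "filename": name,
            "size": len(payload),
            "preview": hexdump(payload[:32]),
        })
        if ext in EXECUTABLE_EXT:
            findings.append(f"executable filename {name!r} ({ctype})")
            if part.get_content_maintype() == "text":
                findings.append(f"text part named like an executable: {name!r} is {ctype}")
    # Same filename on several parts: saving all of them overwrites the earlier ones.
    names = Counter(p["filename"].lower() for p in parts if p["filename"])
    for name, count in names.items():
        if count > 1:
            findings.append(f"filename {name!r} appears in {count} parts; saving both overwrites the first")
    return {"parts": parts, "findings": findings}


if __name__ == "__main__":
    # Usage: python triage.py saved_mail.txt   (no argument: analyse the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    report = inspect_message(raw)
    for p in report["parts"]:
        print(f"{p['content_type']:<28} {str(p['filename']):<20} {p['size']} bytes")
        for line in p["preview"]:
            print("    " + line)
    for f in report["findings"]:
        print("FINDING:", f)
```

Run against the constructed sample, the report lists three leaf parts (the text body, the octet-stream part and the HTML part) and four findings: the executable name on two parts, the HTML part masquerading under an executable name, and the duplicated filename.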