[Techtalk] new spam thingy

Tim White timw at tojo.objectif.com.au
Fri Nov 22 17:03:46 EST 2002


The virus does exploit a problem with Outlook/Outlook Express, where you
can have these 'special' things called iframes in HTML mail (I have no
idea why you would normally use an iframe by the way).

Below is a snippet of a virus our mailscanner picked up - both BugBear
and Klez work the same way. 

1) MIME Email with HTML bit and Bad Code bit
2) iframe in HTML bit points to the Bad Code bit in the same email -
hence just looking at the message will run the attachment.
3) Bad Code bit uses silly Outlook fault that trusts the MIME
Content-Type (in this case saying that the attachment is a midi file) to
decide what to do with the file. Even tho' the attachment is a .pif -
Outlook decides that it is safe because it is a midi file and then
executes it.

These viruses are an extra PITA because you can't tell who sent them; the
only part of the headers you can trust is the IP address that your
email server received the message from. Sometimes you can compare that
to other mail received, but that is annoyingly tedious.

Below is the email snippet I mentioned, have a nice weekend,

Tim White

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:P8k5I4Vw6hp2I2uCOw1 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--Xz3V7895F0O6q7
Content-Type: audio/x-midi;
        name=pages .pif
Content-Transfer-Encoding: base64
Content-ID: <P8k5I4Vw6hp2I2uCOw1>
<VIRUS SNIPPED>






On Fri, 2002-11-22 at 15:40, Maria Blackmore wrote:
> On Thu, 21 Nov 2002, Alvin Goats wrote:
> 
> > WindowsExecutbleFile with mime command to execute the file
> 
> I wasn't aware that MIME included the ability to send commands to execute
> a program.  In fact I'm almost 100% sure of that.
> 
> Traditionally, viruses of this type have relied on the gullibility of
> users to run the program.  However recently I heard people muttering
> something about exploits for outlook that made it run arbitrary code
> simply by receiving an email, which could feasibly, of course, include
> chaining an executable from an attachment.
> 
> just my 3p  (inflation, you see:)
> 
> Maria
> 
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
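As an added, defender-side example (not code from Tim's post or from the list), here is a Python check for the pattern Tim describes: an HTML part with a hidden `<iframe src=cid:...>` pointing at a sibling part whose declared Content-Type does not match its filename extension. The sample message is constructed: the boundary, Content-ID, iframe and filename are copied from the quoted snippet, and the base64 payload is harmless filler, not the virus.

```python
import email
import mimetypes
import re

# Constructed sample modelled on the snippet in the post: boundary, Content-ID,
# iframe and filename are copied from it; the base64 body is harmless filler.
SAMPLE = """\
Content-Type: multipart/related; boundary="Xz3V7895F0O6q7"

--Xz3V7895F0O6q7
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:P8k5I4Vw6hp2I2uCOw1 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>
--Xz3V7895F0O6q7
Content-Type: audio/x-midi;
        name=pages .pif
Content-Transfer-Encoding: base64
Content-ID: <P8k5I4Vw6hp2I2uCOw1>

Tm90IGEgcmVhbCBleGVjdXRhYmxl
--Xz3V7895F0O6q7--
"""

IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)
PARAM_NAME = re.compile(r'\bname\s*=\s*"?([^";]+)"?', re.I)

def analyse(raw):
    """(cid, declared type, filename) for each iframe-targeted part whose type lies."""
    msg = email.message_from_string(raw)
    refs = set()  # Content-IDs that an <iframe src="cid:..."> in an HTML part points at
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("latin-1", "replace")
            refs.update(IFRAME_CID.findall(html))
    hits = []
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip("<> ")
        if cid not in refs:
            continue
        m = PARAM_NAME.search(str(part.get("Content-Type", "")))
        name = m.group(1).strip() if m else ""
        # .pif is not what audio/x-midi implies: the declared type cannot be trusted
        if mimetypes.guess_type(name)[0] != part.get_content_type():
            hits.append((cid, part.get_content_type(), name))
    return hits
```

`mimetypes.guess_type` is only a rough oracle here: aliases such as `audio/x-midi` versus `audio/midi` would be flagged too, so a production filter needs a synonym table or, better, a rule that any iframe-referenced non-image part is quarantined.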