Re: Exploit.IFrame.FileDownload virus??
Hi,

Thomas Baker wrote:
> I use Cygwin Mutt 1.2.5i (2000-07-05) on Win2000 and just got messages from two people with a short text message saying "Your password is 12zxjkjl123kjl12jz". But the size of each of the messages, according to Mutt, was 65k.
>
> After viewing the message with the default viewer (only), my virus protector popped up with a message to the effect that c:\tmp\mutt-mutt-LEPIDUS-2136-12 was infected with the Exploit.IFrame.FileDownload virus. Before deleting, I looked at its file entry -- it was roughly 250k and bore a time-stamp of several minutes earlier, when I had been reading the message. I saved one of the messages to a file named virus and tried opening it with vim, but got a message like "file is readonly". I deleted that too.
>
> According to the F-Secure Web site, this is a virus that exploits a flaw in Internet Explorer, and by extension mail readers that use it, such as Outlook. No surprise there! The only surprise to me is that 250k infected file which appeared in my c:/tmp. What kind of things does Mutt park there, and where could that big file have come from?? Surely Mutt would not have uncompressed anything without telling me...?

When I used cygwin mutt to read over IMAP, it always cached every message in /tmp, causing my virus scanner to have a bad day. mutt never ran them, it just stored them there whilst processing them (why I don't know).

Luke
Re: Exploit.IFrame.FileDownload virus??
On Mon, Jul 15, 2002 at 10:57:42AM -0500, Rich wrote:
> > According to the F-Secure Web site, this is a virus that exploits a flaw in Internet Explorer, and by extension mail readers that use it, such as Outlook. No surprise there! The only surprise to me is that 250k infected file which appeared in my c:/tmp. What kind of things does Mutt park there, and where could that big file have come from?? Surely Mutt would not have uncompressed anything without telling me...?
>
> There is a new variant of a virus called Frethem.K that sends a text file and file called decrypt-password.exe. This virus exploits IE and Outlook's function to be able to run the executable just when the message is viewed. There should have been another attachment with your mail. We just started getting hit with it at my work this morning. You can check out http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM.K to read more about it.

Maybe the 250k file in c:\tmp was the attachment? Does Mutt cache such things in the TMPDIR?

Tom

-- 
Dr. Thomas Baker [EMAIL PROTECTED]
Institutszentrum Schloss Birlinghoven mobile +49-171-408-5784
Fraunhofer-Gesellschaft work +49-30-8109-9027
53754 Sankt Augustin, Germany fax +49-2241-144-1408
Re: Exploit.IFrame.FileDownload virus??
On Mon, Jul 15, 2002 at 04:56:04PM +0200 I heard the voice of Thomas Baker, and lo! it spake thus:
> saying "Your password is 12zxjkjl123kjl12jz". But the size of each of the messages, according to Mutt, was 65k.
>
> that use it, such as Outlook. No surprise there! The only surprise to me is that 250k infected file which appeared

P'raps it's the size difference that's kicking you. Are you sure that the message was 65k bytes, not 65k lines?

-- 
Matthew Fuller (MF4839) | [EMAIL PROTECTED]
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
"The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet"
Re: virus
Prahlad --

...and then Prahlad Vaidyanathan said...
%
% ...
%
% ps. Is there a mutt port running on Windows ? In which case (s)he might
% be an innocent mutt-user :-)

There is, I hear, though I haven't tried it yet. I'd be quite surprised, though, if such a machine would spread the virus -- there's no LookOut! address book available :-)

%
% --
% Prahlad Vaidyanathan [EMAIL PROTECTED]
%
% Old age is always fifteen years older than I am.
% -- B. Baruch

:-D
-- 
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/
Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
virus
Some nut is actually using Outlook for this list. I just got an email in response to one I posted from [EMAIL PROTECTED] that had a virus attached to it (.mp3.pif).

-- 
Carl B. Constantine University of Victoria
Programmer Analyst http://www.uvic.ca
UNIX System Administrator Victoria, BC, Canada
[EMAIL PROTECTED]
Re: virus
* On 17-01-02 at 17:19 * Carl B . Constantine said
> Some nut is actually using Outlook for this list. I just got an email in response to one I posted from [EMAIL PROTECTED] that had a virus attached to it (.mp3.pif).

Which nut is this?

-- 
Nick Wilson
Tel: +45 3325 0688 Fax: +45 3325 0677
Web: www.explodingnet.com
Re: virus
On Thu, 17 Jan 2002, Carl B . Constantine wrote:
> Some nut is actually using Outlook for this list. I just got an email in response to one I posted from [EMAIL PROTECTED] that had a virus attached to it (.mp3.pif).

LOL... That's not even a virus, it's a shortcut to the executable! Hrmmm... Wonder what executable it was pointing to! 8o)
Re: virus
Carl --

...and then Carl B . Constantine said...
%
% Some nut is actually using Outlook for this list. I just got an email in

Lots of people do. It's kinda funny when you think about it, but we see Netscape, Mozilla, LookOut!, PINE, and more.

% response to one I posted from [EMAIL PROTECTED] that had a virus
% attached to it (.mp3.pif).

That's just a Program Information File, or what Win uses to remember how to run a DOS program. I wonder what mp3 is... on that system, anyway.

%
% --
% Carl B. Constantine University of Victoria
% Programmer Analyst http://www.uvic.ca
% UNIX System Administrator Victoria, BC, Canada
% [EMAIL PROTECTED]

:-D
-- 
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/
Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
Re: virus
On 2002.01.17, in 20020117164300.GB3131@knute, Knute [EMAIL PROTECTED] wrote:
> > response to one I posted from [EMAIL PROTECTED] that had a virus
> > attached to it (.mp3.pif).
>
> LOL... That's not even a virus, it's a shortcut to the executable!

Viruses/worms can be embedded in a .pif file. The point of using .pif is that Windows software frequently considers it to indicate executable content that should be automatically executed when double-clicked. Irregularities in the PIF data can cause the OS to run other code. SIRCAM rides this horse, in addition to others.

I just got a .scr file from the same address.

-- 
-D. [EMAIL PROTECTED] NSIT University of Chicago
Re: virus
At some point hitherto, Knute hath spake thusly:
> On Thu, 17 Jan 2002, Carl B . Constantine wrote:
> > Some nut is actually using Outlook for this list. I just got an email in response to one I posted from [EMAIL PROTECTED] that had a virus attached to it (.mp3.pif).
>
> LOL... That's not even a virus, it's a shortcut to the executable!

A recent outlook virus uses this method to do its damage -- I believe it's either a Nimda or Sircam variant. It spreads via the usual method (outlook address book). I don't recall the details, but it appends one of four extensions, one of which is .pif, to the name of a random file on the victim's system, and then uses that name to send out a copy of itself.

And remember also, even if it is just a .pif file, shortcuts can contain arguments, so it could be something like "del *.*" or other damaging command. Outlook can be tricked to automatically open such things and do damage to your system. Using outlook is just a bad, bad idea.

If you really want the details, look up Sircam and Nimda at one of the antivirus vendors' sites. One of those two is the culprit. It's generally accompanied by a message that says "I send you this file to have your advice".

-- 
Derek Martin [EMAIL PROTECTED] - I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
Re: virus
On 17/01/02 David Champion did speaketh:
> Viruses/worms can be embedded in a .pif file. The point of using .pif is that Windows software frequently considers it to indicate executable content that should be automatically executed when double-clicked. Irregularities in the PIF data can cause the OS to run other code. SIRCAM rides this horse, in addition to others.

Such things are harmless, if inappropriate to this list. Let's not forget however, that Mutt recently was found to be susceptible to a buffer overflow that could be spread through an email, no? Thankfully it was quickly patched, and thanks to Debian, I had it upgraded before I knew about the exploit. Was that exploit as dangerous as recent MS Lookout! virii? Just curious.

Mike

-- 
Michael P. Soulier [EMAIL PROTECTED], GnuPG pub key: 5BC8BE08
"...the word HACK is used as a verb to indicate a massive amount of nerd-like effort." -Harley Hahn, A Student's Guide to Unix
Re: virus
Michael P. Soulier wrote:
> Such things are harmless, if inappropriate to this list. Let's not forget however, that Mutt recently was found to be susceptible to a buffer overflow that could be spread through an email, no? Thankfully it was quickly patched, and thanks to Debian, I had it upgraded before I knew about the exploit. Was that exploit as dangerous as recent MS Lookout! virii? Just curious.

The buffer overflow IIRC was something that was VERY unlikely to result in an actual exploit (read me's email to the list on the subject in the archives); not only that, but it would only result in the privileges of the user running mutt (hint... don't read email as root!). I think there's a big difference between a gaping security hole, and a vulnerability which most likely would be difficult to exploit in actual practice.

w
Re: virus
On 12:00 17 Jan 2002, David T-G [EMAIL PROTECTED] wrote:
| % response to one I posted from [EMAIL PROTECTED] that had a virus
| % attached to it (.mp3.pif).
|
| That's just a Program Information File, or what Win uses to remember how
| to run a DOS program. I wonder what mp3 is... on that system, anyway.

Yep - the .mp3 is so it shows as a .mp3 on windows systems configured to hide common extensions, which is the (stupid!) default. The idea is that the user sees .mp3 and plays it. Which under windows doesn't mean "here, mp3 player, take this file" but instead means "here, OS, take this file and decide what to do with it". The OS sees the .pif and _runs_ it! And so the virus gets into the system.

-- 
Cameron Simpson, DoD#743 [EMAIL PROTECTED] http://www.zip.com.au/~cs/
On the one hand I knew that programs could have a compelling and deep logical beauty, on the other hand I was forced to admit that most programs are presented in a way fit for mechanical execution, but even if of any beauty at all, totally unfit for human appreciation. - Edsger W. Dijkstra
Re: virus
Hi,

On Thu, 17 Jan 2002 Carl B . Constantine spewed into the ether:
> Some nut is actually using Outlook for this list. I just got an email in response to one I posted from [EMAIL PROTECTED] that had a virus attached to it (.mp3.pif).

Something similar happened on another list I'm on, and the diagnosis was:
- Somebody using a Windows machine is on the list
- That machine is infected with W32/Badtrans.B@mm
- It uses MAPI
- Only people who post to the list get hit, cos it harvests addresses from the mailbox(es) and addressbook.

So, the 'nut' may be just an innocent (?) Windows user ;-)

If you've saved the mail, just grep through the headers, and look for the originating IP. Chances are, it will be already black-listed by at least a few people. Otherwise, you could consider taking serious action against the bugger.

pv.

ps. Is there a mutt port running on Windows ? In which case (s)he might be an innocent mutt-user :-)

-- 
Prahlad Vaidyanathan [EMAIL PROTECTED]

Old age is always fifteen years older than I am.
-- B. Baruch
OT: Re: virus
On Mon, Mar 12, 2001 at 03:22:58PM +0100, Kai Blin wrote:
> On Wed, 7 Mar 2001, Jan Johansson wrote:
> Well, I usually say email is safe and I'm 18, so come on... but, on the other hand, you can say email is safe for me (with mutt/pine/whatever) because I'm smart enough. This email attachment stuff seems like computer darwinism to me :)

pine has problems, I can not find the advisory in the bugtraq archive now but if I am not mistaken there was something with executing local code when sending "badly" formatted attachments. I know there are about 4000 printf bugs waiting to happen.

> > Default is to hide the file extension so that we also get the nice problem of sexygirl.jpg.vbs, is it a nice girl or a virus?
> Eudora tells you (or used to tell you, didn't use it for a while) where it saved the file with the full path and name, doesn't it?

How about http://www.securityfocus.com/archive/1/12915.

> Anyway, I don't think a luser would refrain opening a file called sexygirl.jpg.vbs if a friend of his sent it and said it was a nice picture, would he?

Lusers click on anything that is clickable without reading warnings.

-- 
"OpenBSD put me out of business." - retired cracker
Re: virus
On Wed, 7 Mar 2001, Jan Johansson wrote:
> In Windows (and a few other) email attachments are dangerous for a lot of reasons. The icon shown is in some cases extracted from the .exe file, which can lead to the program being executed when you open the mail.

Cool, I didn't know that one... :)

> It is all too easy to run stupid stuff, just click on it and then yes (or not even the yes step), lusers do not read message boxes. Some mailers understand html, java and/or javascript. Embed some nice features in there and you get the problem when people open their mail. Old folks like myself (hmmpf 24 years) usually say that it is safe to open mails as long as one does not touch the attachment, sadly that is not so anymore.

Well, I usually say email is safe and I'm 18, so come on... but, on the other hand, you can say email is safe for me (with mutt/pine/whatever) because I'm smart enough. This email attachment stuff seems like computer darwinism to me :)

> Default is to hide the file extension so that we also get the nice problem of sexygirl.jpg.vbs, is it a nice girl or a virus?

Eudora tells you (or used to tell you, didn't use it for a while) where it saved the file with the full path and name, doesn't it?

Anyway, I don't think a luser would refrain opening a file called sexygirl.jpg.vbs if a friend of his sent it and said it was a nice picture, would he?

Kai

PS: forgive me for not deleting all the useless stuff in this reply (the things I didn't reply to, I mean). I have to use pine right now and have trouble with this stupid pico thing... :)

-- 
Kai Blin, kai.blin(at)uni-tuebinegn.de, Webmaster
Linux, Windows and DOS, the Good, the Bad and the Ugly
Re: virus
Kai Blin proclaimed on mutt-users that:
> Anyway, I don't think a luser would refrain opening a file called sexygirl.jpg.vbs if a friend of his sent it and said it was a nice picture, would he?

Or the other variants of the hybris worm - "F*g with dogs.scr.vbs" was one (one of my colleagues - a stubborn outlook user, had the embarrassment of sending this out to a lot of lists she reads ...)

> PS: forgive me for not deleting all the useless stuff in this reply (the things I didn't reply to, I mean). I have to use pine right now and have trouble with this stupid pico thing... :)

Try this (if you use a comparatively recent pine - 4.x should do):

S (setup) - C (configure)
[X] enable-alternate-editor-cmd
[X] enable-alternate-editor-implicitly

It'll ask you if you want to use vi / emacs / $editor that way.

-s
-- 
Suresh Ramasubramanian + Wallopus Malletus Indigenensis
mallet @ cluestick.org + Lumber Cartel of India, tinlcI
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin
virus
Hi,

The windoze world is full of all kinds of viruses. Is it the same in Linux? I just received an email from [EMAIL PROTECTED] (probably a fake) with an attachment (AHAOFIA.EXE) described as application/octet-stream, base64 encoding, size 30K.

This seems off-topic but pls. read on because I'd like to know how to handle this when I receive such emails. The email looked suspicious because of the source and the subject is empty and I've read somewhere that Unices (including Linux) bothered by viruses. So I bounced this file back to myself so that I can download it again from windoze where I've got two anti-virus programs to check on this. I did that this morning (from windoze) and when I try to save the file my PC just locks with a black screen and two horizontal lines spaced apart by about 3 inches. None of my anti-virus apps detected it and all my av definitions are up to date (Norton AV and PC-cillin98). I tried to detect the virus by scanning Inbox directly, doing it in DOS, etc. but still no detection.

So now I'm back in Linux. I can just delete the file but before doing that I'd like to know what options do I have. Can I save this AHAOFIA.EXE to my hdd w/o harm to my system? ... so that I can send it as an attachment to my email to Norton and PC-cillin?

Can I possibly track where this came from? Here's the bottom-most Received hdr: andrzejs (pa197.gdansk.ppp.tpnet.pl [212.76.24.197]) SMTP id C55165DA54.

How can I include all headers in my reply? I had to get out of this msg to take a look at the above Received hdr.

Thanks all.
-- 
Horace G. Friend III [EMAIL PROTECTED]
PGP DH/DSS Key Fingerprint [Send email for public key.]
046A FAE0 1E45 FC3E 0560 BAA5 3BA7 9671 5D87 2BAA
Re: virus
On Wed, Mar 07, 2001 at 02:28:38PM +0800, Horace G. Friend III wrote:
> that I'd like to know what options do I have. Can I save this AHAOFIA.EXE to my hdd w/o harm to my system? ... so that I can send it as an attachment to my email to Norton and PC-cillin?

Yes, that should not harm your _Linux_ installation. You cannot execute a Wintendo executable on a native Linux system. Java-Script / Java / mal-ware may harm your Linux-system, too, but AFAIK most Wintendo-Viruses use the Outlook address book and on Linux you do not have it.

> Can I possibly track where this came from?

Possibly, but you need access to the logs of (some) involved mail-servers.

> How can I include all headers in my reply? I had to get out of this msg to take a look at the above Received hdr.

By forwarding the mail to ... you include the complete header.

HTH
Frank
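Prahlad's advice earlier in the thread (grep the headers for the originating IP) and Frank's caveat here (you need the logs of the involved mail servers) come down to the same rule: only the Received: lines stamped by relays you control are evidence, and everything below them was written on the sender's side and may be forged. The following added example is my code, not something posted by anyone in the thread. It walks the chain from the newest hop downwards through trusted relays and reports the first outside host that handed the message in. The Received: headers, host names and addresses are constructed for the example (RFC 5737 documentation address ranges), and the trusted domain list is an assumption you would replace with your own relays.

```python
# Added example (not from the mutt-users thread): find the hop at which our
# own relay accepted a message from an outside host, using the Received: chain.
import email
import re
from email import policy

# "from <helo> (<rdns> [<ip>]) by <host> ..." as written by sendmail/Postfix.
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]",
    re.IGNORECASE,
)
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s(;]+)", re.IGNORECASE)


def parse_received(msg):
    """One dict per Received: header, in header order (newest hop first)."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold, normalise whitespace
        m, b = FROM_RE.search(text), BY_RE.search(text)
        hops.append({
            "from": m.group("helo") if m else None,
            "rdns": m.group("rdns") if m else None,
            "ip": m.group("ip") if m else None,
            "by": b.group("by") if b else None,
            "raw": text,
        })
    return hops


def is_trusted(host, trusted_domains):
    """True when host is one of our relays (exact match or a subdomain)."""
    return host is not None and any(
        host == d or host.endswith("." + d) for d in trusted_domains
    )


def originating_hop(hops, trusted_domains):
    """Return the hop at which one of our relays accepted the message from
    an outside host. Hops below it were written by the sender's side and
    can say anything, so they are not used as evidence."""
    for hop in hops:
        if not is_trusted(hop["by"], trusted_domains):
            return None  # newest header was not stamped by us: nothing to vouch for
        if not is_trusted(hop["from"], trusted_domains) and not is_trusted(hop["rdns"], trusted_domains):
            return hop
    return None


def analyse(raw_bytes, trusted_domains):
    """Origin IP/rDNS, the relay of ours that accepted it, and how many
    Received: lines below that point cannot be verified."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hops = parse_received(msg)
    entry = originating_hop(hops, trusted_domains)
    if entry is None:
        return {"origin_ip": None, "origin_rdns": None,
                "entry_relay": None, "unverifiable_hops": len(hops)}
    below = len(hops) - hops.index(entry) - 1
    return {"origin_ip": entry["ip"], "origin_rdns": entry["rdns"],
            "entry_relay": entry["by"], "unverifiable_hops": below}


# Constructed sample: two hops inside example.net (assumed to be ours), one
# entry hop from a dial-up host, and one header the sender's machine wrote.
SAMPLE_RAW = b"""Received: from mx2.example.net (mx2.example.net [198.51.100.5])
\tby mail.example.net (8.11.2/8.11.2) with ESMTP id f0a1b2c3
\tfor <horace@example.net>; Wed, 7 Mar 2001 14:28:38 +0800
Received: from myhost (pa197.dialup.example.invalid [192.0.2.197])
\tby mx2.example.net (8.11.2/8.11.2) with SMTP id d4e5f6a7
Received: from bogus.relay.example (bogus.relay.example [203.0.113.9])
\tby pa197.dialup.example.invalid with SMTP id 00000000
From: someone@example.invalid
To: horace@example.net
Subject: (none)
Content-Type: text/plain

constructed sample body
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_RAW, ["example.net"]))
```

With `["example.net"]` as the trusted list the entry hop is the one accepted by mx2.example.net from 192.0.2.197, and the bottom Received: line is reported as unverifiable rather than as the origin; with a trusted list that matches none of the relays the function declines to name an origin at all, which is the right answer when you do not control the receiving side.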
Re: virus
On Wed, Mar 07, 2001 at 02:28:38PM +0800, Horace G. Friend III wrote:
> Hi,
>
> The windoze world is full of all kinds of viruses. Is it the same in Linux? I just received an email from [EMAIL PROTECTED] (probably a fake)

Yep.

> So now I'm back in Linux. I can just delete the file but before doing that I'd like to know what options do I have. Can I save this AHAOFIA.EXE to my hdd w/o harm to my system? ... so that I can send it as an attachment to my email to Norton and PC-cillin?
>
> Can I possibly track where this came from?

If you're that interested, I would suggest investing in VMware for GNU/Linux or similar, and set up an "undo-able" machine/Win32 installation/instance/whatever. Then you can boot this VM, let the potential virus tear apart your VM in whatever way it wants, and then just hit VMware's undo function and you get back a usable VM again. Or just simply copy the virtual disk and config files and such, boot/ruin, delete working copy, copy/move back saved copy.

-- 
Oo---o, Oo---o, O-weem-oh-wum-ooo-ayyy
In the jungle, the silicon jungle, the process sleeps tonight.
Joe Philipps [EMAIL PROTECTED], http://www.philippsfamily.org/Joe/
public PGP/GPG key 0xFA029353 available via http://www.keyserver.net
Re: virus
Viruses can only infect when they are executed. In other words you can copy the file as much as you like. Saving, using cat to read it, vi to edit it or whatever. This is even safe on a Windows machine so go ahead and use Notepad.

In Windows (and a few other) email attachments are dangerous for a lot of reasons. The icon shown is in some cases extracted from the .exe file, which can lead to the program being executed when you open the mail. It is all too easy to run stupid stuff, just click on it and then yes (or not even the yes step), lusers do not read message boxes. Some mailers understand html, java and/or javascript. Embed some nice features in there and you get the problem when people open their mail. Old folks like myself (hmmpf 24 years) usually say that it is safe to open mails as long as one does not touch the attachment, sadly that is not so anymore. Default is to hide the file extension so that we also get the nice problem of sexygirl.jpg.vbs, is it a nice girl or a virus?

In other words Outlook, IE and VBS engine are all parts in the wonderful VRE [1] called Windows.

[1] Virus Runtime Environment.

-- 
Security only costs $30. http://www.openbsd.org/
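Jan's sexygirl.jpg.vbs example here and Cameron's explanation of the .mp3.pif attachment in the other thread describe the same failure: the shell hides the final extension, so the user sees a media file while the OS sees something it will execute. The following added example is mine and not code from any of the posters. It reconstructs what the user would have seen for each attachment name and flags names where an executable extension sits behind a decoy one. The sample message, its addresses and the extension list are constructed for the example and are not exhaustive.

```python
# Added example (not from the mutt-users thread): flag attachment names that
# rely on the "hide extensions for known file types" default discussed above.
import email
import os
from email import policy

# Extensions the Windows shell of that era would execute when "opened"
# (a representative set, assumed for the example, not a complete list).
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".lnk",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
}


def split_extensions(filename):
    """'sexygirl.mp3.pif' -> ['.mp3', '.pif']; a name with no dot gives []."""
    parts = os.path.basename(filename).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'sexygirl.mp3.pif' reads as an mp3."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def classify(filename):
    """'benign', 'executable', or 'disguised-executable' (an executable
    extension hidden behind another one, which is all the user gets to see)."""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "benign"
    return "disguised-executable" if len(exts) >= 2 else "executable"


def scan_message(raw_bytes):
    """One finding per named attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        findings.append({
            "filename": name,
            "shown_as": displayed_name(name),
            "verdict": classify(name),
        })
    return findings


# Constructed sample message: placeholder addresses, harmless base64 payloads.
SAMPLE_RAW = b"""From: someone@example.invalid
To: mutt-users@example.invalid
Subject: I send you this file to have your advice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_boundary_"

--=_boundary_
Content-Type: text/plain

constructed sample body
--=_boundary_
Content-Type: application/octet-stream; name="sexygirl.mp3.pif"
Content-Disposition: attachment; filename="sexygirl.mp3.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--=_boundary_
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--=_boundary_--
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE_RAW):
        print(f"{f['filename']:20} shown as {f['shown_as']:14} -> {f['verdict']}")
```

The verdict is deliberately conservative: any name whose last extension is executable and which carries a second extension in front of it is reported as disguised, because the hidden-extension display makes that second extension the only one the recipient sees. The same check applied to Suresh's "F*g with dogs.scr.vbs" reports it as disguised as well.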
Re: virus
On Wed, Mar 7, 2001, Horace G. Friend III wrote:
> The windoze world is full of all kinds of viruses. Is it the same in Linux? I just received an email from [EMAIL PROTECTED] (probably a fake) with an attachment (AHAOFIA.EXE) described as application/octet-stream, base64 encoding, size 30K.

It sounds like the only way this could affect your Linux partition is if you ran it from a Windows OS and it messed with the MBR or something, but still I would think that Linux itself would be okay.

> The email looked suspicious because of the source and the subject is empty and I've read somewhere that Unices (including Linux) bothered by viruses. So I bounced this file back to myself so that I can download it again from windoze where I've got two anti-virus programs to check on this. I did that this morning (from windoze) and when I try to save the file my PC just locks with a black screen and two horizontal lines spaced apart by about 3 inches. None of my anti-virus apps detected it and all my av definitions are up to date (Norton AV and PC-cillin98). I tried to detect the virus by scanning Inbox directly, doing it in DOS, etc. but still no detection.

That sounds weird. All you did was try to save the file, not execute it? If this is the case, unless you have Outlook (?) configured to automatically execute attachments (stupid), it sounds coincidental.

My suggestion? Ditch Outlook. It's mediocre for email, and a constant target. If you have to use a Windows MUA, I would recommend Eudora.

-Ken
-- 
[EMAIL PROTECTED] AIM: ScopusFest