Hi Pierre
Of course, because it's BASE64 which means it's encoded in a 64-based system instead of plain text
I'm far from being a pro in interpreting MIME headers, but the text.zip is just the 'name' of this element, in my opinion; that could be everything. Important is the "Content-Type: application/octet-stream;" which just means that it's a stream of octets - just a stream of code of any possible type; you can see text as a stream of octets as well (ASCII codes) and when it's 'encoded' in BASE64 you can't read it....
Example: 'Hello Pierre, how are you?' looks like this in BASE64: "SGVsbG8gUGllcnJlLCBob3cgYXJlIHlvdT8="
Matt
Pierre Thomson wrote:
No; the text is unreadable in the raw message. It only shows in my mail reader. When I tried to include a bit of the encoded ZIP file my message was blocked at apache.org... smart guys!
pt
-----Original Message-----
From: Matthias Keller [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: Re: Trying to catch those latest virii....
Hi Pierre
That's interesting, but to me it looks like this .zip is just for hiding it; it's not a real zip file (I doubt you could view a real zip file inline... (and I wouldn't like that either...))
Here's some more dump from my email:
__________
From: "Mail Administrator" <[EMAIL PROTECTED]>
To: xxx
Subject: Returned mail: see transcript for details
Date: Tue, 27 Jul 2004 12:04:59 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_F824EC38.FBF36544"
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
This is a multi-part message in MIME format.
------=_NextPart_000_0001_F824EC38.FBF36544
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Dear user of student.ethz.ch,
We have received reports that your email account has been used to send a huge amount of junk email during this week. Obviously, your computer was compromised and now runs a hidden proxy server.
Please follow our instructions in order to keep your computer safe.
Best regards, student.ethz.ch user support team.
------=_NextPart_000_0001_F824EC38.FBF36544
Content-Type: application/octet-stream; name="document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.pif"
wJIqlP/F1Y8......about 20 lines of base64......+qAsLG/
------=_NextPart_000_0001_F824EC38.FBF36544--
_________
Mine actually looks quite normal (mail with attachment) to me... ?
Matt
ps: Yes, I know SA isn't here to block my virii, but as long as no antivirus company known to me has any signatures for this I need a way to block it... (neither my antivir nor the Norton AV 2004 Pro on my laptop knows this virus...)
Pierre Thomson wrote:
Aha!
I just got one of these myself, and the text is in an inline ZIP file! I don't think any SA rules scan those.
Here's a bit of a raw dump; only the names are changed:
Message-Id: <[EMAIL PROTECTED]>
From: "Mail Delivery Subsystem" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Returned mail: see transcript for details
Date: Tue, 27 Jul 2004 10:19:05 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0006_278B1AC0.BB1C5953"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
This is a multi-part message in MIME format.
------=_NextPart_000_0006_278B1AC0.BB1C5953
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
------=_NextPart_000_0006_278B1AC0.BB1C5953
Content-Type: application/octet-stream; name="text.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="text.zip"
...
and it appears like this:
Dear user of domain.com,
Your account was used to send a huge amount of junk email messages during the recent week. We suspect that your computer was infected by a recent virus and now contains a trojaned proxy server.
We recommend you to follow instructions in the attachment in order to keep your computer safe.
Have a nice day, domain.com technical support team.
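The two dumps in this thread (an octet-stream part named document.pif, and a part named text.zip declared inline whose base64 body is not really a ZIP) can be checked mechanically instead of by eye. The script below is an added example, not code from either poster or from SpamAssassin: it builds constructed bounce-style messages with Python's standard email library, walks their MIME parts, and flags executable extensions, archives declared inline, and .zip parts whose decoded bytes lack the ZIP signature; the extension lists and the example.invalid addresses are assumptions for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Hypothetical lists for this example: extensions Windows runs as programs,
# and archive extensions whose decoded bytes we verify against a magic number.
EXEC_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}
ARCHIVE_EXTS = {".zip"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a real ZIP


def inspect_message(raw: bytes) -> list:
    """Return (filename, reason) pairs for every MIME part worth a closer look."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        disposition = part.get_content_disposition()  # 'inline', 'attachment' or None
        if part.get_content_type() == "application/octet-stream" and ext in EXEC_EXTS:
            findings.append((name, "executable extension in octet-stream part"))
        if ext in ARCHIVE_EXTS:
            if disposition == "inline":
                findings.append((name, "archive declared inline"))
            payload = part.get_payload(decode=True) or b""  # base64 is undone here
            if not payload.startswith(ZIP_MAGIC):
                findings.append((name, "named .zip but decoded bytes lack ZIP magic"))
    return findings


def build_sample(filename: str, disposition: str, payload: bytes) -> bytes:
    """Construct a bounce-style message like the dumps above (sample data, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = "Mail Delivery Subsystem <mailer-daemon@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("Dear user of example.invalid,\n\nplease follow the instructions in the attachment.\n")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename, disposition=disposition)  # base64 by default
    return msg.as_bytes()


if __name__ == "__main__":
    for args in (("document.pif", "attachment", b"MZ\x90\x00 constructed bytes"),
                 ("text.zip", "inline", b"constructed bytes, not a ZIP"),
                 ("text.zip", "attachment", ZIP_MAGIC + b"\x00" * 26)):
        print(args[0], args[1], inspect_message(build_sample(*args)))
```

The third sample shows that a properly declared attachment with a genuine ZIP header produces no findings, so the checks act on the mismatch between declaration and content rather than on ZIP attachments as such.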
