Hi to all

A few weeks ago I received an email plus a GIF-attachment.
But the attachment was not a normal attachment... but a virus disguised
as a GIF-image.

Arachne should show a GIF or JPG image automagically but she did not this
time...
Looking into the file (a whole lot of ASCII codes) showed not the usual
GIF87a or GIF89a label at the start of the file. So this was not a GIF
image but something else!
This was a .exe file for Windows. DOS rejected it.

Next thing I did was sending this attachment to the Virus Hunters of
Norman Virus Control (packed as a .ZIP).

They confirmed my suspicion...

One of the things I love Arachne for is that she is in DOS, so all the
viruses meant to corrupt Windows don't do their destructive job.

******************************************************************
From: "Bastiaan Edelman" <[EMAIL PROTECTED]>
Organization: Arachne Fan Club
Date: Mon, 28 May 2001 14:11:23 +0000
X-Mailer: Arachne V1.61
To: [EMAIL PROTECTED]
Subject: Virus build into .GIF image?
X-Encoding: MIME
MIME-Version: 1.0
X-Attachment-Processor: Insight 3.5
Content-Type: multipart/mixed; 
boundary=MIME-multipart-message-boundary-991073484

* This message is in MIME format.

--MIME-multipart-message-boundary-991073484
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7bit

Hello virus fighters...

The attachment contains:
1- 90984193.cnm = full e-mail message
   sender: [EMAIL PROTECTED] does not exist
   title : What does this mean??

2- attachment = sucatreg.gif  This is not a .GIF image but a disguised
.EXE file.
I tried to see the image in DOS and then it came out:
This program does not run in DOS => it needs Windows to run.

If you look at a GIF-image in text-mode the image has to start with
"GIF89a" or something like that... this one is not!
I suppose that it is not safe to view this "image" with Windows so I did
not open it this way...

Greetings de Bastiaan

The "GIF" image:
<snipped>

If anyone wants to evaluate this "image" please let me know; I'll send
you the zipped file as an attachment, about 100KB.

CU, Bastiaan
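
The check described in the message above (a real GIF starts with GIF87a or GIF89a, while this attachment was a Windows .exe), as an added example that is not part of the original post. The function names and sample bytes are constructed for illustration; only the file name sucatreg.gif comes from the message.

```python
import struct

GIF_MAGIC = (b"GIF87a", b"GIF89a")   # the labels the post looked for
JPEG_MAGIC = b"\xff\xd8\xff"         # JPEG start-of-image marker

def sniff(data):
    """Classify a file by its leading bytes, ignoring its name."""
    if data.startswith(GIF_MAGIC):
        return "gif"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data[:2] == b"MZ":
        # DOS header: the little-endian dword at 0x3C is the offset of the
        # "PE\0\0" signature that marks a Windows executable.
        if len(data) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "windows-pe"
        return "dos-mz"
    return "unknown"

def check_attachment(filename, data):
    """Return (ok, detected); ok is False when an image name hides other content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg"}.get(ext)
    detected = sniff(data)
    return (expected is None or detected == expected), detected

def constructed_pe_stub():
    """Constructed sample: minimal MZ header pointing at a PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + bytes(20)

if __name__ == "__main__":
    samples = {
        "sucatreg.gif": constructed_pe_stub(),   # name from the post, bytes constructed
        "photo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",   # constructed
    }
    for name, blob in samples.items():
        ok, detected = check_attachment(name, blob)
        print(f"{name}: {'ok' if ok else 'MISMATCH'} (content looks like {detected})")
```

A mail gateway or client can run the same comparison before handing an attachment to a viewer, and quarantine anything whose content type contradicts its extension.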

