On Wed, 27 Jun 2001 20:07:27 -0500, Samuel W. Heywood wrote:
> On Thu, 28 Jun 2001 00:37:23 +0000, Bastiaan Edelman wrote:
>> Hi to all
>> A few weeks ago I received an email plus a GIF-attachment.
>> But the attachment was not a normal attachment... but a virus disguised
>> as a GIF-image.
>> Arachne should show a GIF or JPG image automagically but she did not this
>> time...
>> Looking into the file (a whole lot of ASCII codes) showed not the usual
>> GIF87a or GIF89a label at the start of the file. So this was not a GIF
>> image but something else!
>> This was a .exe file for Windows. DOS rejected it.
>> Next thing I did was sending this attachment to the Virus Hunters of
>> Norman Virus Control (packet as a .ZIP).
>> They confirmed my suspicion...
>> One of the things I love Arachne for is that she is in DOS, so all that
>> viruses meant to corrupt Windows don't do their destructive job.
> Even if it really is indeed a Windows EXE file, which it does appear
> to be, there would probably be no way you could run the virus program,
> even if you were running Windows, unless you were to first rename the
> file so as to change the GIF extension to EXE.
> Sam Heywood
I saved this email downloaded with Arachne.
Instead of showing the GIF image two things happened:
Arachne showed:
1- Attachment: sugatreg.exe
2- File written cache\sucatreg.gif
The original file name of the attachment was sucatreg.gif but Arachne
was right... it was an .exe file.
Identification is not by extension alone...
First characters of GIF are GIF87 or GIF89
First characters of EXE are MZ for DOS and Windows
A Windows .exe also has a warning that it will not run under DOS
and after that the real program starts with NE or PE.
NE or PE often at 080, 0100 or 0400 (hex); the first characters on the
line.
The PE statement was there at 080 (hex) and the "not DOS" warning also.
So I see no reason why this program should not run under Windows.
But why should I try and clean up the mess after the trial?
Who will clean up after the M$ trial... Billy won't!
He will go on infecting the internet!
CU Bastiaan
Radio amateurs, take a look at the homepage...
http://home.hetnet.nl/~ba8tian/index.html
-- This mail was written by user of Arachne, the Ultimate Internet Client
-- Arachne V1.61, NON-COMMERCIAL copy, http://arachne.cz/
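The magic-byte identification Bastiaan describes (GIF87a/GIF89a for images, MZ for executables, then the DOS-stub warning and an NE or PE signature), written up as an added example that is not part of this thread. It follows the e_lfanew pointer at offset 0x3C rather than guessing 0x80/0x100/0x400; the function names, the sample bytes and the file names are all constructed for the example.

```python
import struct

# Constructed sample inputs (not the real attachment from the thread).
GIF_SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 20

# A minimal MZ file whose e_lfanew field points at a PE signature at 0x80,
# with the usual DOS stub message in between.  Constructed, not a real binary.
_mz = bytearray(0x90)
_mz[0:2] = b"MZ"
_mz[0x3C:0x40] = struct.pack("<I", 0x80)           # e_lfanew -> 0x80
_mz[0x4E:0x4E + 38] = b"This program cannot be run in DOS mode"
_mz[0x80:0x84] = b"PE\x00\x00"
MZ_SAMPLE = bytes(_mz)

def sniff(data: bytes) -> dict:
    """Classify a blob by its leading bytes, ignoring whatever name it carries."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return {"kind": "gif", "ext": "gif"}
    if data[:2] == b"MZ":
        info = {"kind": "exe-dos", "ext": "exe", "dos_stub_warning": False}
        if len(data) >= 0x40:
            # The NE/PE header is wherever e_lfanew (offset 0x3C) says it is;
            # 0x80, 0x100 and 0x400 are merely common values of that field.
            hdr_off = struct.unpack_from("<I", data, 0x3C)[0]
            sig = data[hdr_off:hdr_off + 4]        # empty if the offset is bogus
            if sig == b"PE\x00\x00":
                info["kind"] = "exe-pe"
            elif sig[:2] == b"NE":
                info["kind"] = "exe-ne"
            info["dos_stub_warning"] = b"cannot be run in DOS mode" in data[:hdr_off]
        return info
    return {"kind": "unknown", "ext": None}

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name's extension disagrees with what the bytes say it is."""
    info = sniff(data)
    if info["ext"] is None:
        return False  # nothing to compare against
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != info["ext"]

if __name__ == "__main__":
    for name, blob in (("photo.gif", GIF_SAMPLE), ("sucatreg.gif", MZ_SAMPLE)):
        print(name, sniff(blob), "MISMATCH" if extension_mismatch(name, blob) else "ok")
```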