Hi List,
Even Arachne does run some extensions automatically, e.g. .gif.
I did receive a .gif with a worm inside (.exe) but Arachne detected
something was wrong with the .GIF image and made a second attachment of
the .exe and did not show the image on the screen but showed the .gif
attachment.
What was wrong with the image? At the start of a .gif image there ought
to be something like GIF87a which was not there.
The .exe could not be run in DOS, win only.
So this did not harm me... but it probably would harm windoze users
since IE and Outlook do open images automatically.
73 de Bastiaan
On Sun, 5 Aug 2001 08:25:23 -0400 (EDT), Thomas Mueller wrote:
> On Fri, 3 Aug 2001 04:15:47 -0400 (EDT), Thomas Mueller wrote:
>> What kind of file was pearl_harbor.zip.bat ? Was it a ZIP file or did it look
>> like a text .BAT file? Certainly not a well-named DOS .BAT file!
> and Glenn McCorkle responded:
> It was an actual .ZIP file.
> The sircam worm grabbed it from the temp dir on the sending computer and
> wrote the worm portion of the code into an already existing file.
> It then renamed it from pearl_harbor.zip to pearl_harbor.zip.bat and sent
> the new file out to everyone it could find in the sender's address book.
> The .bat was added to the file extension so that the "worm" would then
> be automatically run by any receiving computer on which the owner had
> not turned-off the default setting of MS-outlook express.
> Yes... MSOE is so STUPID that the default setting just goes right ahead
> and runs ANY file which can be run.
> (.BAT, .EXE, .PIF, .DOC, .LNK, perhaps several others that I'm not
> remembering right at this moment)
> I tried unzipping the file after cleaning the infection out of it.
> Most of the stuff was corrupted.
> What I was able to unzip turned-out to be a windows wallpaper changer
> program. (and most of its associated files)
> The sender was infected by the Sircam worm and then it began sending
> itself out to everyone it could.
> That's how these worms are able to continue spreading themselves.
> (the owner of the machine has no idea what's going on until it's too late)
> (end of quote)
> How does MSOE or Windows know that README.txt.pif is a .pif while
> pearl_harbor.zip.bat is a .zip and not a .bat? I thought the portion of the
> file name after the last dot determined the file type or category, allowing for
> the fact that a .COM file can be really an .EXE and vice versa. I received two
> messages from one sender with Badtrans-viral attachments, s3msong.MP3.pif and
> README.txt.pif, which were .pif files but which are listed as safe-looking
> README.txt and s3msong.MP3 in the Windows software. These .pif files couldn't
> do anything to me in DR-DOS 7.03.
> Maybe valid DOS/Windows-console commands were included in the .zip file as
> comments so it could run as a .bat?
-- Arachne V1.61, NON-COMMERCIAL copy, http://arachne.cz/
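
The two checks discussed in this thread (a .gif that does not start with GIF87a, and names such as pearl_harbor.zip.bat where the last extension decides how the file is run), written out as an added example that is not part of the original messages. The function names and sample bytes are constructed for illustration; the signatures (GIF87a/GIF89a, PK\x03\x04 for ZIP, MZ for DOS/Windows executables) are the standard ones.

```python
# Added example: attachment triage by leading signature and by extension.
import os

# Well-known leading signatures ("magic bytes") for the types named in the thread.
SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".exe": (b"MZ",),
}
# Executable extensions named in the thread's auto-run list.
RUNNABLE = {".bat", ".exe", ".pif", ".lnk"}


def sniff(data):
    """Return the extension whose signature matches the start of data, or None."""
    for ext, magics in SIGNATURES.items():
        if data.startswith(magics):
            return ext
    return None


def triage(filename, data):
    """Return a list of findings for one attachment; an empty list means no flags."""
    findings = []
    stem, last = os.path.splitext(filename.lower())
    inner = os.path.splitext(stem)[1]  # e.g. ".zip" in "x.zip.bat"
    actual = sniff(data)
    if last in RUNNABLE:
        findings.append("runnable extension " + last)
        if inner:
            findings.append("double extension hides " + last + " behind " + inner)
    if last in SIGNATURES and actual != last:
        findings.append("content is not " + last + " (looks like " + str(actual) + ")")
    return findings


# Constructed samples modelled on the attachments described in the thread.
SAMPLES = [
    ("picture.gif", b"MZ\x90\x00" + b"\x00" * 16),            # .exe posing as .gif
    ("pearl_harbor.zip.bat", b"MZ\x90\x00" + b"PK\x03\x04"),  # MZ header ahead of ZIP data
    ("README.txt.pif", b"MZ\x90\x00"),
    ("photo.gif", b"GIF89a" + b"\x00" * 16),                  # genuine GIF header
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, "->", triage(name, blob) or "ok")
```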