I just received the following email from an unknown source and
I am forwarding it to the list with the binaries snipped out:
------------------------------------------------

Return-Path: <[EMAIL PROTECTED]>
Received: from speedy2000.net (www.speedy2000.net [212.199.214.28])
        by norm.shentel.net (8.12.0.Beta7/8.12.0.Beta7) with ESMTP id g615CaLT023203
        for <[EMAIL PROTECTED]>; Mon, 1 Jul 2002 01:12:37 -0400
Received: from Rvv (ACC15C45.ipt.aol.com [172.193.92.69])
        by speedy2000.net (8.11.6/8.11.2) with SMTP id g615BZN28369
        for <[EMAIL PROTECTED]>; Mon, 1 Jul 2002 08:11:36 +0300
Date: Mon, 1 Jul 2002 08:11:36 +0300
Message-Id: <[EMAIL PROTECTED]>
From: fujiwa-y <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Fw:sheywood,let's be friends
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=S2u3V1Y75pRw4I6W11S19YX45174rQC36Qy
X-UIDL: e'I!!ZHZ!!Pko!!~I""!

--S2u3V1Y75pRw4I6W11S19YX45174rQC36Qy
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:H937A1aH013z438O height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--S2u3V1Y75pRw4I6W11S19YX45174rQC36Qy
Content-Type: audio/x-midi;
        name=photochildsmiling[1].exe
Content-Transfer-Encoding: base64
Content-ID: <H937A1aH013z438O>

[DELETED KLEZ.H VIRUS]

Content-Type: application/octet-stream;
        name=photochildsmiling[1].jpg
Content-Transfer-Encoding: base64
Content-ID: <H937A1aH013z438O>

[DELETED JPG IMAGE, being a portrait of a child smiling]

-----------------------------------

When the RAW message is scanned by F-PROT the file
"photochildsmiling[1].exe" is identified as a KLEZ.H worm.

When I click on the icon and press F-2 to save it, it is
decoded as a 10,853 byte binary file.  When I scan the DECODED
binary file F-PROT fails to identify the decoded binary file
as a virus.  BTW, I can put a JPG extension on the file and view
it as just a harmless image file identical to the file
"photochildsmiling[1].jpg".

The encoded forms of the binaries differ greatly in file size,
but when decoded by Arachne the resulting binaries are the same
size.

If I cut the RAW base64 encoded file named "photochildsmiling[1].exe"
from the message file and decode it by using a non-Arachne utility
named MIME64.EXE, the file will be decoded to a 91279 byte binary
file.  When I scan the decoded binary file F-PROT identifies it as
the KLEZ.H worm.

Questions:

1.  Why did Arachne's base64 decoding utility fail to decode the file
"photochildsmiling[1].exe" properly?  I have received many KLEZs and
so far this is the only one that Arachne has failed to decode
properly.

2.  Is this some kind of KLEZ variant designed to fool Windows by
some clever and different kind of trick?

Would anybody like to take a look at this KLEZ?  BTW, there is
absolutely nothing wrong with having the photo of the child on
one's computer.  It is just a portrait of an unknown child smiling.
There is absolutely no nudity or anything else about the picture
that anyone could possibly construe as being indecent.

Sam Heywood
-- This mail was written by user of The Arachne Browser - http://arachne.cz/
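The structural oddity in the forwarded message is that two attachments carry the same Content-ID, while the HTML part loads that ID through a 0x0 iframe, and the executable is declared as audio/x-midi. Which attachment a client hands back for the cid: reference depends on how its decoder resolves duplicate IDs, which is consistent with two decoders producing two different files from the same message. The following is an added example, not code from the poster, Arachne, or F-PROT: it parses a constructed message with the same layout (placeholder bytes stand in for the real attachments, and all names and IDs are made up) using Python's standard email library, maps every Content-ID to the parts claiming it, reports the decoded size of each candidate, and flags the duplicate ID, the hidden iframe, and the executable-under-a-media-type mismatch.

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample modelled on the layout of the forwarded message.
# The payloads are placeholder bytes, not the original attachments.
EXE_BYTES = b"MZ" + b"\x00" * 30 + b"placeholder-executable-body"
JPG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 10 + b"placeholder-jpeg-body"

RAW = (
    "From: sender@example.invalid\r\n"
    "To: recipient@example.invalid\r\n"
    "Subject: sample\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/alternative; boundary=BOUNDARY\r\n"
    "\r\n"
    "--BOUNDARY\r\n"
    "Content-Type: text/html\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<HTML><BODY><iframe src=3Dcid:SHAREDID height=3D0 width=3D0>"
    "</iframe></BODY></HTML>\r\n"
    "--BOUNDARY\r\n"
    'Content-Type: audio/x-midi; name="photo[1].exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-ID: <SHAREDID>\r\n"
    "\r\n"
    + base64.encodebytes(EXE_BYTES).decode()
    + "--BOUNDARY\r\n"
    'Content-Type: application/octet-stream; name="photo[1].jpg"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-ID: <SHAREDID>\r\n"
    "\r\n"
    + base64.encodebytes(JPG_BYTES).decode()
    + "--BOUNDARY--\r\n"
)

# Extensions Windows will execute when a user opens the file.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def attachments_by_content_id(msg: EmailMessage) -> dict:
    """Map each Content-ID (without angle brackets) to every part claiming it,
    in message order. A well-formed message has exactly one part per ID."""
    table = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            table.setdefault(cid.strip().strip("<>"), []).append(part)
    return table


def decoded_sizes(msg: EmailMessage, cid: str) -> list:
    """Decode every part that claims `cid` and report (filename, size).
    Two entries with different sizes is what a decoder that picks the
    'wrong' duplicate would silently turn into the wrong file."""
    return [
        (p.get_filename(), len(p.get_payload(decode=True)))
        for p in attachments_by_content_id(msg).get(cid, [])
    ]


def hidden_iframe_targets(msg: EmailMessage) -> list:
    """Content-IDs loaded by zero-sized iframes in any text/html part."""
    targets = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # quoted-printable is undone here
        for tag in re.findall(r"<iframe\b[^>]*>", html, flags=re.I):
            zero_sized = (re.search(r"height=[\"']?0\b", tag, re.I)
                          and re.search(r"width=[\"']?0\b", tag, re.I))
            src = re.search(r"src=[\"']?cid:([^\s\"'>]+)", tag, re.I)
            if zero_sized and src:
                targets.append(src.group(1))
    return targets


def findings(msg: EmailMessage) -> list:
    """Human-readable list of the structural red flags in the message."""
    out = []
    cids = attachments_by_content_id(msg)
    for cid, parts in cids.items():
        if len(parts) > 1:
            out.append(f"duplicate Content-ID <{cid}> on "
                       f"{[p.get_filename() for p in parts]}")
    for cid in hidden_iframe_targets(msg):
        out.append(f"hidden 0x0 iframe loads cid:{cid}")
        for p in cids.get(cid, []):
            name = (p.get_filename() or "").lower()
            if name.endswith(EXEC_EXTS):
                out.append(f"cid:{cid} resolves to executable {name!r}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(EXEC_EXTS) and not ctype.startswith("application/"):
            out.append(f"executable name {name!r} declared as {ctype}")
    return out


if __name__ == "__main__":
    m = parse(RAW)
    print(decoded_sizes(m, "SHAREDID"))
    for line in findings(m):
        print("FLAG:", line)
```

Running it prints one (filename, size) pair per part that claims the shared ID, which is the check to run on a real message before trusting whatever a single client decoded, followed by the four flags. A mail gateway can apply the same three rules (duplicate Content-ID, zero-sized iframe pulling a cid:, executable filename under a non-application media type) to quarantine this shape of message regardless of whether the attachment is recognised by signature.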