On Mon, 01 Jul 2002 07:32:47 -0500, Samuel W. Heywood wrote:

> I just received the following email from an unknown source and
> I am forwarding it to the list with the binaries snipped out:
>
> - ------------------------------------------------
> Return-Path: <[EMAIL PROTECTED]>
> Received: from speedy2000.net (www.speedy2000.net [212.199.214.28])
>     by norm.shentel.net (8.12.0.Beta7/8.12.0.Beta7) with ESMTP id g615CaLT023203
>     for <[EMAIL PROTECTED]>; Mon, 1 Jul 2002 01:12:37 -0400
> Received: from Rvv (ACC15C45.ipt.aol.com [172.193.92.69])
>     by speedy2000.net (8.11.6/8.11.2) with SMTP id g615BZN28369
>     for <[EMAIL PROTECTED]>; Mon, 1 Jul 2002 08:11:36 +0300
> Date: Mon, 1 Jul 2002 08:11:36 +0300
> Message-Id: <[EMAIL PROTECTED]>
> From: fujiwa-y <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Fw:sheywood,let's be friends
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary=S2u3V1Y75pRw4I6W11S19YX45174rQC36Qy
> X-UIDL: e'I!!ZHZ!!Pko!!~I""!
>
> - --S2u3V1Y75pRw4I6W11S19YX45174rQC36Qy
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD></HEAD><BODY>
> <iframe src=3Dcid:H937A1aH013z438O height=3D0 width=3D0>
> </iframe>
> <FONT></FONT></BODY></HTML>
>
> - --S2u3V1Y75pRw4I6W11S19YX45174rQC36Qy
> Content-Type: audio/x-midi;
>     name=photochildsmiling[1].exe
> Content-Transfer-Encoding: base64
> Content-ID: <H937A1aH013z438O>
>
> [DELETED KLEZ.H VIRUS]
>
> Content-Type: application/octet-stream;
>     name=photochildsmiling[1].jpg
> Content-Transfer-Encoding: base64
> Content-ID: <H937A1aH013z438O>
>
> [DELETED JPG IMAGE, being a portrait of a child smiling]
> - -----------------------------------
>
> When the RAW message is scanned by F-PROT the file
> "photochildsmiling[1].exe" is identified as a KLEZ.H worm.
> When I click on the icon and press F-2 to save it, it is
> decoded as a 10,853 byte binary file. When I scan the DECODED
> binary file F-PROT fails to identify the decoded binary file
> as a virus.
>
> BTW, I can put a JPG extension on the file and view
> it as just a harmless image file identical to the file
> "photochildsmiling[1].jpg".
>
> The encoded forms of the binaries differ greatly in file size,
> but when decoded by Arachne the resulting binaries are the same
> size.
>
> If I cut the RAW base64 encoded file named "photochildsmiling[1].exe"
> from the message file and decode it by using a non-Arachne utility
> named MIME64.EXE, the file will be decoded to a 91279 byte binary
> file. When I scan the decoded binary file F-PROT identifies it as
> the KLEZ.H worm.
>
> Questions:
>
> 1. Why did Arachne's base64 decoding utility fail to decode the file
> "photochildsmiling[1].exe" properly? I have received many KLEZ's and
> so far this is the only one that Arachne has failed to decode
> properly.
>
> 2. Is this some kind of KLEZ variant designed to fool Windows by
> some clever and different kind of trick?
>
> Would anybody like to take a look at this KLEZ? BTW, there is
> absolutely nothing wrong with having the photo of the child on
> one's computer. It is just a portrait of an unknown child smiling.
> There is absolutely no nudity or anything else about the picture
> that anyone could possibly construe as being indecent.

You "grabbed" the wrong file. The one with the virus is about 130kb in
size. The one that's only 10kb is an actual JPEG image.

The files will be in your Arachne cache dir with the names:

PHOTOCHI.MID and PHOTOCHI.EXE

It's the one with the "phony" .MID extension that's really an .EXE.
The one with the "phony" .EXE is really the .JPG.

--
Glenn
http://arachne.cz/
http://www.delorie.com/listserv/mime/
http://www.angelfire.com/id/glenndoom/download.htm
http://www.thispagecannotbedisplayed.com/
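As an added example, not code from this thread, from Arachne or from F-PROT: the Python below rebuilds the MIME layout of the quoted message with constructed stand-in payloads (a fake "MZ" executable header and a JPEG/JFIF header, not the worm or the photo) and then does mechanically what Glenn's answer does by hand. It decodes every part and classifies it by its leading bytes, ignoring both the declared Content-Type (which calls the worm audio/x-midi) and the filename (which calls it .exe while the real JPEG is named .jpg), flags parts whose two labels disagree with each other or with the bytes, and notes that the HTML part's zero-size iframe references an attached part by Content-ID and that the same Content-ID is reused. The kind tables, the regex, the function names and the example.invalid addresses are this example's own assumptions; application/octet-stream is treated as making no claim about the content.

```python
import base64
import email
import re
from email import policy

# Constructed stand-in payloads (NOT the worm or the photo from the thread):
# a PE-style "MZ" header and a JPEG/JFIF header, just enough to be sniffed.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\r\n" + b"\x00" * 32
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 48
BOUNDARY = "S2u3V1Y75pRw4I6W11S19YX45174rQC36Qy"   # boundary from the quoted message
CID = "H937A1aH013z438O"                            # Content-ID from the quoted message


def build_sample() -> bytes:
    """Rebuild the quoted message's MIME layout (headers abbreviated, payloads faked)."""
    b64 = lambda d: base64.encodebytes(d).decode().rstrip("\n")
    lines = [
        "From: fujiwa-y <sender@example.invalid>",
        "Subject: Fw:sheywood,let's be friends",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"',
        "",
        f"--{BOUNDARY}",
        "Content-Type: text/html",
        "Content-Transfer-Encoding: quoted-printable",
        "",
        "<HTML><HEAD></HEAD><BODY>",
        f"<iframe src=3Dcid:{CID} height=3D0 width=3D0>",
        "</iframe>",
        "<FONT></FONT></BODY></HTML>",
        f"--{BOUNDARY}",
        'Content-Type: audio/x-midi; name="photochildsmiling[1].exe"',
        "Content-Transfer-Encoding: base64",
        f"Content-ID: <{CID}>",
        "",
        b64(FAKE_EXE),
        f"--{BOUNDARY}",
        'Content-Type: application/octet-stream; name="photochildsmiling[1].jpg"',
        "Content-Transfer-Encoding: base64",
        f"Content-ID: <{CID}>",
        "",
        b64(FAKE_JPG),
        f"--{BOUNDARY}--",
        "",
    ]
    return "\n".join(lines).encode()


# What a declared Content-Type, a filename extension and the leading bytes each imply
# (assumed tables for this example; application/octet-stream makes no claim).
DECLARED_KIND = {"audio/x-midi": "mid", "audio/midi": "mid", "image/jpeg": "jpg",
                 "image/gif": "gif", "image/png": "png", "application/x-msdownload": "exe"}
EXT_KIND = {"mid": "mid", "midi": "mid", "jpg": "jpg", "jpeg": "jpg", "gif": "gif",
            "png": "png", "exe": "exe"}
MAGIC = [(b"MZ", "exe"), (b"\xff\xd8\xff", "jpg"), (b"MThd", "mid"),
         (b"\x89PNG\r\n\x1a\n", "png"), (b"GIF8", "gif")]
IFRAME_CID = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:([^\s\"'>]+)", re.I)


def sniff(data: bytes) -> str:
    """Classify a decoded payload by its leading bytes, ignoring every header."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def analyze(raw: bytes) -> dict:
    """Walk a raw message and report where the MIME headers disagree with the bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts, cids, iframe_cids, findings = [], {}, set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        idx = len(parts)
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""       # undoes base64 / quoted-printable
        filename = part.get_filename() or ""
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if ctype == "text/html":                           # HTML that pulls in a part by cid:
            iframe_cids.update(IFRAME_CID.findall(data.decode("latin-1")))
        if cid:
            cids.setdefault(cid, []).append(idx)
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        info = {"index": idx, "content_type": ctype, "filename": filename, "cid": cid,
                "size": len(data), "declared_kind": DECLARED_KIND.get(ctype),
                "ext_kind": EXT_KIND.get(ext), "real_kind": sniff(data)}
        claims = {k for k in (info["declared_kind"], info["ext_kind"]) if k}
        # A part lies if its two labels disagree with each other or with the bytes.
        info["mismatch"] = len(claims) > 1 or (bool(claims) and info["real_kind"] not in claims)
        if info["mismatch"]:
            findings.append(f"part {idx}: declared {ctype}, named {filename!r}, bytes look like {info['real_kind']}")
        parts.append(info)
    duplicate_cids = sorted(c for c, used in cids.items() if len(used) > 1)
    for c in duplicate_cids:
        findings.append(f"Content-ID <{c}> reused by parts {cids[c]}")
    auto_loaded = [p["index"] for p in parts if p["cid"] in iframe_cids and p["real_kind"] == "exe"]
    for idx in auto_loaded:
        findings.append(f"part {idx}: executable referenced by an iframe via cid:{parts[idx]['cid']}")
    return {"parts": parts, "iframe_cids": iframe_cids, "duplicate_cids": duplicate_cids,
            "auto_loaded_executables": auto_loaded, "findings": findings}


if __name__ == "__main__":
    for line in analyze(build_sample())["findings"]:
        print(line)
```

Run as a script it prints the findings for the rebuilt message. The point it makes is the one Glenn draws: the two headers on the worm's part contradict each other, so a cache name derived from the Content-Type (Arachne's PHOTOCHI.MID) and a name derived from the filename (photochildsmiling[1].exe) point at different files, and only the decoded bytes settle which part is the executable. A scanner or mail gateway that picks files by either header alone will scan, or skip, the wrong one.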
