I've seen binaries that resemble this situation lately as well. If you `strings` the binary, it has some strings that would lead you to believe it's a PE file, i.e. it contains UPX0 & UPX1 strings, which are commonly used as the section labels for PE files that are UPX packed. However, if you try to analyze the binary as a PE, even if you took the new executable offset found in the DOS header as being valid, the values one would read at the offset are bogus... just completely bogus.
I haven't done any more investigation than this and apologize if this is old info.

On Tue, 3 Aug 2004, Denis McMahon wrote:
:Hmm
:
:I've had a couple of suspicious emails this week with headers, blank
:line, a line of text, mime headers.
:
:Thunderbird doesn't see the mime attachment due to the broken headers,
:which is good, but nor does the grisoft email proxy scanner, which is
:bad, especially as I guess that certain broken applications (no I don't
:have outlook [express] on my system) might try and be smart and find the
:attachment.
:
:This might be broken malware sending unusable stuff out, but my worry is
:that someone may have found a technique that will sneak an attachment
:past some a-v scanners in a "broken" format that certain popular email
:apps will try and fix, possibly putting active malware on the hard disk.
:
:I tried to talk to grisoft about this, but all I get back is "you have
:to pay to talk to us cheapskate" ... whilst I can agree that they might
:not want to provide tech support to users of their free scanner, does
:anyone have an email address at grisoft for submitting suspicious items
:that have got past their proxy scanner?
:
:Denis
:
:_______________________________________________
:Full-Disclosure - We believe in it.
:Charter: http://lists.netsys.com/full-disclosure-charter.html
:
:

--
Andrew R. Reiter
[EMAIL PROTECTED]
[EMAIL PROTECTED]
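Added example, not code from Andrew's post or anyone else in the thread: a small Python checker that does the walk Andrew describes by hand, DOS header, then the new-executable offset (the e_lfanew field at offset 0x3C), then the PE signature, file header and section table, refusing to trust each step until the previous one is consistent with the buffer. It reports separately whether UPX0/UPX1 merely appear as strings and whether they are reachable as section names, which is the distinction that separates a real UPX-packed PE from a file that only looks like one under `strings`. The two sample buffers are constructed here for the demonstration (header-only, with SizeOfOptionalHeader set to 0 for brevity; real files carry an optional header), not taken from any real sample.

```python
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
UPX_SECTION_NAMES = (b"UPX0", b"UPX1", b"UPX2")
FILE_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def check_pe(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> PE signature -> file header -> section table,
    validating each step against the buffer size before trusting the next one.
    A 'UPX0' string somewhere in the file proves nothing on its own; only a section
    table reached through a sane e_lfanew does."""
    r = {
        "dos_magic_ok": False,
        "e_lfanew": None,
        "pe_signature_ok": False,
        "sections": [],   # (name, VirtualAddress, SizeOfRawData, PointerToRawData)
        "upx_strings_present": any(n in data for n in UPX_SECTION_NAMES),
        "upx_sections_present": False,
        "verdict": "",
    }
    if len(data) < 64 or data[:2] != DOS_MAGIC:
        r["verdict"] = "not a PE: no MZ header"
        return r
    r["dos_magic_ok"] = True

    # e_lfanew sits at DOS header offset 0x3C. It must not overlap the DOS header
    # and must leave room for the signature plus the file header.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    r["e_lfanew"] = e_lfanew
    if e_lfanew < 64 or e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        r["verdict"] = "bogus e_lfanew: %#x is outside the buffer" % e_lfanew
        return r
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        r["verdict"] = "bogus e_lfanew: no PE signature at %#x" % e_lfanew
        return r
    r["pe_signature_ok"] = True

    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    sect_table = fh + FILE_HEADER_SIZE + opt_size
    # The loader caps a PE at 96 sections; anything beyond that or past EOF is junk.
    if nsec == 0 or nsec > 96 or sect_table + SECTION_HEADER_SIZE * nsec > len(data):
        r["verdict"] = "bogus file header: %d sections, table at %#x" % (nsec, sect_table)
        return r

    for i in range(nsec):
        off = sect_table + SECTION_HEADER_SIZE * i
        name = data[off:off + 8].rstrip(b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData follow the name
        _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        r["sections"].append((name, vaddr, rawsize, rawptr))
    r["upx_sections_present"] = any(s[0] in UPX_SECTION_NAMES for s in r["sections"])
    r["verdict"] = "plausible PE" + (" with UPX section names" if r["upx_sections_present"] else "")
    return r


def build_plausible_upx_sample() -> bytes:
    """Constructed header-only buffer: MZ, e_lfanew=0x40, PE signature, a file header
    with SizeOfOptionalHeader=0 (simplification), and UPX0/UPX1 section headers."""
    dos = DOS_MAGIC + b"\0" * 58 + struct.pack("<I", 0x40)
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sections = b""
    for name, vaddr, rawsize, rawptr in ((b"UPX0", 0x1000, 0, 0x400), (b"UPX1", 0x5000, 0x2000, 0x400)):
        sections += name.ljust(8, b"\0") + struct.pack("<IIII", 0x4000, vaddr, rawsize, rawptr) + b"\0" * 16
    return dos + PE_SIGNATURE + file_header + sections


def build_bogus_upx_lookalike() -> bytes:
    """Constructed buffer carrying the same UPX0/UPX1 strings, but e_lfanew points at
    them rather than at a PE signature: `strings` and the header walk disagree."""
    dos = DOS_MAGIC + b"\0" * 58 + struct.pack("<I", 0x40)
    return dos + b"UPX0\0\0\0\0UPX1\0\0\0\0" + b"\x90" * 100


if __name__ == "__main__":
    for label, buf in (("plausible", build_plausible_upx_sample()), ("lookalike", build_bogus_upx_lookalike())):
        res = check_pe(buf)
        print("%-9s strings=%s sections=%s -> %s" % (label, res["upx_strings_present"],
              [s[0] for s in res["sections"]], res["verdict"]))
```

The point of returning both `upx_strings_present` and `upx_sections_present` is that a triage script can flag the "UPX strings but no reachable UPX sections" combination explicitly instead of letting a PE parser throw a generic error on the bogus header.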
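A second added example, again not code from anyone in the thread, for the malformed-mail shape Denis describes (headers, blank line, a line of text, then MIME headers). A strict parser ends the header block at the first blank line, so the message is text/plain and no attachment exists; the risk is that a lenient client reads on, finds the Content-Type and boundary in the body, and reconstructs the part a gateway scanner never saw. The Python below parses strictly with the standard `email` module and then looks in the body for the MIME structure the header block never declared, which is the check one would want in front of a scanner that otherwise trusts the strict parse. Both sample messages are constructed for this demonstration; they are not the mails Denis received.

```python
import email
import re

# Header lines that belong in the header block, not inside a text/plain body.
ORPHAN_MIME_HEADER_RE = re.compile(
    r"^(?:MIME-Version|Content-(?:Type|Disposition|Transfer-Encoding)):[^\r\n]*", re.I | re.M)
BOUNDARY_RE = re.compile(r'boundary="?([^";\r\n]+)"?', re.I)
NAME_RE = re.compile(r'(?:file)?name="?([^";\r\n]+)"?', re.I)


def analyse_message(raw: bytes) -> dict:
    """Parse strictly (headers end at the first blank line), then look for MIME
    structure the header block never declared. A body that the parser calls
    text/plain but that carries its own Content-Type, boundary and attachment
    headers is what a lenient client may 'repair' and a scanner will miss."""
    msg = email.message_from_bytes(raw)
    top_is_multipart = msg.is_multipart()
    parser_attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if top_is_multipart:
        body = ""   # the parts are visible to the parser; nothing is hidden in the body
    else:
        body = (msg.get_payload(decode=True) or b"").decode("latin-1")
    orphan_lines = ORPHAN_MIME_HEADER_RE.findall(body)
    return {
        "top_content_type": msg.get_content_type(),
        "top_is_multipart": top_is_multipart,
        "parser_attachments": parser_attachments,
        "orphan_mime_header_lines": orphan_lines,
        "hidden_boundaries": sorted(set(BOUNDARY_RE.findall(body))),
        "hidden_attachment_names": sorted(set(NAME_RE.findall(body))),
        "suspicious": (not top_is_multipart) and bool(orphan_lines),
    }


# Constructed samples. BROKEN_SAMPLE has the shape from the thread: headers, blank
# line, a line of text, then MIME headers. WELLFORMED_SAMPLE is the same mail done
# properly. The base64 blob is a truncated placeholder, not a real file.
HEADERS = [
    b"From: sender@example.invalid",
    b"To: denis@example.invalid",
    b"Subject: document",
]
MIME_HEADERS = [
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="xyz"',
]
PARTS = [
    b"--xyz",
    b'Content-Type: application/octet-stream; name="doc.exe"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="doc.exe"',
    b"",
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    b"--xyz--",
    b"",
]
BROKEN_SAMPLE = b"\r\n".join(HEADERS + [b"", b"Here is the document."] + MIME_HEADERS + [b""] + PARTS)
WELLFORMED_SAMPLE = b"\r\n".join(HEADERS + MIME_HEADERS + [b""] + PARTS)


if __name__ == "__main__":
    for label, raw in (("broken", BROKEN_SAMPLE), ("wellformed", WELLFORMED_SAMPLE)):
        res = analyse_message(raw)
        print("%-10s type=%s parser_sees=%s hidden=%s suspicious=%s" % (
            label, res["top_content_type"], res["parser_attachments"],
            res["hidden_attachment_names"], res["suspicious"]))
```

For the broken sample the strict parse reports text/plain with no attachments, while the body scan turns up the orphaned MIME headers, the `xyz` boundary and `doc.exe`; that disagreement is the signal to quarantine rather than pass the mail on the strength of the strict parse alone.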
