Thread: Worm activity? -- Re [1] [2] [3] [4] [5]...

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Worm activity? -- Re [1] [2] [3] [4] [5]...

    I'm curious if anyone else has received these. They seem to be originating from "hotmail accounts" (probably made up) and have subject lines of:

    Re [15]
    Re: [27]

    etc.

    What's interesting is that they contain a single gif with it. Now it's one of two things:

    - a worm trying to propagate (using strings on the file didn't provide me with anything and I don't want to open it on Windows so I'm going to check it out in linux later)

    - trojan bound to the image (see point above)

    - a spammer verifying an address and trying to bypass any filters
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Been receiving them for the past 2 weeks or more at work.. haven't had the opportunity to capture one to play with.. no available crash-test dummy.. have used the Armstrong Spam filter method to keep them out of boxes.. I think I have had a couple of other domains than just Hotmail, but I think it was most common..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Haven't heard anything on this, but I do know that if you rename an exe with the gif extension it will still run when called from the cmd line.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    It should be fairly easy to determine if the attached file actually is a GIF. Open it in some text or hex editor. The first few bytes should read 'GIF87a' or 'GIF89a', or, respectively, 0x47 0x49 0x46 0x38 0x37 0x61 and 0x47 0x49 0x46 0x38 0x39 0x61.

    Are there serious exploits known using GIF files? I've found but two that 'only' result in a browser-crash (http://securitytracker.com/alerts/2004/Jul/1010827.html and http://securitytracker.com/alerts/2004/Jul/1010827.html).
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  5. #5
    Yeah, Yeah..

    I have been receiving the same e-mails, even to my business account, which is not a free e-mail account. However, I did not open any one of them, fearing infection with a trojan or virus.

    One of my colleagues opened an email that has the same subject and reported that this email is a sexually-oriented message... after a while, junk emails started to invade his inbox. So it is more likely to be the third assumption.

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    They are definitely GIFs since I did see those at the top of the picture, but I don't trust it. Just because it puts out what I expect doesn't mean that something new isn't out and it's not known.

    I have a suspicion that it is point 3 based on the HTML code (I missed seeing it the first time I looked at the raw email source):

    Code:
    <html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body bgcolor="#FFFFF2" text="#7A7343"><p><IMG SRC="cid:part1.07080905.09000708@drfbcfmcyn@yahoo.com" border="0" ALT=""></p><p><font color="#FFFFFD">MTV Awards what's the matter Open Directory Real Audio</font></p><p><font color="#FFFFF1">History Men</font></p></body></html>
    
    --------------040707020501010301050005
    Content-Type: image/gif;
     name="egregious.GIF"
    Content-Transfer-Encoding: base64
    Content-ID: <part1.07080905.09000708@drfbcfmcyn@yahoo.com>
    Content-Disposition: inline;
     filename="egregious.GIF"
    It might be related to this (?)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
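The check proposed in post #4 (compare the first bytes of the attachment with the GIF87a/GIF89a signature) can be run directly against the MIME structure shown in post #6: decode each inline image part and verify that the declared Content-Type matches the file's magic bytes. The script below is an added example and is not code from the thread; the messages it parses are constructed here (the boundary, addresses and Content-ID are placeholders, and the 1x1 GIF is a well-known transparent image), and the PNG, JPEG and MZ signatures are added beyond what the post lists so that a renamed executable declared as image/gif is reported as a mismatch.

```python
import base64
import email
from email import policy

# Magic bytes to compare against the declared image/* subtype. GIF87a/GIF89a
# are the signatures from post #4; the other entries are well-known signatures
# added for this example (MZ is the DOS/Windows executable header).
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "windows-executable",
}


def sniff(data: bytes) -> str:
    """Return the format name implied by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_image_parts(raw: bytes) -> list:
    """Decode every image/* MIME part and compare declared vs detected type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        payload = part.get_payload(decode=True) or b""  # base64 is undone here
        declared = part.get_content_subtype()           # "gif" for image/gif
        detected = sniff(payload)
        findings.append({
            "filename": part.get_filename(),
            "declared": declared,
            "detected": detected,
            "matches": detected == declared,
        })
    return findings


# Constructed sample: the same layout as the message quoted in post #6
# (HTML body referencing an inline image by cid:, then the base64 image part).
def build_message(image_b64: str) -> bytes:
    lines = [
        "From: sender@example.invalid",
        "To: recipient@example.invalid",
        "Subject: Re [15]",
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="EXAMPLE-BOUNDARY"',
        "",
        "--EXAMPLE-BOUNDARY",
        "Content-Type: text/html; charset=iso-8859-1",
        "",
        '<html><body><p><IMG SRC="cid:part1@example.invalid" ALT=""></p></body></html>',
        "--EXAMPLE-BOUNDARY",
        'Content-Type: image/gif; name="egregious.GIF"',
        "Content-Transfer-Encoding: base64",
        "Content-ID: <part1@example.invalid>",
        'Content-Disposition: inline; filename="egregious.GIF"',
        "",
        image_b64,
        "--EXAMPLE-BOUNDARY--",
        "",
    ]
    return "\n".join(lines).encode("ascii")


# A genuine 1x1 transparent GIF (starts with "GIF89a" once decoded).
REAL_GIF_B64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"

# Constructed fake: an MZ header renamed to .GIF and declared as image/gif.
FAKE_GIF_B64 = base64.b64encode(b"MZ\x90\x00This is not a picture").decode("ascii")


if __name__ == "__main__":
    for label, b64 in (("real", REAL_GIF_B64), ("fake", FAKE_GIF_B64)):
        for finding in check_image_parts(build_message(b64)):
            print(label, finding)
```

Running the script reports the real attachment as declared gif / detected gif and the fake one as declared gif / detected windows-executable, which is the mismatch a mail gateway rule or triage script would flag before anyone opens the file.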

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Ok, I have been getting a lot of these too. It is a spam ad for mortgages.
    Getting it from
    *.yahoo.com
    *.hotmail.com
    *.comcast.com
    etc. We are getting between 5 and 50 copies a day. It isn't being flagged by GFI.
    I have not followed the link, and I previewed it on a "test dummy" notebook.

    Don't think it is malware, just annoying...
    MrC
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: not good for anything, but the thought of pushing them down the stairs brings a smile to your face!
