January 20th, 2005, 12:52 PM
Worm activity? -- Re     ...
I'm curious if anyone else has received these. They seem to be originating from "hotmail accounts" (probably made up) and have subject lines of:
What's interesting is that they contain a single gif with it. Now it's one of two things:
- a worm trying to propogate (using strings on the file didn't provide me with anything and I don't want to open it on Windows so I'm going to check it out in linux later)
- trojan bound to the image (see point above)
- a spammer verifying an address and trying to by-pass any filters
January 20th, 2005, 01:02 PM
been recieving them for the past 2 weeks or more at work.. havent had the oppertunity to capture one to play with.. no available crash-test dummy.. have used the Armstrong Spam filter method to keep them out of boxes.. I think I have had a couple of other domains than just Hotmail, but I think it was most common..
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
January 20th, 2005, 01:35 PM
haven't heard anything on this but i do know that if you rename an exe with the gif extention it will still run when called from the cmd line.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
January 20th, 2005, 01:55 PM
It should be fairly easy to determine if the attached file actually is a GIF. Open it in some text- or hexeditor. The first few bytes should read 'GIF87a' or 'GIF89a' or 0x47 0x49 0x46 0x38 0x37 0x61 respectively 0x47 0x49 0x46 0x38 0x39 0x61.
Are there serious exploits known using GIF files? I've found but two that 'only' result in a browser-crash (http://securitytracker.com/alerts/2004/Jul/1010827.html and http://securitytracker.com/alerts/2004/Jul/1010827.html).
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
January 20th, 2005, 02:03 PM
I have been recieving the same e-mails, even to my bsuiness account, which is not free e-mail account. However, i did not open anyone of them. Fearing of infiction with a trojan or virus.
One of my colleagues opened an email has the same subject and reported that this email is a sexual-oriented message... after a while, junk emails started to invade his inbox. So it is more likely to be the third assumption.
January 20th, 2005, 02:55 PM
They are definate gifs since I did see those at the top of the picture but I don't trust it. Just because it puts out what I expect doesn't mean that something new isn't out and it's not known.
I have a suspicion that it is point 3 based on the HTML code (I missed seeing it the first time I looked at the raw email source):
It might be related to this (?)
<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body bgcolor="#FFFFF2" text="#7A7343"><p><IMG SRC="cid:part1.07080905.09000708@email@example.com" border="0" ALT=""></p><p><font color="#FFFFFD">MTV Awards what's the matter Open Directory Real Audio</font></p><p><font color="#FFFFF1">History Men</font></p></body></html>
January 20th, 2005, 05:03 PM
Ok, I have been getting a lot of these too. It is a Spam ad for mortages.
Getting it from
etc. We are getting between 5-50 copies a day. It isn't being flagged by GFI.
I have not followed the link, and I previewed it on a "test dummy" notebook.
Don't think it is malware, just annoying...
~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Somepeople are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!