[Esa-l]Anyone seen this one before?

Brett Glass brett at lariat.org
Fri Jul 20 14:24:00 PDT 2001

The following just came across the tech at openbsd.org list:

>From: "Martha Rmos"<mrios at oleoquimica.com>
>To: tech at openbsd.org
>Subject: Libro1
>date: Fri, 20 Jul 2001 15:42:14 -0600
>MIME-Version: 1.0
>X-Mailer: Microsoft Outlook Express 5.50.4133.2400
>Content-Type: text/plain; charset="us-ascii"
>Content-Disposition: Multipart message
>X-Converted-To-Plain-Text: from multipart/mixed by demime 0.98d
>X-Converted-To-Plain-Text: Alternative section used was text/plain
>Sender: owner-tech at openbsd.org
>Precedence: bulk
>X-Loop: tech at openbsd.org
>X-UIDL: feb82c7f67a1d23136b2b32d3c4fe1ae
>Hi! How are you?
>I send you this file in order to have your advice
>See you later. Thanks
>[demime 0.98d removed an attachment of type application/mixed which had a name of Libro1.xls.bat]
>[demime 0.98d removed a section which didn't have a content-type header]

Note that, since the list is "de-mimed," I can't see the Trojan
itself, but it sure looks like an Excel macro Trojan that utilizes
a double-extension exploit.
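
A defensive check for the naming pattern in the quoted notice, added here as an example and not part of the original message: it parses demime removal notices and flags attachment names where a document-style extension is followed by an executable one. The extension sets, the function names, and every sample line other than the `Libro1.xls.bat` notice are assumptions constructed for illustration.

```python
import re

# Notice format as it appears in the quoted message (demime 0.98d).
NOTICE_RE = re.compile(
    r"\[demime \S+ removed an attachment of type (?P<ctype>\S+) "
    r"which had a name of (?P<name>.+?)\]"
)

# Assumed, non-exhaustive extension sets; tune them for your environment.
DOCUMENT_EXTS = {"xls", "doc", "ppt", "txt", "pdf", "jpg", "gif", "zip"}
EXECUTABLE_EXTS = {"bat", "cmd", "com", "exe", "pif", "scr", "vbs", "js", "lnk"}

def double_extension(name):
    """Return (decoy_ext, real_ext) for a document+executable suffix, else None."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 3:
        return None
    # Whitespace padding between the two extensions is stripped as well.
    decoy, real = parts[-2].strip(), parts[-1].strip()
    if decoy in DOCUMENT_EXTS and real in EXECUTABLE_EXTS:
        return decoy, real
    return None

def scan(lines):
    """Collect findings from archive lines, tolerating '>' quote prefixes."""
    findings = []
    for line in lines:
        match = NOTICE_RE.search(line.lstrip("> ").strip())
        if not match:
            continue
        hit = double_extension(match.group("name"))
        if hit:
            findings.append({"name": match.group("name"),
                             "type": match.group("ctype"),
                             "decoy": hit[0], "runs_as": hit[1]})
    return findings

# First two lines are from the quoted message; the last two are constructed.
SAMPLE = [
    ">[demime 0.98d removed an attachment of type application/mixed which had a name of Libro1.xls.bat]",
    ">[demime 0.98d removed a section which didn't have a content-type header]",
    "[demime 0.98d removed an attachment of type application/vnd.ms-excel which had a name of budget.xls]",
    "[demime 0.98d removed an attachment of type application/octet-stream which had a name of notes.txt   .pif]",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```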


