[Esa-l]Anyone seen this one before?

Simon Matthews simon at paxonet.com
Fri Jul 20 14:44:45 PDT 2001


Brett,

I think you need to look at the filename again. Surely it is a DOS batch 
file that is masquerading as an excel spreadsheet?

Simon

At 03:24 PM 7/20/01 -0600, you wrote:
>The following just came across the tech at openbsd.org list:
>
> >From: "Martha Rmos"<mrios at oleoquimica.com>
> >To: tech at openbsd.org
> >Subject: Libro1
> >date: Fri, 20 Jul 2001 15:42:14 -0600
> >MIME-Version: 1.0
> >X-Mailer: Microsoft Outlook Express 5.50.4133.2400
> >Content-Type: text/plain; charset="us-ascii"
> >Content-Disposition: Multipart message
> >X-Converted-To-Plain-Text: from multipart/mixed by demime 0.98d
> >X-Converted-To-Plain-Text: Alternative section used was text/plain
> >Sender: owner-tech at openbsd.org
> >Precedence: bulk
> >X-Loop: tech at openbsd.org
> >X-UIDL: feb82c7f67a1d23136b2b32d3c4fe1ae
> >
> >Hi! How are you?
> >
> >I send you this file in order to have your advice
> >
> >See you later. Thanks
> >
> >[demime 0.98d removed an attachment of type application/mixed which had 
> a name of Libro1.xls.bat]
> >
> >[demime 0.98d removed a section which didn't have a content-type header]
>
>Note that, since the list is "de-mimed," I can't see the Trojan
>itself, but it sure looks like an Excel macro Trojan that utilizes
>a double-extension exploit.
>
>--Brett
>_______________________________________________
>E-mail Security Announce list mailing list
>E-mail Security Announce list at spconnect.com
>http://www.spconnect.com/mailman/listinfo/esa-l



More information about the esd-l mailing list