[Esa-l]Anyone seen this one before?

Tom Golson tgolson at co.brazos.tx.us
Fri Jul 20 14:50:54 PDT 2001


Yes.  Earlier today, I received a notice that this message had been quarantined:

> From aoadk at intelnet.net.gt  Fri Jul 20 12:27:11 2001
> Return-Path: <aoadk at intelnet.net.gt>
> Received: from mail1.intelnet.net.gt ([216.230.128.15])
>       by mail2.co.brazos.tx.us (Switch-2.0.0/Switch-2.0.0) with ESMTP id f6KHR9v12004
>       for <adejesus at co.brazos.tx.us>; Fri, 20 Jul 2001 12:27:10 -0500
> Received: from albertime (MC4-157.intelnet.net.gt [216.230.157.4] (may be forged))
>       by mail1.intelnet.net.gt (Pro-8.9.3/8.9.3) with SMTP id LAA17615
>       for <adejesus at co.brazos.tx.us>; Fri, 20 Jul 2001 11:48:08 +0600 (GMT)
> Message-Id: <200107200548.LAA17615 at mail1.intelnet.net.gt>
> From: "Alberto Ortega"<aoadk at intelnet.net.gt>
> To: adejesus at co.brazos.tx.us
> Subject: =?ISO-8859-1?Q?Informe=20Intermedio=201=2C=20Santa=20Ana=202002-077?=
> date: Fri, 20 Jul 2001 11:47:18 -0500
> MIME-Version: 1.0
> X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
> X-Mailer: Microsoft Outlook Express 5.50.4133.2400
> X-Security: MIME headers sanitized on mail2.co.brazos.tx.us
>       See http://www.impsec.org/email-tools/procmail-security.html
>       for details. $Revision: 1.129 $Date: 2001-04-14 20:20:43-07
> Content-Type: multipart/mixed;
>       boundary="----6324E7D2_Outlook_Express_message_boundary"
> Content-Disposition: Multipart message
>
> ------6324E7D2_Outlook_Express_message_boundary
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: message text
>
> Hi! How are you=3F
>
> I send you this file in order to have your advice
>
> See you later=2E Thanks
>
> ------6324E7D2_Outlook_Express_message_boundary
> Content-Type: TEXT/PLAIN;
> X-Content-Security: [mail2.co.brazos.tx.us] NOTIFY
> X-Content-Security: [mail2.co.brazos.tx.us] REPORT: Trapped poisoned executable
>       "Informe Intermedio 1, Santa Ana 2002-077.doc.bat"
> X-Content-Security: [mail2.co.brazos.tx.us] QUARANTINE
> Content-Description: SECURITY WARNING
>

which claims to be a doc.bat.  Your question piqued my curiosity so I grabbed the file and ran it
through a virus checker.  Norton with a 7/10/01 definition file doesn't seem to think
there's anything suspicious about the file.  I don't have handy an isolated machine to run it on to
check that out.  And a UNIX 'file' check returns "MS-DOS executable ...".  Anyone else?

Brett Glass wrote:

> The following just came across the tech at openbsd.org list:
>
> >From: "Martha Rmos"<mrios at oleoquimica.com>
> >To: tech at openbsd.org
> >Subject: Libro1
> >date: Fri, 20 Jul 2001 15:42:14 -0600
> >MIME-Version: 1.0
> >X-Mailer: Microsoft Outlook Express 5.50.4133.2400
> >Content-Type: text/plain; charset="us-ascii"
> >Content-Disposition: Multipart message
> >X-Converted-To-Plain-Text: from multipart/mixed by demime 0.98d
> >X-Converted-To-Plain-Text: Alternative section used was text/plain
> >Sender: owner-tech at openbsd.org
> >Precedence: bulk
> >X-Loop: tech at openbsd.org
> >X-UIDL: feb82c7f67a1d23136b2b32d3c4fe1ae
> >
> >Hi! How are you?
> >
> >I send you this file in order to have your advice
> >
> >See you later. Thanks
> >
> >[demime 0.98d removed an attachment of type application/mixed which had a name of Libro1.xls.bat]
> >
> >[demime 0.98d removed a section which didn't have a content-type header]
>
> Note that, since the list is "de-mimed," I can't see the Trojan
> itself, but it sure looks like an Excel macro Trojan that utilizes
> a double-extension exploit.
>
> --Brett
> _______________________________________________
> E-mail Security Announce list mailing list
> E-mail Security Announce list at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esa-l

--
Tom Golson
Network Analyst
Brazos County IT Department
979.361.4468
tgolson at co.brazos.tx.us
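As an added example (not part of the thread, and not the impsec procmail sanitizer's or demime's own code), here is a small Python check that does what the X-Content-Security headers above imply: parse the message, judge each attachment by its real (last) extension rather than the document-looking one in front of it, and confirm with the "MZ" magic that file(1) keys on when it reports "MS-DOS executable". The sample message is constructed to mirror the quoted one; the attachment body is a dummy MZ stub, not the original file, and the extension lists are assumptions.

```python
"""Flag mail attachments that hide an executable behind a document-looking name."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly (assumption: a practical subset).
EXEC_EXTS = {"bat", "cmd", "com", "exe", "pif", "scr", "vbs", "vbe", "js", "jse", "lnk"}
# Extensions a recipient reads as "just a document" (assumption).
DOC_EXTS = {"doc", "xls", "ppt", "rtf", "txt", "pdf", "jpg", "gif", "htm", "html"}


def classify_name(filename):
    """Return reasons the attachment name is suspicious (empty list if it looks benign).

    Only the *last* extension matters to Windows, so "Libro1.xls.bat" is a batch
    file no matter what the icon or the rest of the name suggests.
    """
    reasons = []
    parts = filename.lower().rsplit(".", 2)
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + parts[-1])
        if len(parts) == 3 and parts[-2] in DOC_EXTS:
            reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    return reasons


def scan_message(raw):
    """Parse a raw RFC 2822 message and return a finding for each risky attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # get_filename() reads Content-Disposition filename= and falls back to the
        # Content-Type name= parameter that Outlook Express of that era emitted.
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        reasons = classify_name(name)
        # Trust neither the name nor the declared type: a PE/DOS executable starts
        # with "MZ", which is exactly why file(1) called the sample an executable.
        if payload[:2] == b"MZ":
            reasons.append("MZ header: DOS/Windows executable regardless of name")
            if ctype.startswith("text/"):
                reasons.append("declared " + ctype + " but payload is a binary executable")
        if reasons:
            findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings


def build_sample():
    """Constructed test message modelled on the one quoted in the thread.

    The attachment body is a dummy MZ stub, not the original file.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Libro1"
    msg.set_content("Hi! How are you?\n\nI send you this file in order to have your advice\n\n"
                    "See you later. Thanks\n")
    # Declared as text/plain on purpose, to exercise the type/magic mismatch check.
    msg.add_attachment(b"MZ\x90\x00" + bytes(60), maintype="text", subtype="plain",
                       filename="Libro1.xls.bat")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding["filename"], finding["content_type"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A gateway that only keyed on the declared Content-Type would have passed the sample; both demime and the procmail sanitizer caught it because they looked at the trailing .bat, and the MZ check catches the same file even if it arrived with a harmless name.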
