[Esd-l] Hrmm. executable file in content-type audio/x-wav comes thru.

Philip Choy plchoy at income.com.sg
Mon Nov 12 18:31:01 PST 2001


Any solutions?

They managed to be going thru leaked poisoned list, and infecting users' PCs
and overwriting command.com, and replacing them with command.pif, until
users' PCs can't boot up.

Phil.

----- Original Message -----
From: "Philip Choy" <plchoy at income.com.sg>
To: <Esd-l at spconnect.com>
Sent: 12-Nov-2001 11:28 AM
Subject: Re: [Esd-l] Hrmm. executable file in content-type audio/x-wav comes thru.


> Here is one more entire mime with truncated attached file - last time unless
> there are more variants.. though unlikely. This pif file of 65.7kB came thru
> the poisoned list containing *.pif.
>
> Phil.
>
> ------
>
> Received: from interscan.cyberquote.com.sg (smtp.cyberquote.com.sg
> [10.1.20.52])
>  by phillip.com.sg (8.12.0.Beta16/8.12.0.Beta16) with SMTP id fAC2dLxc011564
>  for <plchoy at income.com.sg>; Mon, 12 Nov 2001 10:39:21 +0800
> Date: Mon, 12 Nov 2001 10:39:21 +0800
> Message-Id: <200111120239.fAC2dLxc011564 at phillip.com.sg>
> Received: from 10.88.94.87 by interscan.cyberquote.com.sg (InterScan E-Mail
> VirusWall NT); Mon, 12 Nov 2001 10:42:10 +0800
> From: och at phillip.com.sg
> Subject: We want peace
> MIME-Version: 1.0
> X-Security: MIME headers sanitized on mail
>  See http://www.impsec.org/email-tools/procmail-security.html
>  for details. $Revision: 1.130 $Date: 2001-09-08 11:40:29-07
> Content-Type: multipart/mixed;
>  boundary="------------InterScan_NT_MIME_Boundary"
> Status:
>
> --------------InterScan_NT_MIME_Boundary
> Content-Type: multipart/alternative;
> boundary=D4Y292h54Y3GQ8H5S1gx2W42NP1Vyq1gQ26
>
> --D4Y292h54Y3GQ8H5S1gx2W42NP1Vyq1gQ26
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD></HEAD><BODY>
> <DEFANGED_iframe src=3Dcid:V550s78E height=3D0 width=3D0>
> </iframe>
> <!--
> I'm sorry to do so,but it's helpless to say sorry.
> I want a good job,I must support my parents.
> Now you have seen my technical capabilities.
> How much my year-salary now? NO more than $5,500.
> What do you think of this fact?
> Don't call my names,I have no hostility.
> Can you help me?
> -->
> </BODY></HTML>
>
> --D4Y292h54Y3GQ8H5S1gx2W42NP1Vyq1gQ26
> Content-Type: audio/x-wav;
>  name=Bakw.pif
> Content-Transfer-Encoding: base64
> Content-ID: <V550s78E>
>
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
> RE9TIG1vZGUuDQ0KJAAAAAAAAABM8DRICJFaGwiRWhsIkVobc41WGwyRWhvgjlAbM5FaG4uN
>
> [ Truncated from 65.7k junk file ]
>
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD==
> --D4Y292h54Y3GQ8H5S1gx2W42NP1Vyq1gQ26--
>
>
> --------------InterScan_NT_MIME_Boundary--
>
> ----- Original Message -----
> From: "John D. Hardin" <jhardin at impsec.org>
> To: "Philip Choy" <plchoy at income.com.sg>
> Cc: <Esd-l at spconnect.com>
> Sent: 11-Nov-2001 2:14 AM
> Subject: Re: [Esd-l] Hrmm. executable file in content-type audio/x-wav comes thru.
>
>
> > On Fri, 9 Nov 2001, Philip Choy wrote:
> >
> > > Content-Type: audio/x-wav; name=Vlusg.exe
> > > Content-Transfer-Encoding: base64
> > > Content-ID: <R0uIhO598>
> > >
> > > Hello. To my surprise, this executable file manages to go thru the
> > > banned list. *.exe is in the poisoned list and exe is in mangle
> > > list too. And, I'm using the current version 1.1.130.
> > >
> > > Any solution?
> >
> > Are those *all* of the MIME headers for that attachment?
> > --
> >  John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
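
Added example, not part of the original thread and not the procmail sanitizer's own code: a check that walks every MIME leaf part and flags the pattern quoted above, where a part declared as `audio/x-wav` carries an executable file name in the Content-Type `name` parameter and a payload that begins with the `MZ` header. The extension list, the function name `audit_parts` and the sample message are assumptions constructed for illustration.

```python
import base64
import email
import os
from email import policy

# Assumption: extensions this sketch treats as executable.
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat"}

# Constructed payload stubs (not taken from the attachment in the thread).
MZ_STUB = base64.b64encode(b"MZ\x90\x00" + bytes(32)).decode()
WAV_STUB = base64.b64encode(b"RIFF\x24\x00\x00\x00WAVEfmt " + bytes(16)).decode()

# Constructed message modeled on the part headers quoted in the thread.
SAMPLE = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\n"
    "Content-Type: audio/x-wav; name=Bakw.pif\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    f"{MZ_STUB}\r\n--b1\r\n"
    "Content-Type: audio/x-wav; name=chime.wav\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    f"{WAV_STUB}\r\n--b1--\r\n"
).encode()

def audit_parts(raw):
    """Return (content_type, filename, reasons) for each suspicious leaf part."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # get_filename() falls back to the Content-Type "name" parameter,
        # so a part without Content-Disposition is still covered.
        fname = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        reasons = []
        if os.path.splitext(fname.lower())[1] in EXEC_EXTS:
            reasons.append("executable extension")
        if body[:2] == b"MZ":  # DOS/PE header magic, independent of the name
            reasons.append("MZ header")
        if reasons and not ctype.startswith("application/"):
            reasons.append("declared type " + ctype + " disagrees")
        if reasons:
            findings.append((ctype, fname, reasons))
    return findings
```

Checking the decoded payload as well as the name means a part renamed to a harmless extension is still reported.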


