On Thu, 16 Aug 2001 16:20:46 -0700, "Liz Marr" <[log in to unmask]> wrote: >Do yo have some documentation? I checked all the normal virus sites and >they didn't include ENT extensions in their lists. The only .ent extensions I >found were from folks doing SML and XML or using web-based >databases. I looked at the structure of the message, not the particular file ending. >MIME-Version: 1.0 >Content-Type: multipart/mixed; boundary="---- =_WT29148.3b7a4857.0a0/wt1" >Status: RO >Content-Length: 8118 >Lines: 120 > >------ =_WT29148.3b7a4857.0a0/wt1 > >Attention: > Please process the following attachment as an ADD request. Regards, ... Always some seemingly innocuous message here. >------ =_WT29148.3b7a4857.0a0/wt1 >Content-Type: application/octet-stream; name="081401JMDreq.txt.ent" >Content-Transfer-Encoding: base64 >Content-Disposition: attachment; filename="081401JMDreq.txt.ent" Only Sircam seems to use this filename.filetype.xxxx format, designed to automatically invoke some program on the user's machine which then results in the infection. I have seen at least a dozen different filetype endings: >Content-Type: multipart/mixed; boundary="----0E420012_Outlook_Express_message_boundary" >Content-Disposition: Multipart message > >------0E420012_Outlook_Express_message_boundary >Content-Type: text/plain; charset=ISO-8859-1 >Content-Transfer-Encoding: quoted-printable >Content-Disposition: message text > >Hi! How are you=3F > >I send you this file in order to have your advice > >See you later=2E Thanks > >------0E420012_Outlook_Express_message_boundary >Content-Type: application/mixed; name=Pendenciasdeentrega.xls.bat >Content-Transfer-Encoding: base64 >Content-Disposition: attachment; filename=Pendenciasdeentrega.xls.bat ---------------- >Content-Type: multipart/mixed; boundary="----2B9A5F9F_Outlook_Express_message_boundary" >Content-Disposition: Multipart message > >------2B9A5F9F_Outlook_Express_message_boundary >Content-Type: text/plain; charset=ISO-8859-1 >Content-Transfer-Encoding: quoted-printable >Content-Disposition: message text > >Hola como estas =3F > >Te mando este archivo para que me des tu punto de vista > >Nos vemos pronto=2C gracias=2E > >------2B9A5F9F_Outlook_Express_message_boundary >Content-Type: application/mixed; name="Vitácora de Trabajo Sandra Ramirez.xls.pif" >Content-Transfer-Encoding: base64 >Content-Disposition: attachment; filename="Vitácora de Trabajo Sandra Ramirez.xls.pif"