LSTOWN-L Archives

LISTSERV List Owners' Forum

Ben Parker <[log in to unmask]>
Thu, 16 Aug 2001 17:52:51 -0600
On Thu, 16 Aug 2001 16:20:46 -0700, "Liz Marr" <[log in to unmask]> wrote:

>Do you have some documentation?  I checked all the normal virus sites and
>they didn't include ENT extensions in their lists.  The only .ent extensions I
>found were from folks doing SML and XML or using web-based
>databases.

I looked at the structure of the message, not the particular file ending.

>MIME-Version: 1.0
>Content-Type: multipart/mixed; boundary="---- =_WT29148.3b7a4857.0a0/wt1"
>Status: RO
>Content-Length: 8118
>Lines: 120
>
>------ =_WT29148.3b7a4857.0a0/wt1
>
>Attention:
>  Please process the following attachment as an ADD request.  Regards, ...

Always some seemingly innocuous message here.

>------ =_WT29148.3b7a4857.0a0/wt1
>Content-Type: application/octet-stream; name="081401JMDreq.txt.ent"
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment; filename="081401JMDreq.txt.ent"

Only Sircam seems to use this   filename.filetype.xxxx  format, designed to
automatically invoke some program on the user's machine which then results in
the infection.  I have seen at least a dozen different filetype endings:

>Content-Type: multipart/mixed; boundary="----0E420012_Outlook_Express_message_boundary"
>Content-Disposition: Multipart message
>
>------0E420012_Outlook_Express_message_boundary
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: quoted-printable
>Content-Disposition: message text
>
>Hi! How are you=3F
>
>I send you this file in order to have your advice
>
>See you later=2E Thanks
>
>------0E420012_Outlook_Express_message_boundary
>Content-Type: application/mixed; name=Pendenciasdeentrega.xls.bat
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment;  filename=Pendenciasdeentrega.xls.bat

----------------

>Content-Type: multipart/mixed; boundary="----2B9A5F9F_Outlook_Express_message_boundary"
>Content-Disposition: Multipart message
>
>------2B9A5F9F_Outlook_Express_message_boundary
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: quoted-printable
>Content-Disposition: message text
>
>Hola como estas =3F
>
>Te mando este archivo para que me des tu punto de vista
>
>Nos vemos pronto=2C gracias=2E
>
>------2B9A5F9F_Outlook_Express_message_boundary
>Content-Type: application/mixed; name="Vitácora de Trabajo Sandra Ramirez.xls.pif"
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment;  filename="Vitácora de Trabajo Sandra Ramirez.xls.pif"
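The structural check described in the message above (look for the filename.filetype.xxxx shape rather than a particular final ending), as an added example that is not part of the original post. The `DOC_EXTS` set, the function names, and the `backup.tar.gz` and `minutes.doc` attachments are assumptions made for illustration; the other two filenames are the ones quoted above, placed in a constructed message.

```python
import email

# Assumption: extensions treated as the "real" document type in
# filename.filetype.xxxx; tune this set for your own mail stream.
DOC_EXTS = {".txt", ".doc", ".xls", ".zip", ".pdf", ".jpg", ".gif"}


def double_extension_attachments(raw_message: bytes):
    """Return [(filename, inner_ext, outer_ext)] for every MIME part whose
    name looks like name.<document type>.<anything>, whatever the outer
    extension is (.ent, .bat, .pif, ...)."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        # Checks Content-Disposition filename=, then Content-Type name=.
        name = part.get_filename()
        if not name:
            continue
        pieces = name.strip().lower().rsplit(".", 2)
        if (len(pieces) == 3 and pieces[0] and pieces[2]
                and "." + pieces[1] in DOC_EXTS):
            hits.append((name.strip(), "." + pieces[1], "." + pieces[2]))
    return hits


def build_sample(names):
    """Constructed multipart/mixed message with one base64 part per name."""
    out = ['MIME-Version: 1.0',
           'Content-Type: multipart/mixed; boundary="b1"', '',
           '--b1', 'Content-Type: text/plain', '',
           'Please process the following attachment.']
    for n in names:
        out += ['--b1',
                f'Content-Type: application/octet-stream; name="{n}"',
                'Content-Transfer-Encoding: base64',
                f'Content-Disposition: attachment;  filename="{n}"',
                '', 'AAAA']
    out += ['--b1--', '']
    return "\r\n".join(out).encode("ascii")


# Constructed sample: two names from the post, two ordinary attachments.
SAMPLE = build_sample(["081401JMDreq.txt.ent", "Pendenciasdeentrega.xls.bat",
                       "backup.tar.gz", "minutes.doc"])

if __name__ == "__main__":
    for name, inner, outer in double_extension_attachments(SAMPLE):
        print(f"suspicious: {name!r} (document type {inner}, real type {outer})")
```
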
