On Thu, 13 Jul 2006 09:32:27 -0400, Virus Guy <(E-Mail Removed)> wrote:

>(E-Mail Removed) wrote:
>
>> The message ID number (using arin.net) was invalid.
>
>Huh?
>
>arin.net will tell you where a given IP address is located
>(geographically). It has nothing to do with message ID numbers in
>e-mail.
>

There was one of those ISP numbers (I forget the correct name for
them). I put it in Arin, was told it's invalid !

>> I deleted the message and the gifs, so it's gone.
>
>For the past month or two, many stock P&D spam is being sent as a
>single attached image file - no text at all in the message body.
>Total message size ranges from 25k to 50k. That's what you probably
>got.
>

Very likely, I keep getting all kinds of "stock" spam lately.

>They are sent as .GIF attachments (as opposed to JPG) because text is
>better rendered as an image if it's converted to GIF format. Also
>results in a smaller file size.

Yep, 256 colors max.

(E-Mail Removed) wrote:

> > arin.net will tell you where a given IP address is located
>
> There was one of those ISP numbers (I forget the correct name
> for them).

The IP address of the source of an e-mail will be contained in the
first received line of the header, like this:

Return-Path: <(E-Mail Removed)>
Received: from xlgggby ([210.82.32.47]) by (your SMTP server)
with SMTP id AAA246 for <(E-Mail Removed)>;
Fri, 14 Jul 2006 03:32:28 -0400

The IP address in the above example is 210.82.32.47.

> I put it in Arin, was told it's invalid !

You did not give Arin an IP address. You gave it something else, and
it told you what you gave it was invalid.

From: <(E-Mail Removed)>

| Can a .GIF contain a virus?
|
| I was sent an email from someone I do not know. There was no text in
| it, just two .GIF files. The message ID number (using arin.net) was
| invalid. My email software does not view anything except plain text.
| HTML is viewed as text too. I have to manually open attachments too.
| Because of this, I was never exposed to any viruses or spyware.
| I deleted the message and the gifs, so it's gone.
|
| I used to feel safe opening pictures, but heard that some can now
| contain a virus. Can a .GIF contain one?
|
| Thanks
|
| TJ

I just received a sample named "UPX.GIF"

BitDefender 7.2 07.16.2006 Dropped:Trojan.Spy.HAKvip.A
DrWeb 4.33 07.15.2006 Trojan.PWS.Lineage
Kaspersky 4.0.2.24 07.16.2006 Trojan-Spy.Win32.Agent.nf
McAfee 4807 07.14.2006 Exploit-CodeBase.chm
Panda 9.0.0.4 07.15.2006 Suspicious file
VBA32 3.11.0 07.15.2006 suspected of Trojan-PSW.Lineage.3

It could be a file that was renamed to .GIF but I haven't really looked at its contents to
know for sure.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

On Sun, 16 Jul 2006 02:16:00 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: <(E-Mail Removed)>
>
>| Can a .GIF contain a virus?
>|
>| I was sent an email from someone I do not know. There was no text in
>| it, just two .GIF files. The message ID number (using arin.net) was
>| invalid. My email software does not view anything except plain text.
>| HTML is viewed as text too. I have to manually open attachments too.
>| Because of this, I was never exposed to any viruses or spyware.
>| I deleted the message and the gifs, so it's gone.
>|
>| I used to feel safe opening pictures, but heard that some can now
>| contain a virus. Can a .GIF contain one?
>|
>| Thanks
>|
>| TJ
>
>I just received a sample named "UPX.GIF"
>
>BitDefender 7.2 07.16.2006 Dropped:Trojan.Spy.HAKvip.A
>DrWeb 4.33 07.15.2006 Trojan.PWS.Lineage
>Kaspersky 4.0.2.24 07.16.2006 Trojan-Spy.Win32.Agent.nf
>McAfee 4807 07.14.2006 Exploit-CodeBase.chm
>Panda 9.0.0.4 07.15.2006 Suspicious file
>VBA32 3.11.0 07.15.2006 suspected of Trojan-PSW.Lineage.3
>
>It could be a file that was renamed to .GIF but I haven't really looked at its contents to
>know for sure.

It's not a GIF file, David. It has the header of a CHM file. There's a
compressed (and encrypted?) EXE "inside it" that Kaspersky identifiies
as SCHOVE.EXE. It's in this EXE file that KAV identifies
Trojan-Spy.Win32.Agent.nf.

I guess the malware author is depending on that quirk in Win XP
where under certain conditions the OS will execute based on file
type rather than on file extension???

Thanks for sending me the sample. I don't see my JPG-SCAN proggy
detecting this kind of file since it seems the av vednors are at
least starting to develop detection for it. We shall see.

Art
http://home.epix.net/~artnpeg

[ice_cracker]

I got this from a friend but I'm a little leery if it contains a malicious code. He is a programmer. One time he used my laptop and shortly it crashed. The link was sent by text and it's a video of a dog bouncing on a ball. Can someone check this URL if it contains one of those hidden file extensions?

http://i.imgur.com/nCPIg.gif

Thanks!

[ice_cracker]

Oh, and this one too please?? Thanks a lot!

http://db.tt.owfXKmkl