Suspect e-mail from bfrazzonat_private

From: Yotam Rubin (yotamat_private)
Date: Tue May 08 2001 - 13:56:04 PDT

    Gentle people,
    
    	I have recently received a highly dubious e-mail from
    bfrazzonat_private. The subject of the letter was "damaged. For more".
    Attached to the letter was a file named EDCREGC.EXE whose mime type was
    image/gif. Below is the content of the discussed message:
    
    "        If you have a Plug-and-Play monitor:Check if the Windows 95 Monitor
    option button is selected and that Plug and Play Monitor (VESA DDC) appears
    immediately under it. If so, the MGA display driver automatically uses the
    correct settings for your monitor. If not, use Windows 95 monitor selection to
    use your monitor's default settings (see "Windows95 monitor selection"). "
    
    I have posted the entire message including headers at:
    http://192.117.130.34/Fendor/security/bruno-8-5-2001
    You may find the attached binary at:
    http://192.117.130.34/Fendor/security/EDCREGC.EXE
    
    	Another fact of interest is that the recipient's (me) non-local address
    portion was capitalized. Assuming that he used an address harvester, the
    form of the collected address is probably identical to the recipient's address
    in this particular message. The only public place where my address is partially
    capitalized is the list archive of the incidents mailing list.
    I am fairly sure this is not how his software normally behaves, because
    other addresses in the letter were not capitalized in the same manner, as
    opposed to messages originating at securityfocus.com.
    
    	Also note how the binary's mime type is set to image/gif.
    I do not know how Outlook handles this but the sender probably wanted to
    achieve one of two things:
    
     o Deceive the recipient into thinking that the attachment is a picture,
       thus coaxing him to open the curious file.
     o Perhaps he wanted Outlook to open the attachment automatically.
       I know that Outlook renders certain mime-types on the fly, so maybe
       by opening the message the attachment is executed.
    
    Enlightenments regarding this letter are highly solicited.
    
    	Best Regards, Yotam Rubin
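
The mismatch reported above (an attachment named EDCREGC.EXE declared as image/gif) can be checked mechanically at a mail gateway or during triage. The following is an added example, not part of the original post: the function names, the extension list and the sample payload bytes are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows runs directly (illustrative list, not exhaustive).
RUNNABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}

def build_message(filename, maintype, subtype, payload):
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "damaged. For more"
    msg.set_content("constructed body text")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()

def audit_attachments(raw):
    """Flag attachments whose declared MIME type contradicts name or content."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # not an attachment
        declared = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        is_app = declared.startswith("application/")
        reasons = []
        # Check 1: runnable file name hidden behind a non-application type.
        ext = os.path.splitext(name)[1].lower()
        if ext in RUNNABLE_EXTS and not is_app:
            reasons.append("runnable extension declared as " + declared)
        # Check 2: DOS/PE executables start with the two bytes "MZ",
        # whatever the file name or Content-Type header claims.
        if body[:2] == b"MZ" and not is_app:
            reasons.append("MZ executable header declared as " + declared)
        if reasons:
            findings.append({"filename": name, "declared": declared,
                             "reasons": reasons})
    return findings

# Constructed payloads: a stub with an MZ header and a minimal GIF header.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_GIF = b"GIF89a" + b"\x00" * 20

if __name__ == "__main__":
    sample = build_message("EDCREGC.EXE", "image", "gif", FAKE_EXE)
    for finding in audit_attachments(sample):
        print(finding)
```

Check 2 still fires when the sender also renames the file to a harmless-looking extension, because it inspects the decoded bytes rather than the headers.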
    



    This archive was generated by hypermail 2b30 : Tue May 08 2001 - 14:02:43 PDT