[Gllug] Is is it nasty ?

jim jim at madeira.physiol.ucl.ac.uk
Wed Aug 1 13:45:32 UTC 2001


On Wed, 1 Aug 2001, will wrote:

> ----- Original Message -----
> From: Formi <rcformi at yahoo.com>
> To: <gllug at linux.co.uk>
> Sent: Wednesday, August 01, 2001 2:22 PM
> Subject: [Gllug] Is is it nasty ?
> 
> >  Guys, is this any kind of virus or nasty bit of code ? It has been sent
> > to me a couple of times.
> >
> > The AAA... etc, etc keeps going on and on ...
> > but finishes with
> 
> filename=invoice.xls.com
> 
> looks like it could be a virus masquerading as an Excel file.  I would say
> that it looks like binary data, and a .com file is executable in Windows I
> believe.  Be careful ;-)

As Richard says, it's definitely SirCam. The AAA ... is a (buggy - I
haven't been able to get anything interesting out of any of them either)
base64 encoding of the virus executable tacked onto the front of a random
file from the victim's system. Double extensions are always suspicious,
and indeed if you do a `file' on one of the attachments you get "MS-DOS
executable (EXE), OS/2 or Windows".

According to a Slashdot post if you chop off the first 137216 bytes of the
attachment using `dd' or whatever and remove the second extension you will
get rid of the virus code and can look at the original document. The
second extension can be .bat, .com or whatever since Windows uses it only
to decide whether it's executable and the contents to determine how to
deal with it (much as Linux uses the x mode bit and the magic).

jim
-- 
http://madeira.physiol.ucl.ac.uk/people/jim/
"... I naturally gravitated to London, that great cesspool into which all the
 loungers and idlers of the Empire are irresistibly drained."
                                - Sir Arthur Conan Doyle, "A Study in Scarlet"
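The recovery recipe described above, as an added example that is not part of the original post: a small POSIX shell script that flags the double extension, checks for the DOS "MZ" magic that `file` reports as an MS-DOS executable, and strips the 137216-byte prefix with dd. The sample attachment is constructed inline; the prefix length is taken from the post and assumed to hold for the sample in hand.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the 137216-byte
# SirCam prefix quoted from Slashdot and that the payload starts with the
# DOS "MZ" magic (what `file` calls "MS-DOS executable (EXE)").
set -e

SIRCAM_PREFIX=137216

# Print "yes" if the name carries a double extension whose last part is an
# executable suffix Windows would run (.com/.bat/.exe/.pif), else "no".
suspicious_name() {
    case "$1" in
        *.*.[cC][oO][mM]|*.*.[bB][aA][tT]|*.*.[eE][xX][eE]|*.*.[pP][iI][fF])
            echo yes ;;
        *)  echo no ;;
    esac
}

# Print "yes" if the file begins with the two-byte DOS executable magic.
has_mz_magic() {
    if [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "MZ" ]; then
        echo yes
    else
        echo no
    fi
}

# Skip one block of SIRCAM_PREFIX bytes and copy the rest: that is the
# document the virus had appended itself to. $1 = attachment, $2 = output
# (give it the real, single extension, e.g. invoice.xls).
recover_document() {
    dd if="$1" of="$2" bs="$SIRCAM_PREFIX" skip=1 2>/dev/null
}

# Constructed sample attachment: "MZ" magic, zero padding up to the prefix
# length, then a stand-in "document" body so recovery can be checked.
make_sample() {
    {
        printf 'MZ'
        dd if=/dev/zero bs=1 count=$((SIRCAM_PREFIX - 2)) 2>/dev/null
        printf 'ORIGINAL SPREADSHEET DATA\n'
    } > "$1"
}
```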
