Date: Wed, 3 Mar 2004 17:29:55 +0300
From: Sergey 'DoubleF' Zaharchenko
To: Mike Jeays
Cc: lee@slaughters.com, questions@freebsd.org
Subject: Re: Email account utilization warning.

On 02 Mar 2004 22:53:49 -0500
Mike Jeays probably wrote:

> PIF files are Windows Program Information Files, dating from the days of
> Windows 3.1. I am surprised they still work - but it seems that they
> do. They have executable content, and are now being used to spread
> malicious software.

Just for the sake of correctness...

Physically, real PIFs have no more executable content than something
between a binary data file and a soft link. But Windows thinks that they
can be `executed' (that was necessary to make them usable as links, I
guess), which is quite enough - when the loader analyzes the file, it
understands it's not a PIF but an EXE format executable from the magic
number and runs it.

Some olden virus-writers probably think that if one masquerades an .exe
as .pif, some olden antiviruses won't find them :).

They are making progress: the virus is about 25% smaller than its .C
predecessor:))))

P.S. And nobody even cared to remove staff@ from CC:)

-- 
DoubleF
Cloning is the sincerest form of flattery.
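
Added example, not part of the original message: a mail-filter style check that judges attachments by content, as the loader does, and reports any that are EXE format under another extension such as .pif. The function names, the list of honest extensions and the sample attachments are assumptions made for this illustration.

```python
import os
import struct
from email.message import EmailMessage

def exe_kind(data: bytes):
    """Return 'pe', 'mz' or None, judged from the content alone."""
    if data[:2] != b"MZ":            # DOS/EXE magic number
        return None
    if len(data) >= 0x40:
        # e_lfanew: little-endian offset of the PE header, stored at 0x3C
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "mz"

def disguised_attachments(msg, honest_exts=(".exe", ".dll")):
    """List (filename, kind) for attachments whose content is EXE format
    but whose extension says otherwise (honest_exts is an assumed policy)."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = exe_kind(part.get_payload(decode=True) or b"")
        ext = os.path.splitext(name)[1].lower()
        if kind and ext not in honest_exts:
            hits.append((name, kind))
    return hits

def sample_message():
    """Constructed sample: header-only MZ/PE stub, not a working program."""
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\0\0"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    for payload, fname in ((bytes(stub), "warning.pif"),     # EXE named .pif
                           (b"plain notes\n", "notes.pif"),  # not an EXE
                           (bytes(stub), "setup.exe")):      # honestly named
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg

if __name__ == "__main__":
    for name, kind in disguised_attachments(sample_message()):
        print(f"{name}: content is {kind.upper()} executable")
```
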