Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 31 Mar 2003 14:39:49 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        "Jacques A. Vidrine" <nectar@freebsd.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: what was that?
Message-ID:  <5.2.0.9.0.20030331143557.07ea0858@marble.sentex.ca>
In-Reply-To: <20030331185633.GA40453@madman.celabo.org>
References:  <3E887850.7010100@drweb.ru> <3E887850.7010100@drweb.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 

At 12:56 PM 31/03/2003 -0600, Jacques A. Vidrine wrote:
>It's kind of interesting, because it is base64 encoded data which
>begins with the string `PCDFEB09':
>
>0000  50 43 44 46 45 42 30 39  00 01 00 02 00 00 00 00  |PCDFEB09........|
>0010  00 00 00 00 00 00 00 00  00 18 00 00 00 00 00 00  |................|
>0020  00 7e 9e 05 6b 64 a1 3c  4d ae e2 93 ff 42 93 c3  |.~..kd¡<M®â.ÿB.Ã|
>0030  20 c2 80 00 00 10 00 00  00 8f ec db e0 8b 1b ba  | Â........ìÛà..º|
>0040  4f ad 60 43 d5 17 d5 5f                           |O­`CÕ.Õ_|
>
>Google'ing for that string turns up a lot of hits, which seem to be
>Microsoft TNEF attachements.  *shrug*  Perhaps it is a sneaky way of
>sending some data out-of-band :-)


Actually, will not some MS email clients (e.g. lookOUT) honor attachments 
that begin in the headers ?  I recall a discussion similar to this on email 
AV scanner lists...  Because MS would decode an attachment crammed in the 
subject line, this could be a way to bypass email scanners and cram viruses 
in the subject... Combined with the fact that there are many unpatched 
email clients out there, this would be a nice way to spread an email worm.

Perhaps the MS client would try and decode an attachment in the messageID ?

         ---Mike



>or maybe it is just a buggy
>application.  Too bad you don't have the entire message.
>
>I don't think it is anything to worry about, really.
>
>Cheers,
>--
>Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
>NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
>jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.2.0.9.0.20030331143557.07ea0858>