Date: Mon, 31 Mar 2003 14:39:49 -0500 From: Mike Tancsa <mike@sentex.net> To: "Jacques A. Vidrine" <nectar@freebsd.org> Cc: freebsd-security@freebsd.org Subject: Re: what was that? Message-ID: <5.2.0.9.0.20030331143557.07ea0858@marble.sentex.ca> In-Reply-To: <20030331185633.GA40453@madman.celabo.org> References: <3E887850.7010100@drweb.ru> <3E887850.7010100@drweb.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
At 12:56 PM 31/03/2003 -0600, Jacques A. Vidrine wrote: >It's kind of interesting, because it is base64 encoded data which >begins with the string `PCDFEB09': > >0000 50 43 44 46 45 42 30 39 00 01 00 02 00 00 00 00 |PCDFEB09........| >0010 00 00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 |................| >0020 00 7e 9e 05 6b 64 a1 3c 4d ae e2 93 ff 42 93 c3 |.~..kd=A1<M=AE=E2.= =FFB.=C3| >0030 20 c2 80 00 00 10 00 00 00 8f ec db e0 8b 1b ba | =C2........=EC=DB= =E0..=BA| >0040 4f ad 60 43 d5 17 d5 5f |O=AD`C=D5.=D5_| > >Google'ing for that string turns up a lot of hits, which seem to be >Microsoft TNEF attachements. *shrug* Perhaps it is a sneaky way of >sending some data out-of-band :-) Actually, will not some MS email clients (e.g. lookOUT) honor attachments=20 that begin in the headers ? I recall a discussion similar to this on email= =20 AV scanner lists... Because MS would decode an attachment crammed in the=20 subject line, this could be a way to bypass email scanners and cram viruses= =20 in the subject... Combined with the fact that there are many unpatched=20 email clients out there, this would be a nice way to spread an email worm. Perhaps the MS client would try and decode an attachment in the messageID ? ---Mike >or maybe it is just a buggy >application. Too bad you don't have the entire message. > >I don't think it is anything to worry about, really. > >Cheers, >-- >Jacques A. Vidrine <nectar@celabo.org> http://www.celabo.org/ >NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos >jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.2.0.9.0.20030331143557.07ea0858>