From: Mike Tancsa
To: "Jacques A. Vidrine"
Cc: freebsd-security@freebsd.org
Date: Mon, 31 Mar 2003 14:39:49 -0500
Subject: Re: what was that?
Message-Id: <5.2.0.9.0.20030331143557.07ea0858@marble.sentex.ca>
In-Reply-To: <20030331185633.GA40453@madman.celabo.org>
References: <3E887850.7010100@drweb.ru>

At 12:56 PM 31/03/2003 -0600, Jacques A. Vidrine wrote:
>It's kind of interesting, because it is base64 encoded data which
>begins with the string `PCDFEB09':
>
>0000 50 43 44 46 45 42 30 39 00 01 00 02 00 00 00 00 |PCDFEB09........|
>0010 00 00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 |................|
>0020 00 7e 9e 05 6b 64 a1 3c 4d ae e2 93 ff 42 93 c3 |.~..kd.<M....B..|
>0030 20 c2 80 00 00 10 00 00 00 8f ec db e0 8b 1b ba | ...............|
>0040 4f ad 60 43 d5 17 d5 5f |O.`C...._|
>
>Google'ing for that string turns up a lot of hits, which seem to be
>Microsoft TNEF attachments. *shrug* Perhaps it is a sneaky way of
>sending some data out-of-band :-)

Actually, will not some MS email clients (e.g. lookOUT) honor attachments
that begin in the headers? I recall a discussion similar to this on email
AV scanner lists... Because MS would decode an attachment crammed in the
subject line, this could be a way to bypass email scanners and cram viruses
in the subject... Combined with the fact that there are many unpatched
email clients out there, this would be a nice way to spread an email worm.

Perhaps the MS client would try and decode an attachment in the messageID?

---Mike

>or maybe it is just a buggy
>application. Too bad you don't have the entire message.
>
>I don't think it is anything to worry about, really.
>
>Cheers,
>--
>Jacques A. Vidrine http://www.celabo.org/
>NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
>jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
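A defender-side check for the header-smuggling worry raised in the reply above, written as an added example for this page and not taken from the thread or from any scanner product: it decodes every base64-looking token in every header of a raw message and flags the ones that begin with the `PCDFEB09` marker from the dump or with the TNEF stream signature. The sample message, its addresses and the marker labels are constructed; the 72 payload bytes are the ones in the quoted dump.

```python
import base64, binascii, email, re

# Binary markers worth flagging when a header value decodes to them: the
# "PCDFEB09" prefix from the dump above, and the TNEF stream signature
# (0x223E9F78 little-endian) that a winmail.dat attachment starts with.
MAGICS = {b"PCDFEB09": "PCDFEB09 blob", b"\x78\x9f\x3e\x22": "TNEF stream"}

# Runs of base64 alphabet long enough to be worth decoding (24 chars = 18 bytes).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def classify(data):
    """Label decoded bytes that start with a known binary marker, else None."""
    for magic, label in MAGICS.items():
        if data.startswith(magic):
            return label
    return None


def scan_headers(raw):
    """Decode every base64-looking token in every header value of a raw RFC 822
    message; return (header, label, decoded length) for the ones that decode to
    a flagged marker. Ordinary base64 (DKIM, encoded words) is left alone."""
    hits = []
    for name, value in email.message_from_bytes(raw).items():
        for token in B64_TOKEN.findall(value):
            try:
                data = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue
            label = classify(data)
            if label:
                hits.append((name, label, len(data)))
    return hits


# Constructed sample: the 72 bytes from the dump, base64-encoded and crammed
# into the Subject header of an otherwise ordinary message.
DUMP_BYTES = bytes.fromhex(
    "50434446454230390001000200000000" "00000000000000000018000000000000"
    "007e9e056b64a13c4daee293ff4293c3" "20c2800000100000008fecdbe08b1bba"
    "4fad6043d517d55f"
)
SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: " + base64.b64encode(DUMP_BYTES) + b"\r\n"
    b"Message-ID: <plain-id@example.invalid>\r\n\r\nbody text\r\n"
)

if __name__ == "__main__":
    print(scan_headers(SAMPLE_MESSAGE))  # [('Subject', 'PCDFEB09 blob', 72)]
```

Only tokens that decode to a known marker are reported, so DKIM signatures and RFC 2047 encoded words pass through silently; extend `MAGICS` with other binary prefixes your environment cares about.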