NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FreeBSD Security> 2003-03

Re: what was that?

From: Mike Tancsa (mikesentex.net)
Date: Mon Mar 31 2003 - 13:39:49 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 12:56 PM 31/03/2003 -0600, Jacques A. Vidrine wrote:
>It's kind of interesting, because it is base64 encoded data which
>begins with the string `PCDFEB09':
>
>0000 50 43 44 46 45 42 30 39 00 01 00 02 00 00 00 00 |PCDFEB09........|
>0010 00 00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 |................|
>0020 00 7e 9e 05 6b 64 a1 3c 4d ae e2 93 ff 42 93 c3 |.~..kd¡<M®â.ÿB.Ã|
>0030 20 c2 80 00 00 10 00 00 00 8f ec db e0 8b 1b ba | Â........ìÛà..º|
>0040 4f ad 60 43 d5 17 d5 5f |O`CÕ.Õ_|
>
>Google'ing for that string turns up a lot of hits, which seem to be
>Microsoft TNEF attachements. *shrug* Perhaps it is a sneaky way of
>sending some data out-of-band :-)

Actually, will not some MS email clients (e.g. lookOUT) honor attachments
that begin in the headers ? I recall a discussion similar to this on email
AV scanner lists... Because MS would decode an attachment crammed in the
subject line, this could be a way to bypass email scanners and cram viruses
in the subject... Combined with the fact that there are many unpatched
email clients out there, this would be a nice way to spread an email worm.

Perhaps the MS client would try and decode an attachment in the messageID ?

---Mike

>or maybe it is just a buggy
>application. Too bad you don't have the entire message.
>
>I don't think it is anything to worry about, really.
>
>Cheers,
>--
>Jacques A. Vidrine <nectarcelabo.org> http://www.celabo.org/
>NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
>jvidrineverio.net . nectarFreeBSD.org . nectarkth.se
>_______________________________________________
>freebsd-securityfreebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"

_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]