
Re: Uncompressing gif Files that May or May Not be gif's



John Hasler writes:
> First run 'file' on it.  If it isn't what it claims to be you don't need
> to know more: you can reject it immediately.

	Thank you.  I had forgotten about that great utility.  The bad
news is that the .gif files in the virus messages are either
genuine gifs and the infection mechanism is hidden somewhere else
or the gif file looks so authentic that it passes all the tests.
I tried it on a couple of spams whose text is a bunch of
disconnected words and sentences for example:

From:    "Kim L. Susanna" <ldpcgi@thumbnail.com>
Subject: query seek


part 1     text/html                 2483

>   middle class
>   I can use the technical superciliousness of zazzle. Find the Art
>   Portals in English on lonvig. Doom 3 Fortress is on the move, based on
>   TF 2.
>   He was selling the products over the Internet via spam emails and was
>   caught with goods worth an estimated quarter of a million pounds.
>   Concerns about a virus actually existing in "keypress. Great games,
>   emotion, nice organization, some time well spent.
>   The PANELs below are the PANELs shown on each of my Art Portals.
>   soldier also was killed Saturday after coming under small-arms fire
>   northeast of Baghdad, the military said, raising the number of
>   American troops who have died this month to 37.
>   Learn more by clicking here. The customer must be able to customize my
>   MERCHANDISE products. Petraeus: Iraq 'doomed' if mission fails -
>   Conflict in Iraq - MSNBC.
>   I found the software I needed in Silicon Valley - where else.
>   Tehran said it was a government liaison office and called for the
>   release of the five, along with compensation for damages. The crew at
>   Gang-Life on the other hand, finished off their Glock Model. You will
>   find the MERCHANDISE products on my web site or on Art Portals. A new
>   project, this time in Spain, is now starting at K1ck Counter-Strike.
>   Today the world renowned Iconograpfer Ilina Filipova from Malta
>   expressed her enthusiasm about my ideas.
>   NATO chief predicts Afghanistan stability - Focus on Afghanistan -
>   MSNBC.
>   And if you're a Linux fan, check this Instructions Page to set you up
>   and running Doom 3 on your favorite OS.
>   You buy the shirts from Zazzle. The deaths raised to 36 the number of
>   Americans killed in Iraq so far this month. A fifth crash has
>   tentatively been blamed on mechanical failure. What is made public
>   probably would be short, and shorter on details than the
>   administration recently had suggested.
>   Please contact your system administrator to report this fault. And a
>   dream comes through.

	The .gif file which was attached to this Jabberwockian
spew was called attempt.gif and passed the "file" test with flying
colors.  Since the message body makes no sense and has no
hyperlinks, the .gif almost has to be the mechanism to louse
things up.

	I once did a Google search describing email messages
consisting of random text with a binary attachment and this may
be a variant of what is called the "bugbear" virus in which a
.gif file is the means of infection.  The only thing that didn't
match was that bugbear makes a gif file with a compound extension
like .exe.gif.  It could also be that the thugs have refined it
so as to make more normal-looking files.

	To me, this is interesting, but the goal is to
mechanically detect those darn things and shunt them into the
spam folder, as they frequently get by bogofilter.

Martin McCormick
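A defender-side version of the "file" check discussed in this thread, added here as an example and not code from the thread or from bogofilter: it confirms that an attachment named .gif really starts with a GIF87a/GIF89a signature, parses the logical screen descriptor, and flags the compound .exe.gif naming pattern mentioned for bugbear. The sample bytes are constructed, and the list of executable extensions is an assumption, not a standard.

```python
import struct

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Assumption: extensions a mail filter would not want hidden before a trailing .gif
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs"}


def parse_gif_header(data):
    """Return (version, width, height) for a valid GIF header, else None.

    A GIF header is the 6-byte signature followed by the 7-byte logical
    screen descriptor: width, height (little-endian u16), packed flags,
    background colour index and pixel aspect ratio.
    """
    if len(data) < 13 or data[:6] not in GIF_MAGIC:
        return None
    width, height = struct.unpack("<HH", data[6:10])
    return data[3:6].decode("ascii"), width, height


def inspect_attachment(filename, data):
    """Classify an attachment by comparing its name with its content."""
    exts = filename.lower().split(".")[1:]
    reasons = []
    if exts and exts[-1] == "gif":
        header = parse_gif_header(data)
        if header is None:
            reasons.append("named .gif but no GIF87a/GIF89a signature")
        elif header[1] == 0 or header[2] == 0:
            reasons.append("GIF header declares a zero-sized image")
    # bugbear-style compound extension such as picture.exe.gif
    if len(exts) > 1 and any(e in EXECUTABLE_EXTS for e in exts[:-1]):
        reasons.append("compound extension hides an executable type: ." + ".".join(exts))
    # DOS/Windows executables begin with the 'MZ' stub, whatever the name says
    if data[:2] == b"MZ":
        reasons.append("content is a DOS/Windows executable (MZ header)")
    return {"filename": filename, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a minimal 1x1 GIF89a and an executable stub renamed .gif
GOOD_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b"\x3b"
FAKE_GIF = b"MZ\x90\x00" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("attempt.gif", GOOD_GIF), ("attempt.gif", FAKE_GIF), ("photo.exe.gif", GOOD_GIF)]:
        print(inspect_attachment(name, blob))
```

A genuine GIF, as in the attempt.gif case described above, passes this check cleanly; the check only catches name/content mismatches, not a malformed-but-correctly-signed image.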


