[SpamCop.net - protecting the internet through technology]

[SpamCop-List] Re: CIA Spoof

Porpoise porpoise1954 at yahoo.co.uk
Tue Dec 6 14:46:37 EST 2005


"Mike Easter" <MikeE at ster.invalid> wrote in message 
news:dn47fq$tgh$1 at news.spamcop.net...
> Mike Easter wrote:
>
> I used a hex viewer on bqj522.zip which looks like it should extract to
> the name you found, qform.exe.  I also used my AV agent AVG on the
> folder of the zip and it did not detect anything.  I'm accustomed to AVs
> not finding virms which are zipped up, but I'm surprised at the several
> differences between your results and mine.  I'm wondering if you
> isolated the bqj522.zip in a different manner, say from the original
> mail itself, and somehow had something better to work with than what I
> got from the tracker's attachment.
>
> I was working with what I isolated from the original post's tracker's
> attachment, selecting the b64 in isolation, b64 decoding into the zip,
> and working with that zip.
>

Errr.... Yes. I isolated it from the email into a temporary folder and went 
to work on it from there. F-Secure also wouldn't scan it whilst still 
encapsulated within the email, but the result I posted was from scanning the 
resulting temporarily saved .zip file. I haven't yet pulled it into WinHex 
to analyse it. The most important aspect for me, though, was that it's not 
being picked up by virus-scanners whilst it's still embedded within the 
email structure. That makes it more dangerous to the unedified, who might be 
tempted to open the .zip file - on the basis that their virus-scanner hadn't 
said it was a virus. 
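The procedure both posters describe (isolate the base64 attachment from the raw message, decode it to a .zip on disk so a scanner can actually look at it, and peek at the archive to see what file name it would extract to) as an added Python example; this is not code from the thread or from SpamCop. The message, the archive and its contents are constructed here, and the member is a harmless text placeholder that only borrows the names bqj522.zip and qform.exe mentioned in the thread.

```python
"""Added example: pull a base64 zip attachment out of a raw message and
inspect the archive without extracting it, so a scanner can be pointed at
the saved file. Sample message and zip are constructed inline."""
import base64
import email
import hashlib
import io
import os
import tempfile
import zipfile
from email import policy

# Member names with these extensions inside an attached archive get flagged.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_message() -> bytes:
    """Construct a small MIME message with one base64-encoded zip attachment.
    The zip holds a placeholder text member named qform.exe (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("qform.exe", b"constructed placeholder, not an executable\n")
    b64 = base64.encodebytes(buf.getvalue()).decode("ascii")
    raw = (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
        "\r\n"
        "--XYZ\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Please see attached.\r\n"
        "--XYZ\r\n"
        'Content-Type: application/zip; name="bqj522.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="bqj522.zip"\r\n'
        "\r\n"
        + b64.replace("\n", "\r\n")
        + "--XYZ--\r\n"
    )
    return raw.encode("ascii")


def extract_attachments(raw: bytes) -> list:
    """Walk the MIME tree and return (filename, decoded_bytes) for each
    attachment. get_payload(decode=True) undoes the base64 transfer encoding,
    which is the step the AV products in the thread did not perform."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_attachment():
            name = os.path.basename(part.get_filename() or "unnamed.bin")
            found.append((name, part.get_payload(decode=True)))
    return found


def inspect_zip(data: bytes) -> dict:
    """Describe an archive without extracting it: local-header magic check,
    member names and sizes, executable-looking members, and a SHA-256 of the
    archive so the same sample can be compared across scanners."""
    info = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_zip": data[:4] == b"PK\x03\x04",
        "members": [],
        "flagged": [],
    }
    if not info["is_zip"]:
        return info
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            info["members"].append(
                {"name": zi.filename, "size": zi.file_size,
                 "compressed": zi.compress_size})
            if zi.filename.lower().endswith(EXEC_EXT):
                info["flagged"].append(zi.filename)
    return info


def save_for_scanner(name: str, data: bytes, folder: str) -> str:
    """Write the decoded attachment to disk (basename only, no path tricks)
    so an on-demand scanner can be run against the file itself."""
    path = os.path.join(folder, os.path.basename(name))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    workdir = tempfile.mkdtemp(prefix="isolated-")
    for name, blob in extract_attachments(build_sample_message()):
        report = inspect_zip(blob)
        print(name, "->", save_for_scanner(name, blob, workdir))
        print("  sha256:", report["sha256"])
        for m in report["members"]:
            print("  member:", m["name"], m["size"], "bytes")
        print("  flagged:", report["flagged"])
```

Running the script saves the decoded archive into a fresh temporary folder and lists its members; the archive hash is what you would quote when comparing results with another poster, since a decode done differently (from the tracker attachment versus the original mail) would show up as a different hash.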



