[SpamCop-List] Re: CIA Spoof
porpoise1954 at yahoo.co.uk
Tue Dec 6 14:46:37 EST 2005
"Mike Easter" <MikeE at ster.invalid> wrote in message
news:dn47fq$tgh$1 at news.spamcop.net...
> Mike Easter wrote:
> I used a hex viewer on bqj522.zip which looks like it should extract to
> the name you found, qform.exe. I also used my AV agent AVG on the
> folder of the zip and it did not detect anything. I'm accustomed to AVs
> not finding virms which are zipped up, but I'm surprised at the several
> differences between your results and mine. I'm wondering if you
> isolated the bqj522.zip in a different manner, say from the original
> mail itself, and somehow had something better to work with than what I
> got from the tracker's attachment.
> I was working with what I isolated from the original post's tracker's
> attachment, selecting the b64 in isolation, b64 decoding into the zip,
> and working with that zip.
Errr.... Yes. I isolated it from the email into a temporary folder and went
to work on it from there. F-Secure also wouldn't scan it whilst still
encapsulated within the email, but the result I posted was from scanning the
resulting temporarily saved .zip file. I haven't yet pulled it into Winhex
to analyse it. The most important aspect for me, though, was that it's not
being picked up by virus-scanners whilst it's still embedded within the
email structure. That makes it more dangerous to the unedified, who might be
tempted to open the .zip file - on the basis that their virus-scanner hadn't
said it was a virus.
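As an added example (not code from either poster), this is the isolation step described in the thread: take the base64 attachment out of the raw mail, decode it to the .zip, and list the archive's member names without extracting anything, so the saved file can be handed to a scanner. It assumes only the Python standard library; the message and its zip are constructed here and contain no real program.

```python
import base64
import email
import hashlib
import io
import zipfile
from email import policy

# Constructed sample mail: the zip's only member is plain text, named like the
# one discussed in the thread, so the check below has something to flag.
def build_sample_eml() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("qform.exe", "constructed sample, not a real program\n")
    b64 = base64.encodebytes(buf.getvalue()).decode()
    return (
        "From: sender@example.invalid\nTo: you@example.invalid\n"
        "Subject: constructed sample\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XX"\n\n'
        "--XX\nContent-Type: text/plain\n\nsee attached\n"
        '--XX\nContent-Type: application/zip; name="bqj522.zip"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="bqj522.zip"\n\n'
        + b64 + "--XX--\n"
    ).encode()

RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def inspect_attachments(raw: bytes) -> list:
    """Decode each attachment and, for zips, list members without extracting."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes the base64 transfer encoding
        entry = {
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),  # for the scanner report
            "members": [],
        }
        if data[:2] == b"PK":  # zip local-file-header magic
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entry["members"] = zf.namelist()  # names only, nothing written out
        entry["executable_inside"] = any(
            n.lower().endswith(RISKY_EXT) for n in entry["members"]
        )
        findings.append(entry)
    return findings
```

Writing `data` to a temporary folder with `open(name, "wb")` is the point at which a desktop scanner such as the ones mentioned above will actually look at it.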