<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [ga] Reliability of the Internet - the silent battle - part 2
On 2001-11-08 13:02:56 -0800, Roeland Meyer wrote:
>That was a secondary side-issue that only came up because Peter
>was using NAV, which only checks the email wrapper and not the
>actual payload. I now have three trusted sources which confirmed
>that the payload was, in fact, absent.
I suppose you should check your sources, since what you spread was
quite clearly an infectuous Sircam binary... (Bad enough, it's no
longer available in the public list archive.)
Let's look at your message with ID
<EA9368A5B1010140ADBF534E4D32C728069FFD@condor.mhsc.com>
in more detail.
It contained a 268288-byte attachment named "Flight crews rely on
passengers to stop trouble.doc.com" (note the extension). As I said
before, this attachment did, in turn, contain a word document at
offset 137216 (0x21800). So the question is whether the first
100+kB of that attachment Sircam code or not.
For comparison, I'll take a different Sircam message I received from
a person unknown to me, quite some time ago, named Deloitte.doc.lnk.
I assume that this is a genuine instance of Sircam.
As a first test, I extract the tail of the document, skipping the
first 137216 bytes, using dd:
$ dd if=Deloitte.doc.lnk bs=1 skip=137216 of=d.doc
d.doc turns out to be a valid word document.
Next, I extract the first 137216 bytes from both files:
$ dd if=Flight<...>.doc.com bs=137216 count=1 of=sircam-flight
$ dd if=Deloitte.doc.lnk bs=137216 count=1 of=sircam-dloitte
Then, let's produce some hex dumps...
$ od -xa sircam-deloitte > sircam-deloitte.hx
$ od -xa sircam-flight > sircam-flight.hx
... and compare these:
$ diff -u sircam-deloitte.hx sircam-flight.hx
The difference (diff output is available upon request) consists of
e-mail address and host name strings. For the sake of comparison,
I've then done the same to yet another Sircam copy which arrived
here quite some time ago, and, indeed, the same areas of the binary
(plus some more toggled bits) differ between these.
Concluding, I'm quite sure that you did indeed spread the sircam
binary you received, bit by bit. Whatever you mean by NAV detecting
an "e-mail wrapper" instead of the actual payload - you're on the
wrong track in this case.
--
Thomas Roessler http://log.does-not-exist.org/
--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|