Subject: [NEWS] An alternative approach for writing e-mail viruses (concept article)
Date: Sat, 27 May 2000 18:12:35 +0200

          An alternative approach for writing e-mail viruses (concept article)
--------------------------------------------------------------------------------

SUMMARY

Because of the way Internet Explorer handles image files, it is possible
for an attacker (or an e-mail virus) to send a batch file disguised as a
bitmap.
Apparently, Internet Explorer downloads the first few bytes, checks for a
valid image file header and if the header is present, it will download the
rest of the file. When the complete file is downloaded it will try to show
the image.
By changing a batch file's first two characters to the standard first two
characters of a BMP file, it is possible to send a batch file that will be
shown as an image file, and executed by default by Internet Explorer
(running the batch file, instead of showing the image).

DETAILS

If a batch file disguised as an image is sent via an HTML-format email,
it could be possible to execute the batch file on the computer of a remote
user who opens the HTML email. The first 2 bytes in the .bat file should
be BM (for bitmap) or any other image file header.

Example:

BMdfjlqskdfjlksjdflksqjdflksjcvlvksjd (this will cause error, but who cares)
ECHO 22 EF SD E3 FE AD >> filehex.txt (should append not overwrite)
ECHO 1D A6 E6 ....     >> filehex.txt
..
debug -xxxxx filehex.txt file.exe (change the parameters appropriately)
file.exe
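
A gateway-side check for the disguise described above, as an added example
(not part of the original bulletin): instead of trusting the two-byte BM
magic, it validates the remaining BMP header fields and flags content that is
mostly printable text. The function names and both sample inputs are
constructed for illustration, and the strict size comparison assumes that
well-formed BMP files record their true length.

```python
import struct

# DIB header sizes used by known BMP variants.
KNOWN_DIB_SIZES = {12, 16, 40, 52, 56, 64, 108, 124}

def bmp_header_problems(data: bytes) -> list:
    """Return reasons the bytes are not a structurally valid BMP ([] if none)."""
    if data[:2] != b"BM":
        return ["missing BM magic"]
    if len(data) < 18:
        return ["too short for a BMP file header"]
    # File header: magic, file size, two reserved words, pixel-data offset,
    # then the first field of the DIB header (its own size).
    _, size, res1, res2, offset, dib = struct.unpack_from("<2sIHHII", data)
    problems = []
    if size != len(data):
        problems.append("declared size %d != actual %d" % (size, len(data)))
    if res1 or res2:
        problems.append("reserved fields are not zero")
    if dib not in KNOWN_DIB_SIZES:
        problems.append("unknown DIB header size %d" % dib)
    elif not 14 + dib <= offset <= len(data):
        problems.append("pixel offset %d outside file" % offset)
    return problems

def mostly_text(data: bytes, sample: int = 512) -> bool:
    """True when the leading bytes are almost all printable ASCII/whitespace."""
    head = data[:sample]
    printable = sum(b in (9, 10, 13) or 32 <= b < 127 for b in head)
    return bool(head) and printable / len(head) > 0.95

def classify(data: bytes) -> str:
    if not bmp_header_problems(data):
        return "bmp"
    return "text-with-bm-magic" if data[:2] == b"BM" and mostly_text(data) else "not-bmp"

# Constructed samples: a minimal 1x1 24-bit BMP and a harmless text file
# that merely starts with "BM".
VALID_BMP = (struct.pack("<2sIHHI", b"BM", 58, 0, 0, 54)
             + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
             + b"\x00\x00\xff\x00")
TEXT_WITH_MAGIC = b"BMxxxxxxxxxxxx\r\nECHO constructed sample line\r\n"

if __name__ == "__main__":
    for name, blob in (("valid", VALID_BMP), ("disguised", TEXT_WITH_MAGIC)):
        print(name, classify(blob), bmp_header_problems(blob))
```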

ADDITIONAL INFORMATION

The information has been provided by Zoa_Chien
<mailto:zoa_chien@INAME.COM>.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.