I caught one of these uuencoded 'in the wild'. It would have slipped through my filters if not for the standard Subject: line.

---<snip>---
kindly check the attached LOVELETTER coming from me.
begin 666 LOVE-LETTER-FOR-YOU.TXT.vbs
---<snip>---

I've since updated my filters to catch uuencodes as well.

On a lighter note, a clueless gateway forwarded 6 copies of the worm with the following helpful banner attached:

---<snip>---
kindly check the attached LOVELETTER coming from me.
**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by the latest virus scan software available for the presence of computer viruses.
**********************************************************************
------_=_NextPart_000_01BFB683.1FF56E54
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
--<snip>---

...Eric
2000-05-05-13:44:16 Eric Conrad:
I caught one of these uuencoded 'in the wild'. It would have slipped through my filters if not for the standard Subject: line.
Does anyone know for sure that the uuencoded version isn't actually devenomed by the uuencoding? I.e. is there any known gateway that will turn the uuencoded attachment back into the known-virulent MIME, or any known MUA that will offer to execute the uuencoded script with a simple click? If the user has to go out of their way to expressly decode the thing into a file, then deliberately execute that file, that variant of the worm won't spread like wildfire; I'm content to let it pass.
-Bennett
Most modern mailers will automagically uudecode.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Bennett Todd
Sent: Friday, May 05, 2000 11:19 AM
To: Eric Conrad
Cc: nanog@merit.edu
Subject: Re: uuencoded Love Worm variant
2000-05-05-13:44:16 Eric Conrad:
I caught one of these uuencoded 'in the wild'. It would have slipped through my filters if not for the standard Subject: line.
Does anyone know for sure that the uuencoded version isn't actually devenomed by the uuencoding? I.e. is there any known gateway that will turn the uuencoded attachment back into the known-virulent MIME, or any known MUA that will offer to execute the uuencoded script with a simple click? If the user has to go out of their way to expressly decode the thing into a file, then deliberately execute that file, that variant of the worm won't spread like wildfire; I'm content to let it pass.
-Bennett
My Outlook Express happily presented his uuencoded file just like any other attachment, which it then offered (no thanks) to execute for me. Whether attachments are MIME or UUE makes no difference to modern MUAs.

(No) thanks to Eric Conrad for intentionally sending us a live virus; I'd managed to not get any copies so far.

S

Stephen Sprunk, K5SSS, CCIE #3723
Network Consulting Engineer, NSA
14875 Landmark Blvd #400; Dallas, TX
Email: ssprunk@cisco.com

----- Original Message -----
From: Bennett Todd
To: Eric Conrad
Cc: nanog@merit.edu
Sent: Friday, May 05, 2000 13:18
Subject: Re: uuencoded Love Worm variant

Does anyone know for sure that the uuencoded version isn't actually devenomed by the uuencoding? I.e. is there any known gateway that will turn the uuencoded attachment back into the known-virulent MIME, or any known MUA that will offer to execute the uuencoded script with a simple click? If the user has to go out of their way to expressly decode the thing into a file, then deliberately execute that file, that variant of the worm won't spread like wildfire; I'm content to let it pass.
(No) thanks to Eric Conrad for intentionally sending us a live virus; I'd managed to not get any copies so far.
I didn't send a live virus; I sent the 'begin' line as an example, and snipped the rest. Had I realized dumb mailers would see that as an actual attachment, I would have commented the 'begin' snippet. ...Eric
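An added example, not part of any message in this thread: a minimal content check in Python that treats an inline uuencode "begin" line the same way as a MIME attachment name, since the thread establishes that MUAs present both as attachments and that a filter keyed only on the Subject: line or MIME headers misses the uuencoded form. The extension list, function names and sample messages are assumptions constructed for the illustration.

```python
import re

# Extensions a Windows MUA would pass to a script host or the shell.
# The list is an assumption for this example, not taken from the thread.
RISKY_EXT = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "bat", "com"}

# uuencode header at the start of a line: "begin <octal mode> <filename>"
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (.+?)\s*$", re.MULTILINE)
# MIME attachment name: name="..." or filename="..." in a part header
MIME_RE = re.compile(r'\b(?:file)?name\s*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)

def is_risky(filename):
    """Judge by the LAST extension, so FOO.TXT.vbs counts as .vbs, not .txt."""
    return "." in filename and filename.rsplit(".", 1)[1].lower() in RISKY_EXT

def find_attachments(raw_message):
    """Return (encoding, filename, risky) for each attachment name found,
    whether declared by a MIME header or by an inline uuencode header."""
    found = [("mime", m.group(1).strip(), is_risky(m.group(1).strip()))
             for m in MIME_RE.finditer(raw_message)]
    found += [("uuencode", m.group(2), is_risky(m.group(2)))
              for m in BEGIN_RE.finditer(raw_message)]
    return found

def should_quarantine(raw_message):
    return any(risky for _, _, risky in find_attachments(raw_message))

# Constructed samples. Only the header lines quoted in the thread are used;
# no encoded payload is included.
UU_SAMPLE = ("Subject: (constructed, not the standard subject)\r\n\r\n"
             "kindly check the attached LOVELETTER coming from me.\r\n"
             "begin 666 LOVE-LETTER-FOR-YOU.TXT.vbs\r\n")
MIME_SAMPLE = ('Content-Type: application/octet-stream;\r\n'
               '\tname="LOVE-LETTER-FOR-YOU.TXT.vbs"\r\n')
BENIGN = "We can begin 644 tests tomorrow.\nbegin 644 notes.txt\n"

if __name__ == "__main__":
    for label, msg in [("uu", UU_SAMPLE), ("mime", MIME_SAMPLE), ("benign", BENIGN)]:
        print(label, should_quarantine(msg), find_attachments(msg))
```

A bare "begin" line with the payload snipped is flagged as well, which matches how the mailers in this thread treated it.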
participants (4)
- Bennett Todd
- Eric Conrad
- Roeland Meyer (E-mail)
- Stephen Sprunk