Subject: [NEWS] An alternative approach for writing e-mail viruses (concept article)
Date: Sat, 27 May 2000 18:12:35 +0200

An alternative approach for writing e-mail viruses (concept article)
--------------------------------------------------------------------------------

SUMMARY

Because of the way Internet Explorer handles image files, it is possible for an attacker (or an e-mail virus) to send a batch file disguised as a bitmap. Apparently, Internet Explorer downloads the first few bytes, checks for a valid image file header and, if the header is present, downloads the rest of the file. When the complete file is downloaded it will try to show the image. By changing a batch file's first two characters into the standard first two characters of a "BMP" file, it is possible to send a batch file that will be shown as an image file, and executed by default by Internet Explorer (running the batch file, instead of showing the image).

DETAILS

If a batch file disguised as an image is sent via an HTML-format e-mail, it could be possible to execute the batch file on the computer of a remote user who opens the HTML e-mail. The first 2 bytes in the .bat file should be BM (for bitmap) or any other image file header.

Example:

    BMdfjlqskdfjlksjdflksqjdflksjcvlvksjd (this will cause error, but who cares)
    ECHO 22 EF SD E3 FE AD >> filehex.txt (should append not overwrite)
    ECHO 1D A6 E6 .... >> filehex.txt
    ..
    debug -xxxxx filehex.txt file.exe (change the parameters appropriately)
    file.exe

ADDITIONAL INFORMATION

The information has been provided by: Zoa_Chien.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
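
The weakness described above is that a two-byte "BM" signature is treated as proof of an image. The following is an added example, not part of the original bulletin: a stricter structural check that a mail gateway or attachment filter could apply to anything claiming to be a BMP. The function names and both sample inputs are constructed for illustration.

```python
import struct

# DIB header sizes defined for BMP (CORE, INFO, V2, V3, OS/2 2.x, V4, V5).
KNOWN_DIB_SIZES = {12, 40, 52, 56, 64, 108, 124}

def check_bmp(data: bytes):
    """Return (ok, reason). Strict structural check of a file claiming to be BMP."""
    if data[:2] != b"BM":
        return False, "no BM signature"
    if len(data) < 26:  # 14-byte file header + smallest (12-byte) DIB header
        return False, "too short for BMP headers"
    # BITMAPFILEHEADER after the signature: bfSize, two reserved words, bfOffBits.
    bf_size, _r1, _r2, off_bits = struct.unpack_from("<IHHI", data, 2)
    (dib_size,) = struct.unpack_from("<I", data, 14)
    # Strict by design: a text file that merely starts with "BM" fails here,
    # because its next four characters are read as the declared file size.
    if bf_size != len(data):
        return False, "bfSize does not match file length"
    if dib_size not in KNOWN_DIB_SIZES:
        return False, "unknown DIB header size"
    if not 14 + dib_size <= off_bits <= len(data):
        return False, "pixel data offset out of range"
    return True, "headers consistent"

def make_sample_bmp() -> bytes:
    """Constructed 1x1 24-bit BMP (58 bytes) used as known-good input."""
    pixels = b"\x00\x00\xff\x00"  # one BGR pixel + 1 pad byte (rows are 4-aligned)
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    head = struct.pack("<2sIHHI", b"BM", 14 + len(info) + len(pixels), 0, 0, 14 + len(info))
    return head + info + pixels

# Constructed sample: text that merely starts with "BM", as in the bulletin.
DISGUISED = b"BMdfjlqskdfjlksjdflksqjdflksjcvlvksjd\r\nECHO placeholder\r\n"

if __name__ == "__main__":
    for name, blob in (("real.bmp", make_sample_bmp()), ("fake.bmp", DISGUISED)):
        print(name, check_bmp(blob))
```

A file that passes this check has consistent headers only; it should still be handed to nothing but an image decoder.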