  1. #1
    One website at a time mmj's Avatar

    Malicious Emails

    I've been sent a really large number of emails with a .pif attachment that tries to open immediately (using various methods).

    The name of the attachment varies but is usually disguised with .MP3.pif or .DOC.pif etc.

    The name of the sender varies. Sometimes it is a person's or a couple's name, sometimes a company name.

    The subject is always just "Re:"

    The text part of the message is always blank.

    I don't know what they do, because it would be stupid of me to run them.

    However, it's annoying me. They're binary! And they take so long to download on a modem! And... they come from lots of different addresses and they're now coming to more than one of my unrelated sites' addresses.

    MAKE THEM STOP!!

    Here's part of the headers:

    From: "Cine Web Services" <###Their fake address###>
    To: ###My address###
    Subject: Re:
    MIME-Version: 1.0
    Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="====_ABC1234567890DEF_===="

    [mmj] My magic jigsaw

  2. #2
    Gone!
    There is a thread relating to these .pif files here:

    http://www.sitepointforum.com/showth...threadid=40999

  3. #3
    The Legend Indian's Avatar
    Are you using Outlook Express?
    Then uncheck "show preview pane" (View > Layout...).
    You can use Message Rules to send all mail from "Cine Web Services" to a particular folder or directly delete them.
    Also change the security zone to Restricted site Zone (Tools > Options...), so Scripts, ActiveX etc. will not work.

    Indian

  4. #4
    Fried Gold Polymath's Avatar
    It's that SirCam thing - double file extensions like .doc.pif don't get intercepted by AntiVirus programs.

  5. #5
    SitePoint Zealot Andthensometoo's Avatar
    I got a couple of those. From two different people, these two files.
    Menu.bat (78.3 kb) with the following text:
    B. DOS Print Functionality Not Supported
    At the time of the software release, the following software program limitation exists:
    DOS Printing: Your HP Officejet or HP PSC does not support printing from DOS, printing from DOS programs, or printing from a DOS box within Windows.
    C. Display Printer Properties
    After you click the Properties button in the Print dialog box, there may be a delay before the HP Officejet or HP PSC dialog box is displayed.

    And of course the Menu.bat file attached.

    and
    Useful.pif (133.3 kb) with the following text:
    Printer Adjustments: to shift the paper placement for a particular printer and correct for slight variances among printers. This adjustment is on a per-printer basis and is useful for cover or label stock that does appear in the Current Paper Type drop-down list box but the alignment is slightly off.
    Repeat and adjust accordingly until the proper alignment is achieved before printing onto actual cover or label stock.

    With the Useful.pif file attached.

    First off, the file size was suspicious.
    Second, the email addy to which these were sent was NOT one that I might have registered software or hardware such as an HP printer with (which myself and millions of others probably do have), so there should never be any emails concerning my software or hardware to that address.
    Third, I read all my email with JBmail first, so I never worry about viri until I have to download something. (I use webmail to download any jpg files after checking them.)
    I copied most of the files (binary coded) and saved them (as text file) to my "Suspect" folder, in case it was a virus. Even JBmail only showed the '.pif' or '.bat' extensions, and it looked like it was saying that I needed the file to make a piece of my hardware work, which may fool a lot of people.

    It turns out it was probably Magistr. It has a habit of sending out random infected files containing just parts of the viral code.
    "If you handle with products .. this is a word to see It"
    elvis.isnotalive.com

  6. #6
    SitePoint Zealot
    Sounds like Badtrans B virus.

  7. #7
    Net Senior Citizen tommatthews's Avatar
    I'm getting sick of receiving these emails too! I am getting a few every day now.
    It's hard to create a message rule for them as they are from different people all the time, and I am frightened that if I make a rule for emails with re: in the subject line it might trash real email.
    Anyone come up with a way to stop/block these??
    I have Norton AntiVirus and ZoneAlarm, which renames the extension, so hopefully if one of my kids opens one it won't work anyway (but I don't want to find out the hard way!).


    affordable website design

    :: sydney australia ::
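
A filter keyed on the attachment's final extension rather than on the sender or the "Re:" subject, which is what the thread's messages have in common. This is an added example, not code from any poster; the extension set beyond .pif and .bat, the helper names and the sample addresses are assumptions.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click. .pif and .bat come from the thread;
# the rest of the set is an assumption to adjust for your environment.
EXECUTABLE_EXTS = {".pif", ".bat", ".exe", ".scr", ".com", ".cmd", ".vbs"}

def classify_name(filename):
    """Return a reason string if the attachment name is dangerous, else None."""
    # Windows ignores trailing dots and spaces, so strip them before judging.
    name = filename.strip().rstrip(" .").lower()
    stem, ext = os.path.splitext(name)
    if ext not in EXECUTABLE_EXTS:
        return None
    decoy = os.path.splitext(stem)[1]  # e.g. ".mp3" in "song.mp3.pif"
    if decoy:
        return f"executable {ext} disguised as {decoy}"
    return f"executable {ext}"

def risky_attachments(raw_bytes):
    """Parse a raw message and list (filename, reason) for risky attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        reason = classify_name(name) if name else None
        if reason:
            findings.append((name, reason))
    return findings

def build_sample(filename, subject="Re:"):
    """Constructed test message: near-blank body, 'Re:' subject, one attachment."""
    m = EmailMessage()
    m["From"] = '"Example Sender" <sender@example.invalid>'
    m["To"] = "me@example.invalid"
    m["Subject"] = subject
    m.set_content("\n")  # the thread describes an empty text part
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn in ("Song.MP3.pif", "Menu.bat", "report.doc"):
        print(fn, "->", risky_attachments(build_sample(fn)) or "deliver")
```

A message with a "Re:" subject and an ordinary attachment is delivered, so legitimate replies are not caught by the rule.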

