[Dshield] Taking the courtesy of warning about links to infected or malicious web pages

jayjwa jayjwa at atr2.ath.cx
Fri Mar 19 19:33:52 GMT 2004

On Thu, 18 Mar 2004, Peter Stendahl-Juvonen wrote:

> You may have noticed references in a few posts to this list (on March 9 and 10)
> containing a hyperlink to one of the web pages of Columbia University (in the
> City of New York).
> After clicking the hyperlink for this specific page, auto-protect features of
> anti-virus programs alarmed that a specific virus resides in the browser's
> cache. For instance, NAV2004 detected and identified the threat as
> W32.Sobig.F at mm.enc.

<snip questions about virus>

> https://www1.columbia.edu/sec/bboard/cpu_bboard/archive/2003_08/msg00002.html

Hi, yes, your AV scanner is correct, this is a web page with
Win32.SoBig.F, base64 encoded (binary data turned to "text", basically). It
can be easily fetched on a Linux box:

jayjwa at atr2> wget https://www1.columbia.edu/sec/bboard/cpu_bboard/archive/2003_08/msg00002.html

(makes a file msg00002.html in my home directory. I use 'file' to tell me
quickly what it is for sure)

jayjwa at atr2> file msg00002.html
msg00002.html: Exported SGML document text
(Ok, I'll peek, I use 'most')

jayjwa at atr2> most msg00002.html
(I see in fact it has a base64 encoded attachment, which is highly
suspect when found in this manner. Knowing the doc is text, I open it with
Jed, my editor, copy the part which begins "--_Next Part_000" and
take the whole thing until the last "=" marker point, no extra chars,
being careful to omit the "=" at the end {messes up Zip}. Now I have a
file with only the base64 code in it, and I name it "x.b64"; time to
decode. Pull out openssl.)

jayjwa at atr2> openssl enc -base64 -d -in x.b64 -out x.pif
(It spits out x.pif, and I run file again, to be sure. File labels it as a
Windows PE executable. Hmmm... Is it an already known virus? I run my
scanner, hoping for an easy ID...)

jayjwa at atr2> f-prot x.pif -collect

x.pif: Infected Sobig.F (exact)

(...and I get it, it's Sobig.F, a popular mass-mailer.)

At this point, if you wanted to save it, zip it inside a zip archive, say
Win32.SoBig.F.zip. The exact characteristics of SoBig.F escape me at the
moment, but I do know it's a mass-mailer. To find out about it, just hit
www.google.com, and enter "Sobig.F" in the search box. It's not new, so
any decent AV cleaner will be able to kill it. BTW, this link was
still active at 3/19 19:28 UTC. Unless your web browser is doing
auto-converting of base64 files, or another app is and you saved the doc
to a file, you don't have much to worry about. I trust you're up to date
and patched up =).
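The same extraction done by script, as an added example that is not part of the original post: isolate the base64 part between the MIME boundaries, rebuild the "=" padding the hand-copy step worries about, decode, and identify the result by its leading bytes (the `file` step) without ever running it. The sample message, boundary name and MZ stub are constructed, and the script assumes the archive was saved as plain text rather than HTML.

```python
import base64
import hashlib
import re
import textwrap

# Quick magic-byte check, the same question the post answers with `file`.
MAGIC = {b"MZ": "Windows PE executable", b"PK\x03\x04": "Zip archive",
         b"\x7fELF": "ELF executable", b"%PDF": "PDF document"}

def extract_base64_parts(mail_text, boundary):
    """Decode every base64 MIME part delimited by `boundary` (plain-text mail).

    Whitespace inside the body is dropped and '=' padding is rebuilt, so a
    pasted copy that lost or kept its trailing '=' decodes either way.
    """
    parts = []
    for chunk in mail_text.split("--" + boundary)[1:]:
        if chunk.startswith("--"):          # "--boundary--" ends the multipart
            break
        head, _, body = chunk.partition("\n\n")
        if "base64" not in head.lower():    # only transfer-encoded parts
            continue
        data = re.sub(r"[^A-Za-z0-9+/]", "", body)
        parts.append(base64.b64decode(data + "=" * (-len(data) % 4)))
    return parts

def identify(blob):
    """Label a decoded blob by its leading bytes; never runs it."""
    return next((label for magic, label in MAGIC.items()
                 if blob.startswith(magic)), "unknown")

def triage(mail_text, boundary):
    """Type, size and SHA-256 for each attachment, for a report or AV lookup."""
    return [{"type": identify(b), "size": len(b),
             "sha256": hashlib.sha256(b).hexdigest()}
            for b in extract_base64_parts(mail_text, boundary)]

# Constructed sample (not the Columbia page): one message with a base64 part.
# The "attachment" is an MZ header plus filler text, not a real program.
_BOUNDARY = "_NextPart_000_DEMO"
_STUB = b"MZ\x90\x00" + b"constructed stand-in for a PE file; not executable."
SAMPLE = ("Content-Type: multipart/mixed; boundary=\"" + _BOUNDARY + "\"\n\n"
          "--" + _BOUNDARY + "\nContent-Type: text/plain\n\n"
          "Please see the attached file.\n"
          "--" + _BOUNDARY + "\nContent-Type: application/octet-stream\n"
          "Content-Transfer-Encoding: base64\n\n"
          + "\n".join(textwrap.wrap(base64.b64encode(_STUB).decode(), 76))
          + "\n--" + _BOUNDARY + "--\n")

if __name__ == "__main__":
    for item in triage(SAMPLE, _BOUNDARY):
        print(item)
```

The hash in the report is what you would look up or submit to an AV vendor instead of keeping the decoded file around.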

