Author: webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Sun Jan 29, 2006 12:00 am    Post subject: Attachments & images

Decoding a multipart email, e.g. where the email has an embedded image: I would like to extract this image, and other information about the email found in its headers.
Any ideas?
 _________________
 53 6D 61 72 74 41 73 73
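The question above, extracting the attachment parts of a multipart message together with the metadata about them, as an added Python example that is not code from the thread or from Aprelium: it parses a constructed message whose attachment part is the one quoted later in this thread (same boundary, headers and first three base64 lines), decodes the transfer encoding, and records the declared name and type next to a SHA-256 and a label taken from the payload's leading bytes, because the declared values are whatever the sender chose to put there. The sender and recipient addresses are made up, and names such as `extract_attachments` and `sniff` are mine.

```python
"""Pull the attachments out of a multipart email without trusting what the
sender declared about them. Added example, not code from the thread. The
message is constructed for the example; its attachment part (boundary,
headers and the three base64 lines) is the one quoted later in the thread."""
import email
import hashlib
from email import policy

SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_5.11700093746185E-02"

------=_NextPart_5.11700093746185E-02
Content-Type: text/plain; charset="us-ascii"

Please see the attached file.
------=_NextPart_5.11700093746185E-02
Content-Type: application/x-msdownload; name="Attachments00.HQX"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Attachments00.HQX"

YmVnaW4gNjY0IEF0dGFjaG1lbnRzLHppcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgLlNDUg0KTTM1SjBgYCxgYGBgJGBgYGBfX1xgYCtAYGBgYGBgYGBgMGBgYGBgYGBgYGBg
YGBgYGBgYGBgYGBgYGBgYA0KTWBgYGBgYGBgYGBgYGBgYGBgYGBgSGBgYGBgWD9OQFhgTWBHLSg7
------=_NextPart_5.11700093746185E-02--
"""

# A few leading-byte signatures. The Content-Type and filename headers are
# sender-controlled; the first bytes of the decoded payload are not.
SIGNATURES = [
    (b"MZ", "DOS/Windows executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x89PNG", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF8", "GIF image"),
    (b"begin ", "uuencoded text"),
]


def sniff(payload: bytes) -> str:
    """Label a payload by its leading bytes, or 'unknown'."""
    for magic, label in SIGNATURES:
        if payload.startswith(magic):
            return label
    return "unknown"


def extract_attachments(raw: bytes) -> list:
    """One record per attachment part: declared metadata, size, SHA-256 and
    what the leading bytes say the content really is."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # a container, not content
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue  # the message body itself
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        records.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "transfer_encoding": part.get("Content-Transfer-Encoding"),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "sniffed": sniff(payload),
        })
    return records


if __name__ == "__main__":
    for rec in extract_attachments(SAMPLE_MESSAGE):
        print(f"{rec['filename']!r}: declared {rec['declared_type']}, "
              f"{rec['size']} bytes, looks like {rec['sniffed']}, "
              f"sha256 {rec['sha256'][:16]}...")
```

For this part the declared `application/x-msdownload` / `.HQX` and the `begin 664` text that the decoded payload actually starts with do not agree, which is the kind of mismatch worth flagging before anything is written to disk; the SHA-256 is what to search for or submit, rather than the file itself.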

Author: aprelium (Joined: 22 Mar 2002, Posts: 6800)

Author: webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Sun Jan 29, 2006 9:10 pm

Ok thanks, I wondered if anyone had a simple decoder to enable me to view the content of an email. I did, however, work out a way of getting the email data out of Outlook Express without causing my antivirus to kill it before I had a chance to examine the source.
The process was fairly straightforward and I found that the image file was actually a payload, the I-Worm VB6.AN to be exact.

So what did I do?

I have Outlook Express WITH the PREVIEW panel disabled so that any potential threat stays locked up inside the email. This, however, posed a problem with looking in the email and seeing what the content was, so I simply looked at the message source by..

right click (on email in question) >> Properties

wait for the pop-up dialog and click the 'Details' tab, then click the message source.

Copy ALL the text in the pop-up window and paste into a text editor like Notepad or Notepad+ and save as a plain old text file.

Navigate to the location where you saved the file and you can safely open it and read the information in the file; you can then rename the extension to .eml.

I use AVG7 for my security and it jumped on the file soon after renaming the file and looking at the properties of it, but you can simply scan it with your regular antivirus; if your AV program is designed well, it will pick up on any infection like my AVG did.

From inside the email I gained the offending IP address & user, as well as getting from the header the embedded information in the email...
 
 
Code:
------=_NextPart_5.11700093746185E-02
Content-Type: application/x-msdownload; name="Attachments00.HQX"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename="Attachments00.HQX"
 
 YmVnaW4gNjY0IEF0dGFjaG1lbnRzLHppcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
 ICAgICAgLlNDUg0KTTM1SjBgYCxgYGBgJGBgYGBfX1xgYCtAYGBgYGBgYGBgMGBgYGBgYGBgYGBg
 YGBgYGBgYGBgYGBgYGBgYA0KTWBgYGBgYGBgYGBgYGBgYGBgYGBgSGBgYGBgWD9OQFhgTWBHLSg7
 
 And the virus was masking the origin by sending out information saying that it was from myself or my girlfriend or one of several other email addresses supplied by the domain provider.
 
So what was the purpose of that? It simply gave me the information on how to get to the source of the problem, namely an IP address which I did a lookup for and found the source of the problem. The person was unaware of the infection and that his machine was sending out hundreds of emails while they were online.

As my girlfriend wouldn't allow me to open the emails, this was also the only solution to find out what the source was, because AVG would have filtered and deleted the offending email and that information would have been lost to me.
 
 Thx for the links.
 _________________
 53 6D 61 72 74 41 73 73

Author: webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Sun Jan 29, 2006 10:32 pm

				| OK... 
 Found a PHP function to decode a base64 string.
 
 The result is
 
Code:
begin 664 Attachments,zip                                      .SCR
M35J0``,````$````__\``+@`````````0```````````````````````````
 M````````````````````H`````X?N@X`M`G-(;@!3,TA5&AI<R!P<F]G<F%M
 M(&-A;FYO="!B92!R=6X@:6X@1$]3(&UO9&4N#0T*)`````````"W$@?;\W-I
 MB/-S:8CS<VF(&FQDB/)S:8A2:6-H\W-IB%!%``!,`0,`7W;+0P``````````
 MX``/`0L!!@``D````!````!0`0"`Y@$``&`!``#P`0```$```!`````"```$
 M`````0````0````````````"```$`````````@``````$```$``````0```0
 M````````$```````````````)/\!`)P`````\`$`)`\`````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````55!8,```````4`$``!``````````!```````````````````@```X%50
 M6#$``````)````!@`0#@AP````0``````````````````$```.`N<G-R8P``
 M```0````\`$`P`\```",``````````````````!```#`````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````,2XR-`!54%@A#`D""$H)MT03X$]$Y\(!`'.&
 M````L`$`)@,`C@```````````````````````````````-L?*I(`_R5,$$``
 M!40C(R,CS)Q8I",C(R.,*'3((R,C(Q08F,`C(R,CO(1L.",C(R,0+#1P(R,C
 M([2P/&@C(R,C,`R4D",C(R-(B+@@(R,C(R3$>&0C(R,C8(!<0",C(R-4!%`<
 M(R,C(P`(?*AO-R,CK*!H@#8$Z`,`#T9SQ@(.(#!`*_1/HK\[^?_%/W8,1IIP
 M7)3H*K&]`1UE860R(`W?/O__4')O:F5C=#$`<&5A<F%N8__,#A%V-S'_____
 M9O<):TZ\'U<I:S_),A#.KGOT%"-/N$<AYJ#OMW(Z3ZT/P/C_,YEFSQ&W#`"J
 M`DYL6(U_^;VX)"`P%`$)L86-K``T9`0`B`"/"9[?;O@L4;'0#M@N>`@`@
 M14\VR[%#Z`(F(""H"+K966X3#@,HZ"\$W3M"SGD"@`(&@.=:]R8!",``!Q&]
 M-^G>_P(&_P$2W\P=[`0`9F9I9@\/)<N3_`9F#_=V8`<``.;6!M:Z+P`/@C`:
 MS7;V7^YW?W=@9@<N!`_GY@?L-F2R=Q-V9@\'_Q;[?"$`_^\+NP`5[XN=30L%
 M`5D)FQZ>_$UH#TT/L```#W!@[WG"'P(BB)D`+[)EWRQ?#X!?/UOVE@5?`!\_
 M7D)>V%\/<#\;<F3)`'^P6\)+"%GPDO]W'V%G8T-^#T0`!P_?$KK#!F\`<(\/
 M>->Z%Q@Y__Y8_(8#H>O>7@,+!@`_^`/P</"5R^5M^__`!ZW@`P#P#W@?/`FP
 MLSP_.`^]YC9NV#@/B3!+1U.Y,%SW6_A:_'KG",N6"CD$`]SP<KG<VLJF.@``
 
Which is only part of it. Now, what is this supposed to be? An image file, a zip file, or is it a language and, if so, what language is it?

It looks a bit like a JScript encoded script; anyone know where I can find a script decoder?
 _________________
 53 6D 61 72 74 41 73 73

Author: Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Tue Jan 31, 2006 9:43 pm

				| Hundreds of thousands (millions?) of virus infected emails get sent out every day, most ISPs do absolutely zilch if you report it to them, so I wouldn't waste your time trying to get any further information out of the email...  However, since you asked - the attachment is UUEncoded - the M at the start of every line is a dead giveaway, even if the begin 644 doesn't give you a clue... 
 You can see from the first line what the file is -
 
 
Quote:
begin 664 Attachments,zip                                      .SCR

 
It's a SCR (screensaver) file, which is basically a renamed executable under Windows.  The large number of spaces is intended to trick the unwary into believing it's a Zip file and clicking on it to open.  I wouldn't put too much more effort into this - the SCR is just the payload and will give you no further information about the sender, and your AV has already identified the actual virus.
 _________________
 
 "Invent an idiot proof webserver and they'll invent a better idiot..."

Author: webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Thu Feb 02, 2006 8:52 pm

I knew most of that; the email encoding I did not, hence my asking.
From the M$ site, they stated that VB is used in .scr files... The above code, as you can see, does not look very VB, does it?

All I want is to dissect the thing.

I have looked for a UUdecoder/encoder tool but find 100s of solutions that want anything from $5 to £199.  Given the number of freebies, I'm having difficulty tracking one down because these SAME sites use the words FREE trial and FREE download, which is what the Google engine keeps on trawling up, totally useless to me.

If anyone knows where a FREE <- (meaning not costing anything, including adware too!) tool exists, I would appreciate the help.
 _________________
 53 6D 61 72 74 41 73 73

Author: Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Thu Feb 02, 2006 11:47 pm

webstuff wrote:
I knew most of that; the email encoding I did not, hence my asking.
 
 Sorry, I wasn't putting you down, but I didn't know whether you were expecting some kind of magical information to be extracted from the email...
 
 
webstuff wrote:
From the M$ site, they stated that VB is used in .scr files... The above code, as you can see, does not look very VB, does it?

 
Not sure where you picked that up from - a SCR file is a compiled executable which in normal circumstances is supposed to behave as a screensaver.  Windows being Windows, however, it will helpfully run *any* executable file with a .scr extension - make a copy of Notepad.exe and change the extension to .scr and run it...

The compiled code of an executable does not resemble its original source code - even if an executable SCR file had been created in VB, there would be little or nothing resembling the original code in there.  Occasionally you'll find a few strings with form titles etc. in, but nothing in terms of "if x=1 blah".
 
 
webstuff wrote:
All I want is to dissect the thing.

 
As mentioned above, when you unuuencode it, it'll just be an executable file, not source code.  Unless you're skilled in assembly language and in using a disassembler or debugger, there's no point going further.  If you want to see it broken down, just google for a proper analysis of the name of the virus that AVG found.
 
 If you want to find out what would have happened if the particular attachment you have ran, try uploading it to the Norman Sandbox - it'll give you a neat little breakdown of everything it tried to do.
 
 http://sandbox.norman.no/live_4.html
 
 
webstuff wrote:
I have looked for a UUdecoder/encoder tool but find 100s of solutions that want anything from $5 to £199.
<snip>
If anyone knows where a FREE <- (meaning not costing anything, including adware too!) tool exists, I would appreciate the help.

 
 Add .uue to the file extension and try any modern archiver - Winzip/Winrar etc - it should happily decode it.
 
 If you don't have anything that'll handle it that way - try FastCode32.  The original website is long gone, but the download link on Snapfiles still works.
 
 http://www.snapfiles.com/get/fastcode.html
 
 I've used it plenty of times to decode attachments like this while collecting my mail over telnet.
 
 Sounds like it could well be this btw...
 
 http://isc.sans.org/diary.php?storyid=1051
 _________________
 
 "Invent an idiot proof webserver and they'll invent a better idiot..."

Author: webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Sat Feb 04, 2006 1:16 am

Thanks, interesting stuff.
The file arrived as a base64 encoded file and decoded to what is now UUencoded...

I shall keep trying.
 _________________
 53 6D 61 72 74 41 73 73