Attachments & images
Aprelium Forum Index -> PHP
webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Sun Jan 29, 2006 12:00 am    Post subject: Attachments & images

Decoding a multipart email, e.g. one that has an embedded image: I would like to extract this image and other information about the email found in its headers.

Any ideas?
_________________
53 6D 61 72 74 41 73 73
aprelium (Joined: 22 Mar 2002, Posts: 6800)
Posted: Sun Jan 29, 2006 1:53 pm    Post subject: Re: Attachments & images

webstuff,

No need to reinvent the wheel. There are several classes and libraries which encode/decode MIME emails: for example http://pear.sourceforge.net/manual/core.mail.mimedecode.php (but you can get many more by searching Google for "MIME decoding PHP").
_________________
Support Team
Aprelium - http://www.aprelium.com
webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Sun Jan 29, 2006 9:10 pm

OK, thanks. I wondered if anyone had a simple decoder to enable me to view the content of an email. I have, however, worked out a way of getting the email data out of Outlook Express without causing my antivirus to kill it before I had a chance to examine the source.

The process was fairly straightforward, and I found that the image file was actually a payload, the I-Worm VB6.AN to be exact.

So what did I do?

I have Outlook Express WITH the PREVIEW panel disabled so that any potential threat stays locked up inside the email. This, however, posed a problem with looking in the email and seeing what the content was, so I simply looked at the message source by..

Right click (on the email in question) >> Properties.

Wait for the pop-up dialog, click the 'Details' tab, then click the message source.

Copy ALL the text in the pop-up window, paste it into a text editor like Notepad or Notepad+, and save it as a plain old text file.

Navigate to the location where you saved the file; you can safely open it and read the information in the file, and then you can rename the extension to .eml.

I use AVG7 for my security and it jumped on the file soon after I renamed it and looked at its properties, but you can simply scan it with your regular antivirus; if your AV program is designed well, it will pick up on any infection like my AVG did.

From inside the email I gained the offending IP address & user as well as getting from the header the embedded information in the email...

Code:
------=_NextPart_5.11700093746185E-02
Content-Type: application/x-msdownload; name="Attachments00.HQX"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Attachments00.HQX"

YmVnaW4gNjY0IEF0dGFjaG1lbnRzLHppcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgLlNDUg0KTTM1SjBgYCxgYGBgJGBgYGBfX1xgYCtAYGBgYGBgYGBgMGBgYGBgYGBgYGBg
YGBgYGBgYGBgYGBgYGBgYA0KTWBgYGBgYGBgYGBgYGBgYGBgYGBgSGBgYGBgWD9OQFhgTWBHLSg7


And the virus was masking the origin by sending out information saying that it was from myself or my girlfriend or one of several other email addresses supplied by the domain provider.

So what was the purpose of that? It simply gave me the information on how to get to the source of the problem, namely an IP address which I did a lookup for and found the source of the problem. The person was unaware of the infection and that his machine was sending out 100's of emails while they were online.

As my girlfriend wouldn't allow me to open the emails, this was also the only solution to find out what the source was, because AVG would have filtered and deleted the offending email and that information would have been lost to me.

Thx for the links.
_________________
53 6D 61 72 74 41 73 73
webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Sun Jan 29, 2006 10:32 pm

OK...

Found a PHP function to decode a base64 string.

The result is
Code:
begin 664 Attachments,zip                                      .SCR
M35J0``,````$````__\``+@`````````0```````````````````````````


Which is only part of it. Now, what is this supposed to be? An image file, a zip file, or is it a language, and if so, what language is it?

It looks a bit like a JScript encoded Script, anyone know where I can find a script decoder?
_________________
53 6D 61 72 74 41 73 73
webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Tue Jan 31, 2006 2:20 am

Well I never!

http://www.1-script.com/forums/Bill-Gates-as-he-presents-the-Windows-Media-Player-system-crash-article1251-24.htm

Would you believe it, this script is on this site.

Anyone got any ideas on what encoding system this is?
_________________
53 6D 61 72 74 41 73 73
Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Tue Jan 31, 2006 9:43 pm

Hundreds of thousands (millions?) of virus infected emails get sent out every day, most ISPs do absolutely zilch if you report it to them, so I wouldn't waste your time trying to get any further information out of the email... However, since you asked - the attachment is UUEncoded - the M at the start of every line is a dead giveaway, even if the begin 644 doesn't give you a clue...

You can see from the first line what the file is -

Quote:

begin 664 Attachments,zip .SCR


It's a SCR (screensaver) file, which is basically a renamed executable under Windows. The large number of spaces is intended to trick the unwary into believing it's a zip file and clicking on it to open. I wouldn't put too much more effort into this - the SCR is just the payload and will give you no further information about the sender, and your AV has already identified the actual virus.
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."
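As an added example (not code from this thread or from Aprelium), the script below reproduces the layering Anonymoose describes from the defender's side: it builds a constructed mail whose base64 attachment is itself a uuencoded MZ stub, strips both layers with Python's standard library, and flags the space-padded "zip" name and the executable header. All sample data is constructed and stands in for the real worm; Python is used instead of PHP only because its email parser is built in.

```python
import binascii
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed stand-in for the attachment: an MZ header plus filler, not the worm itself.
FAKE_EXE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 20
# The thread's trick: a ".zip"-looking name padded with spaces so ".SCR" is easy to miss.
DECEPTIVE_NAME = "Attachments,zip" + " " * 38 + ".SCR"

def uuencode(data: bytes, name: str) -> bytes:
    """Wrap bytes in a uuencode envelope; every full 45-byte line starts with 'M'."""
    out = [f"begin 644 {name}\n".encode()]
    out += [binascii.b2a_uu(data[i:i + 45]) for i in range(0, len(data), 45)]
    out.append(b"`\nend\n")
    return b"".join(out)

def uudecode(blob: bytes) -> tuple[str, bytes]:
    """Return (name declared on the 'begin' line, decoded bytes)."""
    lines = blob.splitlines()
    name = lines[0].decode("latin-1").split(" ", 2)[2]  # keeps the padding spaces
    data = bytearray()
    for line in lines[1:]:
        if line == b"end":
            break
        data += binascii.a2b_uu(line)  # the trailing "`" line decodes to zero bytes
    return name, bytes(data)

def build_sample_message() -> str:
    """Constructed multipart mail carrying the uuencoded stub as a base64 attachment."""
    msg = EmailMessage()
    msg.set_content("See attachment.")
    msg.add_attachment(uuencode(FAKE_EXE, DECEPTIVE_NAME), maintype="application",
                       subtype="x-msdownload", filename="Attachments00.HQX")
    return msg.as_string()

def analyse_attachment(raw_message: str) -> dict:
    """Undo the base64 and uuencode layers and report what the bytes really are."""
    msg = message_from_string(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undoes Content-Transfer-Encoding: base64
        inner_name = part.get_filename()
        if payload.startswith(b"begin "):
            inner_name, payload = uudecode(payload)
        return {
            "mime_filename": part.get_filename(),
            "real_extension": inner_name.rstrip().rsplit(".", 1)[-1].upper(),
            "padded_name": "  " in inner_name,
            "is_pe_executable": payload[:2] == b"MZ",
        }
    return {}
```

The same decoder works on a saved .eml file read into a string; the first check an analyst wants is exactly the extension/padding/magic-bytes mismatch the dictionary reports.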
webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Thu Feb 02, 2006 8:52 pm

I knew most of that, the email encoding I did not, hence my asking.

From the M$ site, they stated that VB is used in .scr files... The above code as you can see does not look very VB does it?

All I want is to dissect the thing.

I have looked for a UUdecoder/encoder tool but find 100's of solutions that want anything from $5 to £199. Given the number of freebies, I'm having difficulty tracking one down because these SAME sites use the words FREE trial and FREE download, which is what the Google engine keeps on trawling up, totally useless to me.

If anyone knows where a FREE <-(meaning not costing anything, including adware too!) tool exists, I would appreciate the help.
_________________
53 6D 61 72 74 41 73 73
Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Thu Feb 02, 2006 11:47 pm

webstuff wrote:
I knew most of that, the email encoding I did not, hence my asking.


Sorry, I wasn't putting you down, but I didn't know whether you were expecting some kind of magical information to be extracted from the email...

webstuff wrote:

From the M$ site, they stated that VB is used in .scr files... The above code as you can see does not look very VB does it?


Not sure where you picked that up from - a SCR file is a compiled executable which in normal circumstances is supposed to behave as a screensaver. Windows being Windows however, it will helpfully run *any* executable file with a .scr extension - make a copy of Notepad.exe and change the extension to .scr and run it...

The compiled code of an executable does not resemble its original source code - even if an executable SCR file had been created in VB, there would be little or nothing resembling the original code in there. Occasionally you'll find a few strings with form titles etc. in, but nothing in terms of "if x=1 blah".

webstuff wrote:

All I want is to dissect the thing.


As mentioned above, when you unuuencode it, it'll just be an executable file, not source code. Unless you're skilled in assembly language and in using a disassembler or debugger, no point going further. If you want to see it broken down, just google for a proper analysis of the name of the virus that AVG found.

If you want to find out what would have happened if the particular attachment you have ran, try uploading it to the Norman Sandbox - it'll give you a neat little breakdown of everything it tried to do.

http://sandbox.norman.no/live_4.html

webstuff wrote:

I have looked for a UUdecoder/encoder tool but find 100's of solutions that want anything from $5 to £199.
<snip>
If anyone knows where a FREE <-(meaning not costing anything, including adware too!) tool exists, I would appreciate the help.


Add .uue to the file extension and try any modern archiver - Winzip/Winrar etc - it should happily decode it.

If you don't have anything that'll handle it that way - try FastCode32. The original website is long gone, but the download link on Snapfiles still works.

http://www.snapfiles.com/get/fastcode.html

I've used it plenty of times to decode attachments like this while collecting my mail over telnet.

Sounds like it could well be this btw...

http://isc.sans.org/diary.php?storyid=1051
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."
webstuff (Joined: 25 Dec 2005, Posts: 18)
Posted: Sat Feb 04, 2006 1:16 am

Thanks, interesting stuff.

The file arrived as a base64 encoded file and decoded to what is now UUencoded...

I shall keep trying.
_________________
53 6D 61 72 74 41 73 73