Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Beware of GIF based emails bearing HTML trojan

  • Please log in to reply
No replies to this topic

#1 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:02:37 PM

Posted 29 August 2004 - 12:32 PM

Posted Image

This new GIF based email attack was spammed extensively over the weekend. While GIF files are safe, the HTML body of these email messages contain a trojan horse that could be launched on systems that are not up to date on Windows security patches (from last year MS03-032 and MS03-040).

Suspicious GIF files being mailed?

There are an increasing amount of suspicious gif attachments to email reported to us. The filenames 1.gif and 2.gif seem to be popular, but it looks like the exploit isn't in the gifs, but rather in the body of the message that tries to download from a -currently down- website. The reports so far indicate outlook warns about ActiveX permissions, but that might not be the case in all instances. Our best preventive advise would be to disable preview panes in outlook, keep anti-virus software up to date at all times, and perhaps consider to return email to plain text as much as possible both when sending and receiving messages.

McAfee releases update for 1.gif trojan

McAfee releases update for 1.gif trojan, This trojan takes advantage of the exploits covered in Microsoft Security Bulletin MS03-032 or Microsoft Security Bulletin MS03-040. McAfee notes that if these patches are applied, you are immune from this virus. McAfee will still and identify the trojan with the latest updates applied.

McAfee information on new 1.gif and 2.gif trojans

Update - 8/27/2004: A mass-mailing of this exploit occurred today. Messages appear as:

Subject: 1 or 2
Attachment: 1.gif or 2.gif

The attachments are simply 8 byte ascii files containing a number. They are not valid GIF files, nor are they infectious. The message body of such messages is typically blank, but contains HTML exploit code to load a page from a remote site, which is currently inaccessible. The code on the remote site may contain additional malware that could be responsible for the sending of the messages.

This detection covers HTML documents that attempt to exploit the Microsoft Security Bulletin MS03-032 or Microsoft Security Bulletin MS03-040 vulnerability. This severity of this vulnerability is considered to be critical. It allows an attacker to execute malicious code, simply by visiting an infectious website. Detections of this exploit do not necessarily mean that any malicious code was executed.

It simply means that an HTML document was found to contain the exploit code. Conversely malicious code may have been run, which could result in any number of modifications to the system. All vulnerable systems should apply the patch from Microsoft. Patched systems are immune from the effects of the exploit code. However, detection will still occur on files attempting to make use of this exploit.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users