Post by thread:[PIC:] WARNING: Dangerous PIF attachement in email

People I have just received an "Mail Delivery Failure" notification which is a fake. The mail is accompanied by an PIF attachement which is very dangerous and is not detected by the latest version of virus scanners or the latest MS patches. This email was traced back to the MINERVA IP and thence to someone in NZ. Luckily I use Mulberry as a mail client and was able to intercept it. If you get an email with this header then do not click on it, delete it without opening the main email. jon -- http://www.piclist.com hint: To leave the PICList spam_OUTpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu

--On Sunday, August 24, 2003 4:57 PM -0500 Dave VanHorn <dvanhornKILLspamCEDAR.NET> wrote: >> >> Luckily I use Mulberry as a mail client and was able to intercept it. > > What's the big deal? Just don't open unexpected attachments. 0: because it looks very genuine 1: because it is not detected by latest virus scanner 2: because if you use MS outlook or outlook express it will be opened and run automatically! jon -- http://www.piclist.com hint: To leave the PICList .....piclist-unsubscribe-requestKILLspam.....mitvma.mit.edu

> >0: because it looks very genuine No it dosen't. >1: because it is not detected by latest virus scanner Not necessary. I don't need to know if the spider in the jar is poisonous, if I'm never going to open the jar. >2: because if you use MS outlook or outlook express > it will be opened and run automatically! Highly doubtful, but I don't run those programs anyway. Eudora does not automatically open attachments. No sane email program would. -- http://www.piclist.com hint: To leave the PICList EraseMEpiclist-unsubscribe-requestspam_OUTTakeThisOuTmitvma.mit.edu

>> What's the big deal? Just don't open unexpected attachments. > > 0: because it looks very genuine A genuine what? Any .PIF attachment is pretty much guaranteed to be a virus. Just don't open attachments unless they are a file type that can't hurt you (like .JPG, .GIF, .TXT, etc). A .PIF definitely CAN hurt you, which is about the only reason they are sent via email. > 1: because it is not detected by latest virus scanner Virus scanners are worse than useless because of exactly this excuse. At best, they can only tell you about viruses they already know about. At worst they let a variant slip thru, mess up your system, and give you a false sense of security. I guess they are better than nothing for complete idiots, but common sense is far better than any virus scanner. > 2: because if you use MS outlook or outlook express > it will be opened and run automatically! No, it won't. You have to take explicit action to "open" an attachment. MSO/E does display the contents of some types of image file attachments in line, but these image files only contain data and no executable information and are therefore safe. I get about 3-5 viruses per week, and frankly they're pretty easy to spot. ***************************************************************** Embed Inc, embedded system specialists in Littleton Massachusetts (978) 742-9014, http://www.embedinc.com -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestspam_OUTmitvma.mit.edu

> A genuine what? Any .PIF attachment is pretty much guaranteed to be a > virus. Just don't open attachments unless they are a file type that can't > hurt you (like .JPG, .GIF, .TXT, etc). A .PIF definitely CAN hurt you, > which is about the only reason they are sent via email. Olin, it seems incredible, but if you put a file like "dangerouspayload.gif.pif" the outlook will show you as "dangerouspayload.gif"... Don't you believe? 1 - Create a new text file. Something like "new text file.txt" 2 - Rename it to "new text file.txt.pif" 3 - IT WILL SHOW ON YOUR DESKTOP AS "new text file.txt" BUT WILL BE A .PIF FILE!!!! Not to be wrong, I just did it here, and of course, AVG didn't let me attach it to a mail (to myself) thinking it was a virus (after all, this is a very common procedure for a virus) > Virus scanners are worse than useless because of exactly this excuse. At > best, they can only tell you about viruses they already know about. At > worst they let a variant slip thru, mess up your system, and give you a > false sense of security. AVG never let anything come to my system. It is updated daily (sometimes more than once) and NEVER EVER got anything, everything was blocked by it. > I guess they are better than nothing for complete idiots, but common sense > is far better than any virus scanner. Do agree with you, but two locks are better than one in 90% of happenings ;o) > No, it won't. You have to take explicit action to "open" an attachment. > MSO/E does display the contents of some types of image file attachments in > line, but these image files only contain data and no executable information > and are therefore safe. Yes, it will. A bad intetioned HTML code can open a file and you will not even know it...Take a look on some HTML virus reports. Of course you can configure your outlook NOT to do that, but this is not the default. Microsoft security, of course. Greetz from Brazil! Alexandre Souza http://www.pinball-taito.com.br --- Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 19/08/03 -- http://www.piclist.com hint: To leave the PICList KILLspampiclist-unsubscribe-requestKILLspammitvma.mit.edu

> > Olin, it seems incredible, but if you put a file like >"dangerouspayload.gif.pif" the outlook will show you as >"dangerouspayload.gif"... > > Don't you believe? So don't use outlook? Eudora shows it as .gif.pif. I get several every hour. > Yes, it will. A bad intetioned HTML code can open a file and you will >not even know it...Take a look on some HTML virus reports. Of course you can >configure your outlook NOT to do that, but this is not the default. >Microsoft security, of course. Another non problem in eudora. -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu

> Olin, it seems incredible, but if you put a file like > "dangerouspayload.gif.pif" the outlook will show you as > "dangerouspayload.gif"... > > Don't you believe? > > 1 - Create a new text file. Something like "new text file.txt" > 2 - Rename it to "new text file.txt.pif" > 3 - IT WILL SHOW ON YOUR DESKTOP AS "new text file.txt" BUT WILL BE A > .PIF FILE!!!! > This is true, but only if you stupidly leave the default setting for 'Show extensions of known file types' as false. That is a VERY dangerous things to do! Bob Ammerman RAm Systems -- http://www.piclist.com hint: To leave the PICList spamBeGonepiclist-unsubscribe-requestspamBeGonemitvma.mit.edu

Alexandre Souza wrote: >>A genuine what? Any .PIF attachment is pretty much guaranteed to be a >>virus. Just don't open attachments unless they are a file type that can't >>hurt you (like .JPG, .GIF, .TXT, etc). A .PIF definitely CAN hurt you, >>which is about the only reason they are sent via email. >> >> > > Olin, it seems incredible, but if you put a file like >"dangerouspayload.gif.pif" the outlook will show you as >"dangerouspayload.gif"... > > Don't you believe? > > 1 - Create a new text file. Something like "new text file.txt" > 2 - Rename it to "new text file.txt.pif" > 3 - IT WILL SHOW ON YOUR DESKTOP AS "new text file.txt" BUT WILL BE A >.PIF FILE!!!! > > Only if you have "don't show extensions for known file types" turned on. It's on by default when you load Windows - I always change it. You've just shown the exact reason not to leave it that way. :-) David... -- ___________________________________________ David Duffy Audio Visual Devices P/L U8, 9-11 Trade St, Cleveland 4163 Australia Ph: +61 7 38210362 Fax: +61 7 38210281 New Web: http://www.audiovisualdevices.com.au ___________________________________________ -- http://www.piclist.com hint: To leave the PICList TakeThisOuTpiclist-unsubscribe-requestEraseMEspam_OUTmitvma.mit.edu

> 1 - Create a new text file. Something like "new text file.txt" > 2 - Rename it to "new text file.txt.pif" > 3 - IT WILL SHOW ON YOUR DESKTOP AS "new text file.txt" > BUT WILL BE A > .PIF FILE!!!! On my desktop it shows as "new text file.txt.pif", as IMHO it should. You probably have the "hide extension" feature active, which is IMHO a bad thing (haveing it active, that is. The fact that this feature exists at all is much worse.) Wouter van Ooijen -- ------------------------------------------- Van Ooijen Technische Informatica: http://www.voti.nl consultancy, development, PICmicro products -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

Jan-Erik Söderholm XA (TN/PAC) wrote: >Desktop ? >The interesting thing is how it's shown in Outlook, not ? >Or is Outlook also using the "hide file extenstions" setting ? > > Yes. Anything that uses the Windows shell will behave the same. David... -- ___________________________________________ David Duffy Audio Visual Devices P/L U8, 9-11 Trade St, Cleveland 4163 Australia Ph: +61 7 38210362 Fax: +61 7 38210281 New Web: http://www.audiovisualdevices.com.au ___________________________________________ -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

>> I get about 3-5 viruses per week, and frankly they're pretty easy to >> spot. > > Agreed. Powerful thing that delete key! :-) I wrote that yesterday afternoon. I came in this morning and there were 8 separate virus messages waiting for me. They all appeared to be the same one with a .PIF file attached. I guess this thing is really getting around. ***************************************************************** Embed Inc, embedded system specialists in Littleton Massachusetts (978) 742-9014, http://www.embedinc.com -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

> This is true, but only if you stupidly leave the default setting for 'Show > extensions of known file types' as false. > That is a VERY dangerous things to do! No, my computer is configured to show extensions... --- Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 19/08/03 -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

> >I wrote that yesterday afternoon. I came in this morning and there were 8 >separate virus messages waiting for me. They all appeared to be the same >one with a .PIF file attached. I guess this thing is really getting >around. Only eight? you must live in a cave! :) They seem as dangerous to me as the light grenades in "mom and dad save the world". -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

> Olin, it seems incredible, but if you put a file like > "dangerouspayload.gif.pif" the outlook will show you as > "dangerouspayload.gif"... Only if you have Windows (this has nothing to do with Outlook) set to "hide known file types" or something like that. That is an extremely dangerous setting and it's totally irresponsible of Microsoft to set it as the default. It's one of the various things I always adjust when setting up a Windows 2000 system. > AVG never let anything come to my system. It is updated daily > (sometimes more than once) and NEVER EVER got anything, everything was > blocked by it. Well OK then, go ahead an open all the attachments you want! No problem. And I'm sure the AVG folks will personally come to your system and repair any damage in case you got a virus before they did and were able to write a fix for it. > Do agree with you, but two locks are better than one in 90% of > happenings ;o) That would be true if virus scanners were otherwise benign. Unfortunately they have to get into the system deeply and intercept things between programs to do their job. As a result they have various undesirable side effects (how often have you seen software installation instructions tell you to disable all virus software first?). ***************************************************************** Embed Inc, embedded system specialists in Littleton Massachusetts (978) 742-9014, http://www.embedinc.com -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

> Only if you have Windows (this has nothing to do with Outlook) set to > "hide known file types" or something like that. That is an extremely > dangerous setting and it's totally irresponsible of Microsoft to set it as > the default. It's one of the various things I always adjust when setting > up a Windows 2000 system. Strange is: I use windows 98 and has this setting to "show all file types" or something like this. This is one of the first things I do when I install win98. > Well OK then, go ahead an open all the attachments you want! No problem. > And I'm sure the AVG folks will personally come to your system and repair > any damage in case you got a virus before they did and were able to write > a fix for it. I don't use to open attachments, even when .JPG or .GIF, thanks ;o) > That would be true if virus scanners were otherwise benign. Unfortunately > they have to get into the system deeply and intercept things between > programs to do their job. As a result they have various undesirable side > effects (how often have you seen software installation instructions tell > you to disable all virus software first?). Yep, but AVG never did me any knowledgeable harm... --- Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 19/08/03 -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

> That would be true if virus scanners were otherwise benign. Unfortunately > they have to get into the system deeply and intercept things between > programs to do their job. As a result they have various undesirable side > effects (how often have you seen software installation instructions tell > you to disable all virus software first?). Agreed, which is why I only let a virus scanner do what it did 5 years ago: scan files when I want it to. No virus scanner runs resident on my system, it is only invoked when I MANUALLY run it. Most of the problems I've dealt with on people's systems, that were not hardware related, were related, either directly or indirectly, to a piece of virus software doing something it shouldn't. TTYL -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

Alexandre Souza wrote: >>This is true, but only if you stupidly leave the default setting for 'Show >>extensions of known file types' as false. >>That is a VERY dangerous things to do! > > > No, my computer is configured to show extensions... I did your test: create a file named z.txt, rename it to z.txt.pif and it shows z.txt. More when I click on it I get the message: "z.txt.pif is not a valid win32 application". I use win2000 and the Files Options "Hide the known extension files" is not selected !!!!! I'm stunned :-o What else could be wrong ? Gaston -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

1. I am subscribed to piclist digests and I have never, ever seen ONE virus transit the listserv. Therefore any virus you ever saw 'from the piclist' was actually sent with a faked header, and was NOT from the piclist. James can confirm this easily, since he is archiving the list. 2. If Olin says he sees 4-5 a week it makes me wonder what his wonderful system makes of the remaining 5-6 a DAY that should be going through it (based on what others and I see). It would be too good to hope that his wonderful system just deletes them silently. good luck Olin, Peter -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

> >2. If Olin says he sees 4-5 a week it makes me wonder what his wonderful >system makes of the remaining 5-6 a DAY that should be going through it >(based on what others and I see). It would be too good to hope that his >wonderful system just deletes them silently. I probably get 5-6 an hour, or thereabouts. I just delete them. There's a bunch of virii in my attachment directory, awaiting the big flush, but since I have no problem of disk space, and they're about as dangerous as a light grenade, I haven't gotten around to it recently. I did get virused ONCE, using eudora. I clicked on the attachment. In my own defence, I was deathly ill with pancreatitis, and the morphine drip wasn't doing my critical thinking any good. -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

Yup, and I've also noticed that some of these new wonderful virus' are using other peoples email addresses to send out the virus. I've checked my computer many times and don't have the virus, yet someone on one of the lists I'm on does have one of these current virus' and it is "borrowing" my IP address. Happened to a friend of mine too, tracked it down to a comcast IP address that time. Makes one almost want to just use a throwaway email address when crap like this happens. -Tony ----- Original Message ----- From: "Igor Pokorny" <RemoveMEigorpTakeThisOuTAPPLET.CZ> To: <PICLISTEraseME.....MITVMA.MIT.EDU> Sent: Monday, August 25, 2003 2:36 PM Subject: Re: [PIC:] WARNING: Dangerous PIF attachement in email from PIC list > Hello Peter, > my provider have done such service for me for a couple of years. Being > anoying to save any exe, pps etc file to my temporary directory, rename it > to see what is send to me i resigned from its service. I use a program that > is upraded twice a week - till now I haven't had any problem with viruses... > The last one was erased from my Emails a couple times every day. > > Regards > > Igor > > {Original Message removed}

> I have been getting about 150 emails a day from the virus and not one > email was from anybody that I know. And about once an hour, I get an > email that appears like I sent it but it came back as undeliverable. I > checked my computer with the latest anti-virus and scanned all drives > and no virus was detected. Don't worry I got several of those too, some apparently sent by me. I traced the origin to a server in .kr and sent a love letter to the relevant admin. The latest virus is really bad. Also which pos thing pings everything in sight all the time ? My firewall logs are chock full of pings (one ping per origin ip). Peter -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.