My first receipt of a CAPTCHA-bearing virus

During the last round of virus innovation a couple of weeks ago (email viruses with encrypted payloads bearing passwords in the text, circa March 3), I predicted to a colleague that the next obvious step would be an embedded CAPTCHA image to make it harder for antivirus gateways to find the password for decoding encrypted attachments. It didn’t take long; I received my first CAPTCHA-bearing virus last Saturday (March 13).

Of course, this is only a novelty in email viruses. It’s old-hat for email spam; for example, a significant proportion of the Russian-language spam I see is image-only, with an embedded phone number and not even a single URI.

As for the virus, Trend Micro OfficeScan identifies the extracted file as PE_BAGLE.N-O; here’s a snippet:

Delivery-Date: Sat Mar 13 20:00:06 2004
Received: from home-base.com (111.164.8.67.cfl.rr.com [67.8.164.111])
        by antivirus2.its.rochester.edu (8.12.9/8.12.4) with SMTP id i2E0xxGf013039
        for <latex-style@cs.rochester.edu>; Sat, 13 Mar 2004 20:00:00 -0500 (EST)
Date: Sat, 13 Mar 2004 19:59:56 -0500
To: latex-style@cs.rochester.edu
Subject: Re: Thank you!
From: Comm@aol.com
Message-ID: <dqjxudgvprblgdelosm@cs.rochester.edu>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------sbwkiqilgvsgqquhumfx"
Content-Length: 34491
 
----------sbwkiqilgvsgqquhumfx
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
 
<html><body>
Your file is attached.<br><br>
 
 
<BR>Password - <img  src="cid:rjsdmyhbsf.bmp"><BR>
<br>
</body></html>
 
----------sbwkiqilgvsgqquhumfx
Content-Type: image/bmp; name="rjsdmyhbsf.bmp"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="rjsdmyhbsf.bmp"
Content-ID: <rjsdmyhbsf.bmp>
 
Qk2m...
 
----------sbwkiqilgvsgqquhumfx
Content-Type: application/octet-stream; name="Document.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Document.zip"
 
UEsD...
 
----------sbwkiqilgvsgqquhumfx--
 
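The structure shown above (an HTML body whose "Password" is an inline image referenced by `cid:`, an `image/bmp` part carrying that Content-ID, and a zip attachment) is itself a usable gateway signal: a filter cannot read the bitmap without OCR, but it can flag the combination. The following is an added example using Python's standard `email` package, not code from the original post; the two MIME messages are constructed to mirror the quoted layout, with placeholder base64 bodies and placeholder `example.invalid` addresses rather than the real Bagle payload.

```python
import email
import re
from email import policy

# Constructed sample mirroring the quoted Bagle message: HTML body with the
# password rendered as a cid: image, an image/bmp part with that Content-ID,
# and a zip attachment. Base64 bodies are placeholders, not the real payload.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
Your file is attached.<br><br>
<BR>Password - <img  src="cid:pw.bmp"><BR>
</body></html>

--b1
Content-Type: image/bmp; name="pw.bmp"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pw.bmp"
Content-ID: <pw.bmp>

Qk0AAAAA

--b1
Content-Type: application/octet-stream; name="Document.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Document.zip"

UEsDBAAA

--b1--
"""

# Constructed control: an ordinary HTML mail with an inline logo and no archive.
BENIGN_MESSAGE = """\
From: newsletter@example.invalid
To: recipient@example.invalid
Subject: Monthly update
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:logo.png"><p>Hello!</p></body></html>

--b2
Content-Type: image/png; name="logo.png"
Content-Transfer-Encoding: base64
Content-ID: <logo.png>

iVBORw0KGgo=

--b2--
"""

# "password" followed (within a short run of non-tag text) by an <img> whose
# src is a cid: reference; group 1 is the Content-ID being embedded.
PASSWORD_IMG_RE = re.compile(
    r'password[^<]{0,40}<img[^>]+src\s*=\s*["\']?cid:([^"\'\s>]+)', re.I | re.S)


def analyze_message(raw: str) -> dict:
    """Flag mail whose HTML shows the password as an inline image and that
    also carries a zip attachment. Returns the evidence alongside the verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    referenced = set()   # cid values the HTML embeds right after "password"
    image_cids = {}      # Content-ID -> MIME type of image parts
    archives = []        # filenames of zip attachments
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            referenced.update(m.group(1) for m in PASSWORD_IMG_RE.finditer(part.get_content()))
        elif ctype.startswith("image/"):
            cid = part.get("Content-ID")
            if cid:
                image_cids[cid.strip("<>")] = ctype
        elif (part.get_filename() or "").lower().endswith(".zip"):
            archives.append(part.get_filename())
    # Only a cid that is both referenced as the password and present as an
    # image part counts; a dangling reference renders as a broken image.
    password_images = sorted(referenced & image_cids.keys())
    return {
        "password_image_cids": password_images,
        "zip_attachments": archives,
        "suspicious": bool(password_images and archives),
    }


if __name__ == "__main__":
    for label, raw in (("bagle-like", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, analyze_message(raw))
```

The check deliberately keys on the pairing rather than on either half alone: inline `cid:` images are routine in legitimate HTML mail, and zip attachments are routine too, but a password presented as a picture next to an archive has no ordinary use. Tightening the archive test to "zip that contains an executable" would be the natural next step once the gateway can open the archive at all, which is exactly what the image-only password is meant to prevent.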
