My first receipt of a CAPTCHA-bearing virus

During the last round of virus innovation a couple of weeks ago (email viruses with encrypted payloads bearing passwords in the text, circa March 3), I predicted to a colleague that the next obvious step would be an embedded CAPTCHA image to make it harder for antivirus gateways to find the password for decoding encrypted attachments. It didn’t take long; I received my first CAPTCHA-bearing virus last Saturday (March 13).

Of course, this is only a novelty in email viruses. It’s old-hat for email spam; for example a significant proportion of the Russian-language spam I see is image-only, with an embedded phone number, and not even a single URI.

As for the virus,
Trend Micro OfficeScan identifies the extracted file as PE_BAGLE.N-O, here’s a snippet:

Delivery-Date: Sat Mar 13 20:00:06 2004
Received: from ( [])
        by (8.12.9/8.12.4) with SMTP id i2E0xxGf013039
        for <>; Sat, 13 Mar 2004 20:00:00 -0500 (EST)
Date: Sat, 13 Mar 2004 19:59:56 -0500
Subject: Re: Thank you!
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/mixed;
Content-Length: 34491
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Your file is attached.<br><br>
<BR>Password - <img  src="cid:rjsdmyhbsf.bmp"><BR>
Content-Type: image/bmp; name="rjsdmyhbsf.bmp"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="rjsdmyhbsf.bmp"
Content-ID: <rjsdmyhbsf.bmp>
Content-Type: application/octet-stream; name=""
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=""

Leave a Reply