Announcements and discussions for Gnus, the GNU Emacs Usenet newsreader
* Re: ALERT: Emacs GNUS can spread a virus invisibly
       [not found] ` <87ptt1plj6.fsf@labatt.uhoreg.ca>
@ 2002-11-19 17:06   ` Andrew McDermott
  2002-11-19 19:37     ` Hubert Chan
  0 siblings, 1 reply; 6+ messages in thread
From: Andrew McDermott @ 2002-11-19 17:06 UTC (permalink / raw)



Hubert Chan <hubert@uhoreg.ca> writes:

>>>>>> "gm" == Gary Lawrence Murphy <garym@canada.com> writes:
>
> gm> This took me by complete surprise, and caused a major embarrassment:
> gm> Emacs GNUS can be fooled into hiding a virus attachment that is
> gm> propagated when the email is forwarded.
>
> [...]
>
> gm> The risk here is considerable: Just because the email looks clean,
> gm> just because your unix-based email program was immune to the effect
> gm> and shows no embedded trap, does not mean there isn't one.
>
> I have
>
> (setq gnus-inhibit-mime-unbuttonizing t)
>
> in my .gnus.  That causes gnus to display a list of all the MIME

Which version of gnus?  describe-variable gives me:

      "undocumented variable."

My gnus is from a daily `cvs up'.

> alternatives.  (I /think/ that's the variable -- I can't locate
> documentation for it to confirm.)  I suppose you could also frob
> gnus-unbuttonized-mime-types.
>
> -- 
> Hubert Chan <hubert@uhoreg.ca> - http://www.uhoreg.ca/
> PGP/GnuPG key: 1024D/124B61FA
> Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
> Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.

-- 
andy



* Re: ALERT: Emacs GNUS can spread a virus invisibly
  2002-11-19 17:06   ` ALERT: Emacs GNUS can spread a virus invisibly Andrew McDermott
@ 2002-11-19 19:37     ` Hubert Chan
  0 siblings, 0 replies; 6+ messages in thread
From: Hubert Chan @ 2002-11-19 19:37 UTC (permalink / raw)



>>>>> "Andrew" == Andrew McDermott <andrew.mcdermott@windriver.com> writes:

>>  I have
>> 
>> (setq gnus-inhibit-mime-unbuttonizing t)
>> 
>> in my .gnus.  That causes gnus to display a list of all the MIME

Andrew> Which version of gnus?  describe-variable gives me:

Andrew>       "undocumented variable."

Andrew> My gnus is from a daily `cvs up'.

Oort 0.06.  Mine says "undocumented variable" too, and I don't remember
how I came across that variable in the first place.  I must have looked
through the lisp sources, but I can't imagine why I would do anything
like that.

-- 
Hubert Chan <hubert@uhoreg.ca> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.


* Re: ALERT: Emacs GNUS can spread a virus invisibly
       [not found] ` <87r8dh1f01.fsf@computer.localdomain>
@ 2002-11-20  1:31   ` Gary Lawrence Murphy
  0 siblings, 0 replies; 6+ messages in thread
From: Gary Lawrence Murphy @ 2002-11-20  1:31 UTC (permalink / raw)



I tried that multipart detect, and it did detect multipart, but 
C-d only shows the following (which I have cut and paste in hopes
of avoiding including the virus file ;)


(end of the email ...)
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 

From: webfeat <webfeat@dryrain.com>
Subject: Paleontology.
To: teledynamics@canada.com
Date: Sun, 17 Nov 2002 17:07:37 -0600

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="Generator" content="Corel WordPerfect 8">
   <meta name="GENERATOR" content="Mozilla/4.7 [en] (Win95; I) [Netscape]">
   <meta name="Author" content="Carl Wlock">
   <title>MD5M13 LIONS</title>
</head>
<body text="#000000" bgcolor="#C0C0C0" link="#0000FF" vlink="#551A8B" alink="#FF0000">
<img SRC="image61R.JPG" BORDER=0 height=187 width=149>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

<b><i><font size=+1>Lion Cliff Gussie - District Governor 5M-13</font></i></b>
<p><font size=+1><b><i>&nbsp;&nbsp;&nbsp; L</i></b>ion Cliff Gussie spent
33 years in education.&nbsp; After graduating from high</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp; school, Lion Cliff attended Manitoba
Teachers College.&nbsp; He later graduated</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp; from the University of Manitoba with
B.A. and BEd. degrees.&nbsp; During his</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp; tenure in education, he served as
Vice Principal, Physical Education Director,</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp; Guidance Councillor and classroom
teacher. He also served on many Manitoba</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp; Teacher Association committees and
as local president of the Swan Valley</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp; Teacher's Society for two terms.</font>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font size=+1>Lion Cliff has served as
Chief Instructor of an Army Cadet Corp., Town</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; Recreation Director and on many
service clubs and organizations.&nbsp; Many</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; years were spent coaching school
and community sports.</font>
<p><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In addition
to teaching, Lion Cliff has owned and operated a men's clothing</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; and dry goods in partnership
with his wife Kay.</font>
<p><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; As a Lion for 15 years, District
Governor Cliff has held the offices of Lion</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; Tamer, Secretary, Director,
and President in the Swan River Lions club as</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; well as Zone Chair, Convention
Chair, Orientation Chair and Quest Chair</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; as a member of the Cabinet.&nbsp;
Presently he is chairing one committee on the</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; MD5 Multiple Council and acting
on another.</font>
<p><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; A man of many interests, Lion
Cliff is active in many sports such as curling,</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; golf, slow-pitch, X-country
skiing, snowshoeing, hiking and running and such</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; hobbies as geology, archeology
and paleontology.</font>
<p><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; Lion Cliff and Lion Kay have
three sons, two daughters and one grand-</font>
<br><font size=+1>&nbsp;&nbsp;&nbsp;&nbsp; daughter.</font>
<br><img SRC="lion_hea.gif" BORDER=0 height=94 width=111>
</body>
</html>
----------


as you can see, it doesn't show up as any attachment.

if anyone would like me to forward this message to them, let me know
and I'll send you the message as a forward

-- 
Gary Lawrence Murphy - garym@teledyn.com - TeleDynamics Communications
   - blog: http://www.teledyn.com/mt/ - biz: http://teledyn.com/ -
  "Computers are useless. They can only give you answers." (Picasso)



* Re: ALERT: Emacs GNUS can spread a virus invisibly
       [not found]       ` <87bs4dvqt2.fsf@cremer.esr.ruhr-uni-bochum.de>
@ 2002-11-25 14:13         ` Kai Großjohann
       [not found]         ` <8yzhd91j.fsf@random.localnet.unwireduniverse.com>
  1 sibling, 0 replies; 6+ messages in thread
From: Kai Großjohann @ 2002-11-25 14:13 UTC (permalink / raw)


Thomas Steffen <for_replies_only@iname.com> writes:

> 1. Gnus *should* show that the posting contains more than one form of
>    the content. This is useful information for the reader, even in a
>    perfectly normal context. 

Gnus prints `(3 parts)' in the modeline...

kai
-- 
~/.signature is: umop ap!sdn    (Frank Nobis)



* Re: ALERT: Emacs GNUS can spread a virus invisibly
       [not found] ` <87isys1tf3.fsf@saturn.jazzyb.org.uk>
@ 2002-11-25 20:23   ` Chris Brightman
  0 siblings, 0 replies; 6+ messages in thread
From: Chris Brightman @ 2002-11-25 20:23 UTC (permalink / raw)


>>>>> "Chris" == Chris  <chris@jazzyb.org.uk> writes:

>>>>> "GLM" == Gary Lawrence Murphy <garym@canada.com> writes:
    GLM> I don't know why the second part was hidden in the GNUS display, and
    GLM> if there is a setting to show this message for what it actually
    GLM> contained, I don't know what it is, but it needs to get fixed.

    Chris> There are two complete sets of MIME boundaries using the same
    Chris> boundary string in messages I have seen that do this
    Chris> (unfortunately you did not paste enough to show conclusively that
    Chris> this is the same malformation, but your description is consistent
    Chris> with it).  The second set are technically MIME epilogue according
    Chris> to RFC2046.  Unfortunately some MUAs (such as OE) continue parsing
    Chris> with the same boundary string.

    Chris> The content after that final boundary is epilogue and should not
    Chris> be displayed by MUAs.  Perhaps when forwarding messages, the MIME
    Chris> prologue and epilogue should be discarded?

OK, I take back what I wrote the other day.  What I described *is* an exploit
used by some viruses to transport themselves, but having looked at the sample
posted earlier today, this is not an example of it. (incidentally, I can't
find that sample now, maybe it was cancelled?)

This is a generic MIME (Microsoft) exploit, details are available at:

http://vil.nai.com/vil/content/v_99273.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

Technical data on the vulnerability are at:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp


My view as a Gnus user to this is that I don't want to be responsible for
unknowingly sending executable attachments to others.  I take Kai's point
that the modeline indicates the number of parts, but is there a way to easily
modify the display of such messages within Gnus?  I would like to see more
information within the article buffer - what are my options?

Thanks

Chris
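
Added example, not part of the thread or of Gnus: a Python check for the malformation described in the message above, where a second set of delimiters reuses the same boundary string after the closing delimiter, so that a strict RFC 2046 parser treats it as epilogue while a lenient MUA keeps parsing. The function name `audit_epilogue` and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not taken from the thread): one visible part, then a
# second set of delimiters reusing the same boundary after the close delimiter.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Visible text.
--XYZ--
--XYZ
Content-Type: application/octet-stream; name="hidden.bin"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

def audit_epilogue(raw):
    """Compare what a strict RFC 2046 parser shows with what sits in the epilogue."""
    msg = message_from_string(raw)
    boundary = msg.get_boundary()
    if not msg.is_multipart() or boundary is None:
        return {"visible": [msg.get_content_type()], "hidden": []}
    visible = [p.get_content_type() for p in msg.get_payload()]
    epilogue = msg.epilogue or ""
    # An opening delimiter line ("--boundary", no trailing "--") in the epilogue
    # means an MUA that keeps parsing past the close would find more parts there.
    opener = re.compile(r"^--" + re.escape(boundary) + r"[ \t]*\r?$", re.M)
    hidden = []
    if opener.search(epilogue):
        # Re-parse the epilogue as its own multipart body to name those parts.
        wrapped = 'Content-Type: multipart/mixed; boundary="%s"\n\n%s' % (boundary, epilogue)
        hidden = [(p.get_content_type(), p.get_filename())
                  for p in message_from_string(wrapped).get_payload()]
    return {"visible": visible, "hidden": hidden}

if __name__ == "__main__":
    print(audit_epilogue(SAMPLE))
```

A non-empty `hidden` list on a message about to be forwarded is the case the thread worries about: the article buffer shows only the `visible` parts, but the raw message still carries the rest.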



* Re: ALERT: Emacs GNUS can spread a virus invisibly
       [not found]         ` <8yzhd91j.fsf@random.localnet.unwireduniverse.com>
@ 2002-12-10 15:17           ` Gary Lawrence Murphy
  0 siblings, 0 replies; 6+ messages in thread
From: Gary Lawrence Murphy @ 2002-12-10 15:17 UTC (permalink / raw)


Excellent -- the buttonizing is a lot more intrusive than a modeline
report (who looks at modelines? without looking, what's the last char
on yours right now?)

I love usenet.

-- 
Gary Lawrence Murphy - garym@teledyn.com - TeleDynamics Communications
   - blog: http://www.teledyn.com/mt/ - biz: http://teledyn.com/ -
  "Computers are useless. They can only give you answers." (Picasso)

