Date:      Wed, 3 Mar 2004 17:29:55 +0300
From:      Sergey 'DoubleF' Zaharchenko <doublef@tele-kom.ru>
To:        Mike Jeays <Mike.Jeays@rogers.com>
Cc:        questions@freebsd.org
Subject:   Re: Email account utilization warning.
Message-ID:  <20040303172955.59146203@Hal.localdomain>
In-Reply-To: <1078286029.76351.2.camel@chaucer>
References:  <cbnhckfqlptpshbuuat@FreeBSD.org> <40454A3A.5010709@slaughters.com> <1078286029.76351.2.camel@chaucer>

On 02 Mar 2004 22:53:49 -0500
Mike Jeays <Mike.Jeays@rogers.com> probably wrote:

> PIF files are Windows Program Information Files, dating from the days of
> Windows 3.1.  I am surprised they still work - but it seems that they
> do. They have executable content, and are now being used to spread
> malicious software.

Just for the sake of correctness...

Physically, real PIFs have no more executable content than something
between a binary data file and a soft link. But Windows thinks that
they can be `executed' (that was necessary to make them usable as
links, I guess), which is quite enough - when the loader analyzes the
file, it understands it's not a PIF but an EXE format executable
from the magic number and runs it.

Some olden virus-writers probably think that if one masquerades an
.exe as .pif, some olden antiviruses won't find them :). They are
making progress: the virus is about 25% smaller than its .C
predecessor:))))

P.S. And nobody even cared to remove staff@ from CC:)

-- 
DoubleF
Cloning is the sincerest form of flattery.

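The loader behaviour described in the message above, turned into a mail-filter check: an added example, not part of the original e-mail, that flags attachments named `.pif` whose content begins with the `MZ` magic number. The extensions other than `.pif`, the function names and the sample message are assumptions constructed for illustration.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows launches although they are not named .exe. Only .pif comes
# from the message above; the other entries are an assumption of this example.
LAUNCHABLE_NON_EXE = {".pif", ".scr", ".com"}

def is_mz_executable(data: bytes) -> bool:
    """True if data starts with the DOS 'MZ' magic number."""
    return data[:2] == b"MZ"

def has_pe_header(data: bytes) -> bool:
    """True if the MZ header's e_lfanew field (offset 0x3C) points at a PE signature."""
    if not is_mz_executable(data) or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def disguised_executables(raw_message: bytes):
    """Return (filename, kind) for attachments named like a PIF but carrying an EXE."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline text have no filename
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in LAUNCHABLE_NON_EXE and is_mz_executable(payload):
            findings.append((name, "PE" if has_pe_header(payload) else "DOS MZ"))
    return findings

def build_sample() -> bytes:
    """Constructed test mail: a 68-byte MZ/PE header stub and a non-MZ file, both named .pif."""
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    for body, name in ((bytes(stub), "document.pif"), (b"\x00" * 32, "shortcut.pif")):
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(disguised_executables(build_sample()))
```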



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040303172955.59146203>