Message Attachments

While the direct content of a message is displayed clearly in our mail readers, to be read or deleted as we see fit, an attachment poses a dilemma. We cannot easily determine its contents without examining it, but that process alone can expose us to any computer virus that it might contain. This section will explain how you can safely extract the contents of a suspicious attachment and determine their function. Consider this email as an example:

    From: support@symantec.com
    To: XYZ@craic.com
    Subject: Re: Submit a Virus Sample
    Date: Sat, 15 Jan 2005 23:58:39 +0800

    The sample file you sent contains a new virus version of mydoom.j.
    Please clean your system with the attached signature.

    Sincerly,
     Robert Ferrew

    +++ Attachment: No Virus found
    +++ MessageLabs AntiVirus - www.messagelabs.com

Although that sounds vaguely convincing, I’m not going to trust an email from an antivirus company, Symantec, which appears to screen its messages with software from its competitor, MessageLabs. We can assume that the attached file, datfiles.zip, contains a virus or something equally nasty. How can we isolate the payload and figure out what it represents?

Warning

It should go without saying that you should not attempt any extraction or analysis of viruses, worms, or spyware on any Windows system.

On a Unix system, download the entire email message into a new directory and look at the text. Here are the relevant lines from our example. It has three parts: the mail headers, the text of ...
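The same three-part split (headers, body text, encoded attachment) can be pulled apart programmatically, which lets you record what an attachment is before anything ever opens it. The following is an added example, not code from the book: it builds a constructed message in the layout of the one above (with a harmless placeholder file inside `datfiles.zip`, standing in for whatever the real attachment held), then parses it with Python's standard `email` and `zipfile` modules. The attachment is decoded only into memory; its hash, declared type, real type from the leading magic bytes, and the names and types of the archive members are reported without writing or running anything. The `MAGIC` table and the helper names are this example's own.

```python
"""Inspect a suspicious e-mail attachment without opening or running it.

Added example (not from the book). The message is CONSTRUCTED here so the
script runs offline; in practice pass the bytes of a saved .eml file to
inspect_message() instead of build_sample_message().
"""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage


def build_sample_message() -> bytes:
    """Return a constructed RFC 2822 message shaped like the one above."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        # Harmless placeholder: only the first two bytes mimic a Windows
        # executable so the magic-byte check below has something to find.
        zf.writestr("datfiles.exe", b"MZ placeholder, not a real program\n")
    msg = EmailMessage()
    msg["From"] = "support@symantec.com"
    msg["To"] = "XYZ@craic.com"
    msg["Subject"] = "Re: Submit a Virus Sample"
    msg["Date"] = "Sat, 15 Jan 2005 23:58:39 +0800"
    msg.set_content("The sample file you sent contains a new virus version "
                    "of mydoom.j.\nPlease clean your system with the "
                    "attached signature.\n")
    msg.add_attachment(inner.getvalue(), maintype="application",
                       subtype="zip", filename="datfiles.zip")
    return msg.as_bytes()


# Leading bytes of a few common file types (a small, example-only table).
MAGIC = {
    b"PK\x03\x04": "zip archive",
    b"MZ": "DOS/Windows executable",
    b"%PDF": "PDF document",
    b"\x7fELF": "ELF executable",
}


def sniff(data: bytes) -> str:
    """Classify data by its magic bytes, ignoring the file name entirely."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def inspect_message(raw: bytes) -> dict:
    """Parse raw message bytes into headers, body text and attachment facts.

    Attachments are base64-decoded in memory only. Zip members are listed
    and their first bytes sniffed; nothing is extracted to disk.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    report = {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "body": body.get_content() if body is not None else "",
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        info = {
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "magic": sniff(data),
            "members": [],
        }
        if info["magic"] == "zip archive":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for zi in zf.infolist():
                    head = zf.open(zi).read(8)  # only a few bytes, never the whole member
                    info["members"].append((zi.filename, zi.file_size, sniff(head)))
        report["attachments"].append(info)
    return report


if __name__ == "__main__":
    rep = inspect_message(build_sample_message())
    print("From:   ", rep["from"])
    print("Subject:", rep["subject"])
    for att in rep["attachments"]:
        print(f"{att['filename']}: declared {att['declared_type']}, "
              f"really {att['magic']}, {att['size']} bytes, "
              f"sha256 {att['sha256']}")
        for name, size, kind in att["members"]:
            print(f"   member {name}: {size} bytes, {kind}")
```

The hash gives you something to look up or share with an antivirus vendor, and the magic-byte check is the first hint that a file named like a signature update is in fact an executable. Listing members by name and sniffed type keeps the analysis read-only; decide what to do with the contents only after you know what they are.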
