[linux-elitists] Fun with SirCam
Fri Aug 3 08:04:47 PDT 2001
You can also use dd like so:
dd if=sircam.doc.bat of=sircam.doc bs=512 skip=268
dd if=sircam.doc.bat bs=512 skip=268 | catdoc | (perl script to add it to your web page)
If the length of the worm is 137215 then you're losing 1 byte at the
beginning, but that doesn't seem to matter.
In the depths of that dark day Thu Aug 02, the words of Rick Moen were the beacon:
> If you're typical of this list, you've been getting an amusing
> barrage of SirCam-infected file attachments for the past week.
> I've gotten dozens of them. Each attachment purports to be some sort of
> MS-Word document, Excel spreadsheet file, or such, which were in fact
> lifted from the poor sucker's hard drive and bodily included -- prefaced
> by (it turns out) 137215 bytes of Win32 binary worm code, created in
> Borland Delphi.
> But, even though gobs of potentially juicy private documents are getting
> spewed across the Internet by MS-Windows users -- including reportedly
> some from sundry governments -- most of us have been simply discarding
> them as spam-equivalents. Which, I submit to you, gentle readers, is a
> Just about any binary editor will do, but I recommend John H. Swaby's
> very useful "fb" viewer/editor for binaries, available in x86 Linux or
> Win32 binaries, or GPLed source code that'll compile just about
> anywhere: http://home.mho.net/jswaby/fb.html
> To separate the attachment into its binary-payload (worm) and document
> portions, use fb like this:
> fb c 0.137215 attachment sircam.worm
> fb c 137216 attachment document
> Happy reading!
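
An added example, not part of the original post or the quoted message: a byte-exact split at the 137215-byte prefix length given above. Since 268 x 512 = 137216, the block-aligned dd starts one byte late; this version keeps that byte and checks that the carved file begins with the OLE2 signature used by legacy Word and Excel files. The function names and the zero-filled sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the post): split a prefixed attachment byte-exactly.
WORM_LEN=137215   # prefix length quoted in the post

# split_prefixed FILE PREFIX_OUT DOC_OUT [PREFIX_LEN]   (hypothetical helper)
split_prefixed() {
    in=$1; prefix_out=$2; doc_out=$3; len=${4:-$WORM_LEN}
    [ -f "$in" ] || return 2
    size=$(($(wc -c < "$in")))
    # Refuse files too short to hold the prefix plus at least one document byte.
    [ "$size" -gt "$len" ] || { echo "too short: $size bytes" >&2; return 1; }
    head -c "$len" "$in" > "$prefix_out"
    tail -c "+$((len + 1))" "$in" > "$doc_out"   # tail -c +N counts from 1
}

# is_ole2 FILE: succeeds if FILE starts with D0 CF 11 E0 A1 B1 1A E1
is_ole2() {
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "d0cf11e0a1b11ae1" ]
}

# make_sample FILE: constructed test input. Zero bytes stand in for the
# prefix; an OLE2 signature and a line of text stand in for the document.
make_sample() {
    { head -c "$WORM_LEN" /dev/zero
      printf '\320\317\021\340\241\261\032\341'
      printf 'constructed document body\n'; } > "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
make_sample "$tmp/attachment"
split_prefixed "$tmp/attachment" "$tmp/prefix.bin" "$tmp/document"
if is_ole2 "$tmp/document"; then
    echo "document starts with the OLE2 signature"
else
    echo "no OLE2 signature at offset $WORM_LEN; check the prefix length"
fi
rm -rf "$tmp"
```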