Re: AW: Win32.Sircam.Worm Alert.....

From: Chris Ess (
Date: 07/31/01

Date: Mon, 30 Jul 2001 23:23:20 -0400 (EDT)
From: Chris Ess <>
To: Stefan Osterlitz <>
Subject: Re: AW: Win32.Sircam.Worm Alert.....
Message-ID: <>

> Quite a few add the extension as a way of "hiding" what is going on, not
> just Sircam. If you get an attachment with THREE groupings, assume it
> is a 'bad thing' and act appropriately. Has anyone seen a three-group
> attachment and it been ok?

"Three-group attachments" aren't anything new. For instance, join any
reasonably large channel on IRC (#chatzone on at least
used to be a good example) and you may get a request to have one DCC'ed to
you. (Or several.) My favourite ones are the .jpg.pif's and .jpg.bat's.

> .tar.gz ?

This is one of the few ones that can be valid. It's a compressed (more
exactly, gzipped) tar file (BKA tarball). A tarball is a non-compressed
archive of files (tar is short for 'tape archive') and gzip is a
compression program, so you get a gzipped tarball, or a .tar.gz.

This is predominantly a *nix thing though. I'm told some versions of
WinZip can open such files, but I'm unsure since I've never tried.

It's still possible for such a file to be malicious. Many rootkits for
*nix are stored on remote servers in such a format.

As always, be careful what you do with untrusted attachments, especially
as root.

Other ones to include are:

and: .*.gz and .*.bz2

bz2 (short for bzip2) is another compression program used on *nix.

The limitation of gzip and bzip2 is that they only compress one file, as
opposed to PKZip which can archive multiple files and compress them. But
you can compress any file with either. I've had .doc.gz and .txt.gz
sitting around a previous shell account of mine.

I'm certain there are others which can be safe. Many attachments
(including those we wouldn't think of as such) can be unsafe and

--CAE Kujikenaikara!

Sub caelo noctis sto quod stellae mihi spem dant.

"But in the night, the darkness breathes, if he wills it to be."
--Trans-Siberian Orchestra, "The Dark"
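
The distinction drawn in this message (a decoy extension in front of .pif or .bat versus a legitimate .tar.gz, .*.gz or .*.bz2 name) can be written as an attachment-name check. This is an added example, not part of the original post; the function names and every extension beyond .pif, .bat, .gz and .bz2 are assumptions made for illustration.

```python
# Added example. Only .pif/.bat and .gz/.bz2 come from the message; the other
# extensions in these sets are assumptions chosen for illustration.
EXECUTABLE = {"pif", "bat", "exe", "com", "scr", "lnk", "vbs", "cmd"}
COMPRESSION = {"gz", "bz2"}  # single-file compressors: judge the inner name


def split_groups(filename):
    """Lower-case the name and split it into dot-separated groups."""
    # Windows ignores trailing dots and spaces, so "a.jpg.bat. " runs as .bat.
    name = filename.strip().rstrip(". ").lower()
    # Padding such as "a.doc      .pif" hides the last group in narrow UIs.
    groups = [g.strip() for g in name.split(".")]
    return [g for g in groups if g]


def classify_attachment(filename):
    """Return (verdict, reason); verdict is one of
    suspicious, executable, compressed, multi, plain."""
    groups = split_groups(filename)
    if len(groups) < 2:
        return ("plain", "no extension")
    final = groups[-1]
    if final in COMPRESSION:
        # Strip the wrapper and classify what it claims to contain.
        inner = ".".join(groups[:-1])
        verdict, reason = classify_attachment(inner)
        if verdict in ("suspicious", "executable"):
            return (verdict, reason + " inside ." + final)
        return ("compressed", "." + final + " wrapper; contents still untrusted")
    if final in EXECUTABLE:
        if len(groups) >= 3:
            return ("suspicious", "." + groups[-2] + " decoy before ." + final)
        return ("executable", "runs as ." + final)
    if len(groups) >= 3:
        return ("multi", "three or more groups, no known pattern")
    return ("plain", "single extension ." + final)


if __name__ == "__main__":
    # Constructed sample names, not taken from real traffic.
    for sample in ["holiday.jpg.pif", "README.TXT.BAT. ", "backup.tar.gz",
                   "notes.doc.bz2", "photo.jpg.pif.gz", "report.doc"]:
        print(sample.ljust(20), classify_attachment(sample))
```

A "compressed" verdict only says the name is not a disguise; the archive contents still need scanning before anything is unpacked or run.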