*Cookie recipe* computer virus?

The youth pastor of my church tends to use the church’s chat loop to forward stuff all the time, but this morning there was a message with an attachment. Now, I do know enough about viruses to know that you never, never open an attachment without knowing what’s inside. So I copied it to WordPad as a text file, which is what I do. When I looked at it, there was his header, “I thought you’d enjoy these cookie recipes,” and a note from him, “I copied this from a hard drive–enjoy!” or words to that effect, but the bulk of the message (and it was HUGE) was gibberish, and it had a message at the beginning that said, “This is written in MIME format [sp?] and your computer cannot read this format.”

So I went back to e-mail and deleted the whole message, and a moment after I deleted it, the monitor went blank for a moment, and then came back, but without disconnecting anything or bringing up any error messages.

So then I went to Symantec’s site. A cursory search with “cookie recipe” turns up something called Cookie Monster–was this it? Did I just install a virus on my computer? I thought if you didn’t open the attachment, you were supposed to be safe.

This is just a home computer, the most important thing we have on it is high scores from Zoombinis, but still, I don’t like the thought of this family pet being trashed. And I especially don’t like the thought of sending this to everybody in my family.

It doesn’t sound like a virus. The MIME format warning indicates that there was an attachment. What sometimes happens with older e-mail software is that they don’t convert attachments properly when you forward them. Because of this, your computer received the attachment, but didn’t have the information it needed to understand it was an attachment.

(Tech note – you can only send plain ASCII text via e-mail. In order to send something that’s not plain text – like a Word file – your e-mail software converts it to ASCII according to a particular scheme (usually MIME). The recipient decodes that scheme and it shows up as an attachment. If the coding/decoding has errors in it, you end up with a lot of gibberish.)

If you put the gibberish in a monospaced font like Courier, all the lines should be the same length. That’s a sure sign of a botched attachment.

The monitor going blank may have just been a coincidence.

A MIME file can contain one or more other files in compressed form. Opening the MIME file in WordPad will always give you gibberish because you need to uncompress the file or files first. A program like WinZip can uncompress the files for you. I think Microsoft Outlook does it automatically, but I could be wrong. The uncompressed file or files may contain a virus or viruses. If any of the uncompressed files have .exe or .vbs extensions, look out. There could also be macroviruses in any MS Office document. Uncompress the files, then have those files checked by your anti-virus software.

Or you could just call the youth pastor and ask him what was in the file attachment that he sent.

It sounds like it could be anything in there, but if the size was very large it could be a graphic or a program… who knows…

You did the right thing in not opening it as it is better to be safe than sorry. Be aware that a virus or a trojan may seem innocuous at first and only reveal themselves after some time and the people who send them may not be aware.

One thing you can do is forward the attachment to yourself at a Hotmail address, as there you have the possibility of scanning it before downloading it.

Actually, the fact that it was a large pile of gibberish in MIME format means only that it was not a simple ASCII text file. Of course, it could still have been something horrible, but from your description it sounds as if it wasn’t.

For historical reasons, Internet email is restricted to 128 distinct characters, and some of those characters aren’t particularly useful for reasons that aren’t particularly germane. To get a little more technical, each byte of an Internet email message may only take on 128 of the 256 possible values for a byte (the left-most bit is always zero). Every mail server and every email program in the world expects this and would get all confused if it changed.

So, how do you send executable files, word processor documents, spreadsheets, databases, compressed files, sound files, image files, and what-not? All these files use all 256 possible values for each byte, and are called “binary files”.

The answer is encoding. The sending program uses a translation table to convert the binary file into an ASCII text file (which uses the legal 128 characters or a subset of them, and is larger than the original binary file). The ASCII text file is the gibberish you saw. The sending program also includes a specification of what translation table it used. The receiving program can reconstitute the original file provided it understands the translation table that the sender used.

There are several encoding schemes, but probably the most popular is MIME Base64. MIME means Multipurpose Internet Mail Extensions. Base64 uses only 64 distinct characters to encode the original file, because those characters are common to all the various languages’ versions of the ASCII code and a few other technical reasons. Base64 expands the original file by (typically) around 33%.

Of course, a lot of computer users don’t know this or need to know this. They click the attachment button and it shows up at the other end.

So the most likely explanation is that your pastor forwarded you a perfectly innocent word processor document without even realizing that it would show up as an attachment and cause you some concern.

The “cookie monster” virus probably would not have the text strings that you found. The “your computer cannot read it” message is only intended to be seen if you are using a crummy email program that fails decoding the attachment. If your email program can’t handle MIME Base64, you need a new email program; but it probably can. BinHex and UUENCODE are still seen, too.

Lance Turbo:

Actually, a MIME-encoded email attachment contains only one file (which could, of course, be a compressed version of several files) and is an expanded version of that file.

If you’re running an antivirus program, and you should if you’re worried about viruses, you shouldn’t bother opening the file with WordPad at all. Just scan the file with your antivirus program. It sure beats looking at indecipherable binary code and doing searches on Symantec’s site, which is a hoot to read as a lot of the virus alerts are joke chain letters.

1 cup peanut butter
1 cup sugar
1 lg. egg
1 teaspoon vanilla
That’s all.
NO flour. NO baking powder.
Mix real good, drop 1 tsp. size on cookie sheet. Flatten a little w/ glass or jar dipped in more sugar.
Bake @ 325 till barely browned (14 or 15 mins). Cool. Yum, real peanutbuttery cookies.
And no virus’ here. I promise. :)
Peace,
mangeorge

HorseloverFat I think you know what you’re talking about, but your message might possibly mislead people.

If you save the mail message as text, containing the encoded version of the file, and then scan that file, a virus will not be detected. The file must be decoded before a scanner can detect a virus.

But aren’t most virus scanners nowadays smart enough to do the decoding themselves, especially considering the recent rash of e-mail vira?

Well, certainly not most, and I don’t know of any; maybe there are some out there. I can testify from personal experience that neither a fully updated Norton Antivirus 2000 nor McAfee Network Edition will do it.
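
Added example, not part of any post in this thread: a Python sketch of the encoding points discussed above (7-bit message text, uniform Base64 line lengths, roughly one-third expansion, and a substring scan that misses content in the saved message text but finds it after decoding). The marker, payload, addresses and file name are constructed for illustration, and `scan` is a toy stand-in for a signature scanner.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a scanner signature; not a real malware pattern.
MARKER = b"CONSTRUCTED-TEST-MARKER"
# Constructed binary payload: uses all 256 byte values, marker in the middle.
PAYLOAD = bytes(range(256)) * 8 + MARKER + bytes(range(256)) * 8

def build_message() -> bytes:
    """Return a constructed e-mail with one binary attachment, as raw bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Cookie recipes"
    msg["From"] = "sender@example.org"      # placeholder address
    msg["To"] = "reader@example.org"        # placeholder address
    msg.set_content("Recipes attached.")
    msg.add_attachment(PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="recipes.doc")
    return msg.as_bytes()

def scan(data: bytes) -> bool:
    """Toy signature scan: plain substring match."""
    return MARKER in data

def attachment_part(raw: bytes):
    """Parse the raw message and return its first attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return next(msg.iter_attachments())

def encoded_lines(raw: bytes) -> list:
    """Base64 text lines of the attachment, as a text editor would show them."""
    return attachment_part(raw).get_payload().splitlines()

def decoded_bytes(raw: bytes) -> bytes:
    """The original file, recovered by undoing the Base64 transfer encoding."""
    return attachment_part(raw).get_payload(decode=True)

if __name__ == "__main__":
    raw = build_message()
    lines = encoded_lines(raw)
    print("line lengths (all but last):", {len(l) for l in lines[:-1]})
    print("expansion: %.2f" % (sum(map(len, lines)) / len(PAYLOAD)))
    print("marker in saved message text:", scan(raw))
    print("marker after decoding:       ", scan(decoded_bytes(raw)))
```
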