Why is this URL dangerous?

 
 
Franky
      08-13-2004
My PC says the following URL found in an email is dangerous.

http://www.ntlworld.com/inbox/pat.cu...essionid-19507

which activates

cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re

I would imagine it is dangerous as my antivirus software also
detected a malicious file attachment on the same email.

But what is "cid:"? Is this the part that is dangerous or is it
the "www" section which is dangerous?

Thank you to anyone who can help me understand about this. Google
does not give me any real info when I search for "cid:".
 
Walter Schiessberg
      08-13-2004
Franky wrote on 13.08.2004 09:14:

> My PC says the following URL found in an email is dangerous.
>
> http://www.ntlworld.com/inbox/pat.cu...essionid-19507


Nonexistent, I bet.

>
> which activates
>
> cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re


This decodes to "about:blank"

>
> I would imagine it is dangerous as my antivirus software also
> detected a malicious file attachment on the same email.
>
> But what is "cid:"? Is this the part that is dangerous or is it
> the "www" section which is dangerous?


No, it's the attachment.

>
> Thank you to anyone who can help me understand about this. Google
> does not give me any real info when I search for "cid:".


Google gives you 410 references for
"cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re"

No need for crossposting to four groups if you can find the answer in
two minutes by asking a search machine.

--
Walter
 
John Elsbury
      08-13-2004
On Fri, 13 Aug 2004 08:14:42 +0100, Franky <>
wrote:

>My PC says the following URL found in an email is dangerous.
>
> <snip malware link>
>
>which activates
>
> cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re
>
>I would imagine it is dangerous as my antivirus software also
>detected a malicious file attachment on the same email.
>
>But what is "cid:"? Is this the part that is dangerous or is it
>the "www" section which is dangerous?
>
>Thank you to anyone who can help me understand about this. Google
>does not give me any real info when I search for "cid:".


Try googling for PHP exploit or PHP spyware or PHP trojan and see what
you get. PHP files are exploitable, and exploited. Also look up the
name of whatever your AV software told you it was on your AV software
vendor's website. What is probably happening is that there will be a
series of items downloaded (or attempts, as in your case, blocked by
the AV software) which will result in unwanted software being planted
on an unprotected PC.

It is not a good idea to post links in full where you know they link
to malware sites; somebody else might get caught by the same exploit.

While on this subject, now is a very good time to get your software
updated so that the exploitable vulnerabilities in MSIE, MSOE, and
Windows are patched. All these exploits make use of holes in those
products and if you are fully patched you don't need to worry quite so
much.
Please remove "nospam" from mailto address
when replying
 
Franky
      08-13-2004
Walter Schiessberg <> wrote:

> Franky wrote on 13.08.2004 09:14:
>
>> My PC says the following URL found in an email is dangerous.
>>
>> http://www.ntlworld.com/inbox/pat.cu...essionid-19507

>
> Nonexistent, I bet.
>
>>
>> which activates
>>
>> cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re

>
> This decodes to "about:blank"
>
>>
>> I would imagine it is dangerous as my antivirus software also
>> detected a malicious file attachment on the same email.
>>
>> But what is "cid:"? Is this the part that is dangerous or is
>> it the "www" section which is dangerous?

>
> No, it's the attachment.


The attachment was deleted long ago. When I click on the link in
the email and it launches the 'cid' thing then my Opera browser
gives me a warning and the message seems to refer to a login.

I didn't record the message but it seems to me that the link is in
some way malicious. I posted here to ask if someone could explain
it.

>> Thank you to anyone who can help me understand about this.
>> Google does not give me any real info when I search for
>> "cid:".

>
> Google gives you 410 references for
> "cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re"
>
> No need for crossposting to four groups if you can find the
> answer in two minutes by asking a search machine.
>


As I explained, I didn't get the answer from Google. And I am not
sure you have necessarily got the answer either when you say it is
because of the attachment file.
 
Guy
      08-13-2004
Franky wrote:

> I didn't record the message but it seems to me that the link is in
> some way malicious.
>



Put this into your Opera browser address bar: user:1@fake

Read the security warning... and think about it.

--
Regards,
Guy

<URL:http://guysalias.batcave.net/pgpkeys.txt> [Updated: 4/29/2004]
 
Richard S. Westmoreland
      08-24-2004
"Franky" <> wrote in message
news:954453DF7898831E75@127.0.0.1...
> My PC says the following URL found in an email is dangerous.
>
> http://www.ntlworld.com/inbox/pat.cu...essionid-19507
>
> which activates
>
> cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re
>
> I would imagine it is dangerous as my antivirus software also
> detected a malicious file attachment on the same email.
>
> But what is "cid:"? Is this the part that is dangerous or is it
> the "www" section which is dangerous?
>
> Thank you to anyone who can help me understand about this. Google
> does not give me any real info when I search for "cid:".


The first "link" is just the description of the real link, which is the cid:
It tricks people into running the attachment that is included in the email.
The cid: is what is dangerous.

--
Richard S. Westmoreland
http://www.antisource.com
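
Added example, not part of the original posts: a Python check that lists each link's visible text beside its real `href` in an HTML e-mail and flags `cid:` targets (the case described in the last reply) as well as URLs of the `user@host` form that the `user:1@fake` suggestion points at. The message, addresses and Content-ID below are constructed for illustration.

```python
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not the e-mail from the thread).
SAMPLE = """\
Content-Type: multipart/related; boundary="B"

--B
Content-Type: text/html

<a href="cid:part1@example.test">http://www.example.test/inbox/view</a>
<a href="http://www.example.test@203.0.113.7/login">Sign in</a>
<a href="http://www.example.test/help">http://www.example.test/help</a>
--B
Content-Type: application/octet-stream
Content-ID: <part1@example.test>

data
--B--
"""

class Anchors(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def audit_links(raw):  # yields (href, shown text, reason) for suspicious links
    msg = email.message_from_string(raw, policy=email.policy.default)
    # Map each Content-ID to the MIME type of the part it names.
    cids = {p["Content-ID"].strip(" <>"): p.get_content_type()
            for p in msg.walk() if p["Content-ID"]}
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        parser = Anchors()
        parser.feed(part.get_content())
        for href, text in parser.links:
            url = urlsplit(href)
            if url.scheme == "cid":  # target is a part of this same message
                yield href, text, "opens embedded " + cids.get(url.path, "part (missing)")
            elif url.username is not None:  # real host is what follows the "@"
                yield href, text, "userinfo in URL, real host " + url.hostname
```

A `cid:` link to an inline image is normal in HTML mail; the finding worth attention is one whose embedded part is not an image.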


 