Why is this URL dangerous?

Discussion in 'Computer Security' started by Franky, Aug 13, 2004.

  1. Franky

    Franky Guest

    My PC says the following URL found in an email is dangerous.

    www.ntlworld.com/inbox/pat.curran/read.php?sessionid-19507

    which activates

    cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re

    I would imagine it is dangerous as my antivirus software also
    detected a malicious file attachment on the same email.

    But what is "cid:"? Is this the part that is dangerous or is it
    the "www" section which is dangerous?

    Thank you to anyone who can help me understand about this. Google
    does not give me any real info when I search for "cid:".
    Franky, Aug 13, 2004
    #1

  2. Franky wrote on 13.08.2004 09:14:

    > My PC says the following URL found in an email is dangerous.
    >
    > www.ntlworld.com/inbox/pat.curran/read.php?sessionid-19507


    Non-existent, I bet.

    >
    > which activates
    >
    > cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re


    This decodes to "about:blank"

    >
    > I would imagine it is dangerous as my antivirus software also
    > detected a malicious file attachment on the same email.
    >
    > But what is "cid:"? Is this the part that is dangerous or is it
    > the "www" section which is dangerous?


    No, it's the attachment.

    >
    > Thank you to anyone who can help me understand about this. Google
    > does not give me any real info when I search for "cid:".


    Google gives you 410 references for
    "cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re"

    No need for crossposting to four groups if you can find the answer in
    two minutes by asking a search machine.

    --
    Walter
    Walter Schiessberg, Aug 13, 2004
    #2

  3. John Elsbury

    John Elsbury Guest

    On Fri, 13 Aug 2004 08:14:42 +0100, Franky <>
    wrote:

    >My PC says the following URL found in an email is dangerous.
    >
    > <snip malware link>
    >
    >which activates
    >
    > cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re
    >
    >I would imagine it is dangerous as my antivirus software also
    >detected a malicious file attachment on the same email.
    >
    >But what is "cid:"? Is this the part that is dangerous or is it
    >the "www" section which is dangerous?
    >
    >Thank you to anyone who can help me understand about this. Google
    >does not give me any real info when I search for "cid:".


    Try googling for PHP exploit or PHP spyware or PHP trojan and see what
    you get. PHP files are exploitable, and exploited. Also look up the
    name of whatever your AV software told you it was on your AV software
    vendor's website. What is probably happening is that there will be a
    series of items downloaded (or attempts, as in your case, blocked by
    the AV software) which will result in unwanted software being planted
    on an unprotected PC.

    It is not a good idea to post links in full where you know they link
    to malware sites, somebody else might get caught by the same exploit.

    While on this subject, now is a very good time to get your software
    updated so that the exploitable vulnerabilities in MSIE, MSOE, and
    Windows are patched. All these exploits make use of holes in those
    products and if you are fully patched you don't need to worry quite so
    much.
    Please remove "nospam" from mailto address
    when replying
    John Elsbury, Aug 13, 2004
    #3
  4. Franky

    Franky Guest

    Walter Schiessberg <> wrote:

    > Franky wrote on 13.08.2004 09:14:
    >
    >> My PC says the following URL found in an email is dangerous.
    >>
    >> www.ntlworld.com/inbox/pat.curran/read.php?sessionid-19507

    >
    > Non-existent, I bet.
    >
    >>
    >> which activates
    >>
    >> cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re

    >
    > This decodes to "about:blank"
    >
    >>
    >> I would imagine it is dangerous as my antivirus software also
    >> detected a malicious file attachment on the same email.
    >>
    >> But what is "cid:"? Is this the part that is dangerous or is
    >> it the "www" section which is dangerous?

    >
    > No, it's the attachment.


    The attachment was deleted long ago. When I click on the link in
    the email and it launches the 'cid' thing then my Opera browser
    gives me a warning and the message seems to refer to a login.

    I didn't record the message but it seems to me that the link is in
    some way malicious. I posted here to ask if someone could explain
    it.

    >> Thank you to anyone who can help me understand about this.
    >> Google does not give me any real info when I search for
    >> "cid:".

    >
    > Google gives you 410 references for
    > "cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re"
    >
    > No need for crossposting to four groups if you can find the
    > answer in two minutes by asking a search machine.
    >


    As I explained, I didn't get the answer from Google. And I am not
    sure you have necessarily got the answer either when you say it is
    because of the attachment file.
    Franky, Aug 13, 2004
    #4
  5. Guy

    Guy Guest

    Franky wrote:

    > I didn't record the message but it seems to me that the link is in
    > some way malicious.
    >



    Put this into your Opera browser address bar: user:1@fake

    Read the security warning... and think about it.

    --
    Regards,
    Guy

    <URL:http://guysalias.batcave.net/pgpkeys.txt> [Updated: 4/29/2004]
    Guy, Aug 13, 2004
    #5
  6. "Franky" <> wrote in message
    news:954453DF7898831E75@127.0.0.1...
    > My PC says the following URL found in an email is dangerous.
    >
    > www.ntlworld.com/inbox/pat.curran/read.php?sessionid-19507
    >
    > which activates
    >
    > cid:031401Mfdab4$3f3dL780$73387018@57W81fa70re
    >
    > I would imagine it is dangerous as my antivirus software also
    > detected a malicious file attachment on the same email.
    >
    > But what is "cid:"? Is this the part that is dangerous or is it
    > the "www" section which is dangerous?
    >
    > Thank you to anyone who can help me understand about this. Google
    > does not give me any real info when I search for "cid:".


    The first "link" is just the description of the real link, which is the cid:
    It tricks people into running the attachment that is included in the email.
    The cid: is what is dangerous.

    --
    Richard S. Westmoreland
    http://www.antisource.com
    Richard S. Westmoreland, Aug 24, 2004
    #6
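
Added example (not part of any post in this thread): a checker for the pattern described in post #6, where the visible link text looks like a web address but the real href is a cid: reference to a MIME part in the same message. The sample message, its addresses and the filename are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import unquote
# Constructed sample message (not the e-mail discussed in the thread).
SAMPLE = """\
Content-Type: multipart/related; boundary="XX"

--XX
Content-Type: text/html; charset="us-ascii"

<a href="cid:part1@example.invalid">www.example.invalid/inbox/read.php</a>
<a href="http://example.invalid/help">help</a>
--XX
Content-Type: application/octet-stream
Content-ID: <part1@example.invalid>
Content-Disposition: attachment; filename="attached-file.bin"

x
--XX--
"""

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this link
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_disguised_cid_links(raw):
    """Flag anchors that display a web address but point at a cid: MIME part."""
    msg = message_from_string(raw, policy=policy.default)
    # Index every MIME part by its Content-ID (angle brackets removed).
    parts = {str(p["Content-ID"]).strip("<> "): p for p in msg.walk() if p["Content-ID"]}
    out = []
    for html in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        collector = AnchorCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            if href.lower().startswith("cid:") and re.match(r"(?i)(https?://|www\.)", text):
                target = parts.get(unquote(href[4:]))  # cid: values are URL-encoded
                out.append((text, href, target.get_filename() if target else None))
    return out
```

Each finding is (visible text, real href, filename of the referenced part); the filename is None when the cid: matches no part in the message.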