If the file that was sent from the previous victim's My Documents looks interesting, you could possibly open it by saving the file without the second extension and opening it from the appropriate program.
Ok, here's the thing, please don't fucking do this.
But if you REALLY want to: using your favorite HEX editor:
The attachment begins at or around offset 0x0022100, 2 screenfuls after the last bit of virus code which resembles:
naCode..}MIMEcha
r.??IniFiles.??W
inInet..?Graphic
s..?SMTPsend..?M
IMEmess.?*ShellA
PI..8Registry...
..?.?...?.?.?.??
..?.............
The first bytes of a MS-Word document are:
D0 CF 11 E0 A1 B1 1A E1
A zip file is:
50 4B 03 04 0A PK(heart)(diamond)(circle)
Delete everything before, then re-enable your Virus scanner, put your system in maximum paranoia mode and use QUIKVIEW instead of MSOffice -- you never know, a future SIRCAM variant may introduce a Word Macro virus to attachments it sends out...
Infinity is right,
PKZIP/
WinZip skips over all the virus code and seeks to the real ZIPfile header.
tlk nnr at
slashdot.org posted this one-liner to extract the attachment:
dd if=sircam.doc.exe of=clean.doc bs=1 skip=137216
Download the
unxutils for
Win32 to obtain the DD.EXE utility.