Security Incidents mailing list archives
Re: [unisog] Some more details on the worm
From: Jeffrey Altman <jaltman () columbia edu>
Date: Tue, 18 Sep 2001 20:54:51 EDT
.eml is listed in the Registry as "Microsoft Internet Mail Message" with Content Type = "message/rfc822". On my Windows 2000 system this will result in a program called \WINDOWS\system32\thumbvw.exe being executed using the Apartment threading model.

- Jeff
> When pages are served up by an infected server, it looks as though readme.eml is 'attached' to them. The server attempts to get the client to open them through the following bit of code (from the .dll file):
>
>     <script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script>
>
> According to Slashdot, this causes the file to be automatically opened and executed by the client. I haven't been able to confirm or deny that (but if someone can, please do).
>
> Regards,
> Matt
>
> --
> Matt Davis, MCP
> Intermediate Client Server Business Support Analyst
> COUNTRY(SM) Insurance & Financial Services
> 309-821-6288
> mailto:matt.davis () countryfinancial com
Jeffrey Altman * Sr.Software Designer          C-Kermit 8.0 Beta available
The Kermit Project @ Columbia University       includes Secure Telnet and FTP
http://www.kermit-project.org/                 using Kerberos, SRP, and
kermit-support () kermit-project org            OpenSSL. SSH soon to follow.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
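The thread describes two observable traces of an infected server: an injected `<script>` that calls `window.open()` on `readme.eml` appended to served pages, and clients then fetching `readme.eml` from the server. The following detection script is an added example and is not code from the thread, from Matt Davis, or from Jeffrey Altman. The function names, the sample HTML pages and the Apache-style log lines are constructed for the example; the regular expressions tolerate whitespace, quoting and case differences so that trivial reformatting of the snippet quoted above does not slip past the check.

```python
import re
from typing import Dict, List, Tuple

# Injected script as quoted in the thread: a <script> element whose body calls
# window.open() on "readme.eml". Attribute order, quoting style, whitespace and
# letter case are allowed to vary.
INJECTED_SCRIPT_RE = re.compile(
    r"<script[^>]*>\s*window\.open\(\s*['\"]readme\.eml['\"]"
    r"[^)]*\)\s*</script>",
    re.IGNORECASE | re.DOTALL,
)

# top=/left= window-feature values; very large values place the popup off screen.
WINDOW_POS_RE = re.compile(r"\b(top|left)\s*=\s*(\d+)", re.IGNORECASE)

# Request line and status code of an Apache/IIS combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"\s+(\d{3})')


def find_readme_eml_injection(html: str) -> List[Dict[str, object]]:
    """Return one finding per injected readme.eml script in a served HTML page."""
    findings = []
    for m in INJECTED_SCRIPT_RE.finditer(html):
        snippet = m.group(0)
        coords = {k.lower(): int(v) for k, v in WINDOW_POS_RE.findall(snippet)}
        findings.append({
            "offset": m.start(),          # byte offset of the <script> tag
            "snippet": snippet,           # exact text matched, for the ticket
            # Popup pushed off the visible desktop (the quoted sample uses 6000).
            "offscreen": any(v >= 1000 for v in coords.values()),
        })
    return findings


def readme_eml_requests(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (line, path, status) for every request whose last path element is readme.eml.

    A 200 on your own server means the file is being served, i.e. the server
    itself is infected; 404s show clients being sent there by someone else's page.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, status = m.group(1), int(m.group(2))
        if path.lower().rsplit("/", 1)[-1] == "readme.eml":
            hits.append((line, path, status))
    return hits


# --- constructed sample input (not real captures) ---------------------------
CLEAN_PAGE = "<html><body><h1>Campus News</h1></body></html>"
INFECTED_PAGE = (
    CLEAN_PAGE + "\n"
    '<script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script>'
)
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:14:02:11 -0400] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Sep/2001:14:02:12 -0400] "GET /readme.eml HTTP/1.1" 200 57344',
    '10.0.0.9 - - [18/Sep/2001:14:05:40 -0400] "GET /docs/README.EML HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, find_readme_eml_injection(page))
    for line, path, status in readme_eml_requests(SAMPLE_LOG):
        print(status, path)
```

Run the HTML check against pages fetched from your own web servers (or from a proxy cache) and the log check against the servers' access logs; a 200 for `readme.eml` in your own logs is the stronger signal, because it shows the file is actually present on that host rather than merely being requested by a browser that was pointed there by another site.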